Ransomware, reputation, risk: Black Hat Europe in review, 2026 in view
Common failures in security that enable vulnerabilities to be exploited, as well as the politicisation of technology leading to its use by nation-states for cyber crime, were among the biggest issues addressed at the Black Hat Europe conference in London held at the very end of 2025.
The event – one of the final conferences of the calendar year and known for its demonstrations of offensive techniques, research, tools and training – came at the end of a year in which major breaches and vulnerabilities dominated the headlines.
Many major incidents last year were broadly described as “cyber attacks” rather than being labelled more specifically as ransomware or phishing. In the case of the Asahi Group incident, the company confirmed in its statement that its servers “were targeted by a ransomware attack” and “we are withholding specific details regarding the cyber attack” to prevent further damage.
Add attacks involving British retailers to the list, and 2025 became less about who was behind the attack and more about staying online and protecting sensitive customer data. Are we moving away from attribution to nation-states and towards protection as a priority, alongside improving response? While the cyber industry focused on who was behind which incidents and where blame lay, perhaps the issue is that many attacks now have some form of hacktivist element.
Opening the event, Black Hat founder Jeff Moss claimed that as all “technology is political” now, any technical decision made has a political consequence.
Citing the “crypto wars” of the 1990s over the use of the PGP algorithm, ongoing debates over backdoors in technology, and disinformation campaigns around the 2016 US presidential election, Moss said: “My point is that we’re in a political situation, whether you like it or not. I want us to acknowledge that. I don’t like acknowledging it, but that’s where we’re at, and one of the most political things currently is ransomware.”
Moss also referenced declarations about whether Chinese technology is used at his DEF CON event, including having to confirm that the event does not use Chinese tech, along with statements regarding where data is stored.
Ransomware and LockBit
The mention of ransomware was particularly relevant, as the opening keynote from Max Smeets focused on his experience working with LockBit data seized by the National Crime Agency (NCA) as part of 2024’s Operation Cronos. In this case, the NCA infiltrated LockBit systems, captured victim data and locked out the controllers – an action that later analysis found had a “significant impact on the group’s activities”.
Smeets said his analysis of the LockBit data showed that ransomware and wiper attacks – where the focus is on wiping data rather than extortion – are increasingly being used. He pointed to incidents such as the recent cyber attack on a Venezuelan tanker, as well as the 2017 NotPetya attack.
Smeets, a senior researcher at the Center for Security Studies (CSS) at ETH Zurich, made several observations on the state of ransomware based on his examination of LockBit conversations:
- Only a small number of LockBit affiliates make real money.
- Negotiation tactics are highly repetitive and scripted, with affiliates following a familiar playbook and showing little variation.
- Pricing is crude and not data-driven, with attackers relying on estimates rather than deep analysis to understand leverage over victims.
- Affiliates prefer moving to a new victim rather than engaging in prolonged negotiations.
A slide presented by Smeets showed that across two versions of LockBit, only eight percent of victims paid to have their data decrypted, reinforcing that attackers have a single goal: to get paid. Among those that did pay, victims appeared more frequently in email conversation lists and did not appear to pay less in subsequent incidents.
Smeets also highlighted the importance of reputation in ransomware operations. Attackers must be trusted to decrypt data and not leak it, and it is often easier to rebuild infrastructure than to rebuild reputation.
Vicious and destructive attacks
Speaking to Computer Weekly, Rafe Pilling, director of Threat Intelligence in the Sophos Counter Threat Unit (CTU), said there is now a wider variety of threat actors entering the ransomware ecosystem.
“A lot of it used to be very much Russian-speaking organised crime and their chums,” he said. “Now it’s Western-based, UK-based, English-speaking threat actors and even teenagers getting involved in ransomware – some of which end up being quite vicious and destructive attacks.”
On the importance of reputation, Pilling explained that ransomware relies on a brand that victims have enough faith in to believe they will receive a way out if they pay. If that trust is broken – for example, if decryption is not provided – then the reputation of the operator is damaged.
“There seems to be some kind of inverse ratio between the number of victims you hit at once and the amount of money you make,” Pilling said. “It’s much better to hit smaller numbers of victims over a longer period of time than to attempt a big-bang attack.”
Pilling added that for modern ransomware operators such as BlackCat and LockBit, reputation is central to their operations, and that “a big part of the NCA strategy for going after LockBit was not just to disrupt them, but to disrupt and undermine their reputation”.
This came at the end of a year in which the UK government announced a crackdown on ransomware payments, and with a bill currently progressing through the House of Commons that would require cyber extortion and ransomware attacks to be reported to the government within a specified timeframe. While ransomware is unlikely to disappear, it may become less impactful as new measures are put in place.
The user’s impact
Another recurring theme was the role of users. Linus Neumann from the Chaos Computer Club discussed issues around the human factor, arguing that the real problem lies with “the people who built and operate it”.
Echoing Moss’s comments about lessons from the past not being followed, Neumann said too many attacks are still enabled by human error, while too much effort is spent on detection and recovery. Prevention, he said, fails far too often.
“We will continue to fail until we understand what business does, and need to talk to employees,” he said, pointing to a tendency to blame users rather than fixing the environments built for them.
Neumann claimed that “there is no unsolved IT security problem” from his perspective, citing advances such as two-factor authentication, smartcards and end-to-end encryption – technologies that exist but are still not widely or consistently deployed.
AI increasing amplification and automation
AI was also a prominent topic, with Tenable’s Gavin Millard focusing on technologies that he said would not “destroy the world”, but are instead increasing amplification and automation “faster and at scale”.
Millard warned that organisations with significant existing security issues and poor remediation processes may be most vulnerable. He noted that agentic AI can help to reduce the “disclosure to exposure gap” and, if used correctly, address long-standing hygiene issues – while also acknowledging that it inevitably expands the attack surface.
“To mobilise an agentic army, it needs to have the right context, and this is where AI is going to be incredibly useful,” Millard said. He pointed to AI’s ability to handle patching, noting that a poorly applied patch can bring down a network, and that AI can help determine which vulnerabilities should be prioritised regardless of severity scores.
“We need to have guardrails for agentic AI,” he said. “We need to say [to agents] you can’t patch anything that requires a reboot; you can’t patch anything that requires admin privileges. You need to define your policy role for agentic AI to work without disrupting operations.”
Secure software, safe researchers
On the topic of vulnerabilities, Microsoft’s Tom Gallagher discussed the principles of “secure by design” and “assume breach” as part of the company’s efforts to build more secure products, highlighting how bug bounty programmes and external collaboration strengthen software security.
A panel also examined challenges around vulnerability disclosure and legal reform, particularly in relation to the UK’s Computer Misuse Act. The discussion highlighted how reporting vulnerabilities can be risky, time-consuming and unrewarded, with researchers facing legal threats and potential damage to their careers. Held under the Chatham House Rule, the panel concluded that better incentives and protections are needed for researchers, and that vulnerability reporting should be treated as a public good.
Overall, the themes at Black Hat Europe underscored the political, economic and social dimensions of cyber security – from technology and service choices to corporate governance around users and technical hygiene, and how AI is reshaping the capabilities of both defenders and attackers.
As 2026 begins, new challenges await, and the lessons of 2025 should serve organisations well. However, many of these themes are familiar and repeatedly discussed. Are these issues genuinely unresolved, or are they simply persistent? Where the industry finds itself at the end of 2026 may help to answer that question.
