Geopolitics for Hire: When Ransomware Crews Work for Governments
Ransomware is up 48% even as overall attacks fall — and the targets are shifting to critical infrastructure. The reason isn't just greed. Nation-states have discovered that a criminal crew makes a perfect deniable weapon.
👋 Welcome to Unlocked
Here's a number that doesn't fit the headline: overall cyberattack activity is down, but ransomware is up 48% year over year. Fewer attacks, more ransomware. That's not a contradiction — it's a signal.
Ransomware is getting more targeted, more disruptive, and more political. When a crew calling itself The Gentlemen shut down two of Mackay Sugar's mills on June 10, it fit a pattern security researchers have been flagging all year: the action is moving from data theft toward operational disruption, and from pure profit toward something closer to statecraft.
The 2026 threat reporting tells a consistent story. The ransomware "slowdown" in raw numbers masks a more dangerous shift — toward critical infrastructure, and toward criminal crews acting as deniable instruments of nation-states.
This week we dig into why the line between cybercrime and cyberwar is dissolving, and what it means when the crew hitting your network might be working for someone with a flag.
🔑 What's Actually Happening
For a decade, ransomware was a business model: encrypt, extort, get paid. That model still runs — it even has its own negotiators and middlemen, as we covered in "The Double Agent." But a second use case has grown up alongside it. Nation-states have realized that an established criminal crew — the kind profiled in our guide to modern threat actors — is a near-perfect proxy. It comes with its own infrastructure, its own deniability, and a profit motive that conveniently obscures a political one.
The strategic appeal is plausible deniability. A government can apply pressure to an adversary — disrupt a port, a utility, a food supplier — while pointing at "criminals" if anyone asks. The Waterfall 2026 reporting frames it bluntly: the headline decline in ransomware volume hides a pivot toward attacks on critical infrastructure, the kind that cause physical, operational consequences rather than just data loss. The trend is now an official policy concern: the UK's national cyber agency reports that hostile states are behind 75% of attacks on UK critical infrastructure, the same blurring of state and criminal lines we saw with the Salt Typhoon telecom-espionage campaign.
The result is a threat that's harder to categorize and harder to deter, because the usual logic — "they just want money" — no longer fully applies.
🏭 Case in Point: The Sugar Mill That Went Dark
Mackay Sugar is Australia's second-largest sugar producer. On June 10, a ransomware crew called The Gentlemen halted milling and cane haulage at its Farleigh and Racecourse mills — in the middle of crushing season, when the mills run continuously and any pause leaves cane rotting in trucks and fields. More than 1,300 family-owned farms and the surrounding regional supply chain felt it immediately.
What's striking isn't the ransom note; it's the target. A year earlier, The Gentlemen had essentially zero recorded activity. By May 2026 they were one of the most active crews being tracked. Whether or not a government directed this particular attack, it runs the exact playbook this issue is about: hit the operations of an essential supplier, cause real-world pain, and stay deniable. The damage was the disruption.
📉 The Numbers
- +48% — year-over-year rise in ransomware, the highest growth rate Check Point recorded in 2026, even as overall attack volume declined.
- 698 — ransomware attacks Check Point logged worldwide in May 2026 alone.
- June 10, 2026 — The Gentlemen shut down Mackay Sugar's Farleigh and Racecourse mills.
- 1,300+ — family farms disrupted, mid-harvest, by that single attack.
- Critical infrastructure — the sector the 2026 Waterfall report names as the growing target behind the volume "slowdown."
🔍 Three Reasons the Line Is Dissolving
1. Deniability is the whole point.
A nation-state that hits a rival directly risks attribution and retaliation. One that quietly enables a ransomware crew gets the same disruptive effect with a built-in alibi. The crew gets paid; the state gets leverage; everyone can shrug at the press conference.
2. The target moved from data to operations.
Stealing records is lucrative but rarely strategic. Shutting down a sugar mill, a pipeline, or a hospital is. The shift toward operational technology and critical infrastructure is what turns ransomware from an accounting problem into a national-security one.
3. Fewer, bigger, more deliberate.
The drop in raw attack counts isn't good news — it reflects a move away from spray-and-pray toward selective, high-impact operations. A smaller number of carefully chosen targets is exactly what you'd expect when the goal is pressure, not just payout.
🛡️ What This Means for Your Access Layer
Plan for disruption, not just data loss.
If the goal is to stop your operations, backups of your data aren't enough. Test whether you can keep running — or fail safely — when core systems go dark. Tabletop the outage, not just the breach.
Assume the initial access is an identity.
However geopolitical the motive, the way in is usually mundane: stolen credentials, a phished login, an over-privileged account — the bread and butter of social-engineering crews like Scattered Spider. Phishing-resistant, hardware-bound authentication and least-privilege access close the front door these crews rely on, regardless of who's paying them.
Segment so one foothold isn't the whole building.
Operational impact depends on lateral movement. Strong segmentation between IT and OT, and between business units, limits how far a single compromise can travel — which is the difference between an incident and a shutdown.
Know who you'd call.
If an attack might be state-linked, the response involves more than your IR firm. Know your reporting obligations and your government points of contact before you need them.
🔑 The Bottom Line
Ransomware didn't get smaller; it got sharper. The attacks that remain are more targeted, more disruptive, and increasingly aimed at the systems that keep the lights on. Treating ransomware as a purely criminal, purely financial problem misreads where the threat is going. Some of these crews are doing geopolitics for hire — and your infrastructure is the message.
💡 Unlocked Tip of the Week
Ask your team one question this week: "If our operations were deliberately shut down — not for ransom, but to make a point — how long could we run, and how would we recover?" If the plan only covers getting your data back, it's built for the last threat, not this one.
🔥 Final Takeaway
For years, the comforting assumption about ransomware was that the attackers just wanted money — which meant you could, in theory, make the problem go away. That assumption is expiring.
Ransomware up 48% while attacks overall fall. Operations, not just data, in the crosshairs. Criminal crews carrying out objectives that look a lot like statecraft. The motive is murkier, and murkier motives are harder to deter.
The organizations that come through this in better shape won't be the ones with the biggest ransom-payment budget. They'll be the ones who hardened the boring fundamentals — strong identity, tight segmentation, tested resilience — so that a deniable weapon aimed their way hits a wall instead of a switchboard.
The crews changed who they work for. Make sure your defenses don't care.
Stay ready. Stay resilient.
Until next time,
