British carmaker Jaguar Land Rover (JLR) was forced to halt production at some of its sites this week after admitting its IT systems had been “severely disrupted” by a cyber-attack.

JLR said it had taken “immediate action to mitigate” the impact and shut down systems, although it stressed there was no evidence that customer data had been stolen.

A group of English-speaking hackers, linked to the attack on Marks & Spencer earlier this year, claimed responsibility on Telegram. According to reports, the gang posted a screenshot of what appeared to be JLR’s internal systems alongside a news report of the disruption.

The group combined three well-known collectives: Scattered Spider, Lapsus$, and ShinyHunters – gangs that have repeatedly targeted Western businesses.

Scattered Spider, a loose network of teenage and twentysomething hackers, has already been blamed for attacks on M&S, Co-op and Harrods in 2025. Four people, including three teenagers, were arrested in the UK in July as part of investigations into those breaches.

A spokesperson for JLR said: “We are aware of the claims relating to the recent cyber incident and we are continuing to actively investigate.”

But how does the JLR hack highlight the changing nature of ransom activity? According to industry experts, ransomware gangs have shifted from professionalised Russian-speaking crime syndicates to looser, more unpredictable English-speaking collectives.

“Right now you’ve got two worlds: the traditional Russian organised crime groups, and then Scattered Spider and the broader ‘com’ groups,” said Chris Yule, director of threat research at Sophos. “Scattered Spider isn’t a single group, but more a loose collective.”

While recent arrests initially slowed activity, Yule, speaking at Black Hat in Las Vegas in August, warned that the lull may be temporary. “They went quiet after the MGM incident, too, then resurfaced.”

Gamifying attacks

The FBI describes “the com” as thousands of young adults and even minors organised into subgroups such as “Hacker Com” and “IRL Com.” What troubles researchers is less the money than the mindset.

“These aren’t financially motivated gangs in the traditional sense,” Yule said. “They make money, but they’re not living lavish lifestyles. Instead, they gamify it, competing to one-up each other. That makes it much harder for law enforcement to disincentivise them.”

The new groups rely on manipulating people as much as breaking code. “From a cyber perspective, the big lesson has been around social engineering,” said Yule.

“Many organisations have had to tighten processes. At Sophos, for example, we now require Teams calls with cameras and photo ID checks before resetting MFA or passwords. You can’t just phone up pretending to be someone anymore.”

Yet attackers continue to innovate. With deepfake tools, voices and video can be convincingly faked with as little as 30 seconds of recorded audio.

These tricks undermine safeguards and exploit what Sophos’ principal security consultant Eric Escobar describes as the “natural helpfulness” of employees.

The AI multiplier

Artificial intelligence is intensifying the problem. Danny Jenkins, chief executive of Threatlocker, argued that the attack surface itself has not changed, but the number of potential attackers has.

“In 2020, maybe a couple of million people worldwide had the skills. Today, thanks to AI, billions of people could potentially create malware, even without coding experience,” he said.

“It’s like locks on doors: if only a locksmith can pick a lock, you’re relatively safe. If everyone on your street can pick a lock, you need a stronger lock.”

AI makes phishing messages more persuasive and malware creation accessible to non-technical actors. “Criminals often underestimate how traceable they are,” Jenkins added. “A lack of understanding, combined with financial desperation, makes them reckless.”

For Jenkins, resilience depends on practical steps rather than over-reliance on technology: “Stop trusting unknown software. Close down open network ports. Limit what applications can do.”

“Do those three things, and it becomes much harder for attackers to succeed. And because criminals are generally lazy, they’ll likely move on to an easier target.”

Fragmentation and collaboration

At the same time, and not restricted to groups within ‘the com’, the ransomware ecosystem is fragmenting while remaining highly collaborative. “Nation-state actors often let hacktivists do the public-facing work,” said Kerri Shafer-Page, vice-president of incident response at Arctic Wolf. “That way, the hacktivists get the spotlight while the state keeps its hands clean.”

She likens the shifting alliances to “high school cliques.”

“They work together, steal each other’s playbooks, fight, break up, and then re-use or improve the same tactics.”

“Members often move between groups, carrying their knowledge with them, whether that’s effective malware, proven extortion methods, or successful targeting strategies. It’s like an ‘Amazon of the dark web.’”

Smaller groups are emerging, often mimicking the big players. “We’re also seeing the rise of smaller groups, similar to pyramid schemes,” Shafer-Page said. “They learn from larger, well-known actors, use discarded tools, and demand a cut of extortion payments.”

Paying the price

Ransomware remains profitable: “Around 76% of victims end up paying,” according to Arctic Wolf’s research. Shafer-Page’s team negotiates with attackers not on moral grounds, but to buy time or reduce extortion demands.

But the practice is debatable. Yule argued that outright bans, such as those considered in the UK public sector, are problematic. “In theory, if attackers know victims can’t pay, it reduces incentives.”

“But in reality, ransomware is mostly opportunistic. Sometimes organisations simply have no choice but to pay to survive. Strict bans may complicate things more than they help.”

Australia, meanwhile, has mandated reporting of ransom payments, a model Yule believes could shed more light on the true scale of attacks. “At the moment we only see what’s listed on leak sites, which is a fraction of the picture,” he said.
