Academic researchers are developing LLM-based tools that analyze historical ransomware victim data and adversary behavior profiles to predict which organizations attackers will target next. While still early, this approach could shift cybersecurity from reactive defense toward proactive risk prioritization.
About two-thirds of organizations experienced ransomware attacks in 2023, according to a recent study drawing on Sophos data. That number now reads like a warning many organizations failed to heed. Today, as ransomware groups grow more structured and selective, researchers are asking a different question: not just who got hit, but who will get hit next.
The Shift Toward Predictive Ransomware Risk Modeling
Most cybersecurity teams still operate reactively. An attack lands, they respond, they patch, they move on. But a growing body of academic research suggests there is a better way. Instead of waiting for ransomware to knock, analysts can study the patterns of past attacks to forecast future ones.
A 2025 paper by Spencer Massengale and Philip Huff proposes using large language models to assess and prioritize ransomware risk for specific organizations. The idea is straightforward: feed the model public victim disclosure data alongside structured adversary profiles, and it identifies which threat groups are most likely to target a given entity.
This is not guesswork. It is pattern recognition applied to real breach data, scaled by LLMs that can process thousands of disclosures faster than any human analyst could manually review.
How the Prediction Models Actually Work
The approach relies on two key inputs. First, historical victim data drawn from public breach disclosures, sector information, and organizational characteristics. Second, SKRAM adversary profiles, a framework that captures each group's Skills, Knowledge, Resources, Authorities, and Motivation. These profiles are built from ransomware bulletins, threat reports, and news items.
By cross-referencing these inputs, the model builds a risk portrait for an organization. It does not just flag general risk. It names specific groups that, based on their historical targeting patterns, pose the most probable threat to a given organizational profile.
The researchers also developed a heuristic for generating synthetic victim data, which helps fill gaps where real disclosure data is sparse. This enrichment step makes the model more robust, especially for sectors that may not report breaches as publicly.
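The cross-referencing step can be illustrated with a much simpler stand-in. The following is an added example, not code from the paper: it ranks groups against an organization's profile with a smoothed naive Bayes count over victim records, covering only the victim-data input and not the LLM or the SKRAM profiles. The records are constructed, and the group names, attribute fields, and function names are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample disclosures: (group, sector, region, size).
# Group names are hypothetical placeholders, not real threat actors.
VICTIMS = [
    ("GroupA", "healthcare", "US", "large"),
    ("GroupA", "healthcare", "US", "medium"),
    ("GroupA", "education", "US", "medium"),
    ("GroupB", "manufacturing", "EU", "large"),
    ("GroupB", "manufacturing", "US", "large"),
    ("GroupB", "healthcare", "EU", "large"),
    ("GroupC", "education", "US", "small"),
    ("GroupC", "government", "US", "small"),
]
FIELDS = ("sector", "region", "size")  # assumed organizational attributes

def fit(victims):
    """Count victims per group and attribute values per (group, field)."""
    totals = Counter()
    counts = defaultdict(Counter)  # (group, field) -> value counts
    values = defaultdict(set)      # field -> distinct values seen
    for group, *attrs in victims:
        totals[group] += 1
        for field, value in zip(FIELDS, attrs):
            counts[(group, field)][value] += 1
            values[field].add(value)
    return totals, counts, values

def rank_groups(org, victims=VICTIMS, alpha=1.0):
    """Return [(group, probability)] sorted from most to least likely.

    alpha is Laplace smoothing, so a group with no recorded victim in the
    organization's sector still receives a small non-zero score.
    """
    totals, counts, values = fit(victims)
    n = sum(totals.values())
    scores = {}
    for group, total in totals.items():
        p = total / n  # prior: the group's share of all disclosures
        for field in FIELDS:
            k = len(values[field] | {org[field]})  # include unseen values
            seen = counts[(group, field)][org[field]]
            p *= (seen + alpha) / (total + alpha * k)
        scores[group] = p
    z = sum(scores.values())
    return sorted(((g, s / z) for g, s in scores.items()), key=lambda x: -x[1])
```

With sparse disclosure data the smoothing term dominates the result, which is the gap the synthetic victim data described above is meant to fill.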
Why Certain Sectors Keep Appearing in the Crosshairs
Healthcare remains a consistent target. In 2024, Ascension, one of the largest healthcare providers in the U.S., suffered a ransomware attack that disrupted clinical operations across its network. That kind of incident does not happen because healthcare organizations have worse security on average. It happens because the data they hold is uniquely valuable, and the pressure to restore operations is uniquely intense.
Predictive models account for exactly this logic. They weigh not just technical vulnerability but also the motivational factors that drive adversary selection, which is precisely what SKRAM profiles are designed to capture.
What This Means for Cybersecurity Strategy
If researchers can reliably forecast which organizations ransomware groups will target, the implications are significant. Security budgets could be allocated based on calculated risk rather than vague threat assessments. Organizations could preemptively harden the specific attack vectors that their most likely adversaries prefer.
But there are real limits to what we know right now. The research is still academic, and the paper does not specify exact prediction accuracy rates, false positive rates, or how these models perform when adversary behavior shifts suddenly. Public industry reports covering 2026 targeting trends are not yet available either.
What is clear is that the direction of travel points toward intelligence-driven, predictive defense. The question is how quickly organizations will adopt these approaches before the next wave of attacks arrives.
So here is a question worth sitting with: if a model told you tomorrow that your organization matched the exact profile of a ransomware group's next batch of targets, would your leadership treat that as an urgent problem or an interesting data point?