Louis Zezeran
26 Dec 2025
The year-end “in-between” week can feel like a pause: inbox quieter, meetings lighter, everyone half-powered by leftovers and holiday coffee. But for cybersecurity teams, the threat landscape doesn’t take a break. That’s why this special CyberCast episode matters—because it’s not just a look back at the year that was, it’s also a reset for what comes next.
In this episode, NEVERHACK’s CyberCast expands its on-air team. Ronnie hands the mic to three additional hosts—Anett Numa, Britta, and Louis—each bringing a different lens on cybersecurity: public sector and defense perspectives, threat intelligence grounded in real attacker behavior, and a “translator” mindset that bridges technical topics with leadership and business realities.
What follows is a lively roundtable that does two things very well:
- it turns big, abstract security themes into concrete lessons you can apply, and
- it sets a clear agenda for 2026—what organizations should pay attention to, and where attackers are already moving.
A new CyberCast team, a wider range of angles
The episode begins by introducing the new voices and what they’ll cover in future shows. Anett Numa joins from a public sector background, including years working in Estonian government roles tied to national security and international cooperation. Her goal on CyberCast is to connect the dots between policy, defense, and real-world cyber readiness—bringing in guests from government, military, and public sector circles, plus case studies that help organizations understand what “preparedness” actually looks like.
Britta’s angle is hands-on and adversary-focused. With experience in a Security Operations Center role and now in cyber threat intelligence, she lives close to the “bad guys doing bad stuff on the internet,” translating evolving tactics into what defenders need to do differently. This perspective is especially valuable for smaller organizations that don’t have time to track every new campaign, vulnerability, or threat actor trend.
Louis brings a different kind of expertise: building world-class talent in a creative industry, leadership consulting informed by elite military operators, and the ability to communicate technical security value in plain language. That mix is ideal for podcast conversations with vendors, partners, and guests who don’t fit neatly into one specialty bucket—but still influence how organizations buy, deploy, and operate security.
The result: CyberCast evolves from a single-host show into a broader platform that can cover governance, operational defense, threat intelligence, industry trends, and the human side of security.
The Cinamon cinemas ransomware incident: a “local” story with universal lessons
The first big topic grounds the episode in a real Estonian case: the ransomware attack affecting Cinamon cinemas. It’s a strong example because it highlights what ransomware is really about in practice—not just “systems got encrypted,” but what fails, what survives, and how operations continue.
A key insight from the discussion: not everything was impacted equally. The entertainment/projection systems were still running, while administrative and ticketing systems were locked—and critically, backups were also affected. That detail turns this from a generic ransomware story into a clear operational lesson: if your backups can be encrypted, then functionally you may not have backups at all. Air-gapping, immutability, and separation aren’t optional “best practices”; they’re the difference between a bad week and an existential rebuild.
The team also highlights a surprisingly hopeful part of the incident response: Cinamon communicated openly. Many organizations go silent after a ransomware event, but Cinamon publicly acknowledged the situation and worked with local support resources. The discussion frames transparency as a strategic decision—not just PR. Sharing what happened (and, importantly, what you’re changing afterward) helps customers, partners, and the broader ecosystem learn and improve.
Another point worth sitting with: business continuity isn’t always “all or nothing.” Cinamon could still operate in an old-school, manual mode because some systems weren’t tied together. That prompts a practical question for listeners: if your laptops and servers were suddenly unavailable, could you still deliver your core service, even in a degraded way? If the answer is “no,” that doesn’t mean you’re doomed; it means you need a continuity plan that acknowledges what’s truly critical, what can be manual, and what must be resilient by design.
The conversation also touches the classic ransom dilemma: do you pay? Cinamon reportedly refused. The episode balances the emotional and financial logic (“principle” vs. cost of rebuilding) with a security reality: paying doesn’t guarantee recovery. Attackers aren’t a trusted vendor. Even if you transfer funds, there’s no certainty you’ll get working decryption keys or that the attacker hasn’t left further access behind.
Ransomware is up—yet payouts are pressured
From a threat intelligence perspective, the team’s read is clear: ransomware activity is rising. At the same time, there are signs that payouts are under pressure. The episode points to initiatives like “No More Ransom,” which provides decryption tools for certain ransomware families—helpful but not guaranteed.
The deeper takeaway isn’t a statistic; it’s a mindset shift: ransomware is increasingly an “SMB problem,” not because SMBs are careless, but because attackers optimize for return on effort. Well-defended big targets are harder, slower, and riskier. Smaller organizations—cinemas, manufacturers, service firms—can become “low hanging fruit” when patching lags, backups aren’t protected, and visibility is weak.
AI-driven attacks: lower cost, higher speed, and new defensive blind spots
One of the most thought-provoking sections is the roundtable on AI. The team avoids simple hype and gets into what AI changes structurally: it reduces the cost of experimentation for attackers. Even without deep expertise, a threat actor can use AI to draft scripts, modify tooling, and iterate faster. The code might be messy, but “messy and effective” is still effective.
But the episode doesn’t stop at “AI helps attackers.” It explores a less obvious risk: AI inside the defender’s environment can become a new asset attackers want. If an organization uses AI or LLM-like tooling to analyze logs and security telemetry, that system may contain a consolidated view of how the environment works—data flows, system behavior, suspicious events, and investigative context. If an attacker laterally moves and gains access to that tool, they can learn your environment faster than ever.
There’s also a practical concern raised: data handling and the “black box” nature of AI. Organizations often don’t fully understand where data is stored, how it’s processed, or what secondary exposure it creates—especially if the AI capability relies on external services. Even when AI is used for “good,” security leaders need to treat it like any other sensitive system: define data boundaries, control access, log usage, and plan for compromise scenarios.
The tone stays human and grounded—there’s humor, curiosity, and the reality that AI is now embedded in how people work (“vibe coding,” faster workflows, different tradeoffs between writing algorithms vs. pushing tasks to models). The implicit lesson is important: AI adoption is happening whether policies keep up or not—so governance must catch up quickly.
Cyber threat intelligence: not just alerts—focus, prioritization, and “headlights”
As the conversation shifts toward 2026, cyber threat intelligence (CTI) becomes a key theme. Britta makes the point that CTI isn’t only about urgent warnings; it’s about helping organizations prioritize limited resources. You can’t protect everything equally at all times. CTI helps you focus on what threat actors are actually doing now—so patching, monitoring, and controls align with real adversary behavior.
The team breaks CTI value into layers:
- Tactical: immediate threats, emerging campaigns, “what’s happening this week.”
- Strategic: trends by industry, what attackers typically do to organizations like yours.
- Operational: decisions about expansion, risk in new regions, and understanding exposure and vulnerabilities as infrastructure changes.
A practical, business-facing framing appears too: compare CTI and security controls to the cost of downtime. What does one day of outage cost you? That question turns “security spend” from a vague expense into a concrete business risk conversation.
Exercises and war-gaming: “train as you fight”
Anett tees up a powerful thread for next year’s episodes: cyber exercises, including NATO CCDCOE’s Locked Shields (mentioned as a major annual exercise hosted from Estonia). The point isn’t just that exercises are impressive—it’s why they matter. Training needs to be realistic, stress-tested, and connected to how real incidents unfold.
The episode also raises an important question that many organizations get wrong: do we actually adapt policies and plans based on exercise outcomes, or do we treat exercises as theater? Doing a tabletop is easy. Changing budget priorities, updating escalation paths, improving backups, fixing patch cycles, and rebuilding weak vendor dependencies—that’s harder. Exercises are valuable only when lessons turn into structural improvements.
What the team is watching for 2026: sovereignty, supply chain, and basics done well
In the final wrap-up, each host shares what they’re focused on next year:
- Cloud / technology sovereignty: where data lives, who controls infrastructure, and how geopolitical realities shape security and procurement.
- Higher expectations: customers, citizens, and investors demanding stronger cybersecurity as part of trust—not an optional add-on.
- War-gaming and cyber hygiene: more scenario planning, and a return to basics like patching—because many attacks remain preventable.
- Supply chain and third-party risk: trusted partners becoming the pathway in—whether through phishing, compromised vendors, or dependency-level attacks.
- AI “chaos” and acceleration: more systems becoming AI-integrated, more automation on both sides, and a fast-moving shift in how tools talk to each other.
It’s a balanced outlook: some big structural forces (sovereignty, supply chain), some operational disciplines (exercises, incident readiness), and some fundamentals (patching, hygiene) that still determine outcomes.
Why you should listen
This episode is worth your time if you’re responsible for a business, IT, security, or risk function—and especially if you operate in a smaller organization that suspects it’s “too small to be targeted.” The Cinamon ransomware story alone is a reminder that attackers don’t need a Fortune 500 victim; they just need an easy path to disruption or payment.
More than that, the episode makes cybersecurity feel actionable. It’s not a doom-and-gloom lecture. It’s a candid conversation about what happened, why it matters, and what you can do next—whether that’s tightening backup strategy, taking AI governance seriously, investing in CTI to prioritize effort, or running exercises that lead to real operational change.
Listen now to meet the expanded CyberCast team and get a clear, practical set of takeaways to start 2026 stronger.
If you enjoy the episode, subscribe so you don’t miss the upcoming deep dives (including CTI-focused episodes and public-sector / defense perspectives).
If you want to reach the team, the episode shares contact options including email and LinkedIn outreach.