Key Takeaways

  • FBI Assistant Director Chad Yarbrough identifies ransomware as the single most pervasive danger to critical infrastructure sectors.
  • While ransomware dominates headlines, cyber-enabled fraud is responsible for the overwhelming majority—83%—of all reported financial losses.
  • The data indicates a split threat landscape: operational disruption comes from malware, but financial extraction comes largely from fraud and social engineering.

“The most pervasive threat to critical infrastructure.” That is the specific, heavy label Chad Yarbrough recently applied to ransomware.

For those in the B2B space, particularly in sectors like manufacturing, energy, and logistics, this assessment from the FBI’s Assistant Director of the Criminal Investigative Division validates what security teams have felt for years. The operational risk of having systems locked down is the primary nightmare for anyone managing physical assets.

And yet, if you follow the money, the story changes completely.

While ransomware captures the visceral fear of a shutdown, Yarbrough highlighted a statistic that paints a different picture of the financial landscape: cyber-enabled fraud overall accounted for 83% of all reported losses. It’s a staggering gap. It suggests that while we are busy watching the front door for encryption attacks, the vast majority of capital is quietly slipping out the back window through wire transfers and spoofed invoices.

The Noise vs. The Numbers

It’s a small detail, but it tells you a lot about how the threat landscape is bifurcated. We have one category of threat that attacks the function of a business, and another that attacks the funds.

Yarbrough’s classification of ransomware as the "most pervasive threat to critical infrastructure" speaks to the unique nature of that crime. It isn't just about theft; it’s about denial of service. For critical infrastructure, uptime isn't a KPI—it’s a public safety requirement. When a pipeline, a hospital, or a power grid gets hit, the pervasive nature of the threat isn't measured in dollars alone, but in societal impact.

Ransomware groups have evolved into persistent, dug-in adversaries. They don't just scramble data; they dismantle the trust required to operate complex machinery. That is why the FBI flags it as the top infrastructure threat. It breaks things.

However, the 83% figure regarding cyber-enabled fraud acts as a necessary counterweight to the ransomware narrative. If ransomware is the loudest threat, fraud is the most efficient.

The Silent 83 Percent

What does that mean for teams already struggling with budget allocation? It creates a difficult tension. Security leaders often secure funding based on the fear of a ransomware headline. Yet the data suggests that the large majority of reported monetary loss comes from fraud, through tactics that often require less technical sophistication and more psychological manipulation.

Cyber-enabled fraud includes categories like Business Email Compromise (BEC), investment scams, and vendor impersonation. These attacks don't necessarily trip the intrusion detection systems designed to stop a ransomware payload. They ride on legitimate communication rails.

If 83% of losses are tied to fraud, it implies that the defense against financial drain isn't purely technical. It’s procedural. It’s about verification steps in the finance department rather than just endpoint protection in the server room.

A War on Two Fronts

Yarbrough’s comments illustrate that modern organizations are fighting two distinct wars simultaneously.

On one side, you have the infrastructure battle. This is where the ransomware fight happens. It requires immutable backups, network segmentation, and rapid incident response plans. The goal here is resilience—how fast can you get the lights back on? The FBI’s focus on this as a "pervasive threat" underlines that for critical sectors, this is an existential risk.

On the other side, you have the fraud battle. This is where the 83% lives. The adversary here isn't trying to shut you down; they want you to stay open so you can process their fraudulent wire request.

That’s where it gets tricky.

Defense against ransomware is often invisible to the average employee until something breaks. Defense against fraud, however, requires active employee participation. It demands that a junior accountant question an urgent email from the CFO. It requires a procurement officer to double-check a routing number change from a long-time supplier.

Balancing the B2B Response

The disparity between the "pervasive threat" of ransomware and the 83% loss volume of fraud challenges the traditional "castle-and-moat" security strategy.

For business leaders, Yarbrough’s distinction serves as a reminder that risk cannot be treated as a monolith. You cannot solve the fraud problem with the same tools you use to solve the ransomware problem.

Ransomware is a technical failure; fraud is often a process failure.

When the FBI points out that the vast majority of losses come from fraud, it is signaling that the criminals are rational economic actors. Ransomware is high-effort and high-risk. Developing a locker, negotiating a ransom, and laundering the crypto add up to a heavy lift. Fraud, by comparison, is often low-tech and high-yield.

This doesn't mean we should stop worrying about ransomware. Far from it. As Yarbrough noted, for critical infrastructure, it remains the top dog. A power plant losing $50,000 to fraud is an annoyance; a power plant shutting down for three days is a catastrophe. The impact of ransomware goes beyond the balance sheet.

But for the average B2B enterprise—software companies, logistics firms, professional services—the 83% statistic is a warning shot. It suggests that while your IT team is patching vulnerabilities to stop the "pervasive threat," your finance team might be the actual target of the campaign.

The takeaway from the FBI’s perspective is clear: We have to stop treating these as the same problem. We need hard barriers for the infrastructure attacks and rigorous human verification for the fraud. If you only build walls for one, you’re leaving the other gate wide open.