
Ransomware's New Era: Moving at AI Speed

Dark Reading, archived Mar 24, 2026

Threat actors bypass security tools and use AI to launch faster ransomware attacks that exploit valid credentials and target data

Arielle Waldman, Features Writer, Dark Reading
March 23, 2026

Data source: Halcyon

Ransomware is not only growing; threat actors are accelerating the pace of their attacks by using offensive tools to exploit valid credentials and hit targets with speed and precision.

The practice has undergone big changes over the past five years. Initially, attacks focused on encrypting data; now, threat actors threaten to extract it to pressure victims into paying. Double-extortion tactics quickly shifted to triple-extortion threats to expose stolen data. Threat actors also transitioned from extorting companies to contacting victims directly — whatever it takes to rake in the cash.

The latest shift is all about speed. Ransomware actors discovered methods to bypass endpoint detection and response (EDR) tools, and they're increasingly using artificial intelligence (AI) to steal data more quickly.

Halcyon's 2026 Method Survey Report revealed that while 98% of organizations use EDR for ransomware defense, only 25% "actually trust it to defend against today's evolving ransomware threat." Additionally, 78% of surveyed participants said AI made ransomware attacks more effective. Conversely, only 6% believe the tools have improved their own defenses.

Over the past 18 to 20 months, the prevalence of ransomware has increased, and attack quality, unfortunately, has also improved, warns Mick Coady, field CTO of Elisity Cybersecurity.
As a former head of cybersecurity for hospitals, he's observed that bypassing or evading EDR tools is one evolving tactic. Attackers know that medical devices, especially those over five years old, can't be protected by EDRs, so they target them rather than patchable IT devices.

"At the end of the day, I think the sophistication has been more about them getting new angles of attack," Coady says.

Living-Off-the-Land Techniques Continue

Arctic Wolf found similar trends in its 2026 Threat Report: ransomware accounted for 44% of its incident response (IR) cases last year, and threat actors are operating at "increased speed and specialization." The report went on to say that threat actors adapted to organizations' defenses by using automation to compress the kill chain and bypassed controls "by logging in, not breaking in."

That is the most striking shift from the recent year, says Kerri Shafer-Page, vice president of digital forensics and IR at Arctic Wolf. Threat actors are still getting in through the perimeter by exploiting vulnerabilities in firewalls and virtual private networks, but they're also using valid credentials, she adds.

"It's challenging to keep the employee base educated," Shafer-Page tells Dark Reading. "It has to be a drumbeat because of attackers' sophistication."

Access management contributes to major hygiene issues, Shafer-Page observes. Too many individuals within a company hold over-privileged identities, and once threat actors gain that privileged access, they "break all the store windows" as they move laterally to "take everything out and quickly leave."

The use of offensive security tools is one of the biggest shifts for ransomware gangs, agrees Will Thomas, senior threat intelligence advisor at Team Cymru.
However, it stems from a good news, bad news scenario: over the last five years, many malware families that delivered ransomware, such as Emotet, Trickbot, and IcedID, have become obsolete following a series of takedowns. That forced ransomware groups to adopt something that they can deploy themselves, explains Thomas.

Many of the initial access vectors for ransomware have shifted from malware loaders and botnets to exploiting devices, phishing, brute-force attacks, and even infostealing.

"Infostealers just need one infection, and you get the credentials and log in, compared to loader botnets that need to maintain persistence and to remain undetected," Thomas says. "If you can just get credentials, then you can just log in."

AI Is Leading to Higher Quality Attacks

As companies race to adopt AI, so do attackers. It's improving ransomware capabilities, primarily around intelligence gathering. Arctic Wolf noticed threat actors using AI to conduct vulnerability and general research on victim organizations.

Attackers are leveraging AI in two primary ways: scaling and automation, and high-fidelity social engineering tactics, says Matt Hull, vice president of cyber intelligence and response at NCC Group. These advanced tactics are "fundamentally changing the risk profiles for enterprise," he warns. NCC Group recorded a "staggering" 50% year-on-year increase in global ransomware attacks in 2025. AI-advanced tooling and automation frameworks have effectively lowered the barrier to entry for cybercrime, adds Hull. Now, less technical threat actors can conduct sophisticated ransomware campaigns at scale.

NCC Group also saw a rise in real-time deepfake vishing, which attackers use to successfully bypass traditional verification protocols by impersonating the voices of trusted executives or colleagues.

What Does it Look Like on the Defensive Side?

Organizations are struggling to defend against the latest evolution of ransomware. That's in part due to an increasingly decentralized ecosystem, says Thomas.

What used to be a handful of larger loader botnets and ransomware-as-a-service campaigns is extending exponentially. Previously, five or 10 large players dominated the landscape, but now there are many rebrands and spinoffs, and actors using leaked ransomware builders, warns Thomas.

"It's scary how simple it can be because all these tools and guides are available out there," he says.

The complete reconfiguration of the threat actor hierarchy and their delivery vectors is the most "defining shift of 2025," says Hull. Law enforcement actions knocked LockBit 3.0, the most prolific threat actor, off the top charts, and Qilin emerged as the "apex predator", he adds.

Qilin's prominent reputation is drawing attention – and impersonators. Arctic Wolf experienced it firsthand while handling an IR case. The security company became suspicious when demand patterns deviated from usual Qilin activity, and negotiators realized the ransomware group they were communicating with was only posing as the infamous gang. The impostors had somehow gotten into Qilin's leak site and posted the company's name to extort it, Shafer-Page reveals.

"When we followed through with that actual threat group who owned all of that territory, they were like: 'We don't know what you're talking about. We have no issue with that client.' And they removed them from their leak site," she says.

To address ransomware's ongoing evolution, she urges victim organizations to be upfront and transparent with CISOs and the board. That means having meaningful conversations with the people who control the budgets.

Additionally, all companies, regardless of size, should have a clear picture of where their data is. For smaller IT shops, it's important to control access management, adds Shafer-Page.
It's increasingly important to take steps to combat ransomware, since it doesn't seem to be going anywhere. Threat actors will exploit ongoing hygiene issues and insufficient access management protocols to launch attacks.

And it will only continue to evolve, particularly on the data extortion side, which will see a rise, anticipates Shafer-Page.

"When you and I talk to each other again next year, I'll start with the same thing: 'Yes, ransomware is Number One'," she says.

About the Author

Arielle Waldman, Features Writer, Dark Reading. Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.