AI becomes key player in enterprise ransomware defense

Ransomware breaches continue to rise even as fewer victims pay, according to a Delinea report.

69% of organizations globally have fallen victim to ransomware, with 27% being hit more than once. While only 57% of organizations paid ransoms, down from 76% in 2024, the frequency and impact of attacks continued to grow as threat actors turned to other tactics like extortion, with 85% of ransomware victims threatened with exposure.

Paying the ransom doesn’t always bring the desired results. About one in four respondents who paid a ransom said they didn’t get all their data back, rising to one in three in the UK. Even if they do, it’s likely that their adversaries will still try to monetize that data.

“Ransomware has evolved into a shape-shifting, AI-enabled threat that no business can afford to underestimate,” said Art Gilliland, CEO at Delinea. “In order to combat the sophistication of today’s attacks, organizations must fight AI with AI and embrace proactive, identity security strategies like zero trust architecture, Privileged Access Management, and continuous credential monitoring to stay ahead.”

Organizations still falling short on essential security practices

Despite 90% of executives expressing concern over ransomware threats, many organizations continue to fall short in essential security practices, with only 34% enforcing least privilege access controls and just 57% implementing application control measures.

Most victims reported extended recovery times, with 75% taking up to two weeks to fully restore operations. Only 18% of victims recovered within 24 hours.

The number of respondents with incident response plans in place is 90% on average, which is reassuringly high even if the figure hasn’t moved much from the previous year. It’s also notable that the smallest companies (with fewer than 50 employees) recorded the most significant increase in incident response: from 60% to 79% over the course of a year.

However, a more effective strategy is to focus on prevention—because once data has been stolen, it will most likely be monetized by threat actors. The top four preventative measures taken by respondents last year are:

• Regularly update systems and software
• Back up critical data
• Enforce password best practices
• Implement application control

AI accelerates both attacks and defense

Researchers believe that threat actors will use GenAI in the future to mimic the writing style of employees, clients and suppliers, in order to increase the success rate for phishing attacks.

They could also generate unique phishing sites that impersonate an organization’s brand, use deepfake audio or video to impersonate trusted colleagues and trick employees into downloading malware.

At the same time, defenders are increasingly relying on AI to detect and respond to threats faster, with 90% of organizations now using AI in their ransomware defense strategies – primarily within Security Operations Centres (64%), for analysing Indicators of Compromise (62%), and to prevent phishing (51%).

Stolen credentials continue to be a primary factor in data breaches. They don’t just help threat actors gain initial access to corporate networks, but also escalate privileges and move laterally to cause maximum damage. It’s one of many reasons why ransomware breaches are on the rise.