Ransomware Attacks are on the Rise
Ransomware incidents are accelerating, with more than two-thirds of organizations experiencing an attack over the past year; over a quarter were targeted multiple times. In the U.S., breaches have increased by one-third, particularly among large enterprises, though smaller companies are also vulnerable to widespread ransomware attacks. Certain sectors are witnessing sharper increases: the U.S. IT and Telecommunications industry saw a 65% rise, while the retail and leisure sectors experienced a 57% spike. Half of healthcare organizations reported being affected, largely due to their significant amounts of sensitive data and minimal tolerance for downtime.
The surge can be traced back to credential theft, present in nearly a third of breaches according to Verizon’s 2025 DBIR. Additionally, Ransomware-as-a-Service (RaaS) is democratizing attack capabilities across various sectors, including tech and manufacturing. Initial Access Brokers (IABs) are widening the risk landscape by selling verified access to compromised systems, allowing buyers to assess credentials beforehand. Privileged accounts linked to identity systems like Active Directory remain primary targets. In a shift, 60% of ransomware victims experienced data breaches, and 85% faced threats of data publication or resale, indicating that backups alone are no longer sufficient.
The Hidden Costs of Ransomware
Almost half of ransomware victims took between one and six days to recover, with three-quarters facing a recovery period stretching to two weeks. Only a few were able to bounce back in under 24 hours, having identified the threat early on, before encryption or exfiltration occurred. The impact of ransomware extends beyond IT; for example, a June 2024 attack on NHS supplier Synnovis resulted in postponed procedures and urgent blood donation requests, with systems remaining down for months. Companies like Marks & Spencer and Co-op also faced significant service disruptions, whereas more severe incidents, like the June 2023 breach affecting KNP Logistics Group, can lead to job losses and business closures. The ripple effects include decreased profits, lost opportunities, reputational damage, and increased pressure on leadership.
Increasingly, executives recognize the urgency of ransomware threats, with 90% expressing concern, particularly among U.S. leaders in large enterprises. Cyber insurance is becoming part of many organizations’ responses; four out of five firms are now covered, with smaller companies gradually improving their insurance status. Notably, insurance providers are incentivizing organizations to enhance their security practices before issuing coverage, thereby elevating overall standards.
Proactive Prevention Over Reactive Responses
How are organizations addressing these escalating threats? Approximately 90% report having incident response plans—an increase particularly notable among small businesses, where readiness jumped from 60% to 79% in the past year. While this reflects progress, merely having a response plan is not adequate. The primary prevention strategies implemented last year included system patching, data backups, password best practices, and application control, with significant adoption in the U.S. However, these measures alone are insufficient to close the security gap, created by remote work, cloud proliferation, IoT devices, and AI advancements, all providing attackers with more entry points than defenders can manage.
A key defensive strategy, the principle of least privilege, remains underutilized, enforced by only one in three organizations despite its potential to limit lateral movement and restrict access to sensitive systems. When incorporated with strong Identity and Access Management (IAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), and AI-driven analytics, least privilege is a crucial element of any Zero Trust strategy. Achieving this requires maturity, including clear role definitions, regular access audits, and ongoing oversight with tools like Cloud Infrastructure Entitlement Management (CIEM) and Identity Threat Detection and Response (ITDR).
The Dual Role of AI in Ransomware
The threat landscape is evolving rapidly, with AI now playing a significant role in accelerating ransomware activities. Groups like FunkSec are already utilizing generative AI to create malware. In the near future, attackers may leverage AI to generate phishing messages that mimic the tone of clients or employees, create fake login pages, or produce deepfake content for social engineering. Delinea’s report highlights the emergence of agentic AI capable of navigating entire attack chains—from reconnaissance to exfiltration—with minimal human input, which could entail accelerated breaches, shorter kill chains, and fewer chances to intervene.
The silver lining? Defenders are also harnessing AI. An overwhelming 90% of security teams are implementing AI, particularly in Security Operations Centers (SOCs), to combat alert fatigue and expedite incident response. AI aids in analyzing indicators of compromise across extensive datasets, flagging anomalies, and assisting in phishing defenses by scrutinizing emails, links, and attachments for suspicious activity.
