AI-powered ransomware surge despite fewer ransoms paid

A new report from Delinea highlights that 69% of organisations worldwide have suffered a ransomware breach in the past year, with attackers increasingly leveraging artificial intelligence in their operations.

The 2025 State of Ransomware Report, based on insights from more than 1,000 IT and security leaders across the globe, draws attention to a rapidly changing threat environment where both the frequency and severity of ransomware attacks have risen, despite a decline in the proportion of victims paying ransom demands.

Delinea's research shows that 27% of organisations were targeted more than once, while cybercriminals are now increasingly adopting AI to automate attacks, conduct phishing campaigns, impersonate legitimate contacts through deepfakes, and escalate the overall pace of their operations.

The report indicates that a falling number of organisations – 57%, compared with 76% in 2024 – chose to pay ransoms. However, attack methods are diversifying, with 85% of ransomware victims facing threatened data exposure rather than purely demands for payment.

"Ransomware has evolved into a shape-shifting, AI-enabled threat that no business can afford to underestimate. In order to combat the sophistication of today's attacks, organisations must fight AI with AI and embrace proactive, identity security strategies like zero trust architecture, Privileged Access Management, and continuous credential monitoring to stay ahead," Art Gilliland, Chief Executive Officer at Delinea, commented.

The increased use of artificial intelligence is not limited to criminal actors. The report observes that organisations are adapting to the evolving risk by deploying AI-powered defences. According to the findings, 90% of organisations now incorporate AI into their strategies to counter ransomware, mainly using these technologies within Security Operations Centres (64%), to analyse Indicators of Compromise (62%), and to defend against phishing attacks (51%).

Despite these efforts and high levels of executive concern – with nine in ten business leaders expressing significant worry about ransomware threats – critical gaps in cybersecurity practices remain. Only 34% of respondents reported enforcing least privilege access controls, which restrict user access rights to the minimum necessary. Meanwhile, just 57% of those surveyed had adopted application control measures to limit potentially harmful software.

Organisations continue to face substantial operational disruption following ransomware incidents. The report found that 75% of those affected required up to two weeks to fully recover from an attack. In sectors reliant on continuous operations, such as healthcare, financial services, and critical infrastructure, such delays can result in severe consequences including missed medical treatments, inaccessible assets, lost revenue, reputational harm, and, in certain contexts, risks to human life.

Even among organisations willing to pay the ransom, the likelihood of a quick recovery remains uncertain. More than half of those surveyed acknowledged that their companies had paid ransom demands despite recommendations by law enforcement to avoid doing so. Yet, one in four reported that even after payment, their data was not restored, compounding the cost and disruption associated with the attack.

The report identified the emergence and rise of Ransomware-as-a-Service (RaaS), which allows a broader range of actors to carry out sophisticated attacks without deep technical expertise, as another significant factor contributing to the growing rate and scale of ransomware incidents globally.

Delinea's 2025 State of Ransomware Report concludes that while AI is enabling both attackers and defenders to operate more efficiently, the overall surge in successful breaches suggests essential security practices still require wider adoption and consistent application within organisations.