Top Highlights
- Most ransomware-as-a-service groups now utilize AI-powered tools, significantly accelerating attack speeds, with a drop in breach breakout time from 48 to 18 minutes between 2024 and mid-2025.
- AI enhancements include automatic malware detection and suppression features, helping ransomware groups improve their effectiveness and attractiveness to affiliates.
- Prominent groups like LockBit are embracing advanced AI capabilities to rebuild and expand, while others like Medusa decline, highlighting differing adoption levels within the ecosystem.
- Currently, only about 50% of RaaS groups offer AI tools, indicating still-early adoption and limiting their ability to attract top talent capable of targeting very secure organizations.
Problem Explained
Recent findings revealed by cybersecurity firm ReliaQuest highlight a troubling surge in the use of AI-powered tools by ransomware-as-a-service (RaaS) groups, which are significantly accelerating their attack methods. These cybercriminal organizations are increasingly employing AI to automate crucial steps like bypassing antivirus defenses and swiftly moving from initial access to infecting multiple devices, with the average “breakout time” shrinking from 48 minutes in 2024 to just 18 minutes in mid-2025. Notably, malicious groups such as LockBit are leveraging these advanced capabilities to attract new affiliates and restore their influence, while others like Medusa show signs of decline, lacking automation tools. Concurrently, emerging groups like “The Gentlemen” and DragonForce are adopting AI-powered features, boosting their operations and victim counts. Despite these advancements, only half of the RaaS groups currently offer full AI capabilities, indicating that the evolution of automated cybercrime remains in its early stages, yet poised to become more sophisticated and destructive. The report, based on security research and observations, highlights a shifting threat landscape driven by automation and artificial intelligence, posing mounting risks to organizations worldwide.
Potential Risks
The rise of AI-fueled automation empowering ransomware-as-a-service groups means that even small or less-prepared businesses face a heightened threat of cyberattack, as these malicious actors can deploy highly sophisticated, rapid, and targeted attacks that were once only possible for well-funded crime syndicates. This technological boost allows hackers to rapidly identify vulnerabilities, craft convincing phishing schemes, and launch relentless assaults that can encrypt critical data, halt operations, and cause significant financial and reputational damage with minimal effort and expertise. As a result, any business—regardless of size or industry—becomes a potential target, risking costly downtime, loss of confidential information, and erosion of customer trust, ultimately threatening the very foundation of its survival in today’s digitally driven landscape.
Possible Action Plan
Understanding the urgency of timely remediation is crucial, especially when AI-fueled automation empowers ransomware-as-a-service groups to differentiate themselves, increasing both their sophistication and threat level. Quick action can limit damage and prevent malicious activities from expanding.
Detection & Monitoring
Implement continuous monitoring tools to identify suspicious activities early, leveraging AI-based anomaly detection systems to recognize when automated processes are being exploited.
Incident Response
Develop and regularly update an incident response plan that prioritizes rapid containment, eradication, and recovery procedures tailored to automated ransomware attacks.
Patch Management
Ensure all software and systems are current with the latest security patches, especially those vulnerable to exploitation via automation tools.
Access Control
Enforce strict access controls and multi-factor authentication, reducing the risk of automated attack scripts gaining unauthorized entry to critical systems.
User Training
Conduct ongoing employee training focused on recognizing automated threats and social engineering tactics that facilitate automated attack vectors.
Threat Intelligence Sharing
Participate in industry information-sharing platforms to stay informed about emerging AI-driven attack techniques and corresponding mitigations.
Automated Defense Tools
Deploy and tune automated endpoint detection and response (EDR) tools designed to react swiftly to signs of ransomware activity fueled by automation.
Backup Strategies
Maintain regular, immutable backups stored securely offsite to enable rapid recovery with minimal data loss in the event of an incident.
Stay Ahead in Cybersecurity
Discover cutting-edge developments in Emerging Tech and industry Insights.
Understand foundational security frameworks via NIST CSF on Wikipedia.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1cyberattack-v1-multisource
