AI drives ransomware surge, experts urge faster defence
Tue, 12th May 2026
Cybersecurity specialists warn that artificial intelligence is reshaping ransomware attacks and putting new pressure on organisations' defences. Industry figures say defenders must prioritise speed, resilience and modernisation over traditional perimeter controls.
Anti-Ransomware Day comes amid a wave of incidents across retail, cloud services and critical infrastructure. Security leaders argue that attackers' rapid adoption of AI, combined with the growth of Ransomware-as-a-Service (RaaS), has weakened conventional strategies built on static tools and periodic patching.
Shobhit Gautam, Staff Solutions Architect - EMEA at HackerOne, said ransomware exposure now depends less on how many vulnerabilities an organisation has and more on how quickly it can fix them.
"Ransomware risk is no longer defined by the number of vulnerabilities an organisation has, but by how quickly they can remediate them. The time between vulnerability disclosure and exploitation has now reduced to less than a day, or even just a few hours. Attackers are becoming faster at identifying and exploiting vulnerabilities as they adopt AI and weaponise its capabilities. As the risk of ransomware attacks grows, security programs built around lengthy triage and remediation cycles are no longer sustainable." - Shobhit Gautam, Staff Solutions Architect - EMEA, HackerOne
Security researchers say criminal groups now scan for newly disclosed flaws at scale and automate exploitation attempts. That has shortened the window for defenders to test, prioritise and fix issues before attackers gain a foothold.
Gautam said organisations also need to act faster on the growing volume of data from scanners and monitoring tools.
"It is up to defenders to identify these risks before attackers can. While fortunately, discovery is scaling quickly, validation, ownership and remediation are not. Unless businesses can act on these insights, the situation will only get worse. It is key that the focus be on reducing the window of exposure and acting on vulnerability discovery quickly. This is why organisations are increasingly adopting a continuous threat exposure management (CTEM) approach, focused on constantly identifying, validating and reducing vulnerabilities before attackers can strike. From here, businesses can work alongside security researchers and defence experts capable of mitigating these risks and shutting down any potential threats before they can be realised. This is the path to effective cyber resilience in the face of ransomware attacks," said Gautam.
Other specialists point to the changing economics of ransomware. Subscription-based RaaS models and easy access to AI tools have lowered the barrier to entry for criminals and increased the number of campaigns in circulation.
Stephan Badesha, Chief Information Security Officer at Node4, said recent experience shows how AI has increased both the volume and sophistication of attacks.
"Ransomware attacks have surged over the past year, fuelled by the profitability of these crimes, the expansion of remote and cloud environments, and the emergence of Ransomware-as-a-Service. The integration of AI has further increased both the frequency and sophistication of attacks, enabling criminals to target high-value systems with greater precision and scale their operations more rapidly," said Stephan Badesha, CISO, Node4.
He said this shift leaves organisations exposed if they rely on outdated security architectures and infrequent testing. Layered controls, rapid recovery and employee awareness now sit at the centre of effective defence strategies.
"For organisations, this shift means that traditional defences are no longer sufficient. A proactive, layered approach is essential, incorporating continuous monitoring, robust access controls, well-tested backup and recovery strategies, and ongoing employee awareness programmes. Harnessing AI can also be a significant advantage, allowing businesses to detect anomalies and respond to threats in real time," said Badesha.
He also highlighted the financial and operational fallout that many victims underestimate.
"The true cost of ransomware goes well beyond the initial ransom payment. Downtime, reputational harm, regulatory penalties, and recovery expenses can far exceed the ransom itself. While these attacks may seem increasingly unavoidable, organisations that prioritise resilience over prevention alone are better positioned to reduce the impact and recover more quickly," said Badesha.
Managed Service Providers are taking on a larger share of frontline defence work for mid-sized organisations that lack in-house expertise. Badesha said that support includes monitoring, incident response and recovery planning.
"Managed Service Providers play a crucial role by offering 24/7 monitoring, threat intelligence, and recovery support, enabling organisations to stay ahead of emerging threats. Ultimately, the most effective defence combines robust technology, rigorous processes, and a well-informed workforce, together providing the best protection against today's evolving ransomware landscape," said Badesha.
Retailers have come under particular strain from recent ransomware incidents that disrupted tills, deliveries and online orders. High-profile attacks have exposed weak points in legacy back-end systems that support stock visibility and order management.
Abdelkader Keddari, VP EMEA Solution Engineering at Fluent Commerce, said recent breaches at major UK chains show how reliance on ageing platforms has become a direct business risk.
"Over the past year, high-profile ransomware attacks on major UK retailers have exposed the harsh reality that many still rely on outdated legacy systems which leave them vulnerable and slow to respond. When trust is breached, particularly where customer data is concerned, the damage to brand reputation and revenue can be severe." - Abdelkader Keddari, VP EMEA Solution Engineering, Fluent Commerce.
He said boardrooms need regular assessments of operational weaknesses rather than focusing only on front-end customer experience. The spread of omnichannel models has increased complexity across stores, warehouses and online operations.
"Retailers should consistently assess where their operational weaknesses lie. Unable to provide real-time visibility or adapt quickly in a crisis, legacy systems prevent effective decision-making. As the industry relies more on an omnichannel approach, that lack of adaptability is more than a day-to-day issue - it's a major business risk," said Keddari.
Keddari also warned that both small and large retailers face different but significant risks. Smaller firms may lack dedicated security teams, while larger brands attract organised groups because of the volume of personal and payment data they hold.
"No retailer is immune either. Smaller businesses often lack the resources for advanced cybersecurity, while larger organisations, which handle vast amounts of data, are the most attractive targets. The shift to online retailing has only widened the attack surface, with phishing, ransomware and payment system breaches on the rise. One of the first casualties in an attack is inventory visibility. Without real-time insight, retailers can't track stock or reroute orders, leading to empty shelves, unfulfilled promises and disappointed customers. Retailers who were targeted weeks ago are still experiencing the fallout, and there is no end in sight," said Keddari.
He said modernising order management and related systems can support more flexible responses during incidents and limit the impact on customers and revenue.
"To stay resilient, investment in technology like cloud-native Order Management Systems and Distributed Order Management (DOM) is essential. These tools give retailers the ability to respond quickly and effectively, protect sales, and uphold customer confidence, even in the case of a breach. Operational resilience also depends on more than tech or security - it's about smarter decision-making, building flexibility into your operations, and being ready to pivot when the unexpected hits. Then you'll be ready for the next wave of ransomware attacks when they hit," said Keddari.