- Criminals are using generative AI attack strategies that will significantly improve the success rates of social engineering attacks and make those attacks harder to identify.
- A study monitored different ransomware groups, their locations and their targeted victims to identify the differences in operations among those gangs.
- Relying solely on malware signature differences or on the number of victim organizations attributed to each group fails to account for fundamental differences between the groups.
Cybercriminal organizations have become increasingly sophisticated and are no longer just hacking computers but now also leveraging artificial intelligence and automation to produce more significant, faster, and more personalized attacks.
A recently published study in the Journal of Cybersecurity and Privacy documents the transformation of ransomware operations into structured, data-driven businesses.
The study moves away from the typical metrics used to evaluate ransomware operations, such as malware signatures. Instead, it focuses on the behavioral patterns of those involved in ransomware operations.
During their work last year, the researchers tracked and analyzed activity involving 147 verified victim companies in 14 countries and 48 distinct ransomware actors.
How AI Helps Criminals Scale Their Attacks
Contemporary ransomware groups have structured themselves to operate much like legitimate businesses. They now have well-defined processes for each stage of their cycle, such as initial access, internal movement, data exfiltration, and public exposure through leak pages. AI has enabled attackers to significantly improve their activities and increase the effectiveness of their attacks.
One of the primary uses of AI is for phishing attacks. With AI technology, attackers can generate massive amounts of personalized, realistic-looking emails to lure victims in an attempt to compromise their email accounts.
The personalized nature of these emails increases the probability of success for social engineering attacks, which is one of the most common methods hackers use to compromise systems.
Alongside their findings, the researchers developed the ‘AI-Amplification Indicator,’ a composite score built from four distinct and measurable categories, which allows ransomware groups to be evaluated.
The four categories include: AI-Enabled Social Engineering; Targeting Breadth; Operational Tempo; and Temporal Scaling. Each of these categories demonstrates a different component of how ransomware networks operate when planning an attack, executing the attack, and expanding their attacks.
This report contains verifiable data on 48 distinct ransomware actors in 2025. Researchers collected data by observing activity on the dark web leak sites where ransomware actors name their victims as part of their extortion scheme.
Not All Ransomware Groups Operate the Same Way
The analysis of the ransomware groups’ data revealed that a small number of groups account for most ransomware activity. Those highly productive groups are likely to use a variety of strategies to attack their victims.
These higher-productivity groups demonstrate rapid tempo, target a large number of victims at once, and sustain ongoing campaigns of ransomware attacks over extended time periods. As a result, their attacks show more sophisticated, well-planned, and coordinated operations.
On the other hand, ransomware groups within the lower productivity levels exhibit irregular attacks, are limited to certain areas, and have slower scaling. A few of the ransomware groups use burst attack patterns, where they disclose a large number of victims in a short period of time. Others follow a more consistent pattern over several months of continuous attacks.
The number of ransomware victims is only one piece of the picture. The study found that groups with a similar number of victims can exhibit very different operating profiles. For example, one ransomware group may attack many victim organizations quickly in a single nation, whereas another attacks multiple industries and geographical areas over a longer period of time.
Further, the study indicated that some groups concentrate on certain sectors of the economy or geographical areas, while other groups pursue a more diverse approach to targeting organizations and have a broader geographic distribution.
The summary analysis shows that targeting approaches vary widely among the different groups. Understanding those differences will therefore help security teams identify which ransomware threats to monitor closely.
As ransomware groups adopt AI to scale their operations, some are also incorporating AI voice phishing tools into their attack chains, using voice impersonation to gain initial access before deploying ransomware. This demonstrates the convergence of AI-powered social engineering and traditional ransomware tactics.
What This Means for Cybersecurity Defenders
According to the report, organizations require a new approach to defend against cyberattacks. Many traditional defenses consider only technical indicators or the number of individual victims and do not provide a complete picture of the complexity of modern-day ransomware attacks. Cybersecurity defenders would benefit from using behavior-based threat intelligence as a possible way forward.
By tracking behavioral indicators of threat actors, including rate of attack (tempo), variety of attacks (diversification), and speed of increasing the number of attacks (scaling), cybersecurity defenders can focus on and prioritize threat groups based on their potential to cause harm, instead of taking the same approach to every attack.
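The point made above, that two groups with the same victim count can have very different operating profiles, can be seen by computing a few behavioral indicators from dated leak-site disclosures. This is an added example, not code or formulas from the study: the records are constructed, the group names are invented, and the metric definitions (victims per 30 days, 7-day burst share, Shannon entropy of countries and sectors) are assumptions chosen for illustration, not the study's AI-Amplification Indicator.

```python
from collections import Counter
from datetime import date
from math import log2

# Constructed leak-site disclosures: (group, disclosure date, country, sector).
# Group names and victims are invented for illustration.
RECORDS = [
    ("group_a", date(2025, 3, 3), "US", "health"),
    ("group_a", date(2025, 3, 4), "US", "health"),
    ("group_a", date(2025, 3, 5), "US", "health"),
    ("group_a", date(2025, 3, 6), "US", "education"),
    ("group_b", date(2025, 1, 10), "DE", "manufacturing"),
    ("group_b", date(2025, 3, 15), "BR", "finance"),
    ("group_b", date(2025, 5, 20), "JP", "retail"),
    ("group_b", date(2025, 7, 25), "US", "health"),
]

def entropy(values):
    """Shannon entropy in bits: 0 when all victims share one value."""
    counts = Counter(values)
    n = sum(counts.values())
    return sum(c / n * log2(n / c) for c in counts.values())

def profile(records, group, window_days=7):
    """Behavioral profile of one group from its dated disclosures."""
    rows = sorted(r for r in records if r[0] == group)
    if not rows:
        raise ValueError(f"no disclosures for {group!r}")
    days = [r[1] for r in rows]
    span = (days[-1] - days[0]).days + 1  # active period, inclusive
    # Largest share of victims disclosed inside any single window.
    burst = max(
        sum(0 <= (d - start).days < window_days for d in days)
        for start in days
    ) / len(rows)
    return {
        "victims": len(rows),
        "per_30_days": round(len(rows) / span * 30, 2),
        "burst_share": burst,
        "country_entropy": round(entropy(r[2] for r in rows), 3),
        "sector_entropy": round(entropy(r[3] for r in rows), 3),
    }

if __name__ == "__main__":
    for g in ("group_a", "group_b"):
        print(g, profile(RECORDS, g))
```

Both constructed groups have four victims, yet one is a single-country burst and the other a slow, widely spread campaign, which is the distinction a raw victim count hides.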
Additionally, the report emphasized that artificial intelligence (AI) is becoming increasingly important from both the offensive and defensive standpoints. Attack groups use generative AI to improve social engineering and automate their operations, so cybersecurity defenders must adopt equally sophisticated technologies to ensure they have sufficient tools to detect threats in an evolving environment.
Continuous monitoring and collation of data are consistent themes throughout the researchers’ findings because of the ‘dynamic, ever-changing’ nature of ransomware. A thorough multi-year, multi-regional data analysis will help to understand the long-term trends in how ransomware is evolving and how emerging technologies will have an impact.