Ransomware is on the rise, thanks in part to GenAI


A challenge in securing any IT environment is staying ahead of the tactics and technologies that bad actors use to breach an organisation, and now it appears that the democratisation of GenAI is opening up the door to an increase in ransomware campaigns.

For years, security practitioners worried about when and how threat actors would use AI and other advanced technologies against them. The arrival of GenAI elevated that concern, and incidents centered on deepfakes and other AI-driven threat actor techniques drove it home.

Driven by the lucrative nature of ransomware and the availability of AI-driven ransomware toolkits, the number of incidents has hit an alarming figure, increasing by 37% in 2024 versus the prior year according to the 2025 Verizon Data Breach Investigations Report (DBIR). In 2024, ransomware was associated with 44% of data breaches around the world, and accounted for 54% of those in APAC.

GenAI and LLMs make life easier for cyber criminals

In its newly published 2025 State of the Internet/Security research, security and content delivery network (CDN) provider Akamai attributed this surge to a number of factors, including AI.

Akamai says incident data from its Secure Internet Access enterprise clients shows a strong correlation between this surge and the increased availability of GenAI and Large Language Models (LLMs). This availability makes it easier for less seasoned bad actors to mount highly effective ransomware operations. Cyber criminals tap LLMs to write code and elevate their social engineering methods.

Ransomware-as-a-Service and multiple extortion

While money is a powerful motivator in ransomware campaigns, the Akamai research noted hacktivism is also part of the picture. The increasing prevalence of Ransomware-as-a-Service (RaaS) is one indicator of this. RaaS leverages a sprawling underground network that uses developers, the zero-day market and initial access brokers. These organised crime entities specialise in particular functions like money laundering to fund activities pursuing sociopolitical or ethical goals.

Threat actors are also becoming more aggressive in their extortion efforts. Double extortion, in which cybercriminals move beyond breaching an organisation to encrypt data and then demanding payment to decrypt it, has become commonplace. In double extortion breaches, cybercriminals threaten to release the data if they are not paid. Triple extortion, leveraging DDoS attacks to add more incentive for the targeted organisation to pay the ransom, is also a more frequently used tactic than in the past.

Akamai notes that it found incidents that used quadruple extortion, in which cybercriminals communicate with executives, other employees, partners, and the media to add more pressure to pay. Some criminal organisations also threaten to expose lack of regulatory compliance to authorities to up the ante. It is worth noting that some cybercriminals release the data anyway, or come back for more ransom money. There is no honor among thieves.

The effectiveness of cybercriminals in collecting ransom has had a ripple effect on cyber insurance rates and has increased the frequency of IT security audits by firms to ensure the appropriate controls are in place.

The challenge of staying one step ahead of the threat actors has never been more daunting. Budget holders need to prioritise the resources to make it possible for security practitioners to do so, or risk the consequences.





