
Ransomware is Surging
Ransomware attacks are accelerating. More than two-thirds of organizations were hit in the past year, and over a quarter were targeted more than once. In the U.S., breaches rose by a third, with the biggest jump seen among large enterprises. But smaller firms aren’t safe either; they are often easy prey for mass-market ransomware campaigns.

Additionally, certain sectors are seeing even sharper spikes: attacks on the U.S. IT and Telecom industry jumped 65% year-over-year, while retail, catering, and leisure saw a 57% rise. Half of healthcare organizations reported being attacked. These industries have two things in common—high volumes of sensitive data and a low tolerance for downtime.

Why the rise? Credential theft was involved in nearly a third of breaches, according to Verizon’s 2025 DBIR. Meanwhile, Ransomware-as-a-Service (RaaS) continues to democratize attack capabilities, especially across sectors like tech, manufacturing, and construction. Initial Access Brokers (IABs) are also expanding the threat surface by selling verified access to compromised systems—often letting buyers test credentials before purchase. Privileged accounts tied to identity systems like Active Directory remain top targets.

And this comes with another shift—60% of ransomware victims experienced a data breach, and 85% were threatened with publication or resale. This means backups alone can’t mitigate the risk. If data theft is the point, organizations need layered defenses focused on prevention, not just recovery.
The Real Cost is Bigger Than You Think
Nearly half of ransomware victims needed between one and six days to recover. For three-quarters, recovery stretched to two weeks. The few who bounced back in under 24 hours likely caught the threat early—before encryption or exfiltration.

Ransomware disrupts far more than IT. The report highlighted that in June 2024, an attack on NHS supplier Synnovis led to canceled procedures and urgent calls for blood donations. Some systems were still down three months later. Marks & Spencer, Co-op, and others have suffered major service disruptions. In more severe cases, like the June 2023 breach that took down KNP Logistics Group, ransomware can cost jobs and shutter businesses.

The downstream impacts are wide-ranging as well: lost profits, missed opportunities, reputation damage, and rising pressure on leadership. Recovery isn’t just technical—it’s operational and psychological. Less than 1% of firms are still in recovery after a month, but those edge cases can have outsized impact.

Most executives are now taking ransomware seriously: nine in ten are concerned, with a sharp rise among U.S. leaders, especially in large enterprises. Cyber insurance is increasingly part of the response. Four out of five organizations are covered, and while smaller companies lag, they are starting to catch up. Notably, insurance providers are pushing organizations to improve their security hygiene before offering coverage, helping raise the bar overall.
Prevention Beats Cleanup, But Many are Still Struggling
So how are organizations actually responding to rising threats? About 90% say they have incident response plans—up significantly among small businesses, where readiness jumped from 60% to 79% over the past year. While this might seem like progress, response isn’t enough.

The top four prevention measures taken last year were system patching, data backups, password best practices, and application control. In the U.S., adoption of these measures grew meaningfully. But clearly, they are not closing the gap. The expanding attack surface, driven by remote work, cloud sprawl, IoT, and AI, gives attackers more entry points than defenders can easily manage.

Least privilege is one of the most underutilized defenses: only about one in three organizations enforce it, despite its ability to reduce lateral movement and restrict access to sensitive systems. Least privilege, when paired with strong IAM, PAM, MFA, and AI-driven analytics, is a key part of any Zero Trust strategy. But it requires maturity—clear user roles, regular access audits, and continuous oversight with tools like CIEM and ITDR.
AI is Fueling Both the Threat and the Defense
The threat landscape is shifting fast. AI is now a major accelerator for ransomware actors. Groups like FunkSec are already using generative AI to build malware. In the near future, attackers may use GenAI to craft phishing messages that mimic your clients’ or employees’ tone, generate spoofed login pages, or even deploy deepfake audio and video for social engineering.

Delinea’s report emphasizes the early signs of agentic AI that can move through entire attack chains, from reconnaissance to exfiltration, with minimal human oversight. That could mean faster attacks, shorter kill chains, and fewer opportunities to intervene.

The good news? Defenders are leaning on AI too. Nine in ten security teams are now using AI, especially in the SOC, to manage alert fatigue and triage incidents faster. AI is helping analyze indicators of compromise across vast data sets, flag anomalies, and even assist in phishing prevention by scanning emails, links, and attachments for suspicious behavior.