Security News

Cybersecurity news aggregator

INFO News Dark Reading

Ransomware's New Era: Moving at AI Speed


Cybersecurity In-Depth: Digging into data about the latest attacks, threats, and trends using charts and tables.

Threat actors bypass security tools and use AI to launch faster ransomware attacks that exploit valid credentials and target data

Arielle Waldman, Features Writer, Dark Reading
March 23, 2026

Data Source: Halcyon

Ransomware is not only growing; threat actors are accelerating the pace of their attacks by using offensive tools to exploit valid credentials and hit targets with speed and precision.

The practice has undergone big changes over the past five years. Initially, attacks focused on encrypting data; now, threat actors threaten to extract it to pressure victims into paying. Double-extortion tactics quickly shifted to triple-extortion threats to expose stolen data. Threat actors also transitioned from extorting companies to contacting victims directly — whatever it takes to rake in the cash.

The latest shift is all about speed. Ransomware actors discovered methods to bypass endpoint detection and response (EDR) tools, and they're increasingly using artificial intelligence (AI) to steal data more quickly.

Halcyon's 2026 Method Survey Report revealed that while 98% of organizations use EDR for ransomware defense, only 25% "actually trust it to defend against today's evolving ransomware threat." Additionally, 78% of surveyed participants said AI made ransomware attacks more effective. Conversely, only 6% believe the tools have improved their own defenses.

Over the past 18 to 20 months, the prevalence of ransomware has increased, and attack quality, unfortunately, has also improved, warns Mick Coady, field CTO of Elisity Cybersecurity. As a former head of cybersecurity for hospitals, he's observed that bypassing or evading EDR tools is one evolving tactic.
Attackers know that medical devices, especially those over five years old, can't be protected by EDRs, so they target them rather than patchable IT devices.

"At the end of the day, I think the sophistication has been more about them getting new angles of attack," Coady says.

Living-Off-the-Land Techniques Continue

Arctic Wolf found similar trends in its 2026 Threat Report: ransomware accounted for 44% of its incident response (IR) cases last year, and threat actors are operating at "increased speed and specialization." The report went on to say that threat actors adapted to organizations' defenses by using automation to compress the kill chain and bypassed controls "by logging in, not breaking in."

That is the most striking shift from the recent year, says Kerri Shafer-Page, vice president of digital forensics and IR at Arctic Wolf. Threat actors are still getting in through the perimeter by exploiting vulnerabilities in firewalls and virtual private networks, but they're also using valid credentials, she adds.

"It's challenging to keep the employee base educated," Shafer-Page tells Dark Reading. "It has to be a drumbeat because of attackers' sophistication."

Access management contributes to major hygiene issues, Shafer-Page observes. Too many individuals within a company hold over-privileged identities, and once threat actors gain that privileged access, they "break all the store windows" as they move laterally to "take everything out and quickly leave."

The use of offensive security tools is one of the biggest shifts for ransomware gangs, agrees Will Thomas, senior threat intelligence advisor at Team Cymru. However, it stems from a good news, bad news scenario: over the last five years, many malware families that delivered ransomware, such as Emotet, Trickbot, and IcedID, have become obsolete following a series of takedowns.
That forced ransomware groups to adopt something that they can deploy themselves, explains Thomas. Many of the initial access vectors for ransomware have shifted from malware loaders and botnets to exploiting devices, phishing, brute-force attacks, and even infostealing.

"Infostealers just need one infection, and you get the credentials and log in, compared to loader botnets that need to maintain persistence and to remain undetected," Thomas says. "If you can just get credentials, then you can just log in."

AI Is Leading to Higher Quality Attacks

As companies race to adopt AI, so do attackers. It's improving ransomware capabilities, primarily around intelligence gathering. Arctic Wolf noticed threat actors using AI to conduct vulnerability and general research on victim organizations.

Attackers are leveraging AI in two primary ways: scaling and automation, and high-fidelity social engineering tactics, says Matt Hull, vice president of cyber intelligence and response at NCC Group. These advanced tactics are "fundamentally changing the risk profiles for enterprise," he warns.

NCC Group recorded a "staggering" 50% year-on-year increase in global ransomware attacks in 2025. AI-advanced tooling and automation frameworks have effectively lowered the barrier to entry for cybercrime, adds Hull. Now, less technical threat actors can conduct sophisticated ransomware campaigns at scale.

NCC Group also saw a rise in real-time deepfake vishing, which attackers use to successfully bypass traditional verification protocols by impersonating the voices of trusted executives or colleagues.

What Does it Look Like on the Defensive Side?

Organizations are struggling to defend against the latest evolution of ransomware. That's in part due to an increasingly decentralized ecosystem, says Thomas. What used to be a handful of larger loader botnets and ransomware-as-a-service campaigns is extending exponentially.
Previously, five or 10 large players dominated the landscape, but now there are many rebrands and spinoffs, and actors using leaked ransomware builders, warns Thomas.

"It's scary how simple it can be because all these tools and guides are available out there," he says.

The complete reconfiguration of the threat actor hierarchy and their delivery vectors is the most "defining shift of 2025," says Hull. Law enforcement actions knocked LockBit 3.0, the most prolific threat actor, off the top charts, and Qilin emerged as the "apex predator", he adds.

Qilin's prominent reputation is drawing attention – and impersonators. Arctic Wolf experienced it firsthand while handling an IR case. The security company became suspicious when demand patterns deviated from usual Qilin activity, and negotiators realized the ransomware group they were communicating with was only posing as the infamous gang. The impostors had somehow gotten into Qilin's leak site and posted the company's name to extort it, Shafer-Page reveals.

"When we followed through with that actual threat group who owned all of that territory, they were like: 'We don't know what you're talking about. We have no issue with that client.' And they removed them from their leak site," she says.

To address ransomware's ongoing evolution, she urges victim organizations to be upfront and transparent with CISOs and the board. That means having meaningful conversations with the people who control the budgets. Additionally, all companies, regardless of size, should have a clear picture of where their data is. For smaller IT shops, it's important to control access management, adds Shafer-Page.

It's increasingly important to take steps to combat ransomware, since it doesn't seem to be going anywhere. Threat actors will exploit ongoing hygiene issues and insufficient access management protocols to launch attacks.
And it will only continue to evolve, particularly on the data extortion side, which will see a rise, anticipates Shafer-Page. "When you and I talk to each other again next year, I'll start with the same thing: 'Yes, ransomware is Number One'," s
