Securin, a leading provider of AI-based Adversarial Exposure Validation (AEV) solutions, has released its 2025 Ransomware Report, finding that generative AI is rapidly accelerating ransomware operations by lowering barriers to entry, increasing scale, and intensifying psychological pressure across leadership, risk functions and frontline staff, without fully automating attacks.
Based on analysis of thousands of confirmed ransomware victims across 117 threat groups, the report shows ransomware evolving into a hybrid threat that blends cybercrime with infrastructure disruption, identity deception, and information warfare techniques. Three groups—Qilin, Akira and CL0P—accounted for nearly 30 percent of all victims, indicating that a small number of operators drive a disproportionate share of incidents.
For the first time, commercial facilities were the most targeted sector for ransomware, accounting for 14.1 percent of all victims, followed by manufacturing and IT service providers. The report found that attackers prioritized environments where operational interruption carried immediate financial or organizational consequences.
Manufacturing and infrastructure-adjacent sectors experienced increased activity tied to production downtime, supply chain delays, and safety risks.
While some early 2025 reporting suggested ransomware had become largely AI-driven, Securin’s findings present a more measured reality. AI is now widely accessible to threat actors, but it primarily functions as a force multiplier rather than an autonomous operator.
Threat groups commonly use AI to draft phishing and extortion messages, debug scripts, translate content, and streamline repetitive tasks. Only a small number of observed campaigns relied on AI in ways that were critical to execution.
“The narrative around autonomous ransomware misses the point,” said Aviral Verma, Head of Research, Securin. “The real change is acceleration. AI reduces friction at every stage of an attack, making ransomware operations faster, more scalable, and easier to replicate—even for less skilled actors.”
Securin’s findings show that AI use expanded during 2025, primarily as an efficiency tool. AI reduced effort and increased scale for bad actors, while operational decisions remained manual. The report identifies four areas where AI is having the greatest impact:
- Malware development. AI-assisted coding enables less-experienced actors to deploy sophisticated ransomware, increasing attacker volume and experimentation.
- Adaptive execution. Emerging malware can generate attack logic at runtime, weakening signature-based detection and improving adaptability to target environments.
- Automated extortion. AI chatbots now manage negotiations, translation, and scripted psychological pressure, allowing groups to scale victim interactions with minimal staffing.
- Identity deception. Deepfake audio and voice cloning have become operational tools, enabling attackers to impersonate executives or help desk staff to bypass identity controls.
