AI and Automation Accelerate Ransomware Operations and Intrusion Speed
Recent reporting and threat research indicate AI and automation are materially compressing attacker timelines, reducing defenders’ opportunity to detect and contain intrusions. A ReliaQuest analysis cited by SC Media found lateral movement can occur in as little as four minutes (with average lateral movement time dropping from 48 to 34 minutes), and data exfiltration in the fastest cases falling to six minutes (down from more than four hours previously). The same reporting notes 80% of ransomware groups are leveraging AI and/or automation for data theft, and highlights BoaLoader as an example of converged AI-assisted development, social engineering, and traditional cybercrime activity.
Separate ransomware telemetry from NCC Group shows overall publicly disclosed ransomware incidents dipped month-over-month in January but remained broadly consistent year-over-year (741 vs. 696), with North America accounting for 54% of activity and industrials the most targeted sector (32%). The report identified Qilin as the most active group (108 cases), followed by Akira and Sinobi, and warned that attacker tradecraft is expanding to new initial access paths, including messaging platforms (e.g., WhatsApp, Signal, Telegram) via device-linking scams and malicious QR codes. ASEC’s weekly “Ransom & Dark Web Issues” roundup provides additional context on ongoing ransomware and hacktivist activity (e.g., Morpheus targeting a South Korean plating company and Ailock republishing prior victims), but it is not clearly tied to the same specific datasets or findings on AI-driven acceleration described in the other reporting.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
ReliaQuest says most ransomware groups now use AI or automation
ReliaQuest stated that 80% of ransomware groups use AI and/or automation to steal data, citing BoaLoader as an example of AI-assisted malware development combined with social engineering and traditional cybercrime. The report warned that AI is increasing attacker speed, scale, and flexibility, prompting calls for AI-based defensive measures.
ReliaQuest observes major drop in lateral movement and exfiltration times
ReliaQuest reported that attackers can move laterally in as little as four minutes, an 85% reduction from the fastest observed lateral movement in 2024, while average lateral movement time fell from 48 minutes to 34 minutes. The company also found the fastest data exfiltration cases now take six minutes, down from more than four hours the prior year.
Qilin leads January ransomware activity as North America tops regions
In NCC Group's January ransomware analysis, Qilin was identified as the most active group with 108 attacks, while industrials were the most targeted sector and North America accounted for 54% of global activity. The report also warned that messaging apps such as WhatsApp, Signal, and Telegram are emerging entry points through device-linking scams and malicious QR codes.
NCC Group records 741 publicly disclosed ransomware attacks in January
NCC Group reported 741 publicly disclosed ransomware incidents in January, a 17% month-over-month decline but still close to the 696 cases logged in January 2025. The firm said the dip should not be interpreted as reduced overall risk.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware and initial-access tradecraft evolves with new evasion and extortion techniques
Reporting and research published in mid-January 2026 highlights continued **high ransomware activity** and rapid evolution in initial-access and evasion tradecraft. A Symantec/Carbon Black Threat Hunter Team study cited by *Help Net Security* reports ransomware actors claimed **4,737 attacks in 2025**, with only brief slowdowns after major disruptions; the abrupt April 2025 shutdown of **RansomHub** was followed by affiliates quickly shifting to other operations, while **LockBit** failed to recover after late-2024 law-enforcement action. The same reporting notes a broader shift toward **extortion models that don’t rely on encryption**, emphasizing data theft and coercion as groups diversify pressure tactics. Multiple technical reports describe how attackers are improving delivery and resilience. *BleepingComputer* says **Gootloader** now uses heavily malformed ZIP files—concatenating **500–1,000** ZIP archives and manipulating ZIP structures (e.g., truncated `EOCD`)—to crash or defeat common analysis tools while still extracting via Windows’ default utility, supporting its role as an initial-access vector often preceding ransomware. *The Register* reports **DeadLock** ransomware uses **Polygon smart contracts** to frequently rotate proxy infrastructure for victim communications (via an HTML wrapper pointing victims to the *Session* messenger), complicating blocking and takedown efforts; Group-IB notes DeadLock also departs from typical double-extortion by lacking a public data-leak site and instead threatening underground data sales. Separately, Microsoft-observed phishing described by *KnowBe4* shows threat actors exploiting **email routing/spoofing misconfigurations** to make phishing appear internal (often leveraging **Tycoon2FA**), while ReliaQuest’s trend report and a separate write-up on **CastleLoader** describe human-driven initial access (spearphishing/drive-by) and social-engineering lures such as **ClickFix** being used to stage loaders and follow-on payloads—underscoring that access-broker and loader ecosystems continue to feed ransomware and broader intrusion activity.
Mar 21, 2026
Industry reporting highlights ransomware shift to stealthy, long-dwell intrusions and increased zero-day exploitation
Multiple security reports and commentary describe **ransomware operators shifting from fast “smash-and-grab” encryption to stealthier campaigns** that prioritize long-term access, data theft, and operational leverage. VulnCheck’s 2026 exploit intelligence findings indicate that while only a small fraction of newly disclosed vulnerabilities are exploited in the wild, the exploited set drives outsized impact; the report also assesses that ransomware-linked vulnerability exploitation is increasingly **zero-day-led**, with over half of ransomware-associated CVEs first identified via active exploitation. The same analysis notes rapid weaponization dynamics (including growth in public PoCs and noisy, low-quality AI-generated exploit code) that can distort prioritization while attackers move faster than patch cycles—an issue that is particularly consequential for **OT environments** where downtime and patch latency are common. Several other items in the set are not reporting on this specific ransomware/zero-day trend and instead provide general security guidance or leadership content. These include broad, non-incident overviews of financial-sector threats, dark web monitoring decision-making, AI skills discussions, board-level risk/metrics perspectives, and DDoS readiness best practices; they do not add concrete, corroborating detail to the ransomware zero-day/long-dwell access narrative beyond general context that cybercrime is evolving and defenders should focus on actionable risk signals.
Mar 21, 2026
AI-Driven Ransomware Escalation and Defensive Innovations
Ransomware attacks are becoming increasingly sophisticated and rapid, largely due to the integration of artificial intelligence (AI) by threat actors. Security leaders are expressing heightened concern over AI-enabled ransomware, with 38% of CISOs ranking it as their top security issue according to recent industry surveys. The 2025 State of Ransomware Survey by CrowdStrike highlights that 76% of organizations struggle to keep pace with the speed of AI-powered attacks, revealing a significant gap between perceived and actual preparedness. Despite high confidence levels, 78% of surveyed organizations have experienced a ransomware attack in the past year, underscoring the urgent need for improved defenses. Adversaries are leveraging AI to accelerate every stage of the attack chain, from malware development to social engineering, drastically reducing defenders' response windows. In response, cybersecurity professionals are exploring innovative defensive measures, such as malware vaccines, which were a focal point at the recent ONE Conference in The Hague. These vaccines work by making cosmetic changes to Windows systems, such as creating decoy files, editing registry keys, or simulating infection markers, to trick ransomware into aborting its attack. Techniques include placing fake mutex objects or running processes that signal to malware that the system is already compromised or is a virtual machine, thereby deterring infection. Some methods, like the EmoCrash kill switch developed by Binary Defense, have successfully disabled specific malware strains by manipulating registry entries. However, while these proactive measures show promise, they also carry risks, particularly when altering system registries. The rapid evolution of AI-driven ransomware is outpacing traditional security tools, prompting calls for more intelligent, adaptive defenses. Security teams are urged to reassess their readiness, invest in advanced endpoint protection, and consider novel approaches like malware vaccines as part of a layered defense strategy. The convergence of AI in both offensive and defensive cyber operations marks a pivotal shift in the threat landscape, demanding continuous innovation and vigilance from defenders. As ransomware continues to rampage across industries, the balance between prevention and cure is being redefined by the capabilities of AI on both sides. Organizations must recognize that legacy defenses are insufficient against the speed and sophistication of modern ransomware. The cybersecurity community is actively researching and sharing new techniques to stay ahead of attackers, but the challenge remains formidable. Ultimately, the fight against AI-enabled ransomware will require a combination of technological innovation, strategic investment, and ongoing education for security professionals.
Mar 21, 2026