Executive Summary

A new report from CrowdStrike, the "2025 State of Ransomware Survey," reveals a significant confidence crisis among security leaders. A commanding 76% of organizations surveyed believe they are losing the race against adversaries who are leveraging Artificial Intelligence (AI) to power their attacks. The survey indicates that threat actors are using AI to accelerate the entire ransomware lifecycle, collapsing the response window for defenders. A strong majority (85%) of respondents agree that legacy security tools are becoming obsolete against these advanced threats, and 48% now consider AI-automated attacks to be their top ransomware concern. The report also highlights the ineffectiveness of paying ransoms, as 83% of organizations that paid were attacked again.

Threat Overview

The survey's findings point to a paradigm shift in the ransomware landscape, driven by the weaponization of AI. Adversaries are no longer just using AI for isolated tasks; they are integrating it across the entire attack chain. According to the report, this includes:

• Accelerated Attack Velocity: AI is used to automate reconnaissance, vulnerability discovery, and lateral movement, drastically reducing the time from initial breach to payload deployment. This "collapses the defender's window of response," as described by CrowdStrike's CTO.
• Enhanced Social Engineering: 87% of organizations report that AI is making phishing lures more convincing and harder to detect. The use of deepfakes for social engineering is also cited as a major emerging threat.
• Sophisticated Malware: AI can be used to generate polymorphic malware that constantly changes its signature to evade detection by traditional antivirus tools.

The consequence is that nearly half of organizations fear they cannot detect or respond quickly enough to an attack. This fear is substantiated by the finding that fewer than 25% of victims recover within 24 hours, and a similar number suffer major business disruption or data loss.

Technical Analysis

The weaponization of AI impacts several phases of the MITRE ATT&CK framework:

• Reconnaissance: AI can be used to automate the scanning of public sources (websites, social media, breach dumps) to build highly detailed profiles of target organizations and individuals (T1596 - Search Open Technical Databases).
• Resource Development: AI-powered large language models (LLMs) can generate highly convincing and grammatically perfect phishing emails at scale, making T1566 - Phishing more effective.
• Initial Access: AI can be used to analyze code for zero-day vulnerabilities or to craft payloads that bypass specific security controls.
• Defense Evasion: AI can generate polymorphic code (T1027 - Obfuscated Files or Information) that changes with each infection, making signature-based detection useless.
• Lateral Movement: AI can analyze network data in real-time to identify the most efficient path for lateral movement, automating the decision-making process for the attacker.

Impact Assessment

The primary impact highlighted by the report is the erosion of defensive capabilities. Legacy, signature-based tools are proving ineffective, and security teams are struggling to keep up with the speed of automated attacks. This leads to longer dwell times, more successful ransomware deployments, and greater business disruption. The survey's finding that paying a ransom is not a solution (with 83% of payers being re-targeted and 93% having their data stolen anyway) reinforces the need for a focus on prevention and resilience rather than reaction. The rise of AI-powered attacks will force organizations to invest in next-generation, AI-driven security platforms to fight fire with fire.

Cyber Observables for Detection

Detecting AI-powered attacks requires a shift from static IOCs to behavioral indicators:

Detection & Response

1. AI-Powered Defense: The report's core message is that organizations must adopt AI-driven security platforms to counter AI-powered attacks. This involves using machine learning for D3-UBA: User Behavior Analysis and process monitoring to establish a baseline of normal activity and detect subtle anomalies that indicate a breach.
2. Speed of Response: Focus on Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). Implement Security Orchestration, Automation, and Response (SOAR) platforms to automate initial response actions, such as isolating a compromised host, to match the speed of the automated attack.
3. Threat Hunting: Proactively hunt for threats based on behavioral hypotheses rather than waiting for alerts. For example, hunt for legitimate tools like PowerShell being used for anomalous activities, a common sign of a hands-on-keyboard or automated attack.

Mitigation

• Adopt an AI-Driven Security Platform: Replace legacy AV with a modern EDR/XDR platform that uses machine learning to detect and prevent threats based on behavior, not just signatures.
• Identity Security: With AI making phishing more effective, identity has become the new perimeter. Implement robust identity security controls, including MFA, identity threat detection and response (ITDR), and privileged access management.
• Zero Trust Architecture: Assume that a breach will occur. Implement a zero-trust model where no user or device is trusted by default, and access to resources is strictly controlled and continuously verified.
• Resilience and Recovery: Since prevention is not foolproof, focus on resilience. Ensure you have immutable backups and a well-tested incident response and disaster recovery plan to minimize disruption and enable recovery without paying a ransom. This aligns with D3-FR: File Restoration.