As ransomware attacks accelerate in speed and sophistication, 38% of security leaders rank AI-enabled ransomware as their top concern — the most frequently cited worry about AI-related security issues according to CSO’s new 2025 Security Priorities study.
That concern appears to already be well founded, as a second study released today, CrowdStrike’s 2025 State of Ransomware Survey, provides a snapshot of how the ransomware threat is evolving, revealing cybersecurity pros’ fears surrounding the use of AI in ransomware attack chains, as well as the need to for CISOs to build better — and more intelligent — defenses to match AI-powered attackers.
“From malware development to social engineering, adversaries are weaponizing AI to accelerate every stage of attacks, collapsing the defender’s window of response,” Elia Zaitsev, CTO at CrowdStrike, said in announcing the survey’s findings. “The 2025 State of Ransomware Survey reinforces that legacy defenses can’t match the speed or sophistication of AI-driven attacks. Time is the currency of modern cyber defense — and in today’s AI-driven threat landscape, every second counts.”
Where ransomware stands today
CrowdStrike surveyed 1,100 IT and cybersecurity decision-makers across Australia, France, Germany, India, Singapore, United Kingdom, and United States to ask how they assess their ransomware readiness and navigate the evolving ransomware landscape, including the emergence of AI-enhanced threats.
The following are the top takeaways from CrowdStrike’s report:
Most organizations get hit with ransomware and some suffer from overconfidence: Of the organizations surveyed, 78% reported experiencing a ransomware attack within the past year. Of those, half believed they were “very well prepared” for ransomware, but fewer than a quarter recovered from an attack within 24 hours. These statistics bear out what CrowdStrike calls the “confidence illusion,” a disparity between the expectation and reality of the organization’s ability to recover from an attack quickly.
Ransomware payments are no safety nets: According to the CrowdStrike survey, 83% of paying victims were attacked again, and 93% had data stolen anyway, with backups proving unreliable. Nearly 4 in 10 respondents said they were unable to restore the data they lost fully.
Phishing is the most common attack vector: Phishing was cited by 45% of ransomware victim respondents as the initial point of compromise. Other frequently cited entry points include vulnerability exploits (40%), supply chain compromise (35%), compromised credentials (33%), malicious downloads (32%), misuse of remote monitoring and management (RMM) tools (31%), and insider threats (27%).
Ransomware attacks are costly: According to the survey results, organizations reported an average downtime cost of US$1.7 million per incident, but also incurred significant non-quantifiable costs. Among these were reputational damage, which affected 34% of victim organizations; legal and regulatory penalties, which impacted 24% of organizations; and publicly released or stolen data affected 24% of victims.
Post-attack improvements help but are often inadequate: CrowdStrike’s survey results indicated that just about half (51%) of organizations increased general cybersecurity investment following attacks, and 47% improved detection and monitoring capabilities. Nearly half of the respondents (45%) said they enhanced training and awareness programs. But, only 38% addressed the specific issue they identified as enabling the attack.
Gen AI-enabled phishing is a top concern: 82% of the organizations surveyed believe generative AI makes phishing emails more challenging to identify, even for well-trained employees. Most organizations (87%) consider AI-generated social engineering tactics more convincing than traditional methods.
Legacy defenses fall behind AI tools: CrowdStrike’s research suggest that AI-powered threat detection tools are eclipsing the standard threat intelligence techniques. AI-powered threat detection leads adoption at 53% among surveyed organizations, followed by automated incident response at 51% and AI-enhanced phishing detection at 48%. Most security teams (85%) acknowledge traditional detection methods are not keeping pace with modern threats.
Ransomware’s AI-powered future
Although CrowdStrike’s latest survey doesn’t provide a full picture of AI’s use by ransomware gangs, the fact that generative AI is proving highly effective in crafting phishing emails that lead to ransomware infections shows the tip of the iceberg CISOs face.
CrowdStrike Field CTO Cristian Rodriguez tells CSO, “We’re seeing AI touch every stage of the ransomware attack chain and it starts with phishing. Still the No. 1 entry point, AI-powered phishing campaigns are tricking employees into opening the door to corporate networks. The next wave will be even more deceptive, as AI-generated deepfakes emerge as a major driver of future ransomware attacks.”
According to Rodriguez, the ability to use AI to create malware is also rapidly evolving. “We’re increasingly seeing ransomware-as-a-service providers leverage AI-developed malware to deploy and disrupt systems,” he says. “So, AI is pervasive across the ransomware threat lifecycle — and it’s only accelerating.”
In the AI era, speed is the new battleground. Attackers move from intrusion to encryption in minutes, not hours. “The data really reinforces that speed is the biggest challenge,” Rodriguez says. “Ransomware has always been a race to contain and neutralize, but AI has taken it to another level — attackers are moving from intrusion to encryption in minutes, not hours. The pace of today’s adversaries is what makes speed in modern security so important.”
Analysis from managed detection and response firm Huntress earlier this year showed the average “time to ransom” — from initial access to extortion — to be 17 hours, with some groups narrowing that window to 4 to 6 hours. But that was eight months ago in a rapidly advancing field.