Ransomware’s Evolving Edge: Why Recovery, Not Ransom, Is the Real Metric That Matters
- Cyber Jill

- Aug 1
In an era where generative AI is reshaping both enterprise defenses and criminal arsenals, the ransomware game is shifting—but not disappearing. The Semperis 2025 Global Ransomware Report offers a sobering perspective: while attack success rates have seen a modest dip, business disruption and ransom payments remain widespread, with identity infrastructure emerging as the most targeted fault line.
According to the survey of 1,500 IT and security professionals across ten countries, 78% of organizations were hit by ransomware in the past year. Of those successfully breached, a staggering 73% were hit more than once—and 31% three times or more.
“If attackers start getting less money, they will adapt and pivot to something that can increase their profit margins,” warns Jeff Wichman, Director of Incident Response at Semperis. That prediction is already unfolding. Attackers are moving beyond traditional encryption-based extortion, employing more personal and legally threatening tactics—including physical threats against staff and threats to file regulatory complaints.
Paying for the Illusion of Safety
Globally, 69% of victims paid the ransom, and in the U.S., that figure jumps to 81%. Worse, 55% of paying victims shelled out multiple times. And still, nearly one in five victims who paid received either no decryption keys or corrupted ones. For some, even successfully unlocking their data led to further betrayal: 3% reported their data was later leaked or misused.
“Paying ransoms should never be the default option,” argues Mickey Bresman, CEO of Semperis. “It’s a downpayment on the next attack.”
Identity Infrastructure: The Bullseye
One of the most troubling revelations is the exploitation of identity infrastructure—Active Directory, Entra ID, and Okta were compromised in 83% of attacks. Despite this, only 66% of companies have an Active Directory recovery plan, and just 60% maintain dedicated identity-specific backups.
“You can’t simply bolt on identity security,” warns Chris Inglis, former U.S. National Cyber Director and now a strategic advisor to Semperis. “Identity resilience must be addressed at the core.”
Sanjay Poonen, CEO of Cohesity, reinforces that view: “Once attackers access your data, the trust is broken. You can’t be sure it won’t be misused later… Protecting sensitive data at every level is essential.”
AI Arms Race: Democratized Offense, Automated Defense
The report outlines a stark dichotomy: AI is empowering defenders with faster containment and anomaly detection—but it’s also handing aspiring cybercriminals a launchpad.
“Even a technical beginner can write and improve their own string of ransomware,” says Yossi Rachman, Director of Security Research at Semperis. “That has created a sort of democratization of ransomware-development capability.”
To stay ahead, experts recommend automating detection and recovery. AI- and ML-powered tools that flag indicators of compromise and instantly initiate countermeasures are now essential—not optional.
Recovery Readiness: The Real Resilience Metric
Perhaps the most jarring insight? Only 23% of organizations recovered from ransomware within a day, down from 39% last year. Meanwhile, the share of organizations taking a week or more to bounce back jumped from 11% to 18%.
“If you don’t properly secure your environment,” says Wichman, “you’re going to pay more for your insurance—or you’re going to become uninsurable.”
And it's not just about tools. As Sean Deuby, Principal Technologist at Semperis, points out, “Successful cyber defense depends on people, processes, and technology. The people part is just as critical.”
Beyond the Firewall: The Human and Third-Party Factor
Crisis training, documentation, and regular testing are key pillars of readiness, according to the report. But there's another risk hiding in plain sight: supply chains and third-party vendors.
“You might have very good security,” notes Malcolm Turnbull, former Australian Prime Minister and a Semperis advisor. “But what about the law firms you deal with? The accounting firms? Trusted consultants can make you vulnerable.”
Where We Go From Here
There’s no silver bullet—but there is a shift in mindset.
“I do believe that we can make ransomware a shocking anomaly,” said Jen Easterly, former Director of the Cybersecurity and Infrastructure Security Agency (CISA). That vision may seem utopian, but it’s not naïve. It’s aspirational—and increasingly necessary.
For now, the takeaway is clear: ransomware may be adapting, but so can defenders. And in this new landscape, readiness isn’t about avoiding the breach—it’s about being prepared to recover from it, fast. The winners won't be those who pay their way out of trouble, but those who never have to.


