
Securin Report on Ransomware in 2025: AI Acceleration, Infrastructure Warfare, and the Collapse of Digital Trust


Ransomware in 2025 did not simply grow louder. It grew smarter, faster, and far more strategic.


According to the Securin Ransomware Index Report 2025, attackers confirmed 7,061 victims across 117 active groups, marking a year defined not by chaotic opportunism but by calculated pressure campaigns. The report argues that ransomware has crossed a structural threshold. It now behaves less like smash-and-grab cybercrime and more like coordinated infrastructure warfare.


The shift is visible across everything from AI-assisted phishing to hypervisor encryption, from collaboration platform exploits to boot-level persistence. If 2024 was about data theft and double extortion, 2025 was about trust collapse.


AI Is Not Running Ransomware. It Is Accelerating It.


The biggest misconception of the year was that artificial intelligence is autonomously launching ransomware campaigns. Securin’s analysis paints a more grounded picture.


“AI didn’t replace ransomware operators. It made them faster, cheaper and more scalable. The real impact of AI is acceleration, not autonomy,” the report notes.


Across observed campaigns, AI showed up in four operational domains:

  • Code generation

  • Adaptive execution

  • Social engineering

  • Negotiation automation


Groups such as FunkSec demonstrated how generative AI lowers the barrier to entry by assisting with malware development. Other actors experimented with runtime adaptability. PromptLock, for example, embedded a locally hosted large language model to dynamically generate malicious scripts during execution, reducing reliance on static payloads.


Meanwhile, Global Group automated extortion negotiations with AI chatbots inside Tor portals, allowing operators to manage hundreds of simultaneous victim interactions.


The implication for CISOs is clear. AI is compressing ransomware economics. Development cycles shrink. Phishing improves. Language barriers disappear. Campaign velocity increases.


As Securin CEO Srinivas Mukkamala puts it:


“In 2025, AI turbocharged ransomware economics by accelerating vulnerability weaponization—from rapid discovery and exploit crafting to intelligent multi-vector chaining (AI-powered phishing for entry, identity compromise for escalation, exploits for propagation)—maximizing compromise scale and extortion ROI at machine speed. Defenders must counter with AI-driven proactive resilience: prioritized vulnerability management, strong identity controls, deception, and autonomous hunting to break these efficient attack chains before they cascade. The advantage belongs to those who deploy defensive AI faster than adversaries weaponize offensive AI.”


The Rise of Hybrid Threat Actors


Ransomware consolidation defined 2025.


While 117 groups were active, three operators dominated market share: Qilin, Akira, and CL0P. Together they bent the ecosystem around them, functioning less like criminal gangs and more like distributed enterprises.


Qilin alone accounted for 835 confirmed victims, focusing heavily on Linux and ESXi hypervisors. Its strategy was simple but devastating: own the virtualization layer and you freeze entire businesses.


Akira recorded 650 victims across 14 industries, calibrating intrusions based on sector-specific infrastructure mapping and vulnerability correlation.


CL0P, with 517 victims, operated through a resilient, cell-based affiliate structure, proving that dismantling infrastructure does not dismantle capability.


The consolidation produced a feedback loop: better affiliates generate more revenue, which funds better tooling, which attracts stronger affiliates. The result is what Securin describes as a cybercriminal aristocracy.


For defenders, this blurs the line between financially motivated criminals and hybrid actors with state-like tradecraft.


Commercial Facilities Became the Primary Target


The sector data reveals a major pivot.


Commercial facilities, including retail infrastructure, malls, hotels, and public venues, were the most targeted industry in 2025, with 997 confirmed victims.


Manufacturing followed with 846 victims, then Information Technology at 818.


This is not random targeting. It reflects leverage economics.


Attackers are prioritizing:

  • High visibility

  • Immediate public disruption

  • Supply chain multiplication effects

  • Institutional trust erosion


Manufacturing intrusions extended beyond IT networks into production lines, robotics, and industrial control systems, creating direct economic ripple effects.


Healthcare, once informally shielded by criminal “ethics,” saw 473 confirmed victims in 2025. The taboo has largely evaporated.


The pattern is strategic. Ransomware now selects sectors based on pressure yield, not technical convenience.


From Single CVEs to Exploitation Chains


Perhaps the most important evolution was how vulnerabilities were weaponized.

Attackers stopped treating CVEs as isolated entry points. Instead, they orchestrated exploitation chains combining authentication bypass, code injection, deserialization flaws, and trust-boundary violations across platforms such as SharePoint, Fortinet appliances, hypervisors, and UEFI systems.


SharePoint vulnerabilities in 2025 illustrated this shift, with actors chaining multiple flaws to achieve platform-wide compromise rather than single-system access.


Fortinet authentication bypass campaigns dissolved perimeter assumptions, enabling lateral movement and VPN trust collapse.


HybridPetya’s abuse of signed drivers and Secure Boot trust chains demonstrated boot-level persistence that undermined foundational computing models.


Even decade-old flaws like CVE-2015-2291 continued to appear in active exploitation chains, highlighting governance failures rather than technical limitations.


The takeaway is blunt. Patch severity scores alone are insufficient. Weaknesses must be analyzed in combination.
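One way to make "analyze weaknesses in combination" concrete is to rank findings by the chains they enable rather than by their individual scores. The following is an added example, not code or a scoring scheme from the Securin report: it models the three chain stages the article names (authentication bypass, code execution via injection or deserialization, trust-boundary violation), uses a constructed inventory with placeholder identifiers rather than real CVEs, and assumes a flat per-chain bonus weight. It shows how a medium-severity flaw that completes a chain on one asset outranks a high-severity flaw sitting alone, and which single patches would break every chain.

```python
"""Chain-aware vulnerability prioritisation: a constructed illustration of
ranking weaknesses in combination rather than by severity score alone."""
from dataclasses import dataclass, replace
from itertools import product

# Weakness classes named in the article, mapped onto the three stages of a
# chain: get in, run code, then cross a trust boundary. The stage model is an
# assumption for this example, not a scheme from the Securin report.
STAGES = ("auth_bypass", "code_execution", "trust_boundary")
CLASS_TO_STAGE = {
    "auth_bypass": "auth_bypass",
    "code_injection": "code_execution",
    "deserialization": "code_execution",
    "trust_boundary": "trust_boundary",
}


@dataclass(frozen=True)
class Finding:
    vuln_id: str   # placeholder identifier, deliberately not a real CVE
    asset: str     # platform the flaw lives on
    weakness: str  # key of CLASS_TO_STAGE
    cvss: float    # base score as a scanner would report it
    patched: bool = False


# Constructed inventory (hypothetical ids, assets and scores).
FINDINGS = [
    Finding("VULN-A", "vpn-gateway", "auth_bypass", 6.5),
    Finding("VULN-B", "vpn-gateway", "code_injection", 7.2),
    Finding("VULN-C", "vpn-gateway", "trust_boundary", 5.9),
    Finding("VULN-D", "file-server", "deserialization", 9.8),
    Finding("VULN-E", "hr-portal", "auth_bypass", 7.5),
]


def by_cvss(findings):
    """Baseline: rank unpatched findings purely by severity score."""
    live = [f for f in findings if not f.patched]
    return [f.vuln_id for f in sorted(live, key=lambda f: -f.cvss)]


def chains(findings):
    """Enumerate complete auth -> exec -> trust chains on the same asset."""
    per_asset = {}
    for f in findings:
        if f.patched:
            continue
        stage = CLASS_TO_STAGE[f.weakness]
        per_asset.setdefault(f.asset, {}).setdefault(stage, []).append(f)
    found = []
    for stages in per_asset.values():
        if all(s in stages for s in STAGES):
            # Every combination of one finding per stage is a distinct chain.
            found.extend(product(*(stages[s] for s in STAGES)))
    return found


CHAIN_BONUS = 3.0  # weight per chain a finding takes part in; an assumption


def chain_aware_rank(findings):
    """Rank by CVSS plus a bonus for each complete chain the finding enables."""
    bonus = {}
    for combo in chains(findings):
        for f in combo:
            bonus[f.vuln_id] = bonus.get(f.vuln_id, 0.0) + CHAIN_BONUS
    scored = {f.vuln_id: f.cvss + bonus.get(f.vuln_id, 0.0)
              for f in findings if not f.patched}
    return sorted(scored, key=lambda v: -scored[v])


def chain_break_candidates(findings):
    """Single patches that would remove every complete chain, sorted by id."""
    if not chains(findings):
        return []
    out = []
    for f in findings:
        if f.patched:
            continue
        trial = [replace(g, patched=True) if g.vuln_id == f.vuln_id else g
                 for g in findings]
        if not chains(trial):
            out.append(f.vuln_id)
    return sorted(out)


if __name__ == "__main__":
    print("severity only :", by_cvss(FINDINGS))
    print("chain aware   :", chain_aware_rank(FINDINGS))
    print("chain breakers:", chain_break_candidates(FINDINGS))
```

With the constructed inventory, severity-only ranking puts the isolated 9.8 deserialization flaw first and the 5.9 trust-boundary flaw last, while the chain-aware ranking lifts all three gateway findings because together they form a complete path; `chain_break_candidates` then shows that fixing any one of the three, not necessarily the highest-scored, removes the chain. In a real programme the stage model, the bonus weight and the asset grouping would come from the organisation's own attack-path analysis rather than the fixed assumptions used here.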


When Ransomware Became Information Warfare


The most disturbing case study in the report is the “DOGE Big Balls” campaign.

Unlike traditional ransomware, this operation blended encryption with disinformation, personal harassment, and false attribution narratives.


The campaign weaponized public information, injected conspiracy themes into ransom communications, and attempted to manipulate media narratives.


Securin describes this as a watershed moment: ransomware operating simultaneously across technical, psychological, and political dimensions.


At that point, ransomware stops being just a cybersecurity issue. It becomes a governance and resilience problem.


The Five Pillars of Modern Ransomware


Securin’s analysis resolves 2025 activity into five structural pillars:

  1. Platform convergence and cross-system exploitation

  2. Supply chain weaponization and trust exploitation

  3. Psychological operations integration

  4. Infrastructure specialization

  5. Economic optimization and strategic targeting


These pillars explain why traditional perimeter security models continue to fail.

Modern ransomware assumes breach. It exploits trust relationships. It applies pressure across infrastructure and narrative layers.


2026: Resilience Over Prevention


The report closes with a stark conclusion: ransomware is now a pressure strategy, not merely a malware problem.


Traditional intrusion prevention is insufficient. Organizations must design operations to continue functioning under active attack.


Zero-trust architectures, identity hardening, behavioral analytics, rapid isolation capabilities, and crisis-ready leadership are no longer advanced maturity markers. They are baseline requirements.


The environment that emerged in 2025 is unlikely to recede. AI will continue compressing attacker economics. Hybrid actors will continue consolidating power. Trust relationships will remain prime targets.


Ransomware did not just evolve this year. It matured.


And for defenders heading into 2026, resilience is no longer optional.
