By Spencer Young, SVP EMEA & APAC at Delinea
Ransomware continues to pose a serious and growing threat to organisations of all sizes. While some progress has been made in how businesses respond, particularly in the number choosing not to pay ransom, the pace and scale of attacks is increasing. According to Delinea’s 2025 State of Ransomware Report, 69 percent of organisations experienced a ransomware breach in the past year, with more than one in four hit multiple times.
These figures reflect how much the threat has evolved. Ransomware is no longer a one-off disruption. It is an ongoing risk, with attackers constantly shifting tactics and exploiting gaps in defences. AI is playing a major role in this evolution, helping attackers move faster and with more precision. Yet in many organisations, preventative security measures are still lagging.
Paying less, but the problem is not going away
Our research found that just 57 percent of organisations paid ransom following an attack last year, down from 76 percent the previous year. This is a positive trend and suggests more businesses are investing in recovery plans and listening to guidance from authorities. However, fewer payments have not led to fewer attacks.
Instead, ransomware groups are relying more heavily on extortion. The threat of stolen data being leaked is now central to most campaigns, with the majority of victims being threatened with data exposure and having their data stolen at the point of attack. This approach gives attackers new leverage, especially over organisations that hold sensitive or regulated data.
Even when ransoms are paid, the outcome is far from guaranteed. A quarter of organisations that paid did not recover all of their data. This highlights the importance of strengthening threat detection and response, rather than relying on payment as a way to resolve incidents.
Boards are paying attention, but gaps remain
These developments are significantly contributing to increased awareness among senior leadership. Nine in ten executives expressed concern about ransomware, and more board members are recognising the wider business risks these attacks present.
However, what is most troubling is that the concern does not always translate into action. Despite the growing impact of ransomware, key preventative measures are still underused. Key security measures, such as least privilege access and application control are still not used widely. These are basic yet effective controls that limit how far an attacker can move through a network once inside.
In an environment where ransomware is more targeted and persistent, these gaps in coverage leave organisations more vulnerable than ever. It also puts more pressure on IT and security teams to contain the fallout when an attack does occur.
AI is changing the dynamic
AI is being used by both attackers and defenders. On the attacker side, AI helps automate reconnaissance, write convincing phishing emails, and generate fake content such as audio or video to impersonate trusted individuals. This speeds up the attack process and makes it easier for threat actors to reach larger numbers of targets with minimal effort.
Most organisations are now using AI as part of their defence strategies. In many cases, this involves integrating AI tools into security operations centres, where they help detect unusual behaviour, identify indicators of compromise, and prioritise incidents. AI is also playing an increasing role in access management, where it supports real-time monitoring and policy enforcement.
The challenge is that attackers are constantly adapting, and AI lowers the barrier to entry for less skilled actors. This puts pressure on businesses to improve their detection speed and automate responses wherever possible.
Identity continues to be the weak point
Most ransomware attacks begin with a compromised identity. Whether credentials are stolen through phishing, purchased from criminal forums, or obtained using social engineering, they provide a simple and effective way for attackers to gain access.
This makes identity security one of, if not the most important defences an organisation can have. Practices such as least privilege access, privileged access management and strong authentication significantly reduce the chance of lateral movement or privilege escalation once an attacker is inside. When combined with AI-driven monitoring, these controls also improve an organisation’s ability to detect abnormal behaviour early.
As identity continues to remain a weak spot for many organisations, even as other areas of cyber security mature, improving this area simply has to be a priority for any business looking to reduce risk and improve resilience.
From concern to prevention
Ransomware is no longer just a technical, one-off issue that can be dealt with by paying the ransom after the first successful compromise, data back-ups, or insurance policies. It is an on-going strategic business risk that affects operations, customer trust, financial performance and long-term planning. While awareness is improving at executive level, there is still work to be done to close the gap between concern and preparedness.
Identity security, supported by AI and built on the fundamental principle of attack prevention, gives organisations a clearer path forward. It is no longer enough to rely on backups or response plans alone. The goal now must be to stop attackers gaining access in the first place, or at the very least, limit their ability to do damage once inside.
The next phase of ransomware defence is not about reacting faster but about preventing more. And that starts with identity.
