Ransomware threats expanding


Just as companies continually find ways to improve their defense against cyberattacks, those responsible for such attacks keep finding new techniques to use and weaknesses to exploit. Especially troubling: Cybercriminals are becoming faster and more efficient.

The average breakout time — how long it takes for an attacker to “move laterally from the initial foothold to high-value assets” — dropped from 62 minutes in 2023 to 48 minutes in 2024, an all-time low, according to CrowdStrike. In one particularly devastating case, an attacker broke out in just 51 seconds.

A number of cyber claims Lockton has helped to resolve in the last year highlight the wealth of opportunities presented by artificial intelligence (AI), which cyberattackers are using to carry out attacks and refine their methodologies. AI, for example, is increasingly being used to evade detection by analyzing corporate cybersecurity defenses and to develop polymorphic malware that continuously adapts to defeat those defenses.

Attackers are also using AI to:

  • Simulate behaviors of legitimate users, enabling greater control and access to data and assets.
  • Comb the internet and social media to identify potentially lucrative targets.
  • Analyze corporate websites and other content to create bespoke, personalized phishing emails.

These advanced techniques continue to fuel large ransomware payments. In 2025, the median ransomware payment is $1 million, according to Sophos. Although this is half of the $2 million average payment made in 2024, it's still a sizable sum that can adversely affect many organizations' bottom lines. Beyond ransom payments, ransomware recovery costs can also be sizable. (See Figure 1.)

Beyond AI, attackers are experimenting with or growing more proficient in using several other techniques. These include:

Leak and shame sites.

In double extortion attacks, threat actors simultaneously encrypt data to hold for ransom and exfiltrate data they can expose on the dark web or sell to a third party. In recent years, attackers have increasingly operated dedicated websites through which they can publicly display exfiltrated personally identifiable information (PII), personal health information (PHI), and other sensitive information. The threat that sensitive data and information will appear on such sites provides attackers with more leverage against ransomware targets.

Triple extortion.

Triple extortion adds a third element beyond double extortion. Attackers could, for example, carry out a second attack on a target, such as a distributed denial-of-service attack or encrypting additional systems; attack a related organization; or blackmail individuals whose PII and PHI have been exfiltrated.

Cloud computing and software as a service (SaaS) data theft.

As more companies employ cloud computing and SaaS, cybersecurity has become more complicated. Defense against attacks is the shared responsibility of both the cloud/SaaS providers and their customers. Gaps in that shared responsibility can yield opportunities that savvy attackers can exploit.

In September 2023, for example, cybercrime group Scattered Spider gained access to MGM Resorts’ network and cloud environments through a SaaS tool, after which the group deployed ransomware to encrypt the company’s systems. The attack led to operations at dozens of resorts being disrupted for more than a week and the exposure of 37 million travelers’ personal information. A class-action lawsuit by the victims of the breach was settled in March 2025 for $45 million.

Decentralized ransomware as a service (RaaS) networks.

RaaS, which mimics SaaS models employed by legitimate businesses, has enabled virtually anyone to carry out ransomware attacks with relative ease, allowing individuals and groups to obtain ransomware code and malware from other hackers for a small fee. The decentralized nature of RaaS — countless individuals and affiliate groups, operating independently — makes it extremely challenging for businesses, cybersecurity consultants, and law enforcement to identify attackers and discern attack patterns.

Zero-day exploitation.

Ransomware group affiliates are increasingly taking advantage of software vulnerabilities that were previously unknown to developers and users. In mid-2023, for example, ransomware group CL0P exploited a zero-day vulnerability to steal data from 2,700 corporate users of a file transfer company, exposing the personal information of almost 100 million individuals.

© 2025 Lockton Companies. All rights reserved.