
AI-Driven Ransomware: A New Turning Point for Defense and Response

PAGO Gartner Security & Risk Management Summit On-Site Report


PAGO is attending the 2026 Gartner Security & Risk Management Summit in National Harbor, Maryland, to gain deeper insight into how enterprise cybersecurity priorities are evolving. Through this on-site report series, we are sharing key takeaways from discussions shaping the future of security operations and risk management.


This article is based on the session “Ransomware Reloaded: How AI Is Reshaping the Threat and the Defense” presented by Paul Furtado. The presentation explored how artificial intelligence is changing both ransomware operations and defensive strategies, and what security organizations should focus on as response windows continue to shrink.


Gartner SRM 2026 "Ransomware Reloaded" session by Paul Furtado.


At the beginning of the presentation, Furtado referenced a reported incident in which a Hong Kong company transferred approximately $25 million after employees participated in a video conference featuring AI-generated impersonations of executives. He described the event as a failure of trust, validation, and internal controls.


The incident illustrates how AI-driven social engineering is already creating real business impact. Threat actors are using AI to improve the scale, speed, and effectiveness of activities that were previously more time-intensive and difficult to execute. A recurring theme throughout the presentation was the growing speed of modern cyberattacks. AI is helping adversaries automate reconnaissance, vulnerability exploitation, lateral movement, and other stages of an intrusion. As a result, ransomware campaigns can move from initial access to data theft and extortion far more quickly than many organizations expect.


Today's ransomware operations extend well beyond file encryption. Data exfiltration, double extortion, triple extortion, and reputational pressure are now common elements of ransomware campaigns. As generative AI and automation become more widely adopted, security operations require the ability to assess threats, prioritize actions, and make informed decisions within shrinking response windows.


How AI Compresses the Ransomware Timeline

One of the key messages from the presentation was that AI is not introducing an entirely new ransomware model. Its influence is most visible in the speed and efficiency of existing attack workflows.


Threat actors continue to follow familiar attack paths. Initial access, execution, persistence, discovery, lateral movement, data exfiltration, encryption, and extortion remain core stages of a ransomware operation.

AI helps attackers move through these stages faster and with greater efficiency.


Research referenced during the presentation suggested that AI's current impact is most visible in enhanced social engineering, operational efficiency, and the broader accessibility of cybercrime capabilities. Rather than conducting fully autonomous attacks, AI is helping adversaries perform target research, create phishing content, improve malicious code, and automate reconnaissance activities.


Furtado emphasized that organizations should pay close attention to this shift in speed. As attackers automate more tasks throughout the intrusion lifecycle, defenders have less time to investigate alerts and determine appropriate actions. This places greater importance on understanding how multiple events connect to a larger attack sequence. Event timing, asset criticality, account privileges, and network movement patterns all contribute to a more complete understanding of risk.


Organizations that can quickly triage activity and identify high-risk attack flows are better positioned to interrupt ransomware operations before significant damage occurs.


When Data Exfiltration Takes Only 72 Minutes

Another key takeaway focused on the shrinking gap between compromise and data theft. Detecting an alert is only one part of the response process. Once an attacker gains access, security teams must determine whether an alert represents a genuine compromise, identify affected assets, assess the scope of exposure, and decide whether containment measures are required. Delays at any stage give attackers more time to advance through the environment.



Research from Unit 42 referenced during the presentation showed that in some incidents, the fastest 25% of intrusions reached data exfiltration within just 72 minutes.


As attackers move through environments more quickly, organizations need stronger capabilities for correlating multiple signals into a single attack narrative. Reviewing alerts individually provides only part of the picture. For example, abnormal logins, PowerShell execution, internal scanning activity, large-scale file compression, and unusual data transfers occurring within a short timeframe may indicate preparation for a ransomware attack. The level of risk rises further when critical systems or privileged accounts are involved.
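The correlation idea above, as an added illustration that is not part of the session or of PAGO's tooling: per-account events are sorted, a time window is slid over them, and a chain is flagged only when several distinct intrusion stages appear together, with the score raised when a critical host or a privileged account is involved. The event names, the 72-minute window (borrowed from the Unit 42 figure quoted here), the host and account lists, and the sample events are all constructed for the example; the stage map also includes two identity-side event types so the same logic covers MFA and privilege-change signals.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Tuple: (timestamp, account, host, event_type)
SAMPLE_EVENTS = [
    ("2026-06-10T09:02:00", "jdoe", "ws-114", "abnormal_login"),
    ("2026-06-10T09:09:00", "jdoe", "ws-114", "powershell_exec"),
    ("2026-06-10T09:21:00", "jdoe", "ws-114", "internal_scan"),
    ("2026-06-10T09:40:00", "jdoe", "file-srv-01", "bulk_compression"),
    ("2026-06-10T09:58:00", "jdoe", "file-srv-01", "large_outbound_transfer"),
    ("2026-06-10T13:00:00", "asmith", "ws-207", "powershell_exec"),  # routine admin use
    ("2026-06-10T17:30:00", "asmith", "ws-207", "abnormal_login"),   # hours later, not chained
]

# Hypothetical context lookups (in practice: CMDB and IAM data).
CRITICAL_HOSTS = {"file-srv-01", "dc-01"}
PRIVILEGED_ACCOUNTS = {"jdoe"}

# Map raw event types to intrusion stages; a chain needs several distinct stages.
STAGE_OF = {
    "abnormal_login": "initial_access",
    "mfa_anomaly": "initial_access",
    "powershell_exec": "execution",
    "internal_scan": "discovery",
    "privilege_change": "privilege_escalation",
    "bulk_compression": "staging",
    "large_outbound_transfer": "exfiltration",
}

def correlate(events, window=timedelta(minutes=72), min_stages=3):
    """Return one scored finding per account whose events form a multi-stage chain."""
    by_account = defaultdict(list)
    for ts, acct, host, etype in events:
        by_account[acct].append((datetime.fromisoformat(ts), host, etype))
    findings = []
    for acct, evs in by_account.items():
        evs.sort()  # chronological order
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            stages = {STAGE_OF[e[2]] for e in in_window if e[2] in STAGE_OF}
            if len(stages) < min_stages:
                continue  # isolated alerts: not enough of a narrative to escalate
            hosts = {e[1] for e in in_window}
            score = len(stages)
            score += 2 if hosts & CRITICAL_HOSTS else 0         # critical asset touched
            score += 2 if acct in PRIVILEGED_ACCOUNTS else 0    # privileged identity
            findings.append({"account": acct, "start": t0.isoformat(), "score": score,
                             "stages": sorted(stages), "hosts": sorted(hosts)})
            break  # first qualifying window per account is enough for triage
    return findings
```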


In these situations, defenders need context that helps them understand threat progression, assess business impact, and determine response priorities. Investigation speed, containment decisions, and escalation criteria now play a central role alongside detection accuracy.


Deepfakes and Identity Fraud as Initial Access Vectors

Social engineering remains one of the most effective entry points for ransomware operators, and AI is making these attacks more convincing and more targeted.


Traditional phishing campaigns often relied on broad distribution and generic messaging. AI and machine learning allow attackers to create highly personalized content tailored to an individual's role, responsibilities, and business context. Information gathered from social media platforms, company websites, press releases, technical blogs, and employee profiles can be combined to create messages that closely resemble legitimate communications.


Email is only one part of the challenge. Identity fraud, deepfakes, voice impersonation, and agentic profiling are becoming more accessible through AI. Furtado noted that even short voice samples may be sufficient to imitate an individual's speech patterns, creating new opportunities for highly targeted social engineering campaigns.



These techniques are particularly relevant because successful social engineering often serves as the starting point for broader compromise activity. Credential theft, account access, MFA bypass attempts, SaaS access, internal system access, and privilege escalation can all follow a successful impersonation attack.


For security organizations, phishing-related incidents should be evaluated within a broader operational context. Suspicious emails, voice impersonation attempts, login activity, MFA events, SaaS access patterns, privilege changes, and data access behavior should be analyzed together. The objective is to determine whether these activities form part of a larger ransomware operation rather than evaluating each event independently.


AI Defense Still Depends on Security Fundamentals

Although AI is enhancing both the sophistication and pace of attacks, the presentation emphasized that strong security fundamentals remain essential. Many successful compromises still originate from gaps in basic security controls.


Weak account protection, limited visibility, inconsistent policy enforcement, incomplete security tool coverage, and inadequate monitoring continue to create opportunities for attackers. Ransomware defense should be approached as a lifecycle that includes preparation, prevention, detection, mitigation, recovery, and root cause analysis.


Organizations often invest heavily in technology while operational readiness receives less attention. Effective incident response depends on clearly defined procedures that establish when accounts should be suspended, when systems should be isolated, and when recovery processes should begin. AI can support security operations in many areas, including log analysis, event correlation, investigation support, playbook recommendations, and initial triage activities.


Business context remains a key part of effective incident response. Environmental differences, operational requirements, account usage patterns, business impact considerations, and the risk of false positives all require human validation and judgment. AI can improve consistency and efficiency, while analysts provide the context and decision making needed for effective response.


The effectiveness of AI-driven defense ultimately depends on how well AI capabilities are integrated into operational processes.


Conclusion

AI is shortening attack timelines and helping threat actors operate with greater speed and precision. As a result, organizations need stronger visibility into attack progression, a deeper understanding of threat context, and the ability to make response decisions under tighter operational timelines.


Furtado emphasized that the future of AI in cybersecurity centers on augmentation and automation. AI can improve analysis, accelerate investigations, and support operational efficiency while security teams remain responsible for risk evaluation, impact assessment, and response decisions.


Organizations facing modern ransomware threats must rapidly identify attack progression, understand potential impact, and execute the right actions before attackers reach their objectives. As AI continues to influence both attack and defense operations, speed, context, and decision quality will play an increasingly important role in ransomware resilience.


Written by: Siwoo Lee, Threat Analyst | DeepACT MDR Center

