IT Brief Australia - Technology news for CIOs & IT decision-makers

AI & ransomware reshape cyber threat landscape, report finds

Thu, 13th Nov 2025

Cybercriminals are accelerating their exploitation techniques, consolidating alliances, and weaponising artificial intelligence to outpace defenders, according to recent data. The latest quarterly analysis from Rapid7 reveals the evolving landscape of cyber threats, highlighting a trend towards fileless ransomware, real-time vulnerability attacks, and AI-powered phishing campaigns.

Exploitation trends

Although the number of newly exploited vulnerabilities dropped 21% from the previous quarter, attackers have shifted focus to leveraging unpatched vulnerabilities, some more than ten years old. These historic weaknesses continue to serve as effective attack vectors, as demonstrated by widespread exploitation of Microsoft SharePoint and Cisco ASA/FTD products through recently disclosed critical vulnerabilities.

The report finds that the timeline between public vulnerability disclosure and active exploitation is narrowing rapidly, putting additional pressure on organisations to accelerate their remediation efforts.

"The moment a vulnerability is disclosed, it becomes a bullet in the attacker's arsenal," said Christiaan Beek, Senior Director of Threat Intelligence and Analytics, Rapid7.

"Attackers are no longer waiting. Instead, they're weaponising vulnerabilities in real time and turning every disclosure into an opportunity for exploitation. Organisations must now assume that exploitation begins the moment a vulnerability is made public and act accordingly," said Beek.

Ransomware alliances

The quarter witnessed a rise in the number of active ransomware groups, increasing to 88 from 65 in the previous quarter. The data illustrates a consolidation of ransomware syndicates, with organisations collaborating to merge infrastructure, tactics, and even public relations strategies in a bid to expand their influence and capabilities. Major groups such as Qilin, SafePay, and WorldLeaks have experimented with fileless strategies, data leaks, and affiliate service offerings, including ransom negotiation assistance. These alliances targeted sectors such as business services, manufacturing, and healthcare.

"Ransomware has evolved significantly beyond its early days to become a calculated strategy that destabilises industries," said Raj Samani, Chief Scientist, Rapid7.

"In addition, the groups themselves are operating like shadow corporations. They merge infrastructure, tactics, and PR strategies to project dominance and erode trust faster than ever," said Samani.

AI-driven threats

The report highlights the growing impact of generative AI in facilitating cybercrime. Threat actors are using AI tools to automate and enhance the sophistication of phishing scams and malware generation. Notably, malware variants such as LAMEHUG now have adaptive capabilities, allowing them to issue dynamic new commands and evade conventional detection mechanisms.

Generative AI is credited with lowering barriers to entry for would-be attackers by enabling the creation of convincing, high-volume phishing campaigns with minimal technical skill. This rapidly changing landscape presents fresh challenges for security professionals trying to protect their organisations from evolving attack methods.

Nation-state actors

Simultaneously, state-affiliated groups from Russia, China, and Iran continue to refine their approaches. These operators are shifting from overt espionage to complex campaigns that integrate both intelligence gathering and disruptive manoeuvres. These campaigns often focus on compromising supply chains and identity infrastructure, using stealthy methods to achieve persistence and evade detection for extended periods.

The findings underscore a broader need for organisations to adapt their defensive strategies to match the speed and sophistication of contemporary threats. Rapid7's quarterly analysis provides data-driven insight into how adversaries' tactics are evolving.
