
AI Is Supercharging Ransomware. How Your Backup and DR Strategy Should Evolve


Artificial intelligence is reshaping cybersecurity on both sides of the screen. Security teams are using AI to spot anomalies and automate response. Ransomware operators are doing the same to move faster, scale their attacks, and learn from every successful breach.

Recent research paints a clear picture. A joint study from MIT Sloan and Safe Security found that around 80 percent of analyzed ransomware attacks already use some form of AI, and that number is expected to grow. Acronis reports that publicly known ransomware victims increased by roughly 70 percent in early 2025 compared with the same periods in 2023 and 2024. Other threat reports from firms such as ReliaQuest show that average breakout time – the window between initial access and meaningful lateral movement – has dropped to about 18 minutes.

For IT and security teams, this means the gap between “something looks odd” and “critical systems are encrypted or data is gone” is getting smaller. The goal is not to panic, but to adjust. Backup and disaster recovery strategies need to reflect the reality of AI-powered attacks.

How attackers use AI today

AI adoption by cybercriminals is no longer theoretical. It shows up in day-to-day tradecraft.

Research from Anthropic and ESET highlights threat groups that use generative AI tools to design, refine, and even market ransomware. One group, referred to as GTG-5004, reportedly turned to AI assistants to help create and sell malicious code without deep in-house expertise. ESET also uncovered PromptLock, an AI-powered ransomware prototype that uses a local language model to generate scripts and decide which files to search, copy, or encrypt during an attack.

The “front end” of many compromises is changing as well. In the Acronis Cyberthreats Report H1 2025, social engineering and business email compromise campaigns increased from about 20 to more than 25 percent of observed attacks year over year. Phishing alone accounted for a quarter of all attacks, and more than half of the attacks targeting managed service providers. AI-generated lures, deepfake audio, and convincingly tailored messages are part of that trend.

Taken together, the pattern is clear. Attackers use AI to:

  • Automate reconnaissance and password guessing
  • Generate convincing phishing messages and voice or video deepfakes
  • Write and mutate malware to evade static detection
  • Build and operate ransomware-as-a-service platforms that lower the bar for new affiliates

When AI reduces the effort and expertise required to launch an attack, volume and variety grow. That is the environment defenders are living in today.

Automation and the shrinking response window

Threat intelligence from ReliaQuest and others shows how automation has changed the tempo of ransomware campaigns.

Analysts found that around 80 percent of the ransomware-as-a-service groups they examined now incorporate automation and AI in their tooling. Over a short period, average breakout time dropped from around 48 minutes in 2024 to roughly 18 minutes in mid-2025, with some cases progressing in as little as six minutes.

For defenders, that acceleration has practical consequences:

  • Manual investigation and approval for every containment action may simply be too slow.
  • By the time a human analyst has triaged an alert, ransomware operators may have moved laterally, escalated privileges, discovered key file shares, and started encrypting or exfiltrating data.
  • Even if endpoint protection eventually blocks execution, there is a real possibility that attackers have already deleted or corrupted accessible backups.

In short, automation on the attacker side should prompt a thoughtful review of how you protect backups and how you plan to use them under stress.

Why traditional backup thinking falls short

Many traditional backup strategies were built in an era of slower, more predictable threats. AI-accelerated ransomware breaks several of the assumptions that guided those designs.

Backups are now a primary target

Modern ransomware operators actively look for backup servers, storage repositories, and administrative consoles. Recent reports, including Zscaler’s ransomware analysis, highlight a strong shift toward extortion-driven attacks and data theft, with a steep rise in the amount of data stolen and an increase in public naming of victims. In a significant number of incidents, attackers quietly corrupt backups in advance or delete backup volumes at the moment they launch encryption.

Long dwell times contaminate restore points

AI-assisted tooling makes it easier for attackers to maintain low-profile access for weeks or months. That means backdoors, remote access tools, or dormant malware may exist inside your environment well before an obvious incident. When backups capture that environment, they can also capture the footholds an attacker has created.

Data theft changes what “success” looks like

Restoring systems quickly is still essential, but it is only part of the story. If sensitive data was quietly exfiltrated days or weeks earlier, you now have to consider legal requirements, contractual obligations, and customer communications. Backup and recovery plans need to account for this reality, not just for uptime.

Manual, ad hoc recovery is too slow

If attackers can move from initial access to meaningful lateral movement in minutes, recovery cannot depend on improvised runbooks and heroic effort. Teams need documented, rehearsed procedures aligned to clear priorities so that a stressful day does not become a chaotic one.

Four changes to make in your backup and DR strategy

The good news is that there are practical steps you can take to meet this moment with calm and clarity. To keep pace with AI-driven ransomware, consider these changes.

1. Shorten and tier your RPOs

Not every system requires the same recovery point objective, but your most critical services deserve more protection.

Reevaluate backup schedules for key databases, virtual machines, and SaaS platforms that support revenue, safety, or regulated information. Use a tiered model that gives your highest-value workloads more frequent backups and near-term snapshots. Where possible, separate credentials and infrastructure for these backup jobs so that a compromised general admin account cannot easily alter or disable them.

2. Enforce immutability and isolation

Immutability is a powerful safeguard when attackers move quickly and actively target backups.

Choose storage options and backup platforms that support immutable recovery points for a defined retention period. Combine that with:

  • Logical isolation of backup networks from production
  • Separate authentication paths and privileged accounts for backup administration
  • At least one copy of critical backups stored offsite or in a different security domain

The goal is to make it meaningfully harder for an attacker to encrypt or delete every viable restore point in a single move.
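As an added example (not from the original article and not CyberFortress code), the following audits a backup catalog against the first two changes: tiered RPOs and immutable, isolated copies. The tier names, RPO values, catalog fields and workload names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed tiers and RPO targets (not from the article); set yours per workload.
RPO_BY_TIER = {"tier1": timedelta(minutes=15), "tier2": timedelta(hours=4),
               "tier3": timedelta(hours=24)}

def audit(workloads, restore_points, now):
    """Return {workload: [findings]} for workloads that miss the policy."""
    findings = {}
    for name, tier in workloads.items():
        points = [p for p in restore_points if p["workload"] == name]
        issues = []
        newest = max((p["taken"] for p in points), default=None)
        if newest is None or now - newest > RPO_BY_TIER[tier]:
            issues.append("rpo_exceeded")
        # An immutable point only counts while its lock is still in force.
        locked = [p for p in points
                  if p["immutable_until"] and p["immutable_until"] > now]
        if not locked:
            issues.append("no_immutable_point")
        # Critical (tier1) data needs a locked copy outside the production domain.
        if tier == "tier1" and not any(p["domain"] != "production" for p in locked):
            issues.append("no_isolated_immutable_copy")
        if issues:
            findings[name] = issues
    return findings

# Constructed sample catalog (hypothetical workloads and timestamps).
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)

def rp(workload, minutes_ago, lock_days, domain):
    taken = NOW - timedelta(minutes=minutes_ago)
    until = taken + timedelta(days=lock_days) if lock_days else None
    return {"workload": workload, "taken": taken,
            "immutable_until": until, "domain": domain}

WORKLOADS = {"billing-db": "tier1", "file-share": "tier2", "wiki": "tier3"}
CATALOG = [
    rp("billing-db", 10, 14, "production"),  # fresh and locked, but same domain
    rp("file-share", 300, 0, "offsite"),     # 5 hours old and not immutable
    rp("wiki", 600, 30, "offsite"),          # within RPO, locked, isolated
]

if __name__ == "__main__":
    for workload, issues in audit(WORKLOADS, CATALOG, NOW).items():
        print(workload, issues)
```

Run against a real catalog export, a check like this shows which workloads would have no trustworthy restore point if the production security domain were compromised.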

3. Tie security signals to backup and DR actions

As attacks speed up, coordination between security, backup, and DR teams becomes more important.

When high-confidence alerts trigger, your environment should be able to respond with protective backup actions, such as:

  • Preserving recent snapshots beyond their normal retention
  • Capturing additional, immutable restore points before systems are shut down
  • Logging extra forensic details about affected workloads

Automation here does not replace people. Instead, it gives your team stronger options and better evidence once they begin to execute a response plan.
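As an added example (not from the original article and not any vendor's API), the following plans the three protective actions listed above for a single alert. The confidence threshold, lookback window, hold period, field names and sample records are assumptions constructed for illustration; the function only returns a plan, which a real integration would hand to the backup platform.

```python
from datetime import datetime, timedelta, timezone

MIN_CONFIDENCE = 0.9          # assumed cut-off for a "high-confidence" alert
LOOKBACK = timedelta(days=7)  # assumed window of recent snapshots to preserve
HOLD = timedelta(days=30)     # assumed extra retention for preserved snapshots

def protective_actions(alert, snapshots, now):
    """Return the list of backup actions to take for one security alert."""
    if alert["confidence"] < MIN_CONFIDENCE:
        return []
    actions = []
    for host in alert["hosts"]:
        for snap in snapshots:
            recent = now - snap["taken"] <= LOOKBACK
            if snap["host"] == host and recent:
                # Never shorten retention: keep the later of the two expiries.
                new_expiry = max(snap["expires"], now + HOLD)
                if new_expiry != snap["expires"]:
                    actions.append({"op": "extend_retention",
                                    "snapshot": snap["id"],
                                    "expires": new_expiry})
        # Capture current state before containment shuts the system down.
        actions.append({"op": "immutable_snapshot", "host": host})
        actions.append({"op": "log_forensics", "host": host,
                        "alert_id": alert["id"], "rule": alert["rule"]})
    return actions

# Constructed sample data (hypothetical hosts, ids and rule name).
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
SNAPSHOTS = [
    {"id": "s1", "host": "fs01", "taken": NOW - timedelta(days=1),
     "expires": NOW + timedelta(days=2)},
    {"id": "s2", "host": "fs01", "taken": NOW - timedelta(days=10),
     "expires": NOW + timedelta(days=1)},
    {"id": "s3", "host": "db01", "taken": NOW - timedelta(hours=2),
     "expires": NOW + timedelta(days=5)},
]
ALERT = {"id": "A-1", "rule": "mass-file-rename", "confidence": 0.95,
         "hosts": ["fs01"]}

if __name__ == "__main__":
    for action in protective_actions(ALERT, SNAPSHOTS, NOW):
        print(action)
```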

4. Rehearse AI-era recovery scenarios

Regular DR testing is one of the most supportive things you can do for your future self and your colleagues.

Design tabletop exercises and limited-scope failover tests with three assumptions in mind:

  • Some backups may be unavailable or untrustworthy because attackers touched them
  • At least one domain or management system could be compromised
  • Data theft is a real possibility, not only encryption

Working through these scenarios in a controlled setting helps you uncover gaps in tooling, documentation, and communication long before an actual incident.

What “AI-ready” backup and recovery looks like with CyberFortress

Responding effectively to AI-powered ransomware requires more than a storage platform. It calls for a recovery strategy built around speed, integrity, and human clarity.

CyberFortress BaaS

CyberFortress Backup as a Service helps organizations implement policy-driven, immutable backups with offsite protection and logical separation from production. This design reduces the chance that attackers can tamper with every copy of your data, even if they gain privileged access in part of your environment.

CyberFortress DRaaS

Disaster Recovery as a Service focuses on orchestrated failover for critical workloads. By defining applications, dependencies, and priorities ahead of time, your team can move from detection to recovery using repeatable runbooks instead of improvising while pressure is high.

CyberFortress BRaaS

Backup Recovery as a Service provides planning, testing, and guidance so you can validate that your strategy holds up against realistic scenarios, including fast-moving, AI-assisted attacks. This work includes mapping business processes to technical components, setting practical RPO and RTO targets, and conducting meaningful recovery exercises.

AI is helping attackers move faster and hit harder, but it also gives defenders a clear reason to strengthen their foundations. A thoughtful backup and disaster recovery strategy, grounded in real-world risk and tested ahead of time, can turn a frightening headline into a challenge you are prepared to meet.

If you would like to review whether your current backup and DR approach is ready for this new wave of ransomware, a conversation with a CyberFortress backup expert is a supportive next step.