Ransomware attackers shifted tactics in the second quarter of the year, increasingly leveraging AI-driven tools and organized crime cartels. At the same time, the willingness of victim companies to pay ransoms has dropped sharply, according to a new report from Check Point Research.
In Q2 2025 the ransomware landscape changed significantly. AI is now actively used to generate malicious code and craft tailored extortion messages. One example is the ransomware group Global Group, which offers “AI-assisted negotiation support” that automatically adjusts extortion strategies to maximize ransom demands. This trend allows cybercriminals to scale attacks quickly and reach more victims.
A new form of ransomware cartel is also emerging, with the group DragonForce standing out. Rather than directing operations centrally, DragonForce gives its affiliates freedom to choose their own targets and tactics while providing access to the cartel’s advanced ransomware tools and branding. This decentralized structure makes the threats harder to trace and to disrupt.
At the same time, willingness to pay ransoms among affected companies has fallen by roughly 25 percent, largely due to improved security practices and growing distrust in attackers’ promises to restore or protect stolen data.
“The trend is worrying but clear,” says Fredrik Sandström, a security expert at Check Point Software. The combination of AI and increased professionalization among cybercriminals raises the bar for organizations, forcing them to adopt more proactive and sophisticated security measures.
Companies should respond by strengthening preventive controls, improving incident detection and response capabilities, and investing in immutable backups and robust restoration processes. Better cyber hygiene, comprehensive employee training, and rapid threat intelligence sharing are also key to reducing the effectiveness of these increasingly automated and organized extortion schemes.
The report highlights several actionable steps for defenders: prioritize network segmentation to limit lateral movement, apply strict access controls and multi-factor authentication, regularly test backup integrity and recovery procedures, and use threat-hunting techniques to detect early indicators of compromise. Combining these measures with continuous monitoring and patch management helps reduce attack surfaces and the likelihood of successful ransomware incidents.
As ransomware groups adopt AI to optimize their campaigns and cartel-like models provide scale and anonymity, organizations must treat ransomware as a strategic risk. Board-level engagement, regular tabletop exercises, and investment in technologies that automate detection and response will be crucial. Collaboration across the industry and sharing of threat intelligence can further help defenders stay ahead of these evolving threats.
For the full findings and detailed recommendations, consult the Check Point Research report available on Check Point Software’s blog.