Today we’re joined by Dominic Jainy, an IT professional whose work at the intersection of artificial intelligence, machine learning, and blockchain provides a unique lens on the evolving digital threat landscape. We’ll be exploring the seismic shifts in ransomware tactics, from attackers leveraging AI to compress attack timelines to their use of remote encryption and legitimate IT tools to remain undetected. Our conversation will delve into why 2025 has become the most severe year on record for these attacks and what organizations must do to build a resilient defense against these faster, stealthier, and more disruptive cybercrimes.
With remote encryption making up 86 percent of ransomware activity in 2025, how are attackers leveraging unmanaged or shadow IT systems for these strikes, and what steps can security teams take to gain visibility into these blind spots? Please provide a specific example.
It’s a chillingly effective tactic that has completely changed the game. Attackers are exploiting the chaos of modern IT environments. Imagine a developer spinning up a test server for a short-term project and then forgetting about it. That server isn’t patched, monitored, or managed by the central security team. Attackers find this forgotten device, compromise it, and use it as an internal launchpad. From there, they can push encryption commands across the network to your most critical, protected servers. Because the malicious process isn’t running on those core systems, your endpoint security sees nothing wrong. You’re left feeling the devastating impact of the encryption without a clear source, like a ghost in your machine. The first and most critical step for security teams is to assume these blind spots exist and actively hunt for them. Comprehensive asset discovery and network mapping are no longer just good housekeeping; they are fundamental to survival.
Adversaries are increasingly using legitimate IT tools and stolen credentials to blend in, often operating at night or on holidays. Can you describe what this “living off the land” approach looks like in practice and how defenders can distinguish malicious activity from normal network traffic?
This “living off the land” approach is what makes these new attacks so insidious. The adversary is no longer a bull in a china shop, dropping obvious malware. Instead, they are a whisper, using the very tools your own administrators use every day. Picture this: it’s 3 a.m. on a Sunday. An attacker uses stolen credentials for a legitimate IT account to log in. They use PowerShell to move through the network and access file shares, just as an admin might. They aren’t triggering malware alerts because, technically, no malware is being used. Distinguishing this requires a shift from looking for “bad files” to looking for “bad behavior.” You have to have systems that can ask intelligent questions in real time: Why is this admin account, which usually works 9-to-5, suddenly disabling backup services on a holiday? Why is it attempting to access a hundred thousand files in a minute? It’s the context and timing that betray them, and that’s why having experts watching and responding around the clock is so vital—the signs are incredibly subtle and easy to miss.
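One way to turn the "bad behavior" questions above into detection logic, as an added example that is not part of the interview: a small Python detector run over constructed log events that flags logons outside an account's baseline hours, stops of backup-named services, and bursts of file access. The account baseline, holiday calendar, service name and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Per-account baseline (constructed): normal working hours and whether
# weekend/holiday activity is expected. A real deployment would learn this.
BASELINE = {"backup_admin": {"hours": (9, 17), "weekdays_only": True}}
HOLIDAYS = {"2025-12-25"}  # constructed holiday calendar

# Constructed sample events (not from the interview): (ISO timestamp, account, action, detail).
# The backup-admin account logs on at 03:01 on a Sunday, stops a backup
# service, then touches a file share 250 times in 25 seconds.
EVENTS = [
    ("2025-12-07T03:01:10", "backup_admin", "logon", "jump-host-01"),
    ("2025-12-07T03:03:40", "backup_admin", "service_stop", "BackupAgentSvc"),
    ("2025-12-09T10:15:00", "backup_admin", "logon", "jump-host-01"),  # benign weekday logon
]
_burst_start = datetime.fromisoformat("2025-12-07T03:04:02")
EVENTS[2:2] = [((_burst_start + timedelta(milliseconds=100 * i)).isoformat(),
                "backup_admin", "file_access", r"\\fs01\finance") for i in range(250)]

def outside_baseline(ts, account):
    """True when activity falls outside the account's normal hours or days."""
    base = BASELINE.get(account)
    if base is None:
        return False
    start, end = base["hours"]
    off_day = base["weekdays_only"] and (ts.weekday() >= 5 or ts.date().isoformat() in HOLIDAYS)
    return off_day or not start <= ts.hour < end

def detect(events, burst_threshold=200, window=timedelta(seconds=60)):
    """Return (timestamp, account, reason, detail) alerts for the behaviours described above."""
    alerts, recent, burst_fired = [], defaultdict(deque), set()
    for ts_str, account, action, detail in events:
        ts = datetime.fromisoformat(ts_str)
        if action == "logon" and outside_baseline(ts, account):
            alerts.append((ts_str, account, "logon outside baseline hours", detail))
        elif action == "service_stop" and "backup" in detail.lower():
            reason = "backup service stopped"
            if outside_baseline(ts, account):
                reason += " outside baseline hours"
            alerts.append((ts_str, account, reason, detail))
        elif action == "file_access":
            q = recent[account]
            q.append(ts)
            while ts - q[0] > window:  # drop accesses older than the sliding window
                q.popleft()
            if len(q) >= burst_threshold and account not in burst_fired:
                burst_fired.add(account)  # alert once per account, not once per access
                alerts.append((ts_str, account, f"{len(q)} file accesses within {window.seconds}s", detail))
    return alerts
```

Running `detect(EVENTS)` yields three alerts (the off-hours logon, the backup service stop, and the access burst) and stays silent on the weekday logon.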
AI agents can now reportedly create exploits in minutes and run multiple intrusions autonomously. How does this compress the typical attack timeline from discovery to extortion, and what new defensive strategies are essential for countering these machine-speed threats?
The introduction of AI has put the entire attack lifecycle on hyper-speed. In the past, a skilled human attacker might spend days or weeks on reconnaissance, finding a vulnerability, and then carefully moving through a network. Now, an AI agent can take a newly announced vulnerability, create a working exploit for it in minutes, and then autonomously launch coordinated attacks against thousands of potential targets simultaneously. The timeline from initial breach to the final extortion demand can shrink from days to mere minutes. A single operator, armed with these AI tools, can now execute an operation with the scale and speed that was once reserved for massive, state-sponsored teams. The only effective defense against a machine-speed threat is a machine-speed response. This means moving beyond manual intervention to automated containment. Your defensive systems must be empowered to not just detect an anomaly but to instantly isolate affected endpoints, sever malicious connections, and trigger recovery protocols without waiting for human approval. When the entire attack unfolds in less time than it takes to get your incident response team on a conference call, automation is your only hope.
Given that intrusions often progress before security teams realize an incident is underway, what practical, step-by-step measures should an organization take to protect its recovery paths and backups from being disabled by attackers? Could you walk us through the first three critical actions?
This is absolutely crucial because attackers know that if they can destroy your ability to recover, their ransom demand becomes almost impossible to refuse. The first critical action is to enforce architectural separation. Your backups should not exist on the same network or use the same authentication credentials as your primary environment. Think of it as an airlock; there should be no simple path from one to the other. Second, you must implement immutability. This means creating backup copies that cannot be altered or deleted for a set period, even by an administrator with the highest level of privileges. This creates a version of your data that is untouchable by the attacker. And third, you need to relentlessly test your recovery plan. It’s not enough to have backups; you must regularly and rigorously attempt to restore from them to ensure they work and that your team knows the procedure cold. An untested backup is just a hope, not a strategy.
What is your forecast for ransomware?
My forecast is that the line between sophisticated state-level cyber warfare and mainstream cybercrime will continue to blur, largely driven by the proliferation of AI. We are entering an era where ransomware operations will be executed with terrifying autonomy and scale, making them more frequent and far more disruptive. Attacks that impact entire supply chains or critical infrastructure in 135 countries will become more common, not less. The barrier to entry for causing widespread chaos is dropping precipitously. Consequently, the focus for defenders must shift from prevention alone to an assumption of breach. Resilience—the ability to fight back, restore operations, and continue functioning in a degraded state—will become the single most important cybersecurity metric. It will no longer be about building an impenetrable wall, but about being able to withstand the inevitable siege.
