In 2025, Ransomware as a Service (RaaS) underwent a profound shift from opportunistic, volume-driven attacks to highly targeted precision strikes, enabling affiliates to focus on high-value organisations with tailored reconnaissance and rapid execution.
This evolution has accelerated the industrialisation of cybercrime, lowering barriers for even low-skilled operators while amplifying disruption.
As we look to 2026, artificial intelligence is poised to supercharge the entire RaaS ecosystem—from automated victim selection and vulnerability exploitation to AI-driven phishing, polymorphic malware, and even autonomous extortion negotiations—making attacks faster, more evasive, and harder to trace.
For CISOs and cybersecurity leaders in Asia, where rapid digital transformation in sectors like finance, manufacturing, and critical infrastructure has outpaced mature defences in some markets, this convergence demands urgent attention. Prioritising cyber resilience, supply chain scrutiny, and AI-enhanced detection will be essential to counter these sophisticated threats in 2026.

In an exclusive interview with FutureCISO, Martin Zugec, technical solutions director at Bitdefender, emphasised two major trends observed in 2025: opportunistic initial access combined with highly targeted execution. These developments underscore the industrialisation of cybercrime and the need for proactive, prevention-focused defences.
Opportunistic initial access and targeted execution
Zugec highlighted a fundamental shift in attack entry points. “Initial access is much more opportunistic than it used to be in the past, but the execution of the attack, the second stage, once they get inside, is much more targeted than it used to be,” he said. Attackers now exploit widely used software vulnerabilities as soon as proof-of-concept code emerges, rather than targeting specific organisations.
He explained: “Anytime there is one of these vulnerabilities… all the big cybercriminal groups are going to pretty much monitor the situation, and as soon as they have functional code, proof-of-concept code that they can use. They just compromise all the companies that are using that software.” Once inside, attackers focus on critical infrastructure to cause maximum disruption while maintaining secrecy, limiting negotiation leverage.
This rapid exploitation trend has accelerated since 2022, with mainstream adoption by 2025. Zugec noted that patching cycles have shrunk dramatically: “Today, you are down to less than 24 hours for the patching. That is the reality of 2025.”
Independent research supports this, with reports indicating that almost 30% of known exploited vulnerabilities are weaponised within 24 hours of disclosure.
The industrialisation of cybercrime
The industrialisation of cybercrime is directly reflected in Zugec’s observations about the maturation of RaaS into a gig-economy-like model, where low-skilled affiliates can execute sophisticated attacks using standardised playbooks.
He described the ecosystem as operating “really the same way as Uber or Airbnb,” with affiliates acting as the “drivers” who carry out hands-on operations. He further noted that “all of them are following very similar playbooks,” and “one of the groups discovered new attack, new technique, all of them are going to copy it.”
This rapid dissemination of techniques across groups is a hallmark of industrialised operations, enabling even less experienced actors to achieve high-impact results.
Rethinking business continuity for total paralysis
Precision ransomware targets infrastructure for total operational paralysis, rendering traditional business continuity plans (BCPs) inadequate. Zugec warned that attackers routinely compromise backups: “Every single ransomware group that we are tracking from the top 10… is going to cook up your backups.”
He added that backups, historically designed for natural disasters or errors, fail against malicious actors: “The window of opportunity is up until the attackers get the required permissions on your systems. But once they have it, once they launch the attack, it's really, really hard to get back.”
Zugec urged a shift to prevention: “CISO needs to do is they need to start designing their environments to be hostile for these attackers, to be unpredictable, to have honeypots deployed… start locking down the environment, start hardening it, start making it unpredictable for the attackers.”
The rise of AI-powered precision ransomware
The rise of AI-powered precision ransomware builds on the 2025 shift to targeted, infrastructure-focused attacks, which Zugec predicts will continue and intensify into 2026.
While he remains sceptical about widespread offensive AI use today (“We have not seen any attackers in real life using AI”), he highlights emerging risks from agentic AI and rushed deployments creating “long-term security debt.”
The precision aspect is evident in his description of attackers moving from mass encryption to “much more targeted” strikes on critical infrastructure, aiming for “total operational paralysis.”
Zugec described himself as an “AI realist,” noting that AI-generated attacks remain “technically on lower-level text compared to attacks done by humans.”
Defensive AI, he argued, is mature: Bitdefender has used AI since 2008 and adversarial networks since 2019. Polymorphism, often hyped as AI-driven, has existed for over a decade. Real risks lie in agentic AI deployments: “Most of the deployments that exist are unsecured, and the protocol itself… the security included is optional.”
Third-party reports align with Zugec's caution: few real-world AI-powered ransomware cases were observed in 2025, and those were often limited to proofs of concept.
Supply chain risks and third-party AI usage
Supply chain attacks remain challenging. Zugec noted upstream compromises like SolarWinds and daily incidents involving vendors, and said generative AI worsens the problem: “Gen AI is making this problem even worse than it was before… a lot of organizations are creating really long-term security debts with approach to AI.”
Large firms have robust processes, but smaller vendors rush implementations: “These smaller companies are taking shortcuts because they have to.” This trend is supported by reports of supply chain attacks doubling since April 2025.
Living-off-the-land dominance and detection challenges
Most attacks are malware-free: “84% of [incidents] were using this living off the land attack techniques,” Zugec said, citing Bitdefender research on 700,000 incidents. Attackers use built-in tools to target domain controllers and backups.
Detection requires human oversight: “If you don't have anyone monitoring these environments, you will not even know someone is in your network.” Zugec recommended cyber threat intelligence and EDR/XDR with monitoring, ideally via MDR for smaller organisations.
Building effective security teams
Zugec advised evaluating teams on people, processes, and technology: “If anyone tells you, we don't need people because we have AI, that is not going to be a really good experience for you.” He stressed threat intelligence to filter hype and prioritise real risks.
Zugec's perspective highlights a mature ransomware ecosystem where prevention, intelligence, and realistic assessments are essential. As threats evolve, organisations must adapt defences to counter opportunistic, targeted attacks effectively.
For cybersecurity leaders in Asia, the message is clear: 2026 demands a proactive pivot from reactive detection to prevention-focused resilience. Prioritise hardening environments against predictable playbooks, as Zugec recommends, while embracing threat intelligence to filter hype from real risks.
Invest in monitoring for living-off-the-land techniques, secure agentic AI deployments to avoid creating "long-term security debt," and strengthen supply chain scrutiny to counter upstream and third-party vulnerabilities.
By building unpredictable, hostile environments and fostering cross-border collaboration, CISOs can turn industrialised threats into managed risks—ensuring operational continuity amid an era of autonomous, precision ransomware.
