
NCC Group Monthly Threat Pulse - Review of March 2026

29 April 2026

AI is the biggest threat facing CISOs, NCC Group analysis finds

  • Ransomware attacks totalled 775 in March 2026, a 22% increase from February
  • Global ransomware attack volume remained high in Q1 2026, declining 3% from Q4 2025
  • Qilin led with 136 attacks in March, making up 18% of all attacks and 16% in Q1 2026
  • North America consistently accounted for over half of all attacks, with 51.74% in March and 52% in Q1
  • Industrials accounted for almost a third of all incidents in March, with 233 attacks (30.06%), totalling 643 in Q1

Manchester, 29th April - Analysis of cyber attacks in NCC Group’s Q1 2026 Threat Pulse has found that AI is the biggest threat posed to CISOs in the coming years. Cyber attacks increased by 22% month-on-month in March 2026, highlighting the growing impact of AI weaponisation and poorly governed adoption. Human involvement is now central to ensuring both responsible use and sustained operational resilience.

AI as a malicious actor

Threat actors of all types, from nation states to hacktivists, are rapidly adopting AI's potential for sophisticated malicious attacks. In early 2026, politically motivated, AI-generated deepfake propaganda was used in the Ukraine-Russia war, a tactic likely to become more popular among threat actors with dozens of elections taking place globally in 2026.

In social engineering tactics, AI, commonly Google Gemini, is being used to help threat actors accurately translate messages and improve their legitimacy. The cost of developing AI software is declining, and we can expect to see threat actors taking advantage of its dynamic decision-making capabilities at all stages of the attack chain.

AI practice insecurity

A growing over-reliance on vibe coding, which has been found to generate unsecure code, is cause for serious security concern. The practice of using generative AI platforms to create passwords is also worrying, as the way these platforms are trained can lead them to produce passwords that appear strong but are easy to predict. When CISOs are mapping the threat that AI poses, they need to assess their own internal security hygiene in the same way they analyse external threats.

Matt Hull, VP of Cyber Intelligence and Response at NCC Group said, “AI is accelerating cyber risk in both scale and complexity, and underestimating this shift will quickly leave businesses of all sizes exposed. Not only are CISOs facing AI-driven ransomware and social engineering threats, but internal risk from unsecure AI platforms and practices is leaving the door open to attackers.

“CISOs need to be clear that truly resilient organisations will be getting security basics right and treating cyber security as a board-level priority.”

Learnings from ransomware’s evolving tradecraft

While Qilin led in Q1 2026 with 340 attacks, newer groups such as Gentlemen (149) and NightSpire (136) have also emerged high in the ranks, coming third and fourth respectively. While exaggerated claims have always gone hand in hand with ransomware, a lack of verified victims has thrown their activities into question.

A ransomware incident in March highlighted the importance of defence-in-depth strategies for zero-day vulnerabilities. Interlock carried out a ransomware campaign exploiting a critical-severity vulnerability in Cisco Secure Firewall Management Centre, allowing it to execute arbitrary Java code with root-level privileges. The group typically pressures victims to pay a ransom through double-extortion tactics, and its activity suggests a shift from opportunistic exploitation to more impactful enterprise-level vulnerabilities.

Matt Hull, VP of Cyber Intelligence and Response at NCC Group, added, “Ransomware attacks increased by almost a quarter in March, bringing the total in Q1 2026 to 2112. This 3% decline from Q4 2025 coincided with key government pressure, such as the FBI’s Operation Winter SHIELD and Europol’s disruption of the malicious proxy ‘SocksExport’.

“AI might be reshaping how organisations operate, but too many businesses are still falling short at foundational hurdles - identity security, access controls, help desk processes and visibility across cloud and on-premises environments. Being prepared for how to respond makes the difference between weeks and months of recovery time - simulate incidents, test your plans, run exercises, check that back-ups actually work.”
