AI is biggest cyber threat to CISOs, NCC Group warns

Thu, 30th Apr 2026
Shannon Williams, News Editor

Artificial intelligence is the biggest threat facing chief information security officers, according to NCC Group's latest analysis of ransomware activity.

Its first-quarter threat review found 775 ransomware attacks in March, up 22% from February. Across the quarter, attacks totalled 2,112, down 3% from the previous quarter, but still pointed to what NCC Group described as a volatile threat landscape.

The findings come as businesses and public bodies face growing concern over the use of AI by criminal groups and hostile state-backed actors. NCC Group said the technology is reshaping both external attack methods and internal security risks, particularly where organisations adopt AI tools without clear controls.

It pointed to AI's use in propaganda, social engineering and software development, noting that threat actors are using tools including Google Gemini to translate messages more accurately and make fraudulent communications more convincing.

At the same time, organisations are creating new weaknesses through their own use of generative AI. These include over-reliance on "vibe coding", which can produce insecure code, and using AI platforms to generate passwords that may appear strong but remain predictable.

That combination of external and internal risk is putting more pressure on security leaders, particularly as boards ask for clearer plans on resilience and incident response. Even as AI changes the threat environment, NCC Group argued that companies still need to focus on basic controls.

"AI is accelerating cyber risk in both scale and complexity, and underestimating this shift will quickly leave businesses of all sizes exposed. Not only are CISOs facing AI-driven ransomware and social engineering threats, but internal risk from unsecure AI platforms and practices is leaving the door open to attackers.

"CISOs need to be clear that truly resilient organisations will be getting security basics right and treat cyber security as a board-level priority," said Matt Hull, vice president of cyber intelligence and response at NCC Group.

Ransomware trends

Ransomware activity remained concentrated among a small number of groups. Qilin led the rankings in March with 136 attacks, accounting for 18% of the monthly total, and also topped the first quarter with 340 attacks.

Other groups rose quickly. Gentlemen recorded 149 attacks in the quarter and NightSpire logged 136, placing them among the most active names in NCC Group's data. Some claims made by newer groups were difficult to verify, reflecting a longstanding problem in tracking ransomware operations and victim numbers.

North America continued to bear the brunt of activity, accounting for 51.74% of attacks in March and 52% across the first quarter, according to the analysis.

Industrial companies were hit harder than any other sector, suffering 233 attacks in March, or 30.06% of the total, and 643 over the quarter.

The review also highlighted a March incident involving Interlock, which exploited a critical vulnerability in Cisco Secure Firewall Management Centre. According to NCC Group, the flaw allowed arbitrary Java code execution with root-level privileges and showed how ransomware groups are pursuing larger enterprise targets rather than relying solely on broad, opportunistic attacks.

That shift adds weight to longstanding advice on layered security, patching and tested recovery plans. NCC Group said the Interlock case underlined the need for defence in depth where zero-day vulnerabilities are involved.

Hull linked the first-quarter figures to wider disruption efforts by law enforcement. He said the slight quarter-on-quarter decline came alongside pressure from operations including the FBI's Operation Winter SHIELD and Europol's disruption of the malicious proxy known as SocksExport.

"Ransomware attacks increased by almost a quarter in March, bringing the total in Q1 2026 to 2112. This 3% decline from Q4 2025 coincided with key government pressure, such as the FBI's Operation Winter SHIELD and Europol's disruption of the malicious proxy 'SocksExport'.

"AI might be reshaping how organisations operate, but too many businesses are still falling short on foundational controls: identity security, access controls, help desk processes and visibility across cloud and on-premises environments. Being prepared to respond makes the difference between weeks and months of recovery time. Simulate incidents, test your plans, run exercises, and check that back-ups actually work," said Hull.