Ransomware and phishing have traditionally been discussed as distinct cyberattack categories. Increasingly, however, ransomware operators are using phishing campaigns as a primary delivery method for their malicious payloads. By combining social engineering with ransomware deployment, attackers can achieve initial access more effectively, significantly increasing the likelihood of compromise and amplifying the overall threat to organizations and individuals alike.
Ransomware and Phishing: A Match Made in Heaven
According to Deloitte, phishing remains one of the primary delivery mechanisms for ransomware. More recent industry research shows the threat continues to grow: 85% of organizations reported experiencing at least one ransomware attack in the previous year, and phishing was cited as the leading initial access vector, responsible for 35% of ransomware incidents, up from 25% in 2024. These findings underscore how cybercriminals are increasingly combining phishing and ransomware tactics to maximize the success of their attacks.
The logic? Phishing emails are easy to send and draw in unsuspecting victims who have little awareness that an attack is under way. As the carefully crafted instrument of a social engineering scheme, the emails are customized to specific targets and appear to come from legitimate, even familiar, senders. Faced with unmanageable email volumes, even many once-careful users fail to scrutinize incoming mail and miss the small changes that would otherwise be red flags. Once the victim opens an email from their “bank” or “internet service provider” and confirms a few account details – or even just clicks through to the malicious fake site – the payload detonates and the work of stealing and/or encrypting sensitive data begins. Once this work is completed, users are locked out and a ransom note appears.
Phishing on Social Media
Although most often associated with email, phishing attacks are not confined to inboxes. One of the rising vectors is social media. Collaboration tools like Teams and Slack are prime grooming grounds for establishing trust and exploiting “coworkers”. Platforms like LinkedIn are particularly well suited to facilitating attacks; built for connecting with strangers, they encourage direct messages, which often contain links related to shared professional interests. Many of those links are credible – some are not. Unfortunately, with ransomware one click is all it takes.
Ransomware operators also glean personal information shared on social networking sites to craft more tailored attacks. The authenticity and believability of many of these messages – “Hey Don, it was great talking to you at DEF CON. Here’s that link I was telling you about” – can fool even the most savvy users. And, as Deloitte states, “many users are simply not sufficiently skeptical when it comes to receiving requests to do things like transfer funds, open attachments, or provide sensitive information.”
AI-Powered Ransomware
For years, one of the few constraints on highly targeted ransomware campaigns was the amount of human effort required to execute them. Crafting convincing phishing messages, researching victims, impersonating trusted contacts, and tailoring lures to specific organizations demanded time, skill, and resources—making large-scale personalization difficult.
For defenders, that advantage is rapidly disappearing.
Generative AI now enables threat actors to automate much of the reconnaissance, content creation, translation, and social engineering that once required dedicated operators. Attackers can produce highly personalized phishing emails, chat messages, fake websites, and supporting content at a scale that was previously impractical. As a result, organizations are facing a new generation of phishing campaigns that are both more convincing and more numerous.
The threat extends beyond text. AI-generated audio, video, and image manipulation technologies have matured to the point where attackers can convincingly impersonate executives, vendors, colleagues, and even family members. Deepfake-enabled fraud has already been used to authorize fraudulent wire transfers, bypass identity verification processes, and facilitate ransomware intrusions through social engineering. What was once a novelty has become an operational tool in the cybercriminal toolkit.
The significance of this shift cannot be overstated. Traditional phishing often relied on obvious warning signs—poor grammar, awkward phrasing, or suspicious formatting. AI eliminates many of those indicators. Modern phishing messages can be grammatically flawless, contextually relevant, and tailored to the recipient's role, interests, and recent activities. Combined with realistic voice cloning and video impersonation, attackers can create interactions that appear authentic across multiple communication channels simultaneously.
Deepfakes in cyberattacks are no longer an emerging threat; they are an established one. As AI lowers the cost of deception and increases its realism, organizations must assume that future phishing attempts may include convincing synthetic voices, videos, and identities. The challenge is no longer detecting poorly crafted scams—it is verifying whether seemingly legitimate communications are genuine at all.