Automation enhances power of ransomware-as-a-service

04 November 2025

ReliaQuest has released a comprehensive report analysing the key drivers behind the increasing success of ransomware-as-a-service (RaaS) groups in the current cyber threat landscape.

The research emphasises the growing role of automation, attack customisation, and sophisticated tooling as the primary factors enabling these groups to operate more effectively and rapidly. According to the report, approximately 80% of analysed RaaS groups incorporate automation or artificial intelligence into their attack platforms, leading to faster attack speeds and significantly reduced response windows for security teams.

Alarmingly, the average time from initial access to lateral movement within a network — known as breakout time — has plummeted from 48 minutes in 2024 to just 18 minutes between June and August 2025. This rapid escalation leaves security teams with far less time to detect, analyse, and contain attacks before ransomware is deployed. Data from ReliaQuest indicates that teams relying solely on manual defenses have a mean time to contain (MTTC) of around eight hours, which substantially increases the risk of data theft and operational disruption.

The report highlights that attack customisation options, such as selectable encryption modes and targeted data prioritisation, are employed by 60% of the surveyed groups. These features allow threat actors to tailor attacks for maximum disruption or encryption strength, complicating incident recovery for victim organisations. Additionally, about half of these groups utilise advanced tools like endpoint detection and response (EDR) bypass scripts and automated log or backup deletion, further enhancing their ability to disable security measures and enforce extortion.

ReliaQuest’s analysis predicts that new threat groups such as ‘The Gentlemen’ and ‘DragonForce’ are poised to become significant players, owing to their adoption of advanced technical features including automation, prioritised encryption, and rapid lateral movement tactics. For example, The Gentlemen has already listed over 30 victims within its first month, exemplifying how automation and targeted attack methods can accelerate victim targeting and compromise.