Agentic AI is here and cybersecurity will never be the same
The cybersecurity world is about to face its biggest shakeup since ransomware first locked up hospital computers. While most of us have been asking ChatGPT to write emails and create vacation itineraries, cybersecurity experts have been watching with growing concern as AI progresses from “smart assistant” to “independent operator.”
According to Malwarebytes’ 2025 State of Malware report, this year will mark a fundamental shift as “agentic AI”—artificial intelligence that can reason, plan and act on its own—becomes available to both cybersecurity professionals and criminals alike.
“Our research shows that ransomware will continue to be a potent threat to businesses this year,” said Marcin Kleczynski, Founder and CEO of Malwarebytes, in a statement. “The shift from large ransomware groups to smaller, unpredictable threat actors, combined with the increasing role of AI, means businesses must increase their cybersecurity vigilance and make holistic endpoint security a priority.”
What will agentic AI mean for each side?
Unlike today’s AI systems that respond to prompts but can’t take independent action, agentic AI acts more like a colleague than a tool. These systems can navigate computer networks, carry out complex tasks with minimal guidance, and solve problems they encounter along the way.
For cybersecurity teams perpetually short on staff, these AI agents could monitor networks overnight, keep track of vulnerable systems, or scan for suspicious activity. However, the same technology could allow hackers to target multiple victims simultaneously, turning what was once labor-intensive into an automated process.
“In a world where cybersecurity suffers a perpetual skills gap and labor-intensive ransomware struggles to scale, the arrival of autonomous AIs could be a game-changer,” the report states.
The ransomware field is filled with new players
While AI advances loom on the horizon, traditional cybercrime continues to evolve. The ransomware landscape underwent dramatic shifts in 2024 after law enforcement took down LockBit, one of the most prolific ransomware groups, in February. Meanwhile, another major player, ALPHV, imploded when its operators stole a $22 million ransom from their own affiliate.
These disruptions created a vacuum quickly filled by smaller “dark horse” groups. By October 2024, the top ten ransomware gangs accounted for just 37% of known attacks, down from 83% in February 2023.
“It appears that over time the tools and tactics for carrying out ransomware attacks have become more widely known and the barrier to entry for smaller groups has been lowered,” the report notes.
This democratization spells trouble for potential targets, as more criminal groups now have access to ransomware capabilities. The result? Attacks increased 13% year-over-year, and an unknown victim paid a record $75 million ransom to a group called Dark Angels.
New tactics for more successful attacks
Modern ransomware gangs have adapted their tactics to boost their chances of success:
- Night shift attacks—Most ransomware deployments occur between 1 a.m. and 5 a.m. when IT staff are asleep.
- Lightning speed—The entire attack cycle, from initial access to encryption, has shortened from weeks to hours.
- Living off the land—Attackers increasingly use legitimate software tools instead of malware to avoid detection.
“The most pressing security challenge has shifted from stopping malicious software to stopping malicious people using legitimate software,” the report explains.
Windows Remote Desktop Protocol (RDP) remains the most common entry point, used in 58% of ransomware cases analyzed by Malwarebytes. After gaining access, attackers often deploy commercial remote desktop software like AnyDesk or ConnectWise to maintain control—tools that look legitimate on corporate networks.
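For defenders, the pattern above (RDP logons in the 1 a.m. to 5 a.m. window followed by a remote-access tool appearing on the same host) can be turned into a behavior-based triage rule. The following is an added example, not code from the Malwarebytes report; the event field names, the two-hour correlation window, and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are assumptions;
# timestamps are naive ISO strings treated as the host's local time.
EVENTS = [
    {"ts": "2025-01-14T02:17:05", "host": "fs01", "type": "rdp_logon",
     "user": "svc_backup", "src": "203.0.113.40"},
    {"ts": "2025-01-14T02:41:30", "host": "fs01", "type": "process_start",
     "image": r"C:\Users\Public\AnyDesk.exe"},
    {"ts": "2025-01-14T10:05:00", "host": "ws22", "type": "rdp_logon",
     "user": "alice", "src": "10.0.5.12"},
    {"ts": "2025-01-14T10:20:00", "host": "ws22", "type": "process_start",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"ts": "2025-01-15T03:30:00", "host": "db02", "type": "rdp_logon",
     "user": "admin", "src": "198.51.100.7"},
]

# Remote-access tools named in the article; extend to match local inventory.
REMOTE_TOOLS = ("anydesk", "connectwise")
WINDOW = timedelta(hours=2)  # assumed correlation window, tune per environment


def is_night(ts):
    """True for the 1 a.m. to 5 a.m. window the report highlights."""
    return 1 <= ts.hour < 5


def triage(events, window=WINDOW):
    """Flag night-time RDP logons; escalate if a remote tool starts soon after."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["ts"])
    findings, latest = {}, {}  # latest: host -> key of most recent night logon
    for e in parsed:
        if e["type"] == "rdp_logon" and is_night(e["ts"]):
            key = (e["host"], e["ts"])
            findings[key] = {"host": e["host"], "user": e["user"], "src": e["src"],
                             "logon": e["ts"].isoformat(), "severity": "review",
                             "tool": None}
            latest[e["host"]] = key
        elif e["type"] == "process_start" and e["host"] in latest:
            key = latest[e["host"]]
            name = e["image"].rsplit("\\", 1)[-1].lower()
            if e["ts"] - key[1] <= window and any(t in name for t in REMOTE_TOOLS):
                findings[key].update(severity="high", tool=name)
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```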
Like the rest of us: Mac users now face greater threats
For years, Mac users enjoyed relative safety from serious malware. That changed in 2024 with information-stealing malware like Atomic Stealer (AMOS) and Poseidon dominating the Mac threat landscape.
These sophisticated programs steal passwords, cryptocurrency, and authentication cookies before sending them to cybercriminals. Poseidon, which emerged in June 2024, quickly captured 70% of Mac information stealer detections.
“2024 has shown that change can happen quickly in the Mac malware landscape and organizations must ensure their Macs are as well defended against an upsurge in attacks as their Windows machines,” the report warns.
The future of security in an AI-powered world
As 2025 unfolds, security teams face the dual challenge of evolving ransomware tactics and the imminent arrival of autonomous AI tools. “The shape of cybersecurity in 2025 could rest on who embraces the technology successfully,” the report concludes.
Organizations that adapt quickly—implementing 24/7 monitoring, focusing on behavior-based detection rather than traditional antivirus, and potentially deploying defensive AI tools—will be best positioned to navigate the looming shakeup.