AI-Powered Cyberattacks Drive 190% Ransomware Surge and 25:1 Machine-to-Human Identity Imbalance

AI-driven cyberattacks have increased ransomware detections by 190% and session hijacking by 23%, with machine identities outnumbering humans 25:1, raising risks for MSPs and SMBs.

Peter Olaleru, Cybersecurity Editor

TL;DR: AI-driven attacks have pushed ransomware detections up 190% and session hijacking up 23% while machine identities now outnumber human users 25 to 1. The imbalance expands the attack surface for managed service providers and small businesses alike.

The 2026 State of MSP Threat Report from Guardz shows attackers are using AI to accelerate identity‑based intrusions across email, cloud, and endpoint environments. Rather than deploying new malware, threat actors “log in” with stolen credentials or hijacked sessions to move laterally and persist undetected. This shift means traditional signature‑based defenses see fewer alerts while the volume of successful logins rises.

Ransomware behavioral detections rose 190% over a 50‑day window, indicating a sharp increase in file‑less and living‑off‑the‑land techniques. Session hijacking incidents grew 23% over a 180‑day period, allowing attackers to bypass multi‑factor authentication by stealing web session cookies. In Microsoft 365 environments, non‑human identities such as service accounts and application objects now exceed human users by a ratio of 25:1, creating a largely unmonitored entry point.

The surge in ransomware and session hijacking reflects attackers exploiting the same weaknesses—weak passwords, misconfigured cloud permissions, and excessive privileges—more efficiently with AI automation. For MSPs, a single compromised remote‑monitoring‑management tool can expose every client in their portfolio, amplifying risk. Defenders should enforce least‑privilege access for service accounts, rotate credentials regularly, and enable continuous monitoring of non‑human identity logins. Deploying detection rules for MITRE ATT&CK T1563 (Steal Web Session Cookie) and T1078 (Valid Accounts) can catch session hijacking attempts. Enforcing conditional access policies that require MFA for all privileged and non‑human accounts reduces the chance of credential abuse. Organizations should also patch known vulnerabilities in RMM tools such as ScreenConnect (CVE‑2022‑XXXXX) and AteraAgent, and enable logging of OAuth token usage to detect abuse (MITRE ATT&CK T1528). Looking ahead, watch for AI‑enhanced detection platforms that correlate identity anomalies across cloud, email, and endpoint data to keep pace with the speed of automated attacks.
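
The monitoring recommended above can be sketched as two rules over sign-in events: a session reused from a different client context, and a non-human identity signing in from a source outside its baseline. This is an added example, not code from the Guardz report or the article's author; the event schema, identity names, and baseline are constructed assumptions rather than any vendor's log format.

```python
# Constructed sign-in events using a hypothetical schema (not a vendor log format).
EVENTS = [
    {"t": 1, "identity": "alice@example.com", "kind": "human", "session": "s-100", "ip": "198.51.100.7", "ua": "Edge/Windows"},
    {"t": 2, "identity": "alice@example.com", "kind": "human", "session": "s-100", "ip": "198.51.100.7", "ua": "Edge/Windows"},
    {"t": 3, "identity": "alice@example.com", "kind": "human", "session": "s-100", "ip": "203.0.113.50", "ua": "curl/8.0"},
    {"t": 4, "identity": "svc-backup", "kind": "service", "session": "s-200", "ip": "192.0.2.10", "ua": "backup-agent"},
    {"t": 5, "identity": "svc-backup", "kind": "service", "session": "s-201", "ip": "203.0.113.50", "ua": "python-requests"},
    {"t": 6, "identity": "bob@example.com", "kind": "human", "session": "s-300", "ip": "198.51.100.9", "ua": "Chrome/macOS"},
    {"t": 7, "identity": "bob@example.com", "kind": "human", "session": "s-300", "ip": "198.51.100.44", "ua": "Chrome/macOS"},
]

# Assumed allow-list of source addresses for each non-human identity.
SERVICE_BASELINE = {"svc-backup": {"192.0.2.10"}}


def detect(events, service_baseline):
    """Return alerts for (1) a session seen from a client context that differs
    from the one that first used it and (2) a non-human identity signing in
    from a source address that is not in its baseline."""
    alerts = []
    first_seen = {}  # session id -> (ip, user agent) at first observation
    for ev in sorted(events, key=lambda e: e["t"]):
        origin = first_seen.setdefault(ev["session"], (ev["ip"], ev["ua"]))
        ip_changed = ev["ip"] != origin[0]
        ua_changed = ev["ua"] != origin[1]
        if ip_changed or ua_changed:
            # An address change alone is common (roaming, VPN); a change of
            # both address and client software mid-session is far less so.
            severity = "high" if ip_changed and ua_changed else "low"
            alerts.append({"rule": "session_context_change", "severity": severity,
                           "identity": ev["identity"], "session": ev["session"], "t": ev["t"]})
        if ev["kind"] == "service":
            # An identity with no baseline entry is treated as unmonitored and flagged.
            if ev["ip"] not in service_baseline.get(ev["identity"], set()):
                alerts.append({"rule": "service_identity_new_source", "severity": "high",
                               "identity": ev["identity"], "session": ev["session"], "t": ev["t"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, SERVICE_BASELINE):
        print(alert)
```

The session rule only sees what happens after the session is issued, which is why it still fires when the original sign-in satisfied MFA.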
