AI is fueling a surge of new ransomware threats: Travelers


According to Travelers' cyber threat report for Q1 2026, 84 individual criminal groups posted more than 2,400 victim companies on ransomware leak sites on the dark web. During the first quarter, the three most active ransomware groups accounted for 34% of all leak site postings.


Overall activity in the first quarter was the highest recorded since Travelers started the study in 2020; the second-highest was Q4 2025. According to the report, ransomware groups typically cycle in and out of activity, and each peak of high activity is usually followed by a sharp drop. The latest data shows that the ransomware ecosystem is becoming much more competitive: while 20 groups went inactive in Q1, 19 new criminal groups appeared.

"This is a new baseline of elevated activity that organizations need to treat as the operating environment going forward," said Lauren Winchester, Travelers' head of cyber risk services, in a Travelers Institute webinar held May 20, 2026. 

Christine Mapes, managing director and counsel of bond and specialty insurance at Travelers, noted in the webinar that just as companies are rapidly adopting AI tools, criminal groups are also employing AI in their cyber attacks.

"The quality and the volume of the business-email-compromise attacks and social-engineering attacks have increased in ways that absolutely call AI into the equation," said Mapes. "A phishing email that's grammatically perfect, tailored to the business and actually psychologically pleasing to the reader — that's all AI-generated."

Mapes also pointed out that AI-driven voice impersonation and deepfake video are evolving as means of perpetrating attacks. She recommends using a secondary verification channel, like calling a number that you know, for any request involving money or sensitive information.

Shadow AI, or the use of unapproved AI tools by employees, is another growing risk associated with data exfiltration.

"Think of an employee who's pasting sensitive customer data or proprietary data, belonging to their company, directly into a third-party platform," said Mapes. "They're trying to integrate AI into their daily workflow. That information may be stored or accessible to others as a result of that, which can create a privacy breach or a potential third-party liability for that organization, and that has nothing to do with an actual attacker being involved. It just happens by your employees adopting these tools without the proper oversight and governance policies."

