Ransomware in 2026: Resilience replaces prevention as new cyber imperative

On World Anti-Ransomware Day, the conversation around cybersecurity has shifted decisively. Ransomware is no longer a question of if but when — and increasingly, how fast. With AI-generated attacks now probing networks continuously and average breakout times collapsing to under 30 minutes, the threat landscape has outpaced the defences most organisations were built to deploy.

For businesses across the Middle East, the stakes have never been higher. Attackers are no longer simply encrypting data. Modern threat actors are infiltrating identities, weaponising privileged access, exfiltrating sensitive information, and disrupting operations in sectors where downtime translates directly into economic, regulatory, and reputational fallout. Global ransomware damages are projected to have reached $57 billion in 2025 — nearly $156 million every single day — and the MEA region is firmly in the crosshairs.

What separates the organisations that recover from those that crumble is no longer the strength of their perimeter, but the resilience of their response. Detection, containment, identity security, immutable backups, and rapid recovery have become the new pillars of cyber strategy. Prevention alone is no longer enough; the modern mandate is the ability to keep operating, even while under attack.

To mark World Anti-Ransomware Day, leading cybersecurity voices across the region share their perspectives on how organisations can build true operational resilience in an era defined by AI-driven threats, identity-led attacks, and shrinking recovery windows.

Yahya Kassab, Senior Director & GM – KSA & Gulf, Commvault
Ransomware remains one of the most disruptive cyber threats facing organisations because attackers are no longer targeting data alone. Their focus has shifted to operations, recovery processes and the ability of a business to keep functioning under pressure.

The rise of AI-driven threats has narrowed the window between vulnerability discovery and real-world disruption.

What once appeared theoretical is now operational, requiring organisations to prepare for attacks that move faster and place greater pressure on business continuity.

Resilient operations, or ResOps, are becoming central to this shift. Organisations need the ability to detect anomalies early, isolate threats quickly and recover cleanly into secure environments without reintroducing malware or extending downtime. Cybersecurity is designed to keep threats out; ResOps prepares organisations for the moment attackers get in.

Anti-Ransomware Day is a reminder that resilience must be treated as a continuous discipline. The organisations best positioned to withstand ransomware will be those that can recover quickly and continue operating during an attack.

Mortada Ayad, VP – META, Delinea
AI has changed the economics of ransomware by enabling attackers to scale phishing, create convincing impersonations and personalise social engineering at speed. The entry point is becoming harder for employees to detect, while attackers are moving faster once inside.

Ransomware is increasingly identity-driven. Threat actors target credentials and privileged access early because these allow them to escalate, move laterally and disrupt operations before defenders can respond.

In sectors such as energy, government, aviation, healthcare and finance, downtime can carry immediate operational, regulatory and reputational consequences.

The conversation has therefore shifted from prevention alone to resilience. In 2026, the defining question will be how well organisations can maintain continuity during an attack. Identity security must sit at the centre of that strategy because most modern ransomware incidents involve compromised credentials or abused privileges.

Reducing standing privileges, enforcing MFA consistently, and adopting Just-in-Time and Just-Enough access models can limit attacker movement. Recovery plans also need to be tested under realistic conditions, not simply documented on paper.

Delinea focuses on securing the identity layer by helping customers enforce least privilege, remove standing privileges, secure credentials, apply MFA and enable JIT access across hybrid environments. Privileged session monitoring, audit trails and visibility into privileged activity help security teams detect suspicious behaviour faster and respond before ransomware becomes a major business disruption.

Fred Lherault, Field CTO EMEA/Emerging, Everpure
Many organisations still assume that having backups means they can recover within an acceptable timeframe. Modern, AI-enabled ransomware is challenging that assumption. With average breakout times falling sharply, security teams have far less time for detection, containment and response.

Traditional backup architectures were often designed for operational errors or isolated outages, not enterprise-wide cyber disruption. During a real incident, the focus on backup completion and storage efficiency can become a liability if critical systems are encrypted or production environments are taken offline for investigation.

For 24×7 enterprises, recovery objectives are now measured in hours rather than days.

Regulation and cyber resilience mandates are also pushing organisations toward architectures that minimise recovery time and reduce operational exposure.

Immutable snapshots on primary storage are becoming critical because they allow services to be restored without large-scale data movement. Strong isolation is also driving investment in storage-level replication, disaster recovery systems and Secure Isolated Recovery Environments, or clean rooms.

Everpure’s SafeMode Snapshots, built into the Purity operating environment that powers FlashBlade and FlashArray, provide immutable copies of data that cannot be altered or deleted by attackers, even if administrative credentials are compromised. Customers can restore verified clean data faster, reduce downtime and accelerate a safe return to operations.

Ezzeldin Hussein, Regional Senior Director, Solution Engineering, META, SentinelOne
Ransomware attacks are increasingly operating at machine speed. Adversaries are using AI to build convincing phishing campaigns, automate reconnaissance, misuse identities and accelerate malware development faster than traditional security teams can respond.

The main risk for organisations is operational disruption, particularly in government, finance, aviation, energy and healthcare, where downtime can quickly affect services, customers and public trust. Cyber resilience now requires security architectures that can detect and respond immediately.

Enterprises need unified visibility across endpoints, identities, cloud environments and AI-based applications. Identity protection, AI-assisted threat hunting and automated response are becoming essential because attackers often target credentials and access paths before deploying encryption.

Operational resilience also depends on immutable backups, tested recovery procedures and executive-level incident response planning.

Organisations must address shadow AI and unmanaged AI adoption as part of their broader risk strategy.

SentinelOne’s Singularity Platform brings AI-SIEM, cloud, endpoint and identity capabilities into one AI-native architecture designed to detect, prevent and respond to threats autonomously. Behavioural AI helps identify ransomware activity before encryption, while Purple AI supports faster investigations, automated threat hunting and reduced response times. Automatic rollback and recovery capabilities are designed to help organisations minimise disruption and resume operations quickly.

Darrel Virtusio, Researcher, Acronis TRU
Ransomware is becoming more automated, scalable and targeted. AI is accelerating phishing, reconnaissance and credential harvesting, lowering the barrier to entry and helping attackers move faster once inside an environment.

Many attacks are also becoming quieter. Threat actors increasingly rely on stolen credentials and data exfiltration before visible disruption begins. By the time ransomware is deployed, attackers may already be deeply embedded.

For Middle East organisations, rapid digital growth and dependence on connected systems are widening the attack surface. Critical sectors face immediate operational and economic impact when disruption occurs. The biggest risk is no longer only the attack itself, but the inability to contain it and recover without major downtime.

The priority must be resilience. Strong authentication, tighter privilege control and reduced access can limit attacker movement, while isolated, immutable and tested backups remain essential for recovery.

Dependency mapping is also important, as many organisations can restore individual systems but struggle to recover full operations.

Acronis integrates prevention, detection and recovery into a single operational model. Its approach combines endpoint protection, behavioural detection and threat monitoring with backup and disaster recovery designed for speed. Immutable backups, isolated storage and automated workflows support safe restoration and help organisations maintain continuity when incidents occur.

Salah Suleiman, Managing Director, South Gulf, TrendAI
Ransomware remains one of the most serious cyber risks facing businesses across industries. In 2025, global ransomware damages, including ransom payments, downtime, recovery costs, reputational harm and regulatory fines, were projected at around $57 billion, equivalent to nearly $156 million per day.

Threat actors are no longer simply encrypting data. They are infiltrating networks, moving laterally and using AI to maximise disruption and pressure organisations into paying. The Middle East and Africa account for a notable share of global ransomware incidents, placing regional organisations under growing pressure to strengthen cyber resilience.

Cybersecurity priorities are shifting from reactive defence to proactive security.

Organisations need robust backup infrastructure, continuous threat monitoring and stronger user preparedness to reduce exposure and accelerate recovery.

Platforms such as TrendAI Vision One, powered by Trend Cybertron, are designed to support this posture through real-time detection, accelerated recovery and measurable reductions in cyber risk.

Resilience is no longer a peripheral safeguard. It is becoming a foundational requirement for organisations seeking to maintain continuity, preserve trust and operate securely in an increasingly hostile digital economy.

Ranjith Kaippada, Managing Director, Cloud Box Technologies
Ransomware attacks have become more complex as attackers use AI to identify vulnerabilities, automate phishing and launch large-scale campaigns with greater precision. Government, finance, healthcare and energy remain key targets because disruption in these sectors can have immediate operational consequences.

Threat actors are also relying on data theft before encryption, using sensitive information to increase pressure on victims.

Without a strong cybersecurity strategy, organisations risk operational disruption, reputational damage and financial loss.

Businesses need a layered approach that combines prevention, detection and recovery. Zero Trust architectures, strong identity controls and privilege management can reduce unauthorised access and insider risk. Continuous monitoring through SOC and MDR services can help detect and respond to threats before they escalate.

Backup and disaster recovery frameworks are also essential to reduce downtime and support continuity during incidents. Regular cybersecurity training remains important because human error continues to be a common entry point for attacks.

Cloud Box Technologies helps organisations strengthen their cybersecurity posture through services including SOC monitoring, MDR, XDR, email security, backup and disaster recovery, VAPT, MFA, Zero Trust architecture and secure cloud solutions. Its focus is on helping businesses detect suspicious activity early, protect sensitive data and maintain continuity against increasingly sophisticated ransomware threats.

Aaron Bugal, Field CTO APJ, Sophos
Ransomware is no longer just a cybercrime problem — it’s part of a wider threat ecosystem shaped by AI, geopolitics, and organised cybercriminal networks. In early 2026, UAE authorities confirmed coordinated campaigns targeting critical national infrastructure, with some attempts linked to AI-enabled phishing and advanced intrusion techniques. Incidents like the alleged breach of American Hospital Dubai show how ransomware has evolved into a data extortion business — attackers are no longer just locking systems, but stealing the crown jewels and monetising them in multiple ways.

The biggest regional risk is the convergence of speed and impact. UAE attack volumes have surged with geopolitical tensions, and AI is lowering the barrier to entry, allowing cybercrime to scale like a business — automated, adaptive, and always on. For healthcare, energy, and government, the risk is operational, reputational, and increasingly national in significance.

Organisations must move beyond prevention and design for resilience. Nearly half of UAE organisations hit by ransomware have chosen to pay. The priority now is speed and coordination — faster detection and response, stronger identity security, and isolated, tested backups.

The organisations that bounce back fastest aren’t the ones with the most tools, but those with the clearest plan.

At Sophos, our focus is on breaking the ransomware attack chain early and helping organisations recover quickly when attackers get through — combining AI-driven detection with human-led threat response. Our platform unifies endpoint, network, identity, and cloud telemetry into a single view, backed by Managed Detection and Response (MDR) teams that hunt threats in real time. Attackers look for speed and silence — what we deliver is visibility, disruption, and control.

Subhalakshmi Ganapathy, Chief IT Security Analyst, ManageEngine
Ransomware operations are becoming faster, more adaptive, and harder to distinguish from legitimate activity. AI is accelerating this shift — automating reconnaissance, improving phishing, and rapidly adapting malware to evade detection. What once required skilled operators can now be executed at scale.

The biggest challenge today is not the malware itself, but the difficulty in separating genuine threats from the overwhelming volume of security signals across hybrid environments. Attackers are increasingly targeting identity infrastructure, cloud workloads, and unmanaged SaaS to establish persistence before encryption begins. For Middle East organisations, the risk is amplified by rapid digital transformation across critical sectors like government, energy, healthcare, and finance.

In 2026, cyber resilience will depend less on the number of tools deployed and more on how effectively they work together.

Enterprises must prioritise detection quality over volume — combining behavioural analytics, threat intelligence, and identity monitoring across cloud, endpoint, and network environments. Identity security must sit at the core, since most modern attacks begin with compromised credentials.

At ManageEngine, our focus is on improving detection clarity and investigation efficiency. Through Log360, our unified SIEM platform, we help security teams detect ransomware activity earlier by combining correlation-based detections, behavioural analytics (UEBA), threat intelligence, and detection content mapped to MITRE ATT&CK. AI-assisted analysis helps teams trace lateral movement and prioritise response with better context — reducing investigation delays and strengthening resilience against evolving ransomware threats.

Walid Natour, Director – Security Engineering, Tenable
The era of human-speed defence is over. Frontier AI models have broken the economics of vulnerability discovery — what once took researchers weeks can now be done by AI-powered attackers in hours, collapsing the window between flaw discovery and ransomware exploit from months to minutes. For Middle East organisations, the biggest risk is no longer the ransomware payload itself, but the volume and velocity of AI-generated threats. Attackers are using AI to uncover zero-day vulnerabilities that have eluded humans for decades, then chaining minor software flaws, misconfigured cloud buckets, and excessive identity permissions to reach an organisation’s crown jewels.

In 2026, enterprises must abandon reactive firefighting and 30-day patch cycles. The priority is ruthless risk filtering and proactive exposure management. Standard tools flag around 60% of vulnerabilities as critical — operationally unworkable. Leaders must focus on the small fraction, often under 2%, that create a reachable attack path to critical assets.

Resilience demands continuous asset discovery and remediation handled at machine speed through automation. Close the attack path, and the technical vulnerability becomes irrelevant.

Tenable One, our AI-powered exposure management platform, is built to fight machine-speed threats with machine-speed defence — delivering a unified view of risk across IT, cloud, identity, and OT environments. Powered by Hexa AI, our agentic orchestration engine automates the triage, prioritisation, and remediation of exposures, narrowing the flood of alerts to the 1.6% of vulnerabilities posing legitimate business threats. For Middle East organisations, we also support data residency requirements while enabling teams to visualise attack paths and deploy autonomous patching with human-in-the-loop controls.

 

 
