Too often, organizations find themselves playing catch-up with ransomware attackers, according to John Dodds, director of product management for Nutanix.
“Do you want to come home and find your house completely burned down, and then someone hands you a check and says, ‘Here’s your ransomware warranty. Good luck getting back to normal,’” Dodds asks.
“Or would you rather the smoke detector goes off, so the fire department can come and put it out?”
The growing severity of ransomware attacks, coupled with the difficulty of responding to them, led Nutanix to create Nutanix Data Lens, a SaaS and on-premises solution that provides protection, monitoring and protection directly at the storage layer, where organizations house their sensitive data.
“Storage systems need to be able to defend themselves against ransomware,” said Tuhina Goel, Nutanix’s director of AI product marketing.
“The idea is that instead of using third-party software, the storage system should have inherent capabilities to defend itself against threats. That’s exactly what we’re doing with Nutanix Data Lens, paired with Nutanix Unified Storage.”
In September 2025, Anthropic detected suspicious activity that looked to disrupt the company. An investigation brought to light a revelation: Self-directed agentic AI can now do just about anything a team of highly trained human attackers can do.
For instance, ransomware AI agents can map networks, identify high-value data stores and generate ransomware payloads that rewrite themselves in real-time to evade detection.
“Attackers are using agentic AI even in the extortion and negotiation phase of attacks,” Goel said. “This means that the number of attacks that can be attempted are no longer bound by expertise or resource constraints.”
Security Boulevard found that data exfiltration, where an attacker transfers data from a computer or other device, is the primary leverage mechanism in about three out of four (73%) ransomware cases. Bitsight also uncovered a growing number of instances of threat actors utilizing legitimate platforms, such as Discord, Slack, or other collaboration tools. The actors can use these platforms to exfiltrate data, host payloads and manage their operations from one central location. The added complexity of ransomware threats makes protection more critical.
“You need to not only detect and block ransomware signatures, but you also need to have an eye on the behavior of users and the system in real time,” Goel added. “You will need multiple layers of defense in depth to protect your environment.”
CrowdStrike’s State of Ransomware Survey found that 76% of respondents believe it’s getting harder to be fully prepared against ransomware attacks due to the evolution of AI-powered attacks. Even tried-and-true attacks, such as phishing emails, are growing in sophistication. In the same survey, 82% of respondents said generative AI is making those emails harder to identify, including for well-trained employees.
Healthcare and financial services are common targets. However, the reality is that every industry is at risk, including public education, as the 2026 Canvas attacks that stole data related to 275 million students, teachers and staff demonstrated. ShinyHunters, the group behind the attacks, reportedly reached an agreement with Instructure, the developer of the Canvas platform. That agreement included a promise to delete the data, though analysts are skeptical of such promises.
“‘We destroyed the data’ is a standard line from extortion groups once a payment is made or negotiations conclude, but time after time, it has proven untrue,” Halcyon Ransomware Research Center SVP Cynthia Kaiser told The Register. “ShinyHunters, in particular, has a documented history of recycling, reselling, and re-leveraging stolen data across campaigns.”
This evolution into “Ransomware 5.0” may seem like an unclimbable mountain, but security and IT teams have access to the same tools that their attackers do. Gael noted the best way to fight fire is with fire.
“AI is becoming the only way to match machine-speed attacks,” she said. “Organizations must deploy AI-assisted detection and behavioral analytics to spot the subtle anomalies that traditional ransomware and data exfiltration protection misses. By the time that a human is able to respond, it may be too late.”
AI is the catalyst to creating a proactive and evolving defense, helping monitor access patterns, score permission risks, and automatically execute threat-blocking protocols before data can be compromised.
Protecting against AI agent-powered and other sophisticated attacks also requires a mindset shift. For years, CISOs had a primary focus of perimeter prevention or point solutions. Now, the key focus is defense in depth. Toel stressed that being able to recover or prevent some attacks using known ransomware signatures isn’t enough. New AI attack models can modify known signatures in a matter of seconds, easily evading attacks.
“You need to be able to prevent attacks by shutting them down without human intervention, monitor user and system behavior using AI anomaly detection and be able to recover from a known good version if the worst happens,” she said.
In 2025, illicit crypto volume reached a record high of $158 billion. Bitcoin was a primary method a few years ago, with extortioners often requesting their payment in BTC instead of traditional cash wire transfers. However, Bitcoin is not tied to the U.S. dollar or common commodities like gold. That constant volatility has resulted in wild valuation swings, causing attackers to rethink their demands.
Instead, they’re turning to stablecoins, such as Tether, where the value demanded during the initial attack is as close as possible to the actual payment. Stablecoin payments also take minutes, while Bitcoin transactions require more time to complete.
“Because the value is more stable, it allows the time required for money laundering, which is handy for criminals,” Toel said.
Whatever payment choice attackers settle on, they desire the same characteristics.
“Whether Bitcoin or some form of stablecoin, attackers are looking for something that can’t be held up, subject to seizure, or easily traced,” Toel said.
While attackers don’t want to be easily traced, having a proper digital trail is essential for organizations looking to protect themselves. The top reason for denied cyber insurance claims is “missing or inadequately enforced” security controls, according to Fitch Ratings and Slingshot IS. BSG Tech also called out that misrepresentation is a common issue. A company might answer “yes” to having a form of protection when it’s only partially implemented. Due to that lack of preparation, over 40% of all cyber insurance claims are denied.
“Insurers are demanding hard documentation—screenshots, policies, logs, and proof of backup tests—rather than simple ‘yes’ or ‘no’ answers,” Toel said. “If you can’t prove you are protecting yourself, it’s easy for the insurance companies to deny you or not insure you in the first place.”
Per Toel, there are three steps organizations can take right now to ensure they’re not left out in the dark around a cyber insurance claim:
Maintain Comprehensive Audit Trails: Deploy solutions that provide a detailed, searchable record of all user, file and object activity. This streamlines compliance reporting for regulations like HIPAA, GDPR and CJIS.
Demonstrate Cleanroom Recovery: Organizations that can prove data integrity and the ability to execute a clean recovery see faster claim approvals and stronger regulatory standing.
Implement Strict Data Sovereignty: For government agencies and highly regulated industries, ensuring that all data and metadata remain on-premises is critical for meeting compliance mandates and avoiding fines.
Dodds also highlighted that cybersecurity tools must continue to evolve to address the gaps created by new technologies.
“Every new cool technology that comes out immediately makes security more difficult because it's new,” Dodds said.
Nutanix Data Lens provides a proactive approach to monitoring, detecting and blocking ransomware attacks and insider threats. It provides enterprises with a framework for managing cybersecurity risks by defining the scope of an attack and responding swiftly.
“The best way to protect yourself is to assume you’re going to get attacked, and then ensure that you have immutable, air-gapped backups,” Dodds added. “That way, if it does happen to you, it’s an inconvenience you can recover from, rather than a disaster.”
He explained that the active monitoring capability of Nutanix Data Lens sets it apart from other solutions. Rather than relying on overburdened humans to track activity, organizations can use Nutanix Data Lens to sniff out suspicious behavior.
“If we're waiting for humans to do something, it’s going to be chaos by the time we finally realize something’s wrong,” he said.
Nutanix Data Lens has also evolved from strictly SaaS to now offering an on-premises option. Customers in federal, state, local and education (SLED); healthcare and other highly regulated industries typically can’t send metadata outside their four walls due to strict organizational regulations. With an on-prem solution, they can now use the intelligence, active defense and analytics of Nutanix Data Lens with 100% data sovereignty.
Beyond an extensive library of known ransomware signatures, Nutanix Data Lens offers Behavior-Based Anomaly Detection. Users can better understand the permissions in their Nutanix File Storage environments by seeing the full history of when a change took place, who made them, and the folders and subfolders that were affected.
“Nutanix Data Lens actively monitors how users and clients interact with data,” Goel said. “If it detects suspicious patterns like rapid encryption or mass deletion, it automatically blocks the user and stops the attack in its tracks.”
Additionally, Nutanix Data Lens enables one-click recovery, allowing organizations to rapidly bounce back from a ransomware incident.
“The goal is to get back to normal as quickly as possible, and we’ve thought about how we can automate and improve things at each step,” Dodds said.
Nutanix is exploring additional ways to leverage artificial intelligence to improve the tool, and Dodds is encouraged by what lies ahead.
“We’re not joking when we say our customers currently live in the future, and the Data Lens engineering team is working hard at helping them to stay in the future.”
Editor’s note: Learn more about Nutanix Data Lens and Nutanix Unified Storage.
Calvin Hennick is a contributing writer. His work appears in BizTech, Engineering Inc., The Boston Globe Magazine and elsewhere. He is also the author of Once More to the Rodeo: A Memoir. Follow him @CalvinHennick.
Joe Held updated this story. He is a writer, author and podcaster based in Austin, Texas. Connect with him on Twitter or LinkedIn.
© 2026 Nutanix, Inc. All rights reserved. For additional information and important legal disclaimers, please go here.