AI Accelerates Human-Led Ransomware Attacks
Generative AI is accelerating ransomware attacks by lowering the technical skill required for participation, according to the Securin 2025 Ransomware Report. The report finds that while AI boosts the capabilities of attackers, strategic control of these campaigns remains in human hands.
- Generative AI tools significantly lower the barrier to entry by scripting and automating tasks that previously required specialized knowledge, such as finding and exploiting vulnerabilities or creating malicious code. This enables less experienced malicious actors to participate in sophisticated, human-led ransomware campaigns.
- AI is being used to supercharge the initial access phase of attacks, particularly through social engineering. It can generate highly convincing and personalized phishing emails, text messages, and even deepfake audio and video to trick victims into revealing credentials or deploying malware.
- Human-operated ransomware campaigns leverage AI for advanced reconnaissance, automatically scanning social media and public data to identify high-value targets and tailor extortion demands. These attacks are more directed than automated variants like WannaCry, with human attackers manually deploying the ransomware on systems where it will have the greatest impact.
- Attackers use AI to create polymorphic malware, which constantly alters its code to evade detection by traditional signature-based antivirus and security tools. In September 2024, a malware infection chain built entirely with AI-generated scripts targeted French internet users, continuously creating unique variants to complicate defenses.
- The human element remains critical in these attacks, with operators making strategic decisions, moving laterally through networks, and exfiltrating sensitive data before encryption to use as additional leverage for extortion. In 74% of extortion campaigns in the second quarter of 2025, data exfiltration occurred before encryption.
- Looking ahead, researchers have identified emerging threats like "AI-orchestrated" ransomware, where AI could dynamically plan and execute parts of the attack lifecycle. A proof-of-concept ransomware named "PromptLock" has already demonstrated the ability to use an AI model to generate malicious scripts on the fly.