AI Is Now Being Used to Develop Ransomware. How to Protect Your Business From This New Threat


It sometimes seems that artificial intelligence (AI) is everywhere. It’s in our homes, it’s in our cars, it’s in hospitals and transport hubs, and it’s most definitely in the workplace. AI is bringing countless potential benefits to all sorts of industries, but it was almost inevitable that the technology would also be leveraged by malicious actors involved in cybercrime of various kinds.

GCHQ’s National Cyber Security Centre warned in a report at the start of 2024 that AI would “almost certainly” increase the global ransomware threat over the next two years. We’re still firmly within that timeframe, and it has now been confirmed that AI-generated and AI-powered ransomware is starting to be deployed. 

Cybersecurity firm ESET recently revealed that it had discovered what is widely believed to be the first AI-powered ransomware variant. Codenamed PromptLock, the strain uses the gpt-oss:20b model from OpenAI. This is not the first time that AI has been used to develop malware, but it is thought that it may be the first case of ransomware using an AI model as its engine, and it represents a significant threat escalation. Meanwhile, US AI company Anthropic revealed that its technology has been “weaponised” by hackers to carry out sophisticated cyber-attacks, including ransomware extortions.

So, how is AI being used to create and run malware? What are the dangers, and what can you do to protect yourself against this newly emerging threat?

At the most basic level, generative AI can be used to craft more convincing or more threatening messages. This is useful for methods such as phishing attacks, which rely on tricking recipients into revealing sensitive information such as passwords, financial details, or personal data. It can also help with the intimidation aspect of ransomware attacks, as well as other aspects involved in the planning and execution of a ransomware campaign.

In the case of the ransomware extortion campaign in which Claude was misused, Anthropic said: “Claude was allowed to make both tactical and strategic decisions, such as deciding which data to exfiltrate, and how to craft psychologically targeted extortion demands. Claude analyzed the exfiltrated financial data to determine appropriate ransom amounts and generated visually alarming ransom notes that were displayed on victim machines.”

As well as allowing for more sophisticated ransomware campaigns, AI may also serve to raise the sheer volume of attacks by lowering the barrier to ransomware creation. Previously, the creation and deployment of ransomware required a lot of technical expertise. The malicious actor needed to know – or at least have access to people who knew – how to code, how to test malware against defences, and how operating systems work. AI is rapidly rewriting that narrative.

A would-be cyber-criminal with only a basic grasp of programming can now use an AI model to generate code snippets for tasks such as file encryption or data handling, without having to write it all from scratch. If the first version doesn’t quite work, they can simply feed the problem back into an AI assistant, which suggests fixes instantly. There is no need for laborious manual debugging, and the result is faster prototyping and more polished ransomware, all achieved in a fraction of the time and with far less expertise than would previously have been needed.

The relative ease and speed of development promised by generative AI ransomware also looks set to play a part in the ‘industrialisation’ of ransomware. This sort of attack is already a huge and rapidly increasing global problem. In the UK alone, the 2025 Cyber Security Breaches Survey found that while phishing remained the most common threat faced by UK businesses and charities, ransomware attacks had nearly doubled between 2024 and 2025. That meant an estimated 19,000 businesses were being targeted this year across the UK.

As AI becomes more regularly used in malware development and cybercrime, the rate of attacks could ramp up significantly. Groups running ransomware-as-a-service operations can use AI to churn out countless variants of the same malware, each with slight differences designed to bypass different defences. A model can easily be trained, for example, to observe how anti-malware software typically flags suspicious behaviour. The AI can then suggest tweaks that allow the ransomware to look harmless until it strikes. Some criminals are already experimenting with polymorphic ransomware – code that rewrites itself each time it runs – or adaptive AI ransomware that only launches if the system looks like a real target. These types of tricks make traditional detection methods far less effective.

Once the ransomware variants are ready, criminal affiliates can rent or buy these ready-made packages, spreading them at scale without ever needing to understand the technical details.

All of this presents a huge challenge for those working on the cybersecurity side of the equation, as well as businesses and other organisations that could be the victims of an attack. Having comprehensive cybersecurity solutions in place is more vital than ever for businesses and organisations of all sizes and types. Relatively simple cyber hygiene measures such as relevant training, strong password policies, and suitable access protocols can do a lot to protect against some of the less sophisticated but depressingly effective threats. At the same time, businesses and cybersecurity partners need to be aware of – and have measures to deal with – emerging next-gen threats.

The use of AI to both develop and drive malware – sometimes referred to as Ransomware 3.0 – is a prime example. More variants, shorter development cycles, and a larger pool of attackers are all enabling the threat landscape to evolve faster than ever, but the good news is that AI is not just a tool for the bad guys to use. Cybersecurity has been described as a never-ending arms race, and the defenders are also leveraging AI to respond to the changing threats. Machine learning can be used to spot unusual patterns, detect malicious code, and automate responses at speed.
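Because variants that rewrite their own code defeat matching on a file's signature, defenders key on what a process does instead. The sketch below is an added example, not code from ESET, the NCSC or Clipeum, and it is a simple rule-based heuristic rather than a trained model: it flags any process that overwrites many files with near-random (encrypted-looking) data in a short window. The event format, thresholds, process ids and paths are all assumptions made for illustration.

```python
import math
import os
from collections import Counter, defaultdict, deque

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off, encrypted data approaches 8.0
FILE_THRESHOLD = 5        # assumed: distinct files rewritten with high-entropy data
WINDOW_SECONDS = 10       # assumed sliding window


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def detect_mass_encryption(events):
    """events: iterable of (timestamp, process_id, path, written_bytes), time-ordered.

    Returns the set of process ids that overwrote FILE_THRESHOLD or more distinct
    files with high-entropy content inside WINDOW_SECONDS. The binary's hash or
    code never enters the decision, so a rewritten variant is flagged the same way.
    """
    recent = defaultdict(deque)   # pid -> deque of (timestamp, path)
    flagged = set()
    for ts, pid, path, data in events:
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            continue              # ordinary documents and text sit well below the cut-off
        window = recent[pid]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()      # drop writes that fell out of the sliding window
        if len({p for _, p in window}) >= FILE_THRESHOLD:
            flagged.add(pid)
    return flagged


def sample_events():
    """Constructed sample: pid 100 saves documents, pids 200/201 are two 'variants'."""
    text = b"Quarterly report: revenue figures and notes. " * 100
    events = [(i, 100, f"/home/a/doc{i}.txt", text) for i in range(8)]
    for pid in (200, 201):
        events += [(20 + i, pid, f"/srv/share/f{i}.dat", os.urandom(4096)) for i in range(6)]
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    print(detect_mass_encryption(sample_events()))
```

Legitimate compression, backup and media tools also write high-entropy data, so in practice a rule like this is combined with allow-lists and other signals before it triggers an automated response.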

While there are lone wolf actors, cybercrime is also coalescing into an increasingly organised criminal business and, like most other businesses these days, it is exploring the ways that it can leverage AI. Cyber-criminals are leaning on AI to make ransomware smarter and easier to build, but defenders are racing to counter it with AI-driven defences of their own.
