2025-04-07

It's no secret that cybercriminals use artificial intelligence and large language models to raise their ransomware game. AI and LLMs can aid the crafting of more convincing phishing emails, enable ransomware to more easily bypass security defenses and avoid detection, and help target victims more effectively.

The AI and ransomware story is not all doom and gloom, however. AI provides a powerful assist to ransomware defense tools and best practices. With AI, detection software can more quickly and accurately identify ransomware attacks. AI can also accelerate mitigation and recovery efforts. Combined with threat intelligence data, AI can help security teams keep pace with emerging ransomware threats or shifts in tactics.

How AI makes ransomware attacks more dangerous

People might assume that cybercriminals use AI only to craft phishing email messages that better persuade victims to click on malicious links. While that is a common use, AI enhances the chances of success for ransomware attacks at all levels. The following are some key ways that cybercriminals use AI with ransomware attacks:

Research and reconnaissance. The more attackers know about potential victims, the better chance they have for a successful attack. Attackers use AI to identify victims, locate critical assets and assess vulnerabilities much more quickly and accurately than when that work is done manually. "[Reconnaissance is the] first thing attackers do," said Mark Lynd, head of executive advisory and strategy at Netsync, an IT and security consulting company and MSP. "They scan networks for vulnerabilities, misconfigurations, unpacked systems. It gives them a roadmap to get in and attack your organization. Once they get in, they can use an AI-driven bot to automate privilege escalation and spread ransomware laterally through the organization."

Behavioral analysis. AI helps security tools analyze user and system behaviors to more quickly and accurately detect anomalies that might indicate a ransomware attack. A suspicious anomaly might be a new network traffic pattern or access from an unknown IP address or unusual location. "Most of the ransomware attacks come from unidentified networks," said Rele, who has co-authored a paper on using AI to detect ransomware.

Modern data platforms, such as Cohesity, Rubrik and Veeam, connect with extended or managed detection and response tools. These XDR/MDR products monitor and quarantine anything that looks suspicious. The top XDR and MDR products use AI to perform behavioral analytics to identify threats that might evade traditional signature-based detection. Because they are integrated with data platforms, the AI-enhanced detection and response tools help keep ransomware from corrupting data files and backups.

How to prevent AI-powered ransomware attacks

The basics of ransomware prevention -- such as employee training, security controls and processes, response plans and data backups -- still apply in the world of AI. The enhanced threat that ransomware presents thanks to AI will require some tweaking of those basics. The following are some specific actions to consider.

Update employee training. All users within the organization should understand what to look for. "Every company is launching AI, so you need to train the users first," Rele said. He suggested selecting a good training program and then running simulation tests. "Not everyone is going to absorb what's in the training. You need to run some simulations, like phishing drills." Rele recommends training tech staff as well on skills such as secure coding in an AI environment. As for training security teams, "A lot of the tools have AI capabilities now, but that doesn't mean that you need somebody on staff who's an AI expert," he said. "All you need is a good software engineer who can be trained on AI."

Deploy AI-enhanced security tools at the network and endpoint levels. Having these tools in place is necessary to counter the speed at which an AI-enhanced ransomware attack can occur. Tools such as Darktrace or ExtraHop can automatically shut down a host if they see files being encrypted and then restore the files if needed. "You need some kind of a program that can do automated restore," Rele said. "Then, if you have an endpoint detection installed on your laptop, [the tool] will see that you're trying to do a malicious activity and it will cut the connection, give you an error and put the logs on screen. Then, your IT and security teams can look into the logs and figure out whether it's genuine." Rele views AI tools as crucially important. "The problem is that people don't want to invest in the right tools. Companies that have low budgets for AI tools or security tools -- that's where they're getting exploited. And then attackers know that."

Create a baseline for network activity. Before AI can detect anomalous behavior on an organization's network, it needs to know what normal traffic looks like. Rele cited the example of an e-commerce business: AI knows from which states the order traffic is likely to originate; if that pattern deviates, the AI can send an alert to check whether that activity is genuine. AI can also speed the process of identifying people with access to important data and their relationships with other key individuals.

Monitor and limit publicly accessible data. Ransomware gangs can use AI to quickly gather and analyze information available online about a target organization. This helps them identify whom to target as well as the IT products used on a network and their vulnerabilities. "If a manufacturer has a use case about an organization and it mentions specific security products, networking products (Cisco, Fortinet, CrowdStrike), AI is amazing at collecting that information," Lynd said. With a simple prompt using an organization's name, AI pulls that information. "Once you have that, you can look at the CVE [list], which shows the vulnerability and exploits, and now you know what ports to look at. It's great at determining what organizations are vulnerable, where they're vulnerable and if they're low-hanging fruit."

Have a tested incident response plan. Getting hit with an AI-enhanced ransomware attack means less time to respond and recover. If an incident response plan does not take this into account, the impact of the attack will be far worse. "It's unbelievable how few organizations actually have a tested incident response plan," Lynd said. "Some of the nastier versions of ransomware can encrypt 55,000 files a minute. If you don't catch those early indicators of compromise, it's already [a] business continuity [issue]. If you're not careful, you end up in disaster recovery."

Conduct tabletop exercises for AI-enhanced ransomware. Lynd recommends incident response tabletop exercises for hypothetical AI-enhanced ransomware attacks. These help key defenders and other stakeholders better understand the threat and enable an organization to test and fine-tune its incident response plan.
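The baseline-then-deviation idea from the "Create a baseline for network activity" item above, and the unknown-location anomaly mentioned under "Behavioral analysis", as an added Python example that is not code from the article or from any vendor it names. The log line format, the region codes, the IP addresses and the 5% / 20% thresholds are all constructed assumptions.

```python
from collections import Counter

# Constructed sample log lines (not real traffic): "<timestamp> <src_ip> <region> <path>".
BASELINE_LOGS = [
    "2025-04-01T10:00:01 203.0.113.10 US-CA /checkout",
    "2025-04-01T10:00:05 203.0.113.11 US-CA /cart",
    "2025-04-01T10:00:09 203.0.113.12 US-TX /checkout",
    "2025-04-01T10:00:14 203.0.113.13 US-NY /cart",
    "2025-04-01T10:00:20 203.0.113.14 US-CA /checkout",
    "2025-04-01T10:00:27 203.0.113.15 US-TX /checkout",
]
# A later window in which two requests arrive from a region never seen in the baseline.
NEW_WINDOW_LOGS = [
    "2025-04-07T02:13:01 203.0.113.20 US-CA /checkout",
    "2025-04-07T02:13:04 198.51.100.7 ZZ-00 /admin/export",
    "2025-04-07T02:13:06 203.0.113.21 US-TX /cart",
    "2025-04-07T02:13:09 198.51.100.8 ZZ-00 /admin/export",
    "2025-04-07T02:13:12 203.0.113.22 US-CA /checkout",
]
# A quiet window, including one malformed line that the parser must skip.
QUIET_LOGS = [
    "2025-04-07T09:00:01 203.0.113.30 US-CA /cart",
    "garbage line",
    "2025-04-07T09:00:03 203.0.113.31 US-TX /checkout",
]

def parse(lines):
    """Yield (src_ip, region) for each well-formed line; skip anything else."""
    for line in lines:
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2]

def build_baseline(lines, min_share=0.05):
    """Regions that account for at least min_share of the baseline window's traffic."""
    counts = Counter(region for _, region in parse(lines))
    total = sum(counts.values())
    return {r for r, c in counts.items() if c / total >= min_share} if total else set()

def score_window(lines, baseline, max_unknown_share=0.2):
    """Return (unknown_share, alert, offending_ips) for one window of log lines."""
    # alert fires when the fraction of requests from non-baseline regions exceeds the (assumed) threshold
    events = list(parse(lines))
    if not events:
        return 0.0, False, []
    unknown = [(ip, region) for ip, region in events if region not in baseline]
    share = len(unknown) / len(events)
    return share, share > max_unknown_share, sorted({ip for ip, _ in unknown})
```

An alert here is a prompt to verify, as Rele describes, not a verdict: the offending IPs are returned so an analyst can check whether the activity is genuine.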