Ransomware doesn’t need AI when simple weaknesses leave the door standing ajar


After reading recent reports of AI’s impact on cybercrime, one might assume that the world is about to enter an era of frightening, AI-powered ransomware attacks.

As Trend Micro put it in its November 2025 report, The AI-Fication of Cyberthreats: “The tools, tactics, and procedures that once required coordinated human effort can now be executed rapidly and at scale through highly automated infrastructures.”

As for ransomware, this “will evolve into AI-driven, fully automated operations that scan, exploit, and extort with minimal human input.” Worse, ransomware-as-a-service (RaaS) platforms will democratize the technology, making it accessible to any and every cybercriminal regardless of expertise – in effect, AI-ransomware-as-a-service.

Arguably, this will mean the end of ransomware as we know it and the beginning of something completely new. This will be a world in which the attack surface of today will become the much larger extortion surface of tomorrow, and in which every facet of an organization (data, systems, supply chain, employees, customers, partners) will now be a target for blackmail. (Remember when it was only files that were at risk?) The word ‘ransomware’ doesn’t really do this AI-driven nightmare justice. 

Open sesame

And yet the talk of cybercrime and AI tends to ignore the fact that ransomware has flourished perfectly well without it. Adding AI to the mix might make ransomware sound more potent, but it is far from being a prerequisite for its success.

Despite the tales of spectacular attacks, the reality is that ransomware is a prosaic business that feeds on everyday weaknesses that nobody bothered to fix or knew existed. Many of these weaknesses have been known for decades. As long as these issues persist, adding AI offense will make life easier for cybercriminals without altering the fact that the door is already often standing half open for them to walk through.

In today’s ransomware attacks, that usually means exploiting one of three things: user credentials, VPN gateways, and core infrastructure such as firewalls. Figures from cyber-insurer Coalition covering 2024 found that 58% of ransomware incidents were traced to an issue with perimeter security appliances, which would cover the theft of credentials as well as exploits targeting vulnerabilities. 

Third-quarter 2025 figures from another insurer, Corvus Insurance, back this up, with the company’s figures for the same time period showing that VPN weaknesses alone accounted for 50% of claims in a two-month period. A possible cause was that defenders had upgraded a popular vendor’s VPN equipment but, incredibly, forgot to change the default password on the new installation.

Or take the recent attack on M&S that brought one of the UK’s most respected retailers to its knees for months and cost hundreds of millions in lost business and remediation. The cause? The attackers were able to socially engineer a credential reset for a privileged user. One tiny authentication gap and a company turning over billions found itself at the mercy of a few attackers in a back room.

While it’s true that AI can, in principle, automate vulnerability exploitation on a much larger scale, it still needs those weaknesses to exist in the first place. The concern around the effect of AI on ransomware shouldn’t distract from the need to tackle today’s weaknesses. 

Arguably, the more likely effect of AI on ransomware won’t be how it attacks, but what it attacks. What better target for AI-driven ransomware than AI itself? This is perhaps where we are really heading: an era of denial-of-service attacks targeting vulnerable AI systems that organizations will soon not be able to live without.
