Ransomware 2.0: Cyber Defence in the Age of AI | SITS

Ransomware 2.0: How AI is rewriting the rules of Cyber Defence

Artificial intelligence is changing the rules of cyber defence – and making ransomware attacks more dangerous than ever.

Artificial intelligence has profoundly changed the world of work, research and cybersecurity. But the same technologies that are designed to protect businesses today are also available to cybercriminals. Generative AI is increasingly being used to develop malware, personalise phishing campaigns, automate social engineering attacks and circumvent security barriers.

This development significantly aggravates the threat situation in 2025: attacks are getting faster, more targeted and harder to detect. In this article, we highlight the most important AI-supported attack scenarios – from AI-generated ransomware to autonomous attack agents and prompt injection attacks – and show how companies can realign their defences.

What is AI-generated Ransomware?

Traditional ransomware encrypts data and demands a ransom. With generative AI, attackers are taking this approach to a whole new level. Examples from recent analyses show:

  • Claude Code from Anthropic was misused by hackers to program malware, identify vulnerabilities and write customised blackmail letters.[1]
  • A proof-of-concept called PromptLock showed how AI can dynamically conceal and adapt ransomware.

Attacks can be prepared, professionalised and scaled in a very short time, often without in-depth technical knowledge. This is what makes AI ransomware so dangerous: it is flexible, automated and highly unpredictable.

Insider threats posed by AI agents

Another area in which AI is changing the rules of the game is the insider threat, which is taking on a new form. According to a recent Exabeam study, 64% of companies consider AI-driven insider threats to be more dangerous than traditional external attacks.[2]

Why?

AI agents are able to operate inconspicuously in corporate networks using stolen access data. They continuously analyse log files, adapt their behaviour to the environment and imitate the activities of normal users. Even experienced SOC teams have difficulty distinguishing these movements from legitimate processes, which makes detection and defence significantly more difficult.

This means that the ‘insider’ is no longer just a frustrated employee or external partner, but also an autonomous AI agent moving around the corporate network.

Cybercrime as a Service: AI as an attack tool

Ransomware-as-a-Service (RaaS) was already an established business model; today AI is adding a new dimension to it. According to a report by Anthropic and other experts, attackers are already using AI for:

  • Research: Scanning for vulnerable targets in seconds
  • Malware generation: Adapting malicious code to specific systems
  • Social engineering: Creating convincing phishing emails / fake identities
  • Automated campaigns: AI handles the entire process, from initial infection to extortion

This development means that attacks are becoming faster, more complex and more personalised. Companies are facing a threat that is scaling in terms of both quality and quantity.[1][3]

Protection with AI: Defence on equal terms

Defenders must use AI just as attackers do, otherwise they will lose out in the race for security.[4] Today, attacks are developing at a speed that is difficult to keep track of without automated support. AI-based defence systems not only help to evaluate large amounts of data in real time, but also to detect subtle attack patterns that human analysts would miss. Only those who actively develop their security architecture with AI technologies will remain resilient in this dynamic environment.

The most important approaches include:

Behavioral Analytics

AI-powered systems detect anomalies in user, endpoint and network behaviour. Unexpected patterns are flagged immediately, even if the malware itself is new. Since this approach is not based on known signatures but on behavioural deviations, it is particularly well suited to combating novel, AI-powered attacks.
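The following added example (not from the original article or any vendor product) sketches the behavioural-deviation idea: a per-user baseline is learned from past activity, and new events are scored against it instead of against malware signatures. The event fields, host names, sample data and the `z_limit` threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline events: (user, hour_of_day, source_host, megabytes_read)
BASELINE = [
    ("alice", 9, "ws-014", 120), ("alice", 10, "ws-014", 95),
    ("alice", 14, "ws-014", 140), ("alice", 11, "ws-014", 110),
    ("alice", 16, "ws-014", 130), ("bob", 8, "ws-022", 40),
    ("bob", 13, "ws-022", 55), ("bob", 15, "ws-022", 60),
    ("bob", 9, "ws-022", 45), ("bob", 17, "ws-022", 50),
]

def build_profiles(events):
    """Learn each user's known hosts, active hours and read-volume statistics."""
    raw = defaultdict(lambda: {"hosts": set(), "hours": [], "mb": []})
    for user, hour, host, mb in events:
        raw[user]["hosts"].add(host)
        raw[user]["hours"].append(hour)
        raw[user]["mb"].append(mb)
    profiles = {}
    for user, r in raw.items():
        profiles[user] = {
            "hosts": r["hosts"],
            "hour_range": (min(r["hours"]), max(r["hours"])),
            "mb_mean": mean(r["mb"]),
            # Avoid division by zero when a user's volume never varied.
            "mb_std": pstdev(r["mb"]) or 1.0,
        }
    return profiles

def score_event(profiles, event, z_limit=3.0):
    """Return the list of behavioural deviations for one event (empty = normal)."""
    user, hour, host, mb = event
    p = profiles.get(user)
    if p is None:
        return ["unknown-user"]
    reasons = []
    if host not in p["hosts"]:
        reasons.append("new-host")
    lo, hi = p["hour_range"]
    if not lo <= hour <= hi:
        reasons.append("unusual-hour")
    # z-score of the read volume against the user's own history
    if (mb - p["mb_mean"]) / p["mb_std"] > z_limit:
        reasons.append("volume-spike")
    return reasons
```

Because each dimension is scored separately, a session that matches a user's usual host and working hours is still flagged when its data volume departs from that user's history.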

Anomaly detection using small AI models

In addition to large language models (LLMs) such as GPT or Claude, smaller, specialised models (e.g. LLaMA, Mistral) are used in defence. They check queries, code or commands for manipulation in real time.

Prompt injection defence

AI systems themselves must be protected against attacks such as ‘prompt injection’. Here, attackers manipulate inputs in such a way that an AI model reveals confidential information or performs incorrect actions.

LLM-Protection Layer

Additional security layers that specifically monitor language models and block dangerous outputs are gaining in importance.
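As an added illustration of such a layer (not code from the original article or from any specific product), the sketch below checks each model response before release: a random canary string placed in the system prompt reveals prompt leakage, and pattern checks catch secret-like material. The function names, the `sk_` key format and the withheld-response message are assumptions made for this example.

```python
import re
import secrets

# Patterns for material that must never leave the model boundary.
# Constructed for this example; a deployment would use its own secret formats.
SECRET_PATTERNS = {
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "api-key": re.compile(r"\bsk_[A-Za-z0-9]{24,}\b"),
}

def new_canary():
    """Random marker to embed in the system prompt; it has no reason to appear in output."""
    return "CANARY-" + secrets.token_hex(8)

def guard_output(model_output, canary):
    """Return (allowed, findings) for one model response."""
    findings = []
    # The canary only exists in the system prompt, so seeing it means the prompt leaked.
    if canary in model_output:
        findings.append("system-prompt-leak")
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(model_output):
            findings.append(name)
    return (not findings, findings)

def respond(model_output, canary):
    """Release the response only if the guard found nothing; otherwise withhold it."""
    allowed, findings = guard_output(model_output, canary)
    if allowed:
        return model_output
    return "[response withheld: " + ", ".join(findings) + "]"
```

The findings list doubles as a detection signal: a `system-prompt-leak` hit is worth logging and alerting on, since it indicates an input succeeded in overriding the model's instructions.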

Practical Recommendations for Businesses

To be prepared against AI-based attacks, organisations should implement the following steps:

  • Introduce UEBA: User & Entity Behaviour Analytics helps to quickly detect suspicious activity.
  • Automate incident response: AI can pre-sort and classify incidents and respond more quickly.
  • Implement compliance requirements: Increasing regulatory requirements are a driver for better security architectures. The NIS2 directive, as well as other standards and regulations, require companies to provide greater protection – a good reason to introduce modern AI security solutions.
  • Expand awareness programmes: Employees need to understand that phishing and social engineering are now often perfected by AI.
  • Continuous monitoring: Dark web scans and threat intelligence services (e.g. CTI-as-a-Service) help to identify new patterns early on.

Conclusion

The era of AI-generated ransomware is already in full swing. Companies are facing a rapidly evolving threat landscape: from AI-created malware to insider agents to fully automated attack campaigns.

The good news is that companies can use the same technology to strengthen their defences. AI versus AI – that is the reality of cyber defence in 2025.

Those who act now will not only strengthen their resilience, but also secure their future.

Sources

[1] Barrett, B. (2025) Anthropic admits hackers have ‘weaponized’ its tools – and cyber experts warn it’s a terrifying glimpse into how quickly AI is changing the threat landscape. ITPro. Available at: https://www.itpro.com/security/cyber-crime/anthropic-admits-hackers-have-weaponized-its-tools-and-cyber-experts-warn-its-a-terrifying-glimpse-into-how-quickly-ai-is-changing-the-threat-landscape

[2] Exabeam (2025) 'From Human to Hybrid: How AI and the Analytics Gap Are Fueling Insider Risk'. Available at: https://www.exabeam.com/hubs/from-human-to-hybrid-how-ai-and-the-analytics-gap-are-fueling-insider-risk/

[3] Sabin, S. (2025) Hacker used AI to launch unprecedented cyberattack – and it could happen again. Tom’s Guide. Available at: https://www.tomsguide.com/ai/hacker-used-ai-to-launch-unprecedented-cyberattack-and-it-could-happen-again

[4] Newton, C. (2025) Artificial intelligence is changing cybersecurity: Here’s how companies are responding. Business Insider. Available at: https://www.businessinsider.com/artificial-intelligence-cybersecurity-large-language-model-threats-solutions-2025-5
