A new report has detailed how AI is fuelling the rapid development of global ransomware attacks, and warns that the proliferation of tailored LLMs is poised to significantly amplify cyber-criminals reach and impact.
Kaspersky’s State of Ransomware Report 2025 has revealed that ransomware operators are becoming heavily reliant on AI tools, particularly in malware development, using these to create AI-generated code, complete with flawless comments, designed to evade detection.
Among the most proliferate threat actors observed using AI is the FunkSec group, which emerged in late 2024 and quickly gained notoriety by surpassing more established actors like Cl0p and RansomHub, claiming eighty-five victims in December alone.
According to an earlier report from Check Point Research, while FunkSec’s code points to inexperienced malware authors, their use of AI has enhanced their capabilities, with messages between group members linking the creation of their custom ransomware to AI agents, as well as an AI chatbot designed solely to support malicious activities.
Building on that trend, Kaspersky’s research highlights how LLMs marketed on the dark web have lowered the technical barrier to creating malicious code, phishing campaigns and social engineering attacks, with threat actors able to craft highly convincing lures or automate ransomware deployment.
Looking ahead, the cybersecurity outfit warns that as more innovative concepts such as Robotic Process Automation and LowCode become more popular and widely available, budding ransomware developers will turn to these visual, AI-assisted drag-and-drop interfaces to further automate their attacks.
Kaspersky’s study also points to another major shift taking hold among ransomware groups, illustrated by the likes of FunkSec, with RaaS (Ransomware-as-a-Service) now the go-to model for attackers.
In 2024, RaaS platforms like RansomHub thrived by offering malware, technical support and affiliate programs that split the ransom, and enabled less-skilled actors to execute sophisticated attacks, contributing to the emergence of multiple new ransomware groups in 2024 alone.
Research from Searchlight Cyber in February backs these findings, with a detailed ‘threatscape’ study identifying 94 ransomware groups posting victims in 2024, a 38% increase on 2023, with 49 new groups observed operating, reflecting a fracturing within the ransomware landscape.
Though traditional ransomware operations haven’t disappeared, RaaS models have taken the lead thanks to their scalability and profit potential, with these platforms offering nascent threat groups services like initial access brokering and data exfiltration, which Kaspersky said will reinforce their dominance.
Meanwhile, Kaspersky’s study predicts that ransomware actors will further evolve by exploiting unconventional vulnerabilities that are often overlooked by cybersecurity operations.
Perhaps best demonstrated by the Akira gang’s use of a webcam to bypass endpoint detection and response systems and infiltrate internal networks, attackers are likely to increasingly target entry points like IoT devices, smart appliances or misconfigured hardware in the workplace.
With 70% of UK organisations already having fallen victim to security incidents caused by overlooked or unmanaged assets, ransomware actors will capitalise on expanding attack surfaces to refine their tactics, focusing on stealthy reconnaissance and lateral movement within networks.
Recommended reading
“In our report, we highlight that there is a concerning shift toward exploiting overlooked entry points — including IoT devices, smart appliances, and misconfigured or outdated workplace hardware,” said Dmitry Galov, head of research centre for Kaspersky’s Global Research and Analysis Team.
“These weak spots often go unmonitored, making them prime targets for cybercriminals. To stay secure, organisations need a layered defence: up-to-date systems, network segmentation, real-time monitoring, robust backups, and continuous user education.
“Building cyber awareness at every level is just as important as investing in the right technology.”
Related
