Criminal wannabes even more dangerous than the pros • The Register

Regulation Reporter

Former FBI cyber chief warns that amateur ransomware operators using AI are creating more chaos than sophisticated criminals, as their flawed attacks generate overwhelming volumes that distract defenders from serious threats.

The Rise of the Ransomware Wannabes

When Cynthia Kaiser left her role as deputy assistant director at the FBI's cyber division to lead Halcyon's new Ransomware Research Center, she brought with her two decades of experience tracking nation-state cyber threats from China, Russia, North Korea, and Iran. But what she discovered upon entering the private sector shocked even this seasoned cyber veteran: the most dangerous ransomware operators aren't the sophisticated criminal enterprises, but rather the amateur "wannabes" armed with AI tools.

"You're seeing criminals, wannabes who, in their hands, AI is even scarier than sophisticated actors who are incorporating some type of this technology," Kaiser told The Register at RSA Conference. "You have a bunch of wannabes, and if they can go from 0 percent to 5 percent or 10 percent effectiveness, that's great for them. But for IT and security professionals inside organizations, the biggest threat is the increased volume of these terrible, just ugly attacks."

The Iran Connection: Pay2Key's Destructive Turn

Kaiser's team at Halcyon has been investigating a range of ransomware incidents, from sophisticated state-sponsored operations to amateur attempts. One particularly concerning case involved Pay2Key, an Iranian-government-linked ransomware group that attacked a US healthcare organization in late February 2026.

The timing was notable, occurring around the start of US and Israeli military strikes against Iran. While Kaiser couldn't definitively link the attack to the regional conflict, the investigation revealed that Pay2Key had gained access to a compromised admin account several days before the attack and deployed ransomware, encrypting the environment in just three hours.

"They had to have been on the network before the attack, that access was already existing," Kaiser explained. "What it says is that there are existing accesses that a government-linked group like Pay2Key can operationalize at any given time."

What made this attack particularly alarming was its apparent shift from financially motivated crime to pure destruction. Unlike typical double-extortion ransomware campaigns where data theft precedes encryption, there was no evidence that any data had been stolen during this incident. This marked a significant departure from Pay2Key's previous tactics and aligned more closely with destructive cyber operations.

"It shows that there's this really distinct ransomware threat that has some government connections, and it appears in this case it was much more aimed at destruction than just the ransom and financial gain," Kaiser said.

The Speed of Sophisticated Criminals

While state-sponsored groups like Pay2Key pose significant threats, financially motivated criminal organizations have become increasingly efficient. Akira, a prominent ransomware operation, has demonstrated remarkable speed in its attacks, moving from initial access to full encryption in less than one hour in most of its hundreds of compromises over the past year.

Akira's technical sophistication extends to its decryption tools, which employ a "checkpoint" system that ensures large files can be recovered even if there's an interruption during the encryption process. This feature makes paying the ransom more appealing to victims who might otherwise resist.

"You don't have the dwell time that you used to have," Kaiser warned. "Ransomware is so different today than it was two years ago among these really sophisticated threat-actor groups."

Sicarii: When AI Makes Things Worse

The most illustrative example of AI's double-edged sword in cybercrime might be Sicarii, a ransomware operation that emerged in December 2025. Unlike sophisticated criminal enterprises, Sicarii's malware was fundamentally flawed in a way that highlights the dangers of amateur developers using AI tools without proper understanding.

The group's encryptor generated a new cryptographic key pair during every execution but then discarded the private key, meaning there was no recoverable master key. Victims might or might not be able to decrypt their files, depending on various factors.

"You need three things to make ransomware successful. You need a lock, you need a key - that's what the victims pay for - and you need to be able to put the key in the lock," Kaiser explained. "They forgot to make that keyhole, so it's destruction-ware now."

Kaiser believes Sicarii's developers used AI at every stage of development but failed to properly integrate the components. "They'd obviously used AI at every stage, and then they ugly-chained it together - I don't think they used an agent, it was just ugly coding at every stage," she said.

The Overwhelming Volume Problem

The real danger of these amateur operations isn't their sophistication but their volume. While sophisticated attacks like Akira's are stealthy and fast, amateur operations like Sicarii are noisy and obvious, triggering numerous security alerts.

"These attacks aren't very stealthy, and they will likely set off all kinds of security alerts," Kaiser noted. "But if you have such a huge volume that, and you're dealing with that, and especially if you don't use automation on your network, then as you're dealing with that, what other sophisticated threats are coming in?"

This creates a perfect storm for defenders: they must simultaneously deal with overwhelming numbers of unsophisticated attacks while remaining vigilant for the rare but devastating sophisticated intrusions. The cognitive load and alert fatigue can lead to missed detections of serious threats.

The Human Cost

Kaiser's transition from tracking nation-state threats to focusing on ransomware came with a significant shift in perspective. While Chinese pre-positioning on critical infrastructure represented a potential catastrophic threat, ransomware was already causing immediate harm.

"I'm also really angry about ransomware because ransomware targets hospitals today, it kills people today," Kaiser said, explaining her motivation for focusing on this threat. The human impact of ransomware attacks on healthcare organizations, where delays in treatment can be life-threatening, represents a moral imperative that transcends traditional cybersecurity concerns.

The Evolving Threat Landscape

The ransomware landscape has evolved dramatically over the past two years. Sophisticated groups have become faster and more technically advanced, while amateur operators have multiplied in number, empowered by AI tools that lower the technical barriers to entry.

For organizations, this means defense strategies must evolve accordingly. Traditional approaches focused on detecting and stopping sophisticated, stealthy attacks may leave organizations vulnerable to the volume-based attacks from amateurs. Meanwhile, the speed of professional operations means that dwell time for detection and response has shrunk dramatically.

Kaiser's warning is clear: the ransomware threat isn't just about the most sophisticated criminals anymore. The amateur wannabes, armed with AI and lacking proper understanding, may pose an even greater danger through their sheer numbers and the chaos they create.

As ransomware continues to evolve and expand its reach, organizations must prepare for both ends of the spectrum - the lightning-fast professional operations and the overwhelming volume of amateur attacks - while never losing sight of the human cost of these criminal enterprises.
