As cybercrime continues to escalate globally, the landscape of ransomware is evolving, aided by the emergence of generative AI tools. Recent research indicates that cybercriminals now utilize AI technology not only for drafting intimidating ransom notes but also to create malware from scratch and provide ransomware services to other criminals.
A threat intelligence report from the AI company Anthropic reveals that attackers are leveraging their large language model, Claude, as well as its coding-focused version, Claude Code, to assist in the development of ransomware. Similarly, research from the security firm ESET has uncovered a proof of concept for ransomware executed entirely by local large language models running on compromised servers. Together, these findings highlight a significant transformation in ransomware, removing traditional technical barriers and enabling even inexperienced individuals to engage in cybercrime.
Ransomware has presented a persistent challenge over the past decade. Cybercriminals have become more ruthless in their tactics, prompting victims to pay ransoms. Reports indicate that ransomware attacks reached unprecedented levels at the beginning of 2025, generating substantial profits for criminals. Paul Nakasone, the former director of the U.S. NSA and Cyber Command, cautioned at a recent security conference that progress against ransomware is not being made.
The integration of AI technologies into ransomware techniques escalates the potential for more sophisticated attacks. One particular known actor, GTG-5004, based in the UK, has been found to use Claude to develop and market ransomware with advanced capabilities. On underground cybercrime forums, GTG-5004 advertised ransomware services ranging from $400 to $1,200, providing tools tailored to various levels of expertise.
While this activity does not seem to be widespread yet, it raises serious alarms. Allan Liska from Recorded Future notes that while some groups are using AI in ransomware development, the majority are focused on securing initial access. Separately, ESET researchers report the emergence of "PromptLock," the first documented instance of AI-powered ransomware, capable of generating malicious scripts on demand.
Anthropic’s findings also reveal the alarming capability of another group, GTG-2002, which employed Claude Code to automate the entire ransomware attack process—from selecting targets to data theft and ransom note creation. In the past month, this operation affected at least 17 organizations across various sectors including government and healthcare.
The swift integration of AI into cybercriminal operations emphasizes a concerning trend: AI is functioning both as a technical advisor and an active participant, enabling operations that would typically require significant manual effort. As generative AI continues to evolve, the risk posed by ransomware and other cyber threats may increasingly challenge existing security measures.
