Dark web ransomware networks adopt AI tools to expand global cyber threats
Ransomware operations are undergoing a profound transformation as cybercriminal groups adopt artificial intelligence (AI) and automation to scale attacks, diversify targets, and accelerate campaigns. A new study reveals how modern ransomware ecosystems are evolving into structured, data-driven operations with measurable behavioral patterns.
Published in the Journal of Cybersecurity and Privacy, the study titled "AI-Amplification Indicator: An Actor-Level Scoring Framework for Ransomware Operations on the Dark Web" introduces a novel framework that shifts cyber threat analysis away from traditional metrics such as malware signatures and victim counts toward behavioral intelligence rooted in real-world activity. The research demonstrates that ransomware groups differ significantly in how they scale operations, coordinate attacks, and exploit AI-driven capabilities, offering a new lens for understanding cybercrime in the era of generative AI.
From malware to organized cyber ecosystems: the rise of AI-amplified ransomware
The study highlights a fundamental shift in ransomware operations from isolated incidents to coordinated, multi-stage campaigns resembling professional enterprises. Modern ransomware groups operate through structured workflows that include initial access, internal movement, data exfiltration, and public disclosure through leak portals.
This transformation is closely tied to the integration of artificial intelligence and automation, which reduce the cost and complexity of launching large-scale attacks. Generative AI, in particular, is enabling more convincing and personalized phishing campaigns, allowing attackers to target victims with tailored messages at scale. These capabilities significantly enhance the efficiency of social engineering, one of the primary entry points for ransomware attacks.
Despite these advancements, traditional threat assessments have struggled to keep pace. Most existing approaches remain focused on technical artifacts such as malware code or aggregate victim counts, offering limited insight into how different ransomware groups operate. The study addresses this gap by introducing the AI-Amplification Indicator, a framework designed to measure behavioral patterns at the actor level.
The framework evaluates ransomware groups across four key dimensions: AI-enabled social engineering, operational tempo, targeting breadth, and temporal scaling. Each dimension captures a different aspect of how attacks are planned, executed, and expanded, providing a more comprehensive view of cybercriminal behavior.
By applying this framework to real-world data collected from dark web leak sites, the researchers were able to construct detailed profiles of ransomware actors, revealing substantial variation in their operational strategies and capabilities.
Inside the AI-Amplification Indicator: measuring how ransomware groups scale
The AI-Amplification Indicator is a scoring system that translates observable ransomware activity into measurable behavioral signals. The framework is based on continuous monitoring of dark web leak portals, where ransomware groups publicly disclose victims as part of extortion strategies.
The dataset used in the study includes 147 verified victim organizations across 14 countries and activity attributed to 48 distinct ransomware actors during 2025. This data provides a robust empirical foundation for analyzing how different groups operate over time and across regions. Below are the components and their functions:
- AI-enabled social engineering: This dimension evaluates whether ransomware groups use generative AI or automated systems to create scalable phishing campaigns. While evidence of such activity remains limited, the study identifies measurable signs of AI-assisted deception in a small number of cases, indicating an emerging trend rather than widespread adoption.
- Operational tempo and orchestration: This component captures how frequently and rapidly groups release victim disclosures. This dimension reveals stark differences between actors, with some groups executing high-intensity burst campaigns over short periods, while others maintain steady activity over longer durations.
- Targeting breadth: This dimension analyzes how widely groups distribute their attacks across sectors and countries. Some actors demonstrate highly diversified targeting strategies, spreading activity across multiple industries and geographic regions, while others focus on narrower, more specialized targets.
- Temporal scaling dynamics: This component assesses how quickly groups expand their operations after initial activity and how long they sustain campaigns. This dimension distinguishes between actors that rapidly scale operations and those that grow more gradually over time.
Together, these indicators provide a multi-dimensional view of ransomware behavior, enabling systematic comparison of actors beyond simple metrics such as victim counts.
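The three dimensions that can be read directly off leak-portal timing and victim metadata (tempo, targeting breadth, temporal scaling) lend themselves to a small scoring script. The following is an added example and not the paper's framework or code: it computes per-actor indicators from constructed disclosure records and ranks actors by an equally weighted composite. The specific measures (disclosures per active day, share of disclosures in the busiest 7-day window, distinct sectors and countries, days to reach half of an actor's disclosures) and the equal weighting are assumptions chosen for illustration, not the study's published formulas. The AI-enabled social engineering dimension cannot be derived from disclosure timing alone, so it is carried only as an analyst-supplied annotation.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of leak-portal disclosures: (actor, disclosure date, victim
# sector, victim country). Actor names, dates and victims are invented for this
# example and do not describe any real group.
DISCLOSURES = [
    ("ACTOR-A", date(2025, 3, 1), "healthcare", "US"),
    ("ACTOR-A", date(2025, 3, 1), "manufacturing", "DE"),
    ("ACTOR-A", date(2025, 3, 2), "education", "US"),
    ("ACTOR-A", date(2025, 3, 2), "finance", "FR"),
    ("ACTOR-A", date(2025, 3, 3), "retail", "GB"),
    ("ACTOR-A", date(2025, 3, 3), "healthcare", "CA"),
    ("ACTOR-B", date(2025, 1, 10), "healthcare", "US"),
    ("ACTOR-B", date(2025, 2, 14), "healthcare", "US"),
    ("ACTOR-B", date(2025, 3, 20), "healthcare", "US"),
    ("ACTOR-B", date(2025, 4, 25), "healthcare", "US"),
    ("ACTOR-B", date(2025, 5, 30), "healthcare", "US"),
    ("ACTOR-B", date(2025, 7, 4), "healthcare", "CA"),
]


def by_actor(records):
    """Group disclosures per actor, each list sorted by date."""
    groups = defaultdict(list)
    for actor, day, sector, country in records:
        groups[actor].append((day, sector, country))
    return {actor: sorted(rows) for actor, rows in groups.items()}


def tempo(dates):
    """Operational tempo (assumed measures): disclosures per active day, and the
    share of all disclosures that fall inside the busiest 7-day window."""
    dates = sorted(dates)
    span_days = (dates[-1] - dates[0]).days + 1
    window = timedelta(days=7)
    busiest = max(
        sum(1 for d in dates[i:] if d - dates[i] < window) for i in range(len(dates))
    )
    return {"rate_per_day": len(dates) / span_days, "burst_ratio": busiest / len(dates)}


def breadth(rows):
    """Targeting breadth (assumed measure): distinct sectors and countries hit."""
    return {
        "sectors": len({sector for _, sector, _ in rows}),
        "countries": len({country for _, _, country in rows}),
    }


def scaling(dates):
    """Temporal scaling (assumed measures): days from the first disclosure until
    half of the actor's disclosures are public, and total campaign duration."""
    dates = sorted(dates)
    half_index = (len(dates) + 1) // 2 - 1  # disclosure that reaches the 50% mark
    return {
        "days_to_half": (dates[half_index] - dates[0]).days,
        "duration_days": (dates[-1] - dates[0]).days,
    }


def build_profiles(records, ai_flags=None):
    """One behavioural profile per actor. ai_flags is an optional analyst
    annotation {actor: bool} for observed AI-assisted social engineering; it is
    not derivable from disclosure timing, so it is passed through untouched."""
    ai_flags = ai_flags or {}
    profiles = {}
    for actor, rows in by_actor(records).items():
        dates = [day for day, _, _ in rows]
        p = {"actor": actor, "victims": len(rows),
             "ai_social_engineering": ai_flags.get(actor, False)}
        p.update(tempo(dates))
        p.update(breadth(rows))
        p.update(scaling(dates))
        profiles[actor] = p
    return profiles


def rank_actors(profiles):
    """Order actors by a composite: the mean of min-max normalised tempo, breadth
    and scaling speed across the observed population. Equal weighting is an
    assumption for illustration, not the study's weighting."""
    features = [
        lambda p: p["rate_per_day"],
        lambda p: p["sectors"],
        lambda p: p["countries"],
        lambda p: 1.0 / (1 + p["days_to_half"]),  # faster ramp-up scores higher
    ]

    def normalise(values):
        lo, hi = min(values), max(values)
        return [1.0 if hi == lo else (v - lo) / (hi - lo) for v in values]

    actors = list(profiles)
    columns = [normalise([f(profiles[a]) for a in actors]) for f in features]
    scores = {a: sum(col[i] for col in columns) / len(columns) for i, a in enumerate(actors)}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    profiles = build_profiles(DISCLOSURES)
    for actor, score in rank_actors(profiles):
        print(f"{actor}: composite={score:.2f} {profiles[actor]}")
```

With the constructed sample, ACTOR-A posts six victims across five sectors and five countries in three days (a burst profile), while ACTOR-B posts the same six victims over roughly six months against a single sector; equal victim counts, very different profiles, which is the point the study makes about victim counts alone. In practice the input would come from continuous leak-site collection, and the normalisation step should be run over the full actor population rather than a handful of groups.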
Uneven threat landscape: why ransomware actors differ in capability and impact
The analysis shows that a small number of groups account for a disproportionate share of activity, while many others operate at much lower levels of intensity. This uneven distribution reflects differences in organizational maturity, resource availability, and strategic approach. High-performing actors tend to combine rapid operational tempo, broad targeting strategies, and sustained campaign activity, indicating more advanced and coordinated operations. In contrast, lower-tier actors often exhibit sporadic activity, limited geographic reach, and slower scaling.
The study also reveals that victim counts alone are insufficient to assess the true capability of ransomware groups. Actors with similar numbers of victims can display very different operational profiles, depending on how they coordinate attacks, diversify targets, and scale campaigns.
For example, some groups specialize in burst-style campaigns, releasing multiple victim disclosures within a short time frame, while others maintain consistent activity over several months. Similarly, some actors focus on specific sectors or regions, while others adopt a more diversified approach, targeting multiple industries and countries simultaneously.
Another key insight is the limited but growing role of AI in ransomware operations. While most groups still rely on conventional methods, a small subset shows clear evidence of AI-assisted social engineering, suggesting that automation and generative AI are beginning to influence how attacks are conducted.
However, the study emphasizes that observable AI-driven behavior remains relatively rare, and most ransomware operations continue to rely on established techniques. This indicates that the full impact of AI on cybercrime may still be in its early stages, with significant potential for future growth.
Implications for cybersecurity strategy and future threat intelligence
First, the research calls for a shift toward behavior-based threat intelligence. Traditional approaches that focus on technical indicators or aggregate metrics may fail to capture the complexity and variability of modern ransomware operations. By incorporating behavioral indicators such as tempo, diversification, and scaling, organizations can gain a more nuanced understanding of threat actors and prioritize defenses accordingly.
Second, the study highlights the growing importance of AI in both offensive and defensive cybersecurity. As attackers begin to leverage generative AI to enhance social engineering and automate operations, defenders must adopt equally advanced technologies to detect and respond to evolving threats.
Third, the actor-level approach introduced in the study provides a practical framework for prioritizing resources. By identifying high-risk actors based on their behavioral profiles, organizations can focus monitoring and mitigation efforts on the most significant threats, improving overall security efficiency.
The research also points to the need for continued monitoring and data collection. Because ransomware activity is dynamic and constantly evolving, longitudinal analysis across multiple years and regions will be essential to understand long-term trends and the impact of emerging technologies.
First published in: Devdiscourse