AI isn’t just showing up in your vendors’ workflows—it’s changing how attackers operate, too. Not by giving them “zero-day magic,” but by giving them speed and scale.
Black Kite’s ongoing monitoring of more than 150 ransomware groups shows that most attackers aren’t using AI to create new exploits or build autonomous malware. Instead, they’re using AI for something more practical—and, in many ways, more dangerous: to make reconnaissance, deception, and compromise dramatically faster.
Here’s a look at how cybercriminals are using AI today, where their tactics are headed next, and how third-party risk management (TPRM) strategies need to evolve in response.
Cybercriminals have always been pragmatic. They don’t innovate for novelty—they innovate for efficiency. They adopt what works, abandon what doesn’t, and weaponize legitimate tools for malicious ends. AI fits that approach perfectly.
So far, our research team has seen attackers mostly use AI for support functions—phishing content generation, translation, and voice or image manipulation—but those efficiencies compound quickly.
Phishing emails no longer sound “off.” Fake vendor invoices look authentic. Data mining that once required teams of analysts is now done by one person with the right prompt. The impact isn’t what AI creates—it’s how much time it compresses.
And when time compresses, risk scales—especially across interconnected vendor ecosystems.
Before we explore how attackers will use AI to accelerate supply chain attacks in the future, it’s important to understand how they’re using AI right now.
Most threat actors today aren’t deploying “AI malware.” They’re using AI the same way defenders do: to save time and increase productivity. Current use cases include:
Criminals follow ROI, not hype. The tactics remain the same, but AI multiplies their efficiency. AI isn’t changing what cybercriminals do, but how fast they can do it.
If AI’s current role is acceleration, its next role will be amplification. In the near term, AI will expand adversary capability in three critical ways—and all of them directly impact your supply chain:
AI can already analyze public and leaked data to uncover relationships between organizations—who connects to whom, what technologies they use, and where dependencies overlap. Over time, these same capabilities will become faster and more automated, with AI acting as a tireless analyst continuously scanning for weak or high-value links in the chain.
Supply chain targeting won’t happen in predictable cycles—it will happen in real time. Threat actors won’t need to spend weeks mapping your ecosystem to find your weakest vendor. Their models will already flag which suppliers present the greatest opportunity or exposure, long before defenders even realize they’re exposed.
AI won’t be used to write sophisticated new ransomware overnight, but it can easily repackage existing code into endless variants that can slip past traditional detection methods.
Cybercriminals will increasingly use AI models to adapt existing malware for specific environments, adjusting configurations, modifying payloads, and exploiting known weaknesses with minimal human effort. The danger isn’t “AI malware.” It’s conventional malware that’s evolving and spreading faster than defenders can keep up.
AI is accelerating a shift that’s already underway in the ransomware ecosystem. Large, disciplined operations are giving way to smaller, more opportunistic groups. As our 2025 Ransomware Report shows, dozens of smaller groups are replacing once-dominant names like LockBit and AlphV.
AI will likely accelerate this decentralization by automating the operational drudgery—drafting ransom notes, translating communications, even managing negotiations. Illicit, criminal-facing LLMs like WormGPT are lowering the entry barrier even further. The result isn’t necessarily more advanced attacks, but many more of them—and each new actor puts more pressure on the supply chain.
The supply chain has always been a force multiplier for attackers. One compromised vendor can expose hundreds of downstream companies. AI doesn’t change that dynamic; it simply removes the manual work of finding the weakest link.
By analyzing public business data, leaked credentials, and shared infrastructure metadata, AI can map interdependencies between companies. It can also reveal which suppliers rely on the same third-party services or technologies, helping attackers model which compromise would create the greatest downstream impact and prioritize those targets accordingly.
We’ve already seen how that plays out. The 2024 CDK Global ransomware attack disrupted thousands of automotive dealerships through a single upstream breach. The Clop campaign against MFT software spread across retail and logistics ecosystems. Those operations were largely manual. With AI, similar campaigns will scale faster, spread wider, and be even harder to contain.
While the most advanced AI-driven attacks haven’t yet materialized, broader adoption is inevitable. To build resilience now, CISOs and TPRM leaders should:
AI isn’t making attackers more creative—it’s making them more efficient. And efficiency at scale is what turns isolated vulnerabilities into systemic risk. The evolution of AI-driven threats won’t be defined by a single breakthrough, but by velocity. Adversaries will iterate, adapt, and exploit faster than manual defenses can respond.
That’s why continuous, predictive risk intelligence is now critical. The Black Kite Research Group tracks global threat actors and third-party exposures in real time, translating early indicators into quantifiable insights about who is being targeted, how, and why.
Attackers aren’t rewriting their playbooks with AI; they’re just running them faster. With Black Kite, organizations can identify at-risk vendors sooner, understand the methods likely to be used against them, and take informed action before threats turn into incidents.