Why AI could make ransomware and phishing harder to stop

The UK’s Government Communications Headquarters says AI will almost certainly increase the volume and impact of cyber attacks over the next two years. The biggest near-term gains are expected in ransomware, reconnaissance, social engineering, and faster analysis of stolen data.

Why AI could make ransomware and phishing harder to stop

Artificial intelligence is not expected to reinvent cybercrime overnight. But according to the UK’s Government Communications Headquarters, it is likely to make many existing cyber threats faster, broader, and harder to spot over the next two years.

AI changes the scale of familiar cyber threats

The assessment from GCHQ says AI will almost certainly increase both the volume and the impact of cyber attacks in the next two years. That does not mean every attacker suddenly gains advanced capabilities. The report’s central point is narrower: AI improves parts of the cyber attack process that criminals and state-backed actors already use.

Ransomware is expected to be the biggest beneficiary in that period. The reason is practical. AI can help attackers with access operations, information gathering, reconnaissance, social engineering, and the analysis of stolen data. Those are the kinds of tasks that sit around ransomware campaigns and can make them easier to run or harder to defend against.

Lindy Cameron, CEO of the GCHQ’s National Cyber Security Centre, described the change in measured terms: “The emergent use of AI in cyber attacks is evolutionary not revolutionary, meaning that it enhances existing threats like ransomware but does not transform the risk landscape in the near term.”

That distinction matters. The warning is not that AI creates an entirely new category of cyber risk in the near term. It is that attackers can use AI to improve tactics, techniques and procedures that already exist.

Who benefits from AI-enabled cyber activity

The assessment says all types of cyber threat actor are already using AI to varying degrees. That includes state and non-state actors, skilled and less skilled groups, financially motivated criminals, hackers-for-hire, hacktivists, nation-states, and commercial firms that serve them.

The benefits are expected to be uneven. Less-skilled actors may gain help with access and information gathering. More experienced threat actors may use AI to identify vulnerabilities and bypass security defenses more efficiently. The most sophisticated uses are expected to remain limited to actors with quality training data, significant expertise in both AI and cyber, and resources.

The report also says more advanced uses are unlikely to be realised before 2025. Moving toward 2025 and beyond, commoditisation of AI-enabled capability in criminal and commercial markets will almost certainly make improved capability available to cyber crime and state actors.

In plain terms, AI may widen the field at the lower end while also sharpening the tools available to better-resourced attackers. That is why the same technology can affect novice cybercriminals and state actors in different ways.

Phishing may become harder to judge

The assessment identifies social engineering as the area where AI is likely to have the biggest impact, especially for less-skilled actors. Generative AI can help produce more convincing interaction with victims and create lure documents without the translation, spelling, and grammar mistakes that often expose phishing attempts.

GCHQ officials wrote: “Generative AI (GenAI) can already be used to enable convincing interaction with victims, including the creation of lure documents, without the translation, spelling and grammatical mistakes that often reveal phishing.” They added: “This will highly likely increase over the next two years as models evolve and uptake increases.”

The concern is not limited to polished wording. The assessment says that to 2025, GenAI and large language models will make it difficult for everyone, regardless of their level of cyber security understanding, to assess whether an email or password reset request is genuine, or to identify phishing, spoofing, or social engineering attempts.

That creates a defensive challenge. Many people have learned to look for awkward wording or obvious mistakes in suspicious messages. If AI removes some of those signals, attackers may be able to make routine lures look more credible.

Security researcher Marcus Hutchins questioned how far that advantage goes. “I believe the best phishing lures will always be the ones written by a human,” he said in an interview. “I don’t think AI will enable better lures, but better scale. Instead of a single perfect phishing lure, you might be able to output several hundred decent ones in the same time. AI is very good at quantity, but these models still struggle a lot when it comes to quality.”

That caveat does not erase the risk. It reframes it. AI may not always create the best phishing message, but it can help produce more acceptable attempts in less time.

Stolen data becomes more useful to attackers

Another key issue is what happens after attackers obtain internal data. The assessment says AI will almost certainly make cyberattacks against the UK more impactful because threat actors will be able to analyse exfiltrated data faster and more effectively, and use it to train AI models.

That could strengthen later social engineering. If an attacker trains a large language model on data from a specific target, the resulting lures can refer to details such as the suppliers that target uses. Those references can make a pretext seem more convincing.

This is one reason AI matters even when it is not directly breaking into systems. It can support the surrounding work: sorting stolen information, finding useful context, and helping attackers build messages that appear more tailored to the victim.

The near-term outlook

The GCHQ assessment, titled “The near-term impact of AI on the cyber threat,” focuses on the next two years. Its key judgments describe a risk landscape where existing threats become more effective, efficient, and harder to detect.

The main expected effects include:

  • AI improving reconnaissance and social engineering.
  • Ransomware benefiting from easier access and information gathering operations.
  • More impactful attacks against the UK through faster analysis of exfiltrated data.
  • Continued use of AI by ransomware criminals and other threat actors in 2025 and beyond.
  • Broader access to AI-enabled capability through criminal and commercial markets over time.

The assessment also arrived two weeks after NSA Cybersecurity Director Rob Joyce said the intelligence agency expects AI to help threat actors develop more convincing phishing documents, according to NBC News. He said the NSA has already seen cybercriminals and hackers who work for foreign intelligence agencies using various chatbots to appear as native English speakers.

The practical takeaway is direct: AI is likely to make cyber defense more difficult because it improves the attacker’s workflow. The near-term threat is not a sudden transformation, but a steady upgrade to ransomware, phishing, reconnaissance, and the use of stolen data.