
Ransomware Defenses Hold, But New AI Threats Emerge

Hospital corridor with people walking, laptop on administrator's desk near large windows.

"On the other hand, the idea that hospital systems continue to be some of the prime targets of ransomware actors is societally quite problematic and suggests that we cannot at all begin to rest on our laurels," said Megan Stifel, IST chief strategy officer.

Ransomware resilience has improved — but serious incidents still ripple

Efforts launched after the Colonial Pipeline compromise have produced measurable resilience in both public and private sectors, according to industry observers. The Institute for Security and Technology's public‑private Ransomware Task Force and a range of information‑sharing, law enforcement takedowns and diplomatic measures have made many attacks "tougher to execute," panelists said during a discussion marking the task force's first five years.

That progress, however, exists alongside persistent danger. Individual incidents can still trigger massive fallout, the panelists warned: the Colonial Pipeline hack produced days‑long gasoline shortages along the U.S. Eastern Seaboard, and a separate attack against Jaguar Land Rover shut down assembly lines and supply chains, triggering an estimated $2.5 billion in losses in Britain.

Federal posture is shifting; states may be asked to shoulder more

Panelist Michael Daniel, president and CEO of the Cyber Threat Alliance, said the once‑strong federal response appears to be waning. "White House officials [are] attempting to defund many cyber responsibilities and push them onto states, many of which don't have the resources to pick them up," he said, adding, "I don't see anything in the threat environment that warrants that level of retreat."

That shift in responsibility matters because many states lack the specialized funding and capabilities that federal-level coordination once supplied, panelists argued. Left unaddressed, the change could leave gaps in prevention, detection and coordinated incident response.

Frontier AI like "Claude Mythos" raises a new threat vector

Speakers flagged a new risk from frontier artificial intelligence models. Anja Shortland, a King's College professor specializing in the economics of crime, warned that "Claude Mythos" and Mythos‑class models could hand attackers "superior hacking capacities" previously unavailable to many criminal actors.

Some Western intelligence officials, the panel heard, predict criminals will gain access to open‑source versions of Mythos‑class models within the next six to 12 months. Shortland said improved models could compress criminal operations: "you can contract these ransomware gangs that used to be maybe 100 people, down to maybe three or five," by using AI to identify sensitive data and to target ransom demands more precisely.

Existing AI already augments criminal operations

Even before the arrival of Mythos‑level models, AI is reshaping attacker tradecraft, panelists said. Jen Ellis, founder of NextJenSecurity, described how current AI tools streamline operations: automating phishing campaigns at scale, assisting in the creation of crypto‑locking malware and orchestrating attacks more efficiently. She added that attackers are "leveraging AI to reduce those barriers to entry, to flood the market and actually just to further support the aims of nation‑states that provide these safe havens."

Veeam's Coveware ransomware unit reported that the average value of ransom payments recently rose by 15%, which it attributed to "the continued success of sophisticated groups targeting large enterprises with data‑exfiltration‑only incidents." The same report warned that better frontier models could make a "true systemic extortion event" like WannaCry or NotPetya more likely, and that organizations will need to "ship fixes fast for the few systems that truly matter" and maintain software and asset visibility.

Which criminal groups profit, and why disruption matters

Coveware's analysis distinguishes between highly profitable, encryption‑capable groups and smaller operators focused on data theft. Groups named as commanding the most profits — Inc, Akira and Qilin — tend to encrypt victims' systems, while lone actors and groups such as ShinyHunters typically focus on data theft and recorded relatively lower profits, the report said. "Business interruption remains the strongest driver of payment outcomes," Coveware concluded.

What this means for hospital systems, policymakers, and security teams

  • Hospital systems: The panel singled them out as persistent prime targets; continuity of care and patient safety remain central concerns, and defenders cannot "rest on our laurels," in Megan Stifel's words.
  • Policymakers (federal and state): With White House officials reportedly shifting responsibilities to states, state governments will need to weigh whether they can fund and staff expanded cyber roles — or seek renewed federal coordination.
  • Security teams and technologists: Rising ransom values, AI‑enabled attacker efficiency, and the prospect of Mythos‑class models require faster patching for critical systems, better asset visibility, and compensating controls for legacy environments, per Veeam's Coveware guidance.
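The two Coveware recommendations above, fix the few systems that matter first and know what you actually own, reduce to a reconciliation check that most teams can script today. The following is an added example and is not code from the article, the panel or Coveware; the asset inventory, the scan results, the advisory IDs and the tier scheme are all constructed for illustration. It ranks unpatched business-critical hosts by exposure and surfaces hosts the scanner reaches that the inventory has never recorded.

```python
"""Added example (not from the article or Coveware): reconcile a constructed
asset inventory against constructed vulnerability-scan output to find
(a) critical systems still missing a fix and (b) visibility gaps, i.e. hosts
the scanner sees but the inventory does not know about. All data below is
constructed; advisory IDs such as ADV-0001 are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str
    tier: int            # 1 = business-critical ("the few systems that truly matter")
    internet_facing: bool


# Constructed inventory (assumption: in practice this comes from a CMDB export).
INVENTORY = [
    Asset("erp-db-01", "finance", 1, False),
    Asset("vpn-gw-01", "netops", 1, True),
    Asset("pacs-srv-01", "radiology", 1, False),
    Asset("wiki-01", "it", 3, False),
    Asset("print-02", "it", 4, False),
]

# Constructed scan results: host -> set of outstanding (unpatched) advisory IDs.
SCAN = {
    "erp-db-01": {"ADV-0001"},
    "vpn-gw-01": {"ADV-0002", "ADV-0003"},
    "pacs-srv-01": set(),
    "wiki-01": {"ADV-0001"},
    "print-02": {"ADV-0004"},
    "lab-vm-77": {"ADV-0002"},   # reachable by the scanner, absent from inventory
}


def visibility_gaps(inventory, scan):
    """Hosts the scanner reaches that the inventory has never recorded."""
    known = {a.host for a in inventory}
    return sorted(h for h in scan if h not in known)


def fix_first(inventory, scan, max_tier=1):
    """Unpatched hosts of tier <= max_tier, most exposed first.

    Internet-facing hosts sort ahead of internal ones, then by tier, then by
    name, so the queue starts with what an attacker can reach directly."""
    rows = []
    for a in inventory:
        missing = scan.get(a.host, set())
        if a.tier <= max_tier and missing:
            rows.append((0 if a.internet_facing else 1, a.tier, a.host, sorted(missing)))
    rows.sort()
    return [(host, advisories) for _, _, host, advisories in rows]


def patch_coverage(inventory, scan, max_tier=1):
    """Fraction of tier <= max_tier hosts with no outstanding advisories."""
    critical = [a for a in inventory if a.tier <= max_tier]
    clean = [a for a in critical if not scan.get(a.host)]
    return len(clean) / len(critical) if critical else 1.0


if __name__ == "__main__":
    print("unknown hosts:", visibility_gaps(INVENTORY, SCAN))
    print("fix first:", fix_first(INVENTORY, SCAN))
    print("tier-1 patch coverage:", patch_coverage(INVENTORY, SCAN))
```

Two design choices are deliberate: a host missing from the scan is treated as clean only because the inventory is the source of truth for scope, so a tier-1 host that the scanner never reaches should itself be flagged by a separate "not scanned" check; and the queue orders by exposure before tier because business interruption, not data theft, is what the report says drives payment outcomes.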

Five years after Colonial Pipeline prompted a multinational mobilization, the defenses appear to be holding in many respects. But the panelists' common refrain was that improvement does not equal complacency: targeted sectors like hospitals remain at risk, federal posture is changing, and advancing AI — from current tools to potential Mythos‑class models — stands to reshape attackers' capabilities and the economics of extortion. The next year, panelists warned, could prove decisive.
