Cybersecurity is a constant battle, with threat actors continuously evolving their methods. The emergence of AI-powered ransomware represents a significant leap forward in this arms race, posing a new challenge for defenders. A recent proof-of-concept (POC) developed by the University of New York (NYU) highlights just how dangerous this threat could become.

The researchers at NYU developed a polymorphic AI-powered ransomware in a controlled lab environment. This sophisticated malware was able to change its code with each new execution, making it incredibly difficult to detect. Alarmingly, tests against major Endpoint Detection and Response (EDR) and anti-virus vendors on VirusTotal showed that the AI-powered threat was not picked up by any of the leading vendors. The details of this study were published in an article from The Register.

If AI-powered ransomware takes hold, is it over for cyber defenders?

The answer is not necessarily. While AI-powered ransomware is likely to be highly evasive, it is not going to be omnipotent. In order to be successful, any ransomware actor, whether human or AI, needs to be able to exploit key functions of the targeted operating systems, be it Windows, Linux, or Mac.

By understanding what functions are likely to be exploited, it is still possible to restrict or prevent these kinds of attacks from being successful. This is where the MITRE ATT&CK framework becomes an invaluable tool. MITRE ATT&CK provides a comprehensive list of adversarial tactics and techniques based on real-world observations. It provides a blueprint for understanding and mapping the behaviour of cyber attackers.

The key to defending against AI-powered ransomware lies in targeting these adversarial behaviours rather than the malware’s constantly changing code.

How to Prepare for the Threat of AI-Powered Ransomware

A good place to start is to understand which MITRE ATT&CK techniques are most commonly exploited by ransomware threat actors, and then to simulate those functions being exploited and manipulated.

Commonly manipulated MITRE ATT&CK techniques include:

  • Valid Accounts (T1078): Using legitimate credentials to gain access to a system.
  • PowerShell (T1059.001): Executing malicious commands using the Windows scripting tool.
  • Windows Command Shell (T1059.003): Using the command line to perform actions.
  • Scheduled Task/Job (T1053): Creating persistent access by scheduling malicious tasks to run.
  • Remote Desktop Protocol (RDP) (T1021.001): Gaining remote control of a machine.
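
The behaviour-first approach described above, as an added example (not code from the original article or from Validato): a small Python tagger that maps simplified Windows Security events to the techniques listed, without looking at any file hash. The event dictionaries, host and account names, the `ParentHash` field and the RDP allow-list used as a T1078 heuristic are constructed assumptions.

```python
import ntpath
from collections import Counter

# Assumption: accounts expected to use RDP on each host (hypothetical names).
EXPECTED_RDP = {"srv-files01": {"admin.jane"}}

def techniques(ev):
    """Return the ATT&CK technique IDs that one event's behaviour maps to."""
    hits = set()
    eid = ev.get("EventID")
    if eid == 4688:  # process creation
        image = ntpath.basename(ev.get("NewProcessName", "")).lower()
        cmdline = ev.get("CommandLine", "").lower()
        if image in ("powershell.exe", "pwsh.exe"):
            hits.add("T1059.001")
        elif image == "cmd.exe":
            hits.add("T1059.003")
        elif image == "schtasks.exe" and "/create" in cmdline:
            hits.add("T1053")
    elif eid == 4698:  # scheduled task created
        hits.add("T1053")
    elif eid == 4624 and ev.get("LogonType") == 10:  # RemoteInteractive (RDP)
        hits.add("T1021.001")
        # Heuristic (assumption): an RDP logon by an account outside the allow-list
        if ev.get("TargetUserName") not in EXPECTED_RDP.get(ev.get("Computer"), set()):
            hits.add("T1078")
    return hits

def summarize(events):
    """Count technique hits across a batch of events."""
    counts = Counter()
    for ev in events:
        counts.update(techniques(ev))
    return dict(counts)

# Constructed sample events (simplified dicts, not real log exports).
# "ParentHash" is illustrative, not an Event 4688 field: it stands for a binary
# whose code changes on every run while the behaviour it triggers stays the same.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"EventID": 4688, "NewProcessName": PS, "CommandLine": "powershell.exe -File task.ps1", "ParentHash": "constructed-A"},
    {"EventID": 4688, "NewProcessName": PS, "CommandLine": "powershell.exe -File task.ps1", "ParentHash": "constructed-B"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\schtasks.exe", "CommandLine": "schtasks.exe /Create /TN demo /TR demo.cmd /SC DAILY"},
    {"EventID": 4624, "LogonType": 10, "Computer": "srv-files01", "TargetUserName": "admin.jane"},
    {"EventID": 4624, "LogonType": 10, "Computer": "srv-files01", "TargetUserName": "svc.backup"},
]

if __name__ == "__main__":
    for tid, n in sorted(summarize(SAMPLE).items()):
        print(tid, n)
```

The tags are triage and coverage signals, not verdicts: legitimate administration produces the same events, so each technique still needs environment-specific baselining before it drives an alert.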

Adversarial Exposure Validation tools, like Validato (www.validato.io), are designed to safely simulate how ransomware threat actors manipulate these MITRE ATT&CK techniques. The platform shows where an organisation may be exposed and then provides detailed information on how to restrict and harden environments so they cannot be exploited.

By focusing on adversarial behaviours and proactively hardening your systems, organisations can build resilience against the new and evolving threat of AI-powered ransomware.

Created: February 3rd, 2026

Reviewed: February 17th, 2026
