The Rise of AI-Driven Ransomware Groups

New analysis by blockchain intelligence firm TRM Labs has revealed the emergence of at least nine previously unknown ransomware groups over the past year, with artificial intelligence playing a central role in their growth and tactics.

The report highlights how machine learning is enabling even inexperienced threat actors to enter the ransomware ecosystem. By using AI for code automation, social engineering, and the generation of polymorphic malware, groups can scale faster and adapt more quickly to security measures.

The nine newly tracked groups include names like Arkana Security, Dire Wolf, Frag, Sarcoma, AiLock, APTLock, Kairos (and its updated version Kairos V2), Weyhro, and Termite. Some, such as Termite, are believed to be rebranded versions of older groups like Babuk, while others—like AiLock—actively promote their use of AI in attacks. APTLock is suspected to have ties to the Russian state-sponsored threat actor known as Fancy Bear.

Unlike traditional ransomware strategies that focused primarily on encrypting data and demanding payment, these newer groups are increasingly relying on alternate forms of extortion. Tactics now include threatening reputational damage, regulatory scrutiny, and public data exposure—techniques aimed at maximizing psychological pressure on victims rather than just disrupting systems.

TRM Labs noted that several of the new groups exhibit significant operational maturity, with evidence of structured campaigns targeting mid-sized organizations in North America and Europe. Some operate under flexible affiliate models, similar to ransomware-as-a-service (RaaS), allowing less experienced actors to deploy pre-packaged attack kits.

The report also highlights a growing trend in cryptocurrency laundering tactics. While bitcoin remains the primary payment method for ransom demands, attackers are increasingly converting proceeds into alternative digital assets such as Ethereum (ETH), Tron (TRX), and others to make the funds harder to trace.

As more threat actors adopt AI-powered tools, TRM warns that traditional signature-based detection may no longer be sufficient. The firm recommends a shift toward behavior-based monitoring, AI-informed threat intelligence, and stronger zero-trust security frameworks to counter this evolving threat landscape.