COMMENTARY: Artificial intelligence (AI) has reshaped industries and redefines customer service. AI has also been weaponized in more insidious ways — most notably, by ransomware operators.A new and deeply troubling trend has emerged: cybercriminal groups now use AI-powered chatbots, virtual assistants, and automated live chats to conduct negotiations with their victims. By mimicking the tone and appearance of legitimate customer service portals, these systems introduce a chilling level of professionalism to what’s essentially extortion.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]For security teams, we can take solace in knowing that the same technologies that enable the threat actors can also empower defenders. Teams and ransomware negotiators can now deploy AI-driven bots or virtual assistants to engage, stall, or counter AI-powered extortion attempts.AI plays a growing role in negotiation analytics, allowing defenders to analyze a hacker’s tone and behavior. It can also assess ransom demands, offer counterproposals, simulate payment readiness, and prolong talks to allow more time for incident response. Finally, it can help negotiators avoid overpaying or falling for bluffs.From a threat intelligence standpoint, teams can use AI and machine learning algorithms to train data sets from past ransomware cases to advise on probable negotiation outcomes, predict settlement ranges, flag untrustworthy groups, and support decision-making with insight into threat actor reputations.
Examples of AI-driven ransomware negotiations
Ransomware groups no longer experiment with these tactics — they’re actively using them in real-world operations. Below are several notable examples that highlight how AI and automation are already shaping the modern ransomware playbook:LockBit: A pioneer in the use of automated negotiation portals, LockBit was the first major ransomware group to issue unique victim logins and incorporate live chat features. Their interfaces include real-time countdown timers for double-extortion deadlines (data leak and ransom) and operators posing as customer support agents, a calculated move to create urgency and mimic corporate help desks.Black Basta, RansomHouse, HIVE, and DarkSide/BlackMatter:These ransomware groups have incorporated bot-like templates and interfaces into their dark web negotiation portals. Often hosted on Tor sites, these chat interfaces deliver automated responses and scripted psychological threats, such as warnings of permanent data loss. Countdown timers and blunt ultimatum messaging are common tactics used to pressure victims into quick compliance.GLOBAL GROUP: This group uses Ransomware-as-a-Service to route its victims to a negotiation panel in which an AI chatbot initiates conversation. The bot automates communication, verifies decryption capabilities, maintains urgency through visible timers, and escalates threats regarding data leakage. The use of AI lets the group engage in negotiations 24/7 across time zones and languages. Human affiliates can monitor progress and intervene when necessary, creating a scalable and persistent extortion mechanism.This AI-driven evolution in ransomware tactics introduces two primary risks:- Automated scalability: By using AI to automate parts of the extortion process, threat actors can scale their operations dramatically. AI lets them manage numerous victims in parallel, run behavioral models to predict payment likelihood, adjust tactics mid-negotiation, and maximize financial outcomes using game theory and linguistic sentiment analysis.
- Psychological manipulation: Victims aren’t just dealing with scripts — they’re engaging with dynamic, AI-generated messages designed to intimidate, confuse, and coerce. These systems are designed to set the pace of negotiations, verify ransom payment options, and even provide technical assistance, creating an efficient “customer service” experience for ransomware extortion. It's psychological warfare at scale.
