The ransomware negotiators who spend their days dealing with cybercriminals will tell you the same thing: it used to be easier. Not easy – but easier. You knew who you were dealing with, you knew their track record, and if you paid, there was a reasonable chance you would get your data back.
That predictability is gone.
"In the early days, there were certain threat actor groups that were known, and there was a little bit of honor amongst thieves," said Patrick Bourk, vice president, cyber and professional lines at Navacord.
"While the ransomware negotiators knew who the people [behind the attacks] were, they used to have a better sense of knowing whether you [as a victim] are going to get your data back if you make the payment."
What changed is not the existence of cybercrime. It is the economics of it, and AI has been the accelerant.
"I really see this as very much a tool of unbridled efficiency," Bourk said. "It makes things go really fast. The idea is to take the mundane administrative tasks and supercharge them."
For legitimate businesses, that means faster workflows and cheaper operations. For threat actors, it means something more dangerous: the ability to experiment at scale, with no regulatory guardrails and no accountability.
"Threat actors don't follow rules, not that there are a lot of guardrails around AI anyway, but they have a real opportunity to experiment and do all sorts of crazy stuff," Bourk said.
The result is a threat landscape that is simultaneously more sophisticated and more chaotic. Bourk reaches for an unlikely analogy to describe AI's current state.
"AI is like this annoying teenager," he said. "They jump into stuff, they break things, they occasionally lie, and it's got to be contained."
The containment problem is most visible in what the industry now calls ransomware as a service, a development that has fundamentally changed who can launch a cyberattack and how.
"In the same way that we have software as a service (SaaS), we now have ransomware as a service," Bourk said. "Threat actors will find a vulnerability and rather than exploit it themselves, they'll put it up for sale on the dark web: 'Who would like access to this vulnerability that I found? Use it however you want and pay me a commission to access it.'"
The practical consequence is a flood of inexperienced operators into a space that once required real technical skill. The barrier to entry has collapsed.
"The tools are easy to use," Bourk said. "In theory, anybody can figure out how to do this."
What that has produced is a new class of threat actor – hobbyists who purchase access to vulnerabilities they do not fully understand and attempt attacks they are not equipped to execute properly.
"They end up stealing things, and they feel they've encrypted things, but they don't really know how encryption keys work. So it's just made it really, really messy."
For the ransomware negotiation firms that sit at the sharp end of these incidents, the shift has made an already difficult job significantly harder.
"The ransomware negotiation firms will say it used to be a lot easier because you knew what you were dealing with, but now it's just sort of multiplied," Bourk said.
The chaos does not stay contained within criminal networks. Bourk pointed to an incident during the early stages of the Russia-Ukraine conflict that illustrated how quickly things can spiral. A Ukrainian member of a Russian-aligned ransomware gang took exception to the gang's public support for the invasion and leaked the group's tactics and threat intelligence for the world to see.
"Everybody thought this was fantastic because you had this Ukrainian freedom fighter exposing the tactics of the bad guy," Bourk said. "Well, unfortunately, all that did was allow for other hobbyist threat actors to see what they're doing and then mimic it."
The episode captured something broader about the current moment in cybercrime. The old order – defined groups, known tactics, negotiable outcomes – has given way to something far less legible.