Srsly Risky Biz: Ransomware Uses AI To Amp Up Negotiations
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Sondera.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

It's commonly thought that ransomware operators are simply using AI to hack more companies. However, some operators are employing AI to generate leverage so they can extract more money in negotiations with victims.
A leading example is FulcrumSec, a data extortion group that started operating around September 2025 and uses simple techniques to breach organisations. It typically gains access by taking advantage of hardcoded or exposed credentials, unpatched applications or misconfigured storage.
The group claims to have breached 25 organisations and stolen several terabytes of data using these techniques.
It doesn't need AI to hack, but has been using it to analyse stolen data so it can apply more pressure to victims.
A GuidePoint Security report published last week detailed FulcrumSec's use of AI to analyse stolen data and establish a firm negotiating position: "We know what we have taken, here it is, and this is why we have set the ransom at this amount".
In June this year, FulcrumSec reached out to DataBreaches[dot]Net regarding its compromise of Danish pharmaceutical company Novo Nordisk, the maker of Wegovy and Semaglutide. It claimed to have stolen 1.3TB of data containing 700,717 files.
FulcrumSec said it had captured valuable intellectual property (IP) including five undisclosed drug programs, in-development drug and RNA delivery programs and private AI models for particular medical and drug discovery purposes.
The group told DataBreaches that it used a team of AI agents to analyse those private models and that it believes the stolen data could save competitors three to five years of program development. Its initial ransom demand to Novo Nordisk was for USD$25 million.
The information about the IP FulcrumSec stole was coupled with a description of Novo Nordisk's security posture, which the group claimed was "absolutely catastrophic" and "boggles the mind".
To us, this sounds like FulcrumSec is attempting to frame the incident in a way that would have any class action lawyer salivating. It wouldn't be the first time a data breach has resulted in a lawsuit, so presumably this is part of FulcrumSec's extortion pitch.
FulcrumSec's modus operandi also includes using AI to generate detailed reports which it then provides to threat researchers and journalists, nicely formatted, complete with logo and all, in order to apply more pressure to victims.
For example, after compromising the technology company Avnet in October last year, the group gave the vx-underground X account a report on the breach. According to vx-underground, the group provided "an autobiography, a breakdown of the data they possess, their motives for the compromise, information on their logo design (and why their logo was chosen), a complete file listing from the compromise, a breakdown of the files (what it is, what they are, what they contain) [and] images of the files".
vx-underground said the group had done "every bit of research and write up for me". To add insult to injury, FulcrumSec claimed it had used an OpenAI key it had stolen from the victim to pay for ChatGPT to summarise the victim's own data.
FulcrumSec isn't the only ransomware operation GuidePoint Security highlights as using LLMs to amp up pressure in negotiations. The security firm believes the DragonForce ransomware group, around in various forms since 2023, is using LLMs to "manufacture plausible [psychological] pressure".
During negotiations the group has claimed to have legal counsel on staff which, GuidePoint Security says, is "to pressure victims by implying that DragonForce has insight into a victim's reporting requirements and legal exposure from the data leak".
Both DragonForce and FulcrumSec have a verifiable track record of stealing data, being involved in extortion negotiations and sometimes actually getting paid.
A contrast from previous AI hacks for extortion
This is a clear contrast from earlier reports of AI-enabled hacking for extortion. Those reports described incidents disconnected from mechanisms to make money from ransomware incidents.
In April we wrote about a single hacker who breached nine Mexican government agencies. He did so within weeks with the assistance of a variety of LLMs. Another individual in Ethiopia hacked at least 14 companies in partially automated attacks.
In both cases the hacking itself was very successful, but when it came to turning that access into cash, both hackers struggled.
Similarly, early this month security firm Sysdig reported on what it called JADEPUFFER, "agentic ransomware: a complete extortion operation driven end-to-end by a LLM". This malware did all the hacky things very well, but the extracting-money-from-victims side of things felt a bit half-baked.
Take its encryption scheme, for example. It locked up victims' files, but did not store or send encryption keys. Encrypted files, therefore, could never be recovered. Its ransom note also asked for payment to the example address provided in Bitcoin documentation. Finally, the email address in its ransom note does not appear in threat intelligence databases or in victim forums, which suggests it has never been used before.
Established operators seizing AI opportunities
Of course, there are some established ransomware operators taking advantage of AI-enabled hacking.
Last month's so-called FortiBleed campaign, which has been linked to the INC and Lynx ransomware groups, was an AI-driven hacking operation. In that case, credential harvesting has been used to feed data extortion campaigns.
This is the subject of a Risky Business Features interview with Technology Editor James Wilson that will be published here today.
Two ransomware industry trends are relevant here.
Data extortion is becoming the preferred business model because it is easier to carry out and quieter than encrypting ransomware. As organisation's backup strategies improve, encryption adds cost and complexity without increasing the likelihood that victims will pay up.
At the same time, data extortion payment rates are falling.
The INC/Lynx strategy here is to use AI to hack more often to make up for less frequent paydays. FulcrumSec is taking the opposite approach and trying to maximise profits by amplifying their leverage in negotiations.
Our take-home message here is that nerdy, technically focused ransomware actors use AI to hack, but sophisticated ransomware actors? They use it to negotiate.
The Bugpocalypse Is Here, Officially
While the cleansing blast of AI is exposing decades of insecure coding practices, the resulting vendor patch frenzy is causing headaches for organisations trying to keep up.
This month's Microsoft Patch Tuesday addressed 570 vulnerabilities, adding to another 50-odd vulnerabilities patched by Microsoft earlier in July. That's up from 200 last month. Around 10% of the most recent bugs are rated critical.
In addition, Google has patched 428 non-Microsoft Chromium vulnerabilities, which will be ported to the Edge browser.
It’s not just Microsoft and Google patching like crazy, either. Adobe is doubling releases and moving to a twice-monthly patch cycle. This month, to date, the vendor has patched 88 vulnerabilities.
The optimists among us could easily look at this as good news. AI is sweeping away decades of technical debt accumulated through insecure coding practices. And big platforms are not only finding lots of bugs, they are also pushing out lots of patches. That's got to be positive, right?
Unfortunately, here at Risky Business we're not known for our optimistic world view. Having a patch available is great, if it's applied. Unfortunately, the reality is that many organisations don't apply them, and never will.
Unpatched vulnerabilities remain a significant entry point into organisations, a fact highlighted in this year's Verizon Data Breach Investigations Report.
And patches can be analysed by bad actors to understand the flaw and find ways to compromise any unpatched instances. And while AI helps to discover software flaws and patch them, bad actors can also use AI to reverse engineer patches to generate exploits.
The end result of all this patching may be that cloud services and the minority of systems with sysadmins that patch like crazy are better protected, sure.
But for the majority that either patch slowly or don’t even patch at all? Their systems end up being less secure.
While we are somewhat optimistic that big tech shops are using AI tools to write more secure code, we expect coding agents are YOLOing the vast majority of new code being written today, without giving a rat's ass about being secure.
So although an avalanche of bugs is being fixed, this patch frenzy is not going to eliminate vulnerabilities. It is just going to leave those who don't commit to proper patching processes even more exposed to threats.
Watch James Wilson and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Global fraud bust: INTERPOL has announced that Operation First Light, an anti-fraud action involving 97 countries, has resulted in the interception of USD$293 million worth of illicit assets and the arrest of over 5,800 individuals. First Light focused on what INTERPOL described as "social engineering scams and associated money laundering". It's the biggest arrest count from a single operation that we can recall!
- First joint EU-UK cyber sanctions: The EU and UK have announced sanctions targeting Russian state and criminal cyber actors. Curiously, although both announcements attribute December 2025 attacks on Poland's energy grid to the FSB's Centre 16, not a single FSB official was named. Instead, the sanctions package lists criminal actors and officials in the GRU, Russian military intelligence.
- Companies in Europe can scan for CSAM: The Record reports the European parliament has revived legal protections for big tech companies such as Google, Microsoft and Meta which allowed them to scan for and report illegal Child Sexual Abuse Material (CSAM) on their services. The previous law allowing voluntary scanning had lapsed. Scanning content is contentious, but we are glad that the status quo in which scanning unencrypted material is authorised will remain until 2028.
Sponsor Section
In this Risky Business sponsor interview, James Wilson chats with Sondera CEO Josh Devon about why guardrails and instruction files aren’t enough to keep AI agents from going haywire. EDR, DLP and other traditional controls can't and won't prevent agents from going rogue. Josh explains Sondera’s “principle of least autonomy” for agents: let them do useful work, but put them in a deterministic policy harness so they can’t leak secrets, abuse tools or wander off-task.
Shorts
Finally, A Gold Eagle. Just What Cybersecurity Needed
This week the White House announced the launch of Gold Eagle, a new "clearinghouse" for cyber security vulnerability disclosure and coordination.
Normally, we'd place this kind of news item in the reasons to be cheerful section of the newsletter, but this is just all a bit weird. The initiative is being run out of the Treasury Department and Treasury Secretary Scott Bessent gets top billing in the White House's announcement.
CISA, the organisation with actual experience in collating, assessing and disseminating vulnerability gets one mere mention in the announcement.
And then there's the name. Gold Eagle. Wut?
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss just how important exploits are for cyber operations using data published in a new paper authored by two members of Ukraine’s cyber security agency.
Or watch it on YouTube!