An AI pulled the trigger. A human aimed the gun.
Last week, headlines screamed that the world had witnessed the first fully autonomous AI ransomware attack. A real company. Real encryption. No human in the loop. But new details paint a far more nuanced — and arguably more unsettling — picture.
Yes, an AI agent carried out the technical execution of the ransomware. But it didn’t act alone. A human still chose the victim, provisioned the command-and-control infrastructure, and supplied the stolen credentials that let the AI walk in the front door. This wasn’t Skynet waking up. It was a person handing a loaded weapon to a very fast, very obedient trigger finger.
What the AI actually did — and didn’t — do
The AI agent in question was a large language model (LLM) integrated with a suite of off-the-shelf hacking tools. Once given access to the target network, it scanned for vulnerabilities, moved laterally, and eventually deployed the ransomware payload. That part was machine-driven. But the setup was deeply human.
According to researchers who analyzed the incident, the human operator:
- Selected the target organization.
- Purchased or rented the initial access — likely stolen credentials from an underground forum.
- Set up the cloud-based server that hosted the AI agent and its toolchain.
- Pointed the AI at the network and gave it a high-level objective: encrypt files and demand payment.
The AI handled the grunt work — reconnaissance, privilege escalation, file encryption. But it never chose who to hit or why. That decision stayed firmly in human hands.
Why this matters more than a fully autonomous attack
Some might shrug and say, “So a human was involved. Big deal.” But this hybrid model is arguably more dangerous than a purely autonomous one. Here’s why.
A fully autonomous AI would need to discover victims, break in from scratch, and adapt to unpredictable network defenses — all without human guidance. That’s extremely hard. Current LLMs hallucinate, hit rate limits, and get tripped up by unusual configurations. A human-in-the-loop model sidesteps those weaknesses. The person does the hard, creative parts (target selection, access procurement, infrastructure) and lets the AI do the repetitive, high-speed execution. It’s like giving a skilled burglar a robot that can pick any lock in seconds.
This also makes attribution harder. If the AI makes a mistake, the human can intervene. If law enforcement traces the infrastructure, the human can tear it down and rebuild elsewhere. The AI is a tool, not a mastermind — and tools are easy to replace.
What this means for defenders
For cybersecurity teams, this development changes the threat calculus. Traditional ransomware attacks required significant human skill: writing custom scripts, manually navigating networks, and timing the encryption to avoid detection. An AI agent can do all of that in a fraction of the time, at a fraction of the cost.
That means:
- Lower barrier to entry: Aspiring cybercriminals no longer need deep technical expertise. They just need money for credentials and compute time.
- Faster attacks: An AI can scan and exploit a network in minutes, not hours. The window for human defenders to react shrinks dramatically.
- More targets: With AI handling the heavy lifting, a single operator can run multiple attacks simultaneously.
Defenders, in turn, must prioritize AI-powered threat detection and automated incident response. If attackers are using machines to move fast, defenders need machines that move faster.
The human factor isn’t going away
Despite the AI hype, this incident underscores a stubborn reality: cybercrime still depends on human judgment. Stolen credentials don’t appear out of thin air. Infrastructure doesn’t configure itself. Target selection requires knowledge of which companies pay ransoms, which have weak insurance policies, and which are likely to call the police.
An AI can execute a plan. It can’t yet decide which plan is worth executing.
That said, the gap is narrowing. As LLMs improve and gain access to more real-time data, the day when an AI picks its own victim and funds its own infrastructure may not be far off. But that day hasn’t arrived yet. For now, the most dangerous cyberattacks are still the ones where a human and a machine work together — the human providing the malice, the machine providing the speed.
What to watch next
Security researchers are already tracking attempts to build fully autonomous AI crime agents. Some projects on underground forums aim to combine LLMs with cryptocurrency wallets, automated VPN rotation, and self-hosted C2 servers. The goal: an AI that can earn its own money, buy its own access, and attack without any human oversight.
That would be a true first. This week’s attack was not it.
For now, the headline should have read: “First known AI-assisted ransomware attack — human still did the important parts.” It’s less dramatic. It’s also more accurate. And accuracy, in cybersecurity, is what keeps you safe.
If you’re responsible for protecting an organization, don’t panic about Skynet. Do review your credential hygiene, your network segmentation, and your incident response playbooks. Because the humans using AI to break in are still very much in charge — and they’re getting faster every day.