By Karmendra Kohli, CEO & Director, SecurEyes
Ransomware has evolved into a formidable challenge in the cybersecurity landscape. No longer limited to quick, opportunistic attacks, today’s ransomware operations are sophisticated, prolonged, and deeply strategic. As we observe Ransomware Awareness Month, it is imperative to go beyond the basics and delve into the inner workings of this digital menace, especially how it leverages cryptography, artificial intelligence (AI), and advanced stealth techniques to maximise its impact.
The cryptographic core of ransomware
At the heart of every ransomware attack lies a fundamental concept: encryption. Understanding how modern ransomware encrypts data offers insights into both its strength and the challenges defenders face. Most sophisticated variants today use a hybrid approach, combining symmetric and asymmetric encryption techniques to achieve both speed and security.
Symmetric encryption, such as AES (Advanced Encryption Standard), uses the same key for both encrypting and decrypting data. This method is fast, making it suitable for encrypting large volumes of files on a victim’s device. However, the weakness lies in key management—if the symmetric key is intercepted, the entire encryption can be undone.
To overcome this, ransomware uses asymmetric encryption to secure the symmetric key itself. In asymmetric encryption, there are two keys: a public key to encrypt and a private key to decrypt. The ransomware first encrypts the victim’s data using a symmetric key, then encrypts that key using its own public key. As a result, even if a victim manages to extract the encrypted symmetric key, it is useless without the attacker’s private key. Only upon ransom payment (usually in cryptocurrency) is the private key shared, allowing data recovery.
This combination of speed and control makes hybrid encryption a powerful tool in the ransomware arsenal.
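The hybrid scheme described above, written out as an added Go example (not code from the article or from any ransomware family) so a responder can see why the on-disk artefacts alone do not permit recovery: the symmetric key is wrapped under a public key, and only the matching private key unwraps it. Names such as Sealed, NewOperatorKey, SealHybrid and OpenHybrid are this example's own; it uses only Go's standard crypto packages and keeps everything in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Sealed is what an analyst would find on disk after a hybrid scheme ran: the AES-GCM
// ciphertext plus the per-victim AES key wrapped with the operator's RSA public key.
type Sealed struct {
	Nonce, Ciphertext, WrappedKey []byte
}

// NewOperatorKey stands in for the attacker-held key pair; the private half never reaches the victim.
func NewOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealHybrid is the speed-plus-control combination the article describes: a fresh AES-256-GCM
// key encrypts the data quickly, then RSA-OAEP under the public key locks that key away.
func SealHybrid(pub *rsa.PublicKey, plaintext []byte) (*Sealed, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by the standard 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // cannot fail: the key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{nonce, gcm.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// OpenHybrid is the recovery check a responder would run: the wrapped key only unwraps under
// the matching private key, so holding the on-disk artefacts alone yields an error, not data.
func OpenHybrid(priv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong or missing private key: the symmetric key stays opaque
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}
```

The practical consequence is the one the article draws: offline backups, not key recovery from the encrypted host, are the realistic path back to the data.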
AI & machine learning: A double-edged sword
Artificial Intelligence (AI) and Machine Learning (ML) are reshaping ransomware in unprecedented ways—empowering both attackers and defenders. On the offensive side, attackers are using AI to enhance stealth, speed, and precision.
AI-enabled ransomware can rapidly analyse vast amounts of data to identify vulnerable targets, distinguishing between weak and strong systems. Machine learning models help attackers sift through publicly available information to craft highly targeted spear-phishing emails, which often serve as the initial access vector.
Moreover, AI is driving the creation of polymorphic and metamorphic malware—malware that constantly changes its code structure to avoid detection. Like a biological organism adapting to survive, these variants make traditional signature-based detection tools nearly obsolete.
Some ransomware groups are even deploying AI-powered chatbots to negotiate ransoms in real-time, enabling 24/7 interaction with victims and increasing the chances of successful payment. Additionally, ML algorithms help adversaries reverse-engineer security products and identify exploitable vulnerabilities faster than ever before.
But this technological advancement is not one-sided.
On the defensive front, AI and ML are critical in establishing behavioural baselines—defining what is “normal” within a system and flagging deviations that suggest a ransomware event. AI systems monitor process behaviours, identify abnormal file encryption activity, and even predict potential threats based on historical attack patterns. Increasingly, AI is being used not just for incident detection, but for automated incident response, enabling faster containment and mitigation.
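One concrete form of the behavioural baseline described above, as an added Go example that is not part of the article and not any product's detection logic: a process that rewrites many distinct files with ciphertext-like (high-entropy) content has left the baseline of normal software. The WriteEvent schema, the SampleEvents telemetry and the thresholds are all constructed for this illustration.

```go
package main

import "math"

// WriteEvent is one constructed, simplified file-write record (a hypothetical schema, not any
// vendor's): the writing process, the path, and the leading bytes of the buffer a sensor sampled.
type WriteEvent struct{ PID int; Path string; Sample []byte }

// ShannonEntropy returns bits per byte: ciphertext sits near 8.0, English text near 4 to 5.
func ShannonEntropy(b []byte) (h float64) {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	for _, n := range counts {
		if n > 0 {
			h -= n / float64(len(b)) * math.Log2(n/float64(len(b)))
		}
	}
	return h
}

// FlagEncryptors returns the PIDs that wrote high-entropy data to more than maxFiles distinct
// paths in the window the events cover; ordinary software rarely rewrites many documents that way.
func FlagEncryptors(events []WriteEvent, maxFiles int, minEntropy float64) map[int]bool {
	files := map[int]map[string]bool{}
	for _, e := range events {
		if ShannonEntropy(e.Sample) >= minEntropy {
			if files[e.PID] == nil {
				files[e.PID] = map[string]bool{}
			}
			files[e.PID][e.Path] = true
		}
	}
	flagged := map[int]bool{}
	for pid, paths := range files {
		flagged[pid] = len(paths) > maxFiles
	}
	return flagged
}

// SampleEvents is constructed telemetry: PID 7 saves one text file twice, while PID 4242
// rewrites twelve documents with every byte value once each (entropy exactly 8.0, like ciphertext).
func SampleEvents() []WriteEvent {
	uniform := make([]byte, 256)
	for i := range uniform {
		uniform[i] = byte(i)
	}
	evs := []WriteEvent{{7, "notes.txt", []byte("Quarterly figures reviewed and approved by finance.")}, {7, "notes.txt", []byte("Quarterly figures, revised.")}}
	for i := 0; i < 12; i++ {
		evs = append(evs, WriteEvent{4242, "doc" + string(rune('a'+i)) + ".xlsx", uniform})
	}
	return evs
}
```

In a real deployment the sampled bytes, window length and file count would be tuned against the organisation's own baseline, since backup agents and compression tools also produce high-entropy writes.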
APT-like behaviour in ransomware operations
Another shift in the ransomware landscape is its growing resemblance to Advanced Persistent Threats (APTs)—cyberattacks traditionally associated with espionage and nation-state actors. Modern ransomware campaigns no longer aim for just quick payouts. They focus on long-term persistence, deeper infiltration, and larger impact.
For instance, many attackers now practice double extortion: not only encrypting data but also exfiltrating it. Victims face the dual threat of losing access to their files and having their sensitive information publicly leaked if they refuse to pay. Attackers often store the stolen data in public cloud drives or file-sharing services, ready to expose it.
Additionally, ransomware actors increasingly use techniques like “living off the land”, where legitimate system tools are misused for malicious purposes. For example, Windows’ built-in del command can be used to destroy backups or logs. Because it is a standard system command, endpoint detection and response (EDR) tools may not flag it as malicious.
Attackers are also leveraging process injection to insert malicious code into legitimate processes, and in some cases, actively terminating EDR and antivirus programs to blind security teams before encrypting files.
The rise of such tactics shows that ransomware is not just a technical nuisance; it is a full-fledged, multi-stage intrusion strategy designed for maximum damage and pressure. In essence, ransomware is adopting the persistence, stealth, and operational complexity of APTs—blurring the line between criminal groups and nation-state-like campaigns.
Ransomware is here to stay—So is our responsibility
This shift in ransomware behaviour signifies a deeper transformation: from opportunistic crime to strategic cyber warfare. The goal is no longer just quick financial gain—it is about sustained presence, maximising impact, and increasing the likelihood of ransom payment through psychological manipulation and strategic pressure tactics. To counter growing ransomware threats, organisations and individuals must boost cybersecurity awareness, update systems, and secure regular offline backups. Building strong detection and response frameworks is essential, as is assessing third-party risks. With attackers evolving, our defences must too—starting with continuous awareness and proactive security practices at every level.