Two laptops.
Photo: freestocks/Unsplash

AI + ransomware = “terrifying”

Protocol Enterprise

Hello and welcome to Protocol Enterprise! Today: why cash-rich ransomware groups might be hiring AI experts sooner than anyone would like, Microsoft’s channel chief leaves the company, and this week in enterprise tech startup investments.

Spin up

A surge of interest in observability tools hasn’t yet translated into faster responses to incidents when they are detected. According to research from, 64% of survey respondents said it usually takes them more than an hour to recover from incidents, up from 47% last year.

The real AI race

In the perpetual battle between cybercriminals and defenders, the latter have always had one largely unchallenged advantage: The use of AI and machine learning allows them to automate a lot of what they do, especially around detecting and responding to attacks. This leg up hasn't been nearly enough to keep ransomware at bay, but it has still been far more than what cybercriminals have ever been able to muster in terms of AI and automation.

That’s because deploying AI-powered ransomware would require AI expertise. And the ransomware gangs don’t have it. At least not yet.

But given the wealth accumulated by a number of ransomware gangs in recent years, it may not be long before attackers do bring aboard AI experts of their own, prominent cybersecurity authority Mikko Hyppönen said.

  • Some of these groups have so much cash — or bitcoin, rather — that they could now potentially compete with legit security firms for talent in AI and machine learning, according to Hyppönen, the chief research officer at cybersecurity firm WithSecure.
  • Ransomware gang Conti pulled in $182 million in ransom payments during 2021, according to blockchain data platform Chainalysis. Leaks of Conti's chats suggest that the group may have invested some of its take in pricey "zero day" vulnerabilities and the hiring of penetration testers.
  • "We have already seen [ransomware groups] hire pen testers to break into networks to figure out how to deploy ransomware. The next step will be that they will start hiring ML and AI experts to automate their malware campaigns," Hyppönen told Protocol.
  • If this happens, Hyppönen said, "it would be one of the biggest challenges we're likely to face in the near future."

While doom-and-gloom cybersecurity predictions are abundant, with two decades of experience on matters of cybercrime, Hyppönen is not just any prognosticator. He has been with his current company, which until recently was known as F-Secure, since 1991 and has been researching — and vying with — cybercriminals since the early days of the concept.

  • When it comes to ransomware, for instance, automating large portions of the process could mean an even greater acceleration in attacks, said Mark Driver, a research vice president at Gartner.
  • Currently, ransomware attacks are often very tailored to the individual target, making the attacks more difficult to scale, Driver said.
  • Even so, the number of ransomware attacks doubled year-over-year in 2021, SonicWall has reported — and ransomware has been getting more successful as well.
  • "It's not worth their effort if it takes them hours and hours to do it manually. But if they can automate it, absolutely," Driver said. Ultimately, “it's terrifying.”

If cybercrime groups hire AI talent with some of their windfall, Hyppönen believes the first thing they'll do is automate the most manually intensive parts of a ransomware campaign. The actual execution of a ransomware attack remains difficult, he said.

  • "How do you get it on 10,000 computers? How do you find a way inside corporate networks? How do you bypass the different safeguards? How do you keep changing the operation, dynamically, to actually make sure you're successful?" Hyppönen said. “All of that is manual."
  • Monitoring systems, changing the malware code, recompiling it and registering new domain names to avoid defenses — things it takes humans a long time to do — would all be fairly simple to do with automation. "All of this is done in an instant by machines,” Hyppönen said.
  • That means it should be very obvious when AI-powered automation comes to ransomware, according to Hyppönen.
  • "This would be such a big shift, such a big change," he said. "We would definitely not miss it."

While AI talent is in extremely short supply right now, that will start to change in coming years as a wave of people graduate from university and research programs in the field, noted Ed Bowen, managing director for the AI Center of Excellence at Deloitte.

  • "Today, all security companies rely heavily on machine learning — so we know exactly how hard it is to hire experts in this field. Especially people who have expertise both in cybersecurity and in machine learning. So these are hard people to recruit," he told Protocol. "However, it's becoming easier to become an expert, especially if you don't need to be a world-class expert."
  • That dynamic could increase the pool of candidates for cybercrime organizations who are, simultaneously, richer and “more powerful than ever before," Hyppönen said.
  • Should this future come to pass, it will have massive implications for cyber defenders, in the event that a greater volume of attacks — and attacks against a broader range of targets — will be the result.
  • Between attackers and defenders, "you're always leapfrogging each other" on technical capabilities, Driver said. "It's a war of trying to get ahead of the other side."

— Kyle Alspach (email | twitter)


The speed at which security has been built up over the last 12 months has been a derivative benefit of what we’ve seen during the pandemic. Privacy, compliance and security are three legs of the same stool. What we’re seeing increasingly is that intersection continuing to happen. RingCentral has invested in all those elements.

Learn more

Channel flipping at Microsoft

Microsoft channel chief Rodney Clark is leaving the technology giant to take a job at an outside company.

The 24-year Microsoft veteran’s departure comes just more than a year after being appointed to what he then described as a “destination role” and “dream job” at Microsoft. Last March, he replaced Gavriella Schuster, who had held the channel chief role for five years.

As corporate vice president of Channel Sales, Clark oversaw the Microsoft Partner Network’s 400,000-plus companies that sell and support its enterprise products and services and build their own solutions and devices around them.

Clark joined Microsoft in 1998 and had been leading its IoT and mixed-reality sales for more than 3.5 years when he landed the channel chief position.

“For 24+ years I have been able to learn, grow and work for the best company in the world,” Clark said in a LinkedIn post on Monday. “My family has been raised with Microsoft, and my community has been shaped by Microsoft.”

Clark has accepted a new job as an executive officer at an unnamed, publicly traded company that partners with Microsoft, according to a blog post on Monday by Nick Parker, Microsoft’s corporate vice president of Global Partner Solutions.

Parker said Microsoft is actively discussing Clark’s replacement and expects to have a new leader in place by the beginning of its new fiscal year in July. The company plans to introduce its new channel chief at Microsoft Inspire, its annual partner conference that runs July 19-20.

— Donna Goodison (email | twitter)

Upcoming at Protocol

Join Protocol enterprise editor Tom Krazit May 18 at 10 a.m. PT for a series of high-level executive interviews filmed at SAP Sapphire 2022. Hear from CIOs from leading consumer packaged goods companies on the role of enterprise tech in transforming their business models and navigating a new era of digital transformation.

RSVP here.

Financial corner

Rippling was valued at $11.25 billion after raising $250 million for its HR platform.

Abnormal Security was valued at $4 billion after raising $210 million to provide security services for cloud-based email systems.

Aiven was valued at $3 billion after raising $210 million for its open-source cloud data platform.

Paddle was valued at $1.4 billion after raising $200 million to provide back-end billing services for SaaS products.

Stord was valued at $1.3 billion after raising $120 million for its supply chain logistics software.

Material Security was valued at $1.1 billion after raising $100 million for its email-based security services.

Evisortraised $100 million to provide AI-based contract management services.

Supabaseraised $80 million for its open-source alternative to Google’s Firebase development platform.

— Aisha Counts (email | twitter)

Around the enterprise

North Korean technology workers are trying to get IT jobs inside U.S. companies in order to steal trade secrets, according to a federal government warning.

Rakuten is dumping OpenStack in favor of a homegrown application development platform, as even stalwart telco users move on from OpenStack.

Santander, Spain’s largest bank, has moved 80% of its IT infrastructure into AWS and Microsoft Azure, it said in reporting last year’s financial results Monday.


At RingCentral, we’re focused on making hybrid work simpler for organizations so they can best set up, run and manage their business. We’re asking ourselves what's the benefit that we can derive, or that we can enable, that is better than the best-in-class in the industry?

Learn more

Thanks for reading — see you tomorrow!

Recent Issues