Criminal wannabes even more dangerous than the pros, says ex-FBI cyber chief
If they don't know what they're doing, you might never get your data back
by Jessica Lyons · The Register

Interview: It's the biggest threat today, but it took her a while to appreciate it. After spending two decades at the FBI and much of that time working to intercept and stop cyber threats from the likes of China and Russia, Halcyon Ransomware Research Center SVP Cynthia Kaiser says she was a "latecomer to really wanting to focus on ransomware."
"I was a Section Chief at the FBI, I was over in the nation state analysis - so North Korea, Iran, China, Russia - and at the time China was pre-positioning on our critical infrastructure, posing this existential threat," she told The Register during an interview at RSA Conference.
"Ransomware was a slower evolution for me to realize that's who is stealing from us today, that's the threat facing us today - it's not the potential catastrophic threat of tomorrow," Kaiser said. "I'm also really angry about ransomware because ransomware targets hospitals today, it kills people today."
In June 2025, Kaiser left her post as deputy assistant director at the FBI's cyber division to lead security firm Halcyon's new Ransomware Research Center. It debuted a month later at Black Hat, and the center aims to stomp out the ransomware scourge, which, combined with straight extortion attacks, cost American businesses and consumers nearly $155 million last year.
Over the last couple of months, her team has investigated ransomware infections ranging from an attack against a US healthcare organization attributed to an Iranian-government-linked group, Pay2Key, to intrusions carried out by much less sophisticated, newer ransomware-as-a-service operations like Sicarii.
Both ends of the ransomware spectrum can have disastrous, destructive impacts on business operations.
Iran-linked ransomware crew hits US healthcare
The Pay2Key infection happened in late February, around the start of the US and Israeli military strikes against Iran. Halcyon's investigation found that the Iran-backed crew had held access to a compromised admin account for several days before the attack - and then deployed ransomware and encrypted the environment in just three hours.
"They had to have been on the network before the attack, that access was already existing," Kaiser said, adding that she can't definitively link the ransomware infection to the war in the Middle East.
"What it says is that there are existing accesses that a government-linked group like Pay2Key can operationalize at any given time," she said. "And when I look at that, I think of the Albania attacks of 2022." The US government issued sanctions against Iran's Ministry of Intelligence and Security and its Minister of Intelligence in response to these earlier cyberattacks that shuttered Albania's online public services and websites.
"Iran was on those networks for 14 months, conducting espionage, collecting emails, and then they turned it over to an attack group to operationalize that access," Kaiser said about the 2022 intrusion.
In the more recent Pay2Key attack against the healthcare organization, Kaiser said that the ransomware variant the group used showed a massive upgrade from its July 2025 intrusions, with better anti-detection capabilities built in. Plus, there's no evidence that any data was stolen during this attack, which is unusual for this particular crew and goes against the larger, more lucrative trend toward double-extortion ransomware infections.
"It shows that there's this really distinct ransomware threat that has some government connections, and it appears in this case it was much more aimed at destruction than just the ransom and financial gain," Kaiser said.
Meanwhile, sophisticated financially motivated criminals like Akira's ransomware operatives are becoming even speedier in their attacks, moving from initial access to encryption in less than one hour. In most of their hundreds of compromises over the last 12 months, Akira spent less than four hours from initial access to full encryption, according to Halcyon's investigations.
Plus, Akira's decryption tool uses a special "checkpoint" system to ensure large files can be recovered even if the encryption process is interrupted, which makes paying the ransom sound more appealing to victims.
For defenders, this means "you don't have the dwell time that you used to have," Kaiser said. "Ransomware is so different today than it was two years ago among these really sophisticated threat-actor groups."
And … the wannabes
And then there are ransomware operations like Sicarii. This criminal group seemed to emerge in December, and it's most notable for its flawed malware. The Sicarii encryptor generates a new cryptographic key pair during every execution - but then discards the private key, meaning there's no recoverable master key and victims may or may not be able to decrypt their files.
"You need three things to make ransomware successful. You need a lock, you need a key - that's what the victims pay for - and you need to be able to put the key in the lock," Kaiser said. "They forgot to make that keyhole, so it's destruction-ware now."
Kaiser believes the "ransomware wannabes," as she calls them, used AI - but it didn't help them write better code or increase the sophistication of their attacks.
"They'd obviously used AI at every stage, and then they ugly-chained it together - I don't think they used an agent, it was just ugly coding at every stage," Kaiser said, adding that this illustrates the risk of cybercriminals, and not just the ones who are good at their jobs, incorporating AI into their attack chains.
"You're seeing criminals, wannabes who, in their hands, AI is even scarier than sophisticated actors who are incorporating some type of this technology," Kaiser said. "You have a bunch of wannabes, and if they can go from 0 percent to 5 percent or 10 percent effectiveness, that's great for them. But for IT and security professionals inside organizations, the biggest threat is the increased volume of these terrible, just ugly attacks."
These attacks aren't very stealthy, and they will likely set off all kinds of security alerts. "But if you have such a huge volume that, and you're dealing with that, and especially if you don't use automation on your network, then as you're dealing with that, what other sophisticated threats are coming in?" ®