The Autonomous Hacker: AI, Ransomware, and the New Rules of Cyber Defense

90% of your cyber risk comes from just 2 vectors. See why AI has made social engineering more dangerous and how phishing-resistant MFA can stop it.

Stop guessing about AI threats. Get the facts on how autonomous bots are changing the landscape of social engineering.   While the "hacker in a hoodie" is a relic of the past, the new reality is AI-enabled social engineering that is significantly more effective than human-led attacks. In this deep dive, Roger Grimes (38-year security veteran and KnowBe4 CSO Advisor) translates the complex world of AI and Quantum threats into a practical survival guide for SMBs and IT Directors.

The Translation Promise

Cybersecurity often feels like a "glass of champagne" filled with endless bubbles of compliance and risk. This video translates complex vulnerability metrics into actionable advice, focusing on the two specific vectors that account for nearly 90% of your total risk profile.

What You Will Learn

  • The 90% Rule: Why social engineering and unpatched software remain your two biggest risks, even in the AI era.  
  • The ROI of AI Attacks: Why AI-driven social engineering is 24% more effective than human attempts.  
  • The Negotiator's Trap: How ransomware actors target and delete backups before you even know they are in your system.  
  • QR Code Vengeance: Why your current defense tools struggle to block malicious links that exist for less than ten minutes.  
  • Phishing-Resistant MFA: Why 90% of MFA methods are easily bypassed and how to implement FIDO-enabled tools like YubiKeys.  
  • The 3-2-1 Backup Blueprint: The essential architecture for maintaining offline, clean data copies.  

Resources Mentioned

  • Free Book Offer: Roger is offering a free PDF copy of his latest book, How AI and Quantum Impact Cyber Threats and Defenses. To get yours, email him directly at rogerg@knowbe4.com.  
  • CISA Known Exploited Vulnerabilities (KEV) Catalog: The essential list for prioritizing patches based on real-world exploits.  
  • Phishing-Resistant MFA: Learn more about FIDO-enabled YubiKeys and Passkeys to stop credential theft.  
  • Password Management: Protect your credentials with tools like 1Password or LastPass.  
  • KnowBe4: Explore security awareness training at knowbe4.com.  

Podcast Timestamps

  • 00:00 – The AI Hacker Era
  • 00:30 – Introduction: Roger Grimes (KnowBe4)
  • 00:56 – New Book: How AI and Quantum Impact Defense
  • 01:12 – 90% of the Risk: People & Unpatched Software
  • 01:55 – Training People: Why it Still Matters
  • 03:04 – Current QR Code Threats
  • 03:52 – Agentic AI-Enabled Ransomware: Impact on SMBs
  • 04:32 – High-Level Ransomware Prevention Tactics
  • 05:16 – Ransomware Negotiation Trap: How Hackers Target Backups
  • 06:20 – The 3-2-1 Rule for Backups
  • 06:30 – The MFA Gap: Why Most Fail
  • 07:21 – Phishing Resistant MFA: FIDO and YubiKey
  • 07:52 – Password Managers: Essential Tool
  • 08:19 – How to Patch on a Budget
  • 08:59 – CISA KEV: Free Prioritization Tool
  • 09:25 – Free Resources: AI & Quantum Threats Guide

The Autonomous Hacker: AI, Ransomware, and the New Rules of Cyber Defense Transcript

I think our kids and grandkids, when they hear the term hacking or hacker, are gonna think of an AI autonomous bot. They're not gonna think like, we when we heard hacker for our whole lives, we would think of somebody, you know, usually a young male, you know, over a keyboard and a hoodie with Jolt Cola or something like that. Well, it it's now not that way. It's somebody that is using AI and that autonomous AI bot, and it's really, again, taking off right now.

Hello, and welcome back. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. So excited about our guest today.

His name is Roger Grimes. He is a thirty eight year plus computer security professional, CISO advisor at KnowBe4. Roger is known for his often contrarian fact filled viewpoints and rapid paced presentations. Roger Grimes, welcome to this podcast.

So glad to be here. Thanks for having me.

What did I miss?

I just recently released my sixteenth book Amazing.

Back in January called How AI and Quantum Impact Cyber Threats and Defenses.

That's a very timely book. I'm sure people will be interested to read that. One of the things that you have said is that social engineering is a factor in, what was it, ninety three percent of all successful data breaches?

Yeah. You know, it depends on the stat, but I see seventy to ninety percent really routinely. I think most people get so overwhelmed by all the cybersecurity things and compliance things that you're told that you need to worry about. You see them as, you know, like bubbles in a glass of champagne. But what they don't tell you is that just one or two of these things, social engineering being number one, unpatched software and firmware being number two, those two things added up together account for almost the whole glass. For most businesses, social engineering, unpatched software and firmware is probably ninety percent of the risk.

With these burgeoning AI avenues, do you still feel that's the right place for SMBs to focus, is on the For sure, training and awareness is one of the best things you can do.

If you get any message that's brand new that you were not expecting, asking you to do something you've never done before, you need to treat that with a healthy level of skepticism. And again, seventy, at least seventy to ninety percent of the problem involves the human. And we don't like to say that they're a problem. It's just that attackers know that I can get if I can trick you into clicking on a link or opening this document, I pass I bypass your firewalls and your antivirus and all the other stuff immediately.

We know that AI enabled social engineering is at least twenty four, twenty five percent more effective at social engineering people than if a human tried it. And here's the kicker. The stat that really got me is that the scams that involved AI Sold four point five times more value. Only the dumb attacker wouldn't use AI.

Right. To what degree do you think QR code explosion among SMBs is driving another emerging entry point for malicious actors?

Boy, it's come back with a vengeance. The defense tools that you buy, the content filters, the antivirus, the your browser cannot as easily take that QR code and convert it into the, you know, the, HTTPS string that it's gonna become. Google says that the average malicious website does not exist for even ten minutes today. So it's really hard for a security vendor cybersecurity vendor to make a block list if the bad guys are actually creating and destroying that link in under ten Right.

Yeah. That's a really good point. And then speaking of AI, ransomware has been a problem for small businesses, but now we have agentic AI enabled ransomware.

How does that affect these SMBs?

I used to give talks for years saying, Hey, here's all these AI attacks that are coming. You don't really need to worry about them. A couple of months ago, had to change that to, Hey, you need to start to be worried. Hackers are taking these traditional attacks, social engineering, unpatched software and firmware, ransomware, password sealing Trojans, whatever it might be, and they're putting it until, just like you said, Gen A, you know, AI enabled agenic autonomous programs, and it really is showing a significant impact on cybersecurity.

I know that we could spend hours or days on ransomware. Could you maybe look at it from a high level and give some SMB business owners or IT folks just a little bit of guidance on what can they do today in terms of preventing it, and then maybe what they should do if it does happen?

You wanna make sure you have really good backups. Right? Because the ransomware, if it does get loose in your environment, is going to encrypt a lot of your confidential data and stuff like that. And I always say, even if you paid the ransom, most people that paid the ransom do not get all of their data back. I've had some CEOs brag to me they didn't pay the ransom, and it took them over a year to recover everything.

Yeah. And a lot of organizations don't realize that the the malicious actor is actually going to go and find your backup. They're going map everything and make sure that they have everything covered before you even know that they're there, so there's no way to fight it.

I tell you, one of their ploys is they'll ask for the ransom, and the person that's negotiating with them, the company person, in the back of their head, they're like, I'm not gonna negotiate with them because I have a backup. And so they tell them no or something like that. Then they go to try their backup, and the IT guy has told the boss, the CEO, the IT guy has told the CEO, yes, we have a backup. Of course, we have backups.

And so the CEO or the negotiator says, no. We're not paying your stupid ransom. Forget it. Then they find out that their backups are not there and that they don't work because they've been reencrypted or deleted or something like that.

They have to go back to the ransomware attacker now to negotiate. He has the upper hand, and he's now gonna double what he's gonna ask for you because you've now confirmed that they were successful in preventing you from getting a a known good clean backup. It it an offline backup should take somebody having to physically do something to get that backup online. They have this three, two, one rule.

You should have three copies of your data. One, the original copy of the data, two backups, and one of those backups should be offline.

How do SMBs balance the MFA is good with, but that that can be hacked?

You, for sure, should be protecting valuable data and systems with multi factor authentication. I've probably reviewed a hundred and sixty multi factor authentication methods in maybe twelve or fifteen are phishing resistant. Unfortunately, ninety percent of that stuff out there is easy for me to socially engineer. If you get sent a code to your phone that you're asked to type in, well, I can send you a fake email that looks like it's coming from the right place, And and you, unbeknownst to you, you you're sent to the wrong fake website.

You get that six digit code and you type it in, but you're typing it into a fake website that the hackers captured. They then disconnect your account, connect to your website, and take over your account. If you can use phishing resistant multifactor authentication, here's an example of one of those. This is called a Yuba key.

A Fido enabled YubaKey is phishing resistant. When someone when I use my YubaKey to log in, I have to not only put in my login name and password, but I have to insert my YubaKey and my USB port, and I have to touch. It's not a fingerprint reader. I just have to touch it. Or you can use something called a Fido passkey or something like that. But you wanna use something that I can't trick you out of. If you have to use a password, I'm a very big believer in using a password manager, you know, like 1Password or LastPass or something like that, because they they create very random, truly random passwords that are long and strong and different for every website and service that you use.

Yeah. I don't I don't know how I would function without a a password manager. I think that's an excellent recommendation. Well, so let's consider maybe the fact that a lot of SMBs do not have a big budget. What do you think is the best place for them to start?

The best advice and let me say, I've been doing this going on forty years. I cannot stress enough that you need to spend more time and attention fighting social engineering and making sure you've got your patch management down. Don't let some of the shiny stuff get you distracted. Last year, there was over forty seven thousand different publicly announced vulnerabilities, over forty seven thousand.

I think this year, it's likely to be closer to a hundred thousand. But what a lot of people don't know is less than one percent of those are ever exploited by a real world hacker. I tell people, subscribe to the CISA known exploited vulnerabilities catalog. It will tell you every time there's a piece of software firmware that's being used by real world attacker to exploit a real world target.

The better you do at focusing on the basics, preventing social engineering, patching better, and things like that, the better off your company's gonna be.

If someone is interested in learning more about NobelForward resources there, where should they go?

Go to knowbe4 dot com, and let me offer it to any of your listeners, anybody viewing or listening to this today. You can get a free copy of my latest book, How AI and Quantum Impact Cyber Threats and Defenses, just by emailing me at Roger, g r o g e r g, at Noble four dot com. And I promise I will not use or market to you. I will just give you a free PDF copy of my latest book that covers AI and quantum threats and how to defend against them for free.

Excellent summary. I really appreciate your time today, and and, thank you again. I know that our listeners will really appreciate the the information that you shared today.

Thank you. Thanks, everyone.

Get the Guide To PCI Compliance
Download
Get a Quote for Data Security
Request a Quote