Why the removal of MIT's "jaw-droppingly bad" AI paper is a lesson for us all

Few people call out cybersecurity hype as bluntly as WannaCry hero Marcus Hutchins.
This week, the hacker-turned-cybersecurity researcher took to social media to take aim at a widely derided working paper by the MIT Sloan School of Management and vendor Safe Security, which the research community has savaged for overstating AI’s role in ransomware attacks.
The community’s main point of contention with the paper, which has since been removed, is its headline assertion that 80% of ransomware attacks in 2024 involved AI techniques, without going into any detail about how threat actors used AI.
First published as a PDF on MIT Sloan’s site in April this year, the paper claimed that it had examined 2,800 ransomware attacks and that 80% of them had been “powered by artificial intelligence.”
Hutchins, a former hacker who now works as a cybersecurity researcher, was one of many critics who have publicly scrutinised the methodology behind the claims, which most of them say are either vague or false.
“The paper was so absurd I burst out laughing at the title. Then when I read their methodology I laughed even harder,” Hutchins said on LinkedIn.
He added: “Their definition of ‘AI-powered’ was already dubious. But what’s even more hilarious, they never even explained how they concluded that a threat actor was ‘using AI’.
“Many of the threat actors they cited as ‘using AI’ were ones I personally tracked as part of my day job and can testify did not use AI.”
CISOs force scrutiny
Another vocal critic of the paper – which MIT Sloan claims “is being updated following recent reviews” – has been respected cybersecurity researcher Kevin Beaumont, who roasted the report in a blog post, “Cyberslop”.
Beaumont was prompted to pick the report apart, he said, because CISOs kept forwarding the paper to him, telling the researcher that he was wrong about AI not playing a major role in ransomware attacks.
Like Hutchins, he criticised the report for the way in which it was conducted: not naming sources, claiming that historic ransomware groups which have long since disbanded were using GenAI, and inaccurately describing malware like Emotet as being “AI-like.”
“It’s jaw-droppingly bad. It’s so bad it’s difficult to know where to start… The paper lumps almost every ransomware group into using AI, without a source.
“The paper talks about things like Emotet as being AI-like (total nonsense; it’s also a historic threat), ransomware groups which disappeared before generative AI using GenAI… There’s just so much going on here that it’s unbelievable this was put into the public domain like this.”
And yet, in September of this year, the paper was very much in the public domain when it was highlighted in a blog post by MIT Sloan, which was picked up by the cybersecurity press, including TechRadar and Security Boulevard (Beaumont screenshots these reports in his blog).
Beaumont also pointed out how a Financial Times article dated 3 November 2025 had quoted stats from the paper in a story it published, although he adds that these have since been removed.
Lessons learned
While the story is concerning, there are lessons to be learned.
What is particularly confusing and misleading about the original paper’s headline is the leap it makes from well-documented areas where we already know threat actors are using AI – for things like phishing, polymorphic malware coding, and deepfake social engineering – to implying that AI is used to automate the execution of ransomware attacks.
At most, there might be instances of this happening in labs as proofs of concept, but there are no real-life examples of it (yet!). If we think hard enough about this, the 80% figure doesn’t make sense.
As a reporter under the pressure of a 24/7 news cycle, it’s clear to see how a mistake could be made: a journalist might read that headline, assume that the report covers all uses of AI by bad actors and not just ransomware, and perhaps not question the sense of it.
The security community has also called out the fragile relationship between academic research and commercial interests: two MIT professors also sit on the board at Safe Security, which funded the collaboration.
Institutions like MIT carry weight, and when big claims are made without transparent data or solid definitions, it risks undermining trust.
This kind of misinformation also has serious implications for the heads of cybersecurity who were convinced that Beaumont was underplaying the role that AI has in ransomware attacks. If organisations act on flawed claims, their strategies, budgets, and risk assessments may be inaccurate.
That this misinformation comes from a cybersecurity company which is supposed to help CISOs is the ultimate irony, and one that Hutchins is happy to call out:
“Right now, a significant source of disinformation in cybersecurity comes from cybersecurity companies making up imaginary AI-powered threat actors to sell products.
“Their logic is that AI-powered threat actors could only be stopped by AI-powered security products, so you need to buy their AI-enabled magic box.
“In reality, AI models are bound by their training data. They can only do what they’re trained to do, which is things humans already knew how to do. Threat actors would not be able to use AI to create novel attacks, nor would security companies be able to use AI to stop them.”