A cryptomining botnet that has been active since 2019 has added a likely AI-generated ransomware to its operations.
New analysis by the FortiCNAPP team, part of FortiGuard Labs, has identified the first incident of an overlap between H2miner and Lcryx ransomware.
The team uncovered this link during an investigation into a cluster of virtual private servers (VPS) used for mining Monero (a type of cryptocurrency).
The investigation uncovered samples associated with prior H2miner campaigns that were documented in 2020 but have since been updated with new configurations.
The FortiCNAPP team also identified a new variant of the Lcryx ransomware, dubbed “Lcrypt0rx.” Lcryx is a VBScript-based ransomware strain first observed in November 2024.
The team assessed that Lcrypt0rx lacks the sophistication of more advanced ransomware families. However, it introduces distinct techniques, including degrading system usability, interfering with the user interface and embedding redundant scripts.
It also bundles commercially available hack tools and infostealers, expanding its functionality beyond simple encryption.
FortiCNAPP said that the ransomware family exhibits several unusual characteristics that suggest it may have been generated using AI.
AI-Generated Lcryx Ransomware Harbors Several Flaws
The FortiCNAPP team said they have observed the growing adoption of large language models (LLMs) by threat actors in recent years.
However, this method of ransomware development has led to some critical flaws and illogical behavior within the script. It is these indicators that led the team to suspect the Lcryx family of ransomware was generated using AI.
For instance, multiple functions are repeated throughout the script with no clear reason, suggesting automated code generation without optimization.
There is also evidence of flawed encryption logic, redundant object creation and malformed syntax within the ransomware.
The script also behaves illogically, for example attempting to open encrypted files in Notepad, which FortiCNAPP noted has no practical function and makes no operational sense.
Even the ransom note URL has errors. The .onion address in the ransom note (http://lcryptordecrypt7xfzq5tclm9jzpwq72uofgy2znkdsxm54zbcu2yid[.]onion) does not conform to valid Tor address specifications. It may have been a placeholder during a transition from v2 to v3 onion services.
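One concrete way to check the claim that the ransom note address is malformed is to validate it against the v3 onion address layout: 56 base32 characters (alphabet a-z and 2-7) encoding a 32-byte Ed25519 public key, a two-byte checksum (the first two bytes of SHA3-256 over ".onion checksum" || pubkey || version) and the version byte 0x03. The validator below is an added example, not code from the FortiCNAPP report. It runs the check over the address printed above (defanged exactly as on the page) and, for comparison, over a constructed well-formed address built from an arbitrary 32-byte value that stands in for a real public key; the function names and the sample key are assumptions of this example.

```python
import base64
import hashlib
import re

ONION_V3_LEN = 56                      # 35 bytes * 8 / 5 bits per base32 char
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")
CHECKSUM_PREFIX = b".onion checksum"   # per the Tor rendezvous v3 spec

# Address quoted in the report, copied from the page in its defanged form.
PAGE_ADDRESS = "http://lcryptordecrypt7xfzq5tclm9jzpwq72uofgy2znkdsxm54zbcu2yid[.]onion"


def normalize(addr):
    """Strip scheme, path and .onion suffix; refang common '[.]' / '(.)' notation."""
    label = addr.strip().lower()
    label = re.sub(r"^[a-z]+://", "", label)
    label = label.replace("[.]", ".").replace("(.)", ".")
    label = label.split("/")[0]
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    return label


def check_onion_v3(addr):
    """Return a list of spec violations; an empty list means the address is well-formed."""
    label = normalize(addr)
    problems = []
    if len(label) != ONION_V3_LEN:
        problems.append(f"length {len(label)} != {ONION_V3_LEN}")
    bad_chars = sorted(set(label) - BASE32_ALPHABET)
    if bad_chars:
        problems.append(f"characters outside base32 alphabet: {bad_chars}")
    if problems:
        # Cannot decode a label that is the wrong length or uses bad characters.
        return problems
    raw = base64.b32decode(label.upper())      # 56 chars -> exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != 3:
        problems.append(f"version byte {version} != 3")
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + bytes([version])).digest()[:2]
    if checksum != expected:
        problems.append("checksum mismatch")
    return problems


def make_onion_v3(pubkey):
    """Build a well-formed v3 address from a 32-byte key (format only; not a real key)."""
    assert len(pubkey) == 32
    version = b"\x03"
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


if __name__ == "__main__":
    print("page address:", check_onion_v3(PAGE_ADDRESS) or "well-formed")
    # Constructed sample key: 32 sequential bytes, standing in for an Ed25519 public key.
    sample = make_onion_v3(bytes(range(32)))
    print("constructed address:", check_onion_v3(sample) or "well-formed")
```

Run as a script, the page address fails at the alphabet check (it contains a "9", which base32 never uses), so no decode or checksum step is even reached; the constructed address passes all four checks. The same function is useful for triaging .onion indicators pulled from ransom notes before they are loaded into a threat intelligence feed.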
Antivirus disabling functionality is also shown to be ineffective, as the methods to disable Bitdefender and Kaspersky antivirus products are incorrect and are likely LLM hallucinations.
Examining the H2miner-Lcryx Connection
The operational overlap between H2miner and Lcryx could indicate collaboration between the operators to maximize financial gain.
However, there are other possible explanations for the joining of forces.
First, H2miner operators could also have developed Lcrypt0rx to increase profits.
Alternatively, H2miner operators could be reusing Lcrypt0rx to conduct mining operations while shifting the blame.
The FortiCNAPP team concluded: “The campaign reflects a broader trend: the commodification of cybercrime, where access to prebuilt tools, LLM-generated code, and cheap infrastructure lowers the barrier to entry, enabling even low-skill actors to launch high-impact campaigns.”