A digital currency mining operation, continuously active since 2019, has apparently incorporated ransomware potentially crafted using artificial intelligence (AI) into its malicious activities.
Fresh research conducted by the FortiCNAPP division, a component of FortiGuard Labs, has revealed the initial documented instance of a connection between the H2miner mining operation and the Lcryx ransomware.
The research team discovered this correlation during an examination of a group of virtual private servers (VPS) employed for mining Monero, a specific type of cryptocurrency.
The investigation brought to light digital samples associated with prior H2miner intrusions, which were initially reported in 2020, but have since been updated with revised configurations.
Furthermore, the FortiCNAPP team identified a novel iteration of the Lcryx ransomware, designated “Lcrypt0rx.” Lcryx is a ransomware variant based on VBScript, which was initially detected in November of 2024.
The analysis suggests that Lcrypt0rx lacks the complexities found in more sophisticated ransomware families. Nonetheless, it introduces unique strategies for reducing system performance, disrupting the user interface, and embedding redundant scripts.
This malware also integrates commercially available hacking tools and data-stealing programs, expanding its capabilities beyond simple data encryption.
FortiCNAPP notes that the ransomware family exhibits several unusual characteristics which suggest that artificial intelligence might have been used in its creation.
Flaws Found in Potentially AI-Generated Lcryx Ransomware
The FortiCNAPP team indicated that they have noticed growing use of large language models (LLMs) among malicious actors in recent years.
However, this approach to ransomware development has resulted in notable deficiencies and illogical behaviors within the script. These specific indicators have prompted the team to suspect that the Lcryx ransomware originated through the use of AI.
For example, multiple functions are replicated throughout the script without apparent justification, suggesting automated code generation without adequate optimization.
The code also displays flawed encryption methods, repetitive object creation, and improperly formatted syntax within the ransomware.
The script also engages in illogical actions, such as attempting to open encrypted files in Notepad, which, as FortiCNAPP pointed out, serves no practical purpose and lacks operational coherence.
Even the URL provided in the ransom note contains errors. The .onion address presented in the ransom note (http://lcryptordecrypt7xfzq5tclm9jzpwq72uofgy2znkdsxm54zbcu2yid[.]onion) fails to adhere to the correct Tor address structure. This might have been a placeholder in preparation for a shift from v2 to v3 onion services.
The antivirus-disabling capability also appears ineffective, as the methods intended to disable Bitdefender and Kaspersky antivirus software are inaccurate, most likely due to LLM inaccuracies.
Analyzing the Relationship Between H2miner and Lcryx
The operational overlap between H2miner and Lcryx could suggest collaboration between the parties involved in order to maximize profits.
However, other possibilities exist for the merging of these operations.
Firstly, the operators of H2miner could have independently developed Lcrypt0rx to improve their profits.
Alternatively, the H2miner operators could be redeploying Lcrypt0rx to conduct mining activities while shifting the blame.
The FortiCNAPP team concluded, “This campaign reflects a broader trend: the accessibility of cybercrime, in which pre-made tools, LLM-generated code and cheap infrastructure lowers the bar for entry, enabling even low-skill actors to launch campaigns that can have significant impact.”
