LLMs Accelerate Ransomware: Boosting Speed, Volume

Large language models (LLMs) are fundamentally reshaping how ransomware groups orchestrate their attacks. Rather than developing novel malware strains, LLMs are significantly accelerating each phase of the established ransomware lifecycle, from initial reconnaissance to final extortion.

Crews can now write fluent phishing lures, localize ransom notes, and triage stolen data in many languages in minutes, not days.

This shift is already visible across crimeware ecosystems and is raising the overall tempo and reach of extortion operations.

Attackers use LLMs as a direct substitute for normal enterprise workflows.

Where a sales team would use an LLM to clean data and draft outreach, ransomware operators feed dumps of leaked documents and ask the model to find high‑value files, sensitive projects, or legal disputes that can increase ransom pressure.

The same pattern holds for infrastructure setup: low-skill actors can ask models to explain how to stand up C2 servers, build basic loaders, or script automation and get step‑by‑step guidance in simple language.

SentinelOne Labs researchers noted that LLMs are lowering barriers to entry while also helping existing crews move faster across more languages, tech stacks, and regions.

They observed no “super‑malware,” but clear gains in speed, volume, and multilingual reach, especially where LLMs assist with tooling, data triage, and negotiation.

At the same time, the classic ransomware landscape is splintering into many small crews and copycats, with state‑linked and crimeware actors blurring together in shared ecosystems.

A key trend involves local, self‑hosted models like Ollama, which help actors evade provider guardrails.

LLMs Accelerating the Ransomware Lifecycle

Instead of asking a single cloud LLM for an end‑to‑end ransomware kit, operators decompose the job into benign‑looking pieces and spread them across sessions and models.

A simple example is generating small code fragments and then stitching them together offline:-

python# fragment 1: file walker
for root, dirs, files in os.walk(start_dir):
    for name in files:
        process_file(os.path.join(root, name))

# fragment 2: simple XOR
def xor(data, key):
    return bytes(b ^ key for b in data)

None of these prompts alone look like ransomware, but combined with an actor‑written wrapper they can form an encryption routine and data‑stealing implant.

SentinelLabs identified early proof‑of‑concept tools such as PromptLock and MalTerminal that embed LLM prompts and API keys directly into code, showing how future ransomware could call local or remote models at runtime to generate or adapt payloads on demand.

This “prompts‑as‑code” pattern points to the real risk ahead: industrialized, multilingual extortion powered by AI‑accelerated workflows rather than fundamentally new forms of malware.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.