Security researchers at Fortinet recently discovered something very unusual and concerning: an AI-generated ransomware called Lcrypt0rx is being deployed through an active cryptomining botnet named H2Miner. This appears to be one of the first real-world cases of artificial intelligence being used to generate ransomware.

The H2Miner botnet has been around since at least 2019. It mainly targets cloud servers and Linux-based systems to mine Monero (XMR) cryptocurrency. Over time, it has evolved and added more malicious tools to increase its profits. The latest addition is what’s grabbing headlines: a ransomware built with the help of AI.

What makes this case unique is how the ransomware, Lcrypt0rx, was created. Fortinet’s team observed signs that this ransomware wasn’t written by a human in the traditional sense. It appears to have been produced by an AI-based code generator, a tool attackers are now using to launch wider and more dangerous attacks.

The researchers noticed some unusual patterns in the code. The script was written in VBScript and was filled with strange mistakes. It had repeated logic, odd formatting, buggy behavior, and unnecessary or broken code blocks. All of these are common traits of AI-generated code, especially from less fine-tuned models.

For example, one odd behavior they found was that the ransomware tried to open encrypted files in Notepad, something that makes no sense from an attacker’s point of view. It also included flawed commands for turning off antivirus protections and registry edits that failed. These are classic signs that it was written by automation and not carefully tested by a human hacker.

Fortinet says its tests using AI-detection tools indicated an 85–90% likelihood that the ransomware was AI-generated. This marks a big moment: AI tools are now being used in real cyberattacks, even if the results aren’t perfect yet.

Even though Lcrypt0rx is sloppy and contains many mistakes, it’s still being deployed alongside other malware in the H2Miner botnet. This means a single compromised machine might be infected with a Monero cryptominer, a backdoor tool such as Kinsing or Cobalt Strike, and now this AI-generated ransomware, all at once.

What’s especially worrying is that H2Miner isn’t just targeting regular PCs. It’s going after containers, cloud workloads, and Linux systems, which are often used by companies for hosting their infrastructure. That increases the potential damage significantly.

The campaign’s infrastructure was also analyzed. Researchers found a network of malicious servers that deliver the ransomware, miners, and backdoors. One script was responsible for launching all of them together, making it efficient for attackers to maximize both data theft and profit.

So why bundle ransomware with a miner? The theory is that attackers want to hit two goals: mine cryptocurrency in the background and at the same time lock the files to pressure companies into paying ransoms. Even if the ransomware fails, they still earn from mining.

In response, security experts are urging companies to improve their cloud security, especially with real-time monitoring tools that detect suspicious behavior such as cryptomining, unexpected file encryption, or unauthorized access.

This development is a reminder of how quickly cyber threats are evolving. Attackers are starting to use AI not just for phishing or spam, but to generate malicious code itself, however flawed it might be. It may not be perfect today, but it’s only a matter of time before these tools become more sophisticated.

The discovery of AI-generated ransomware inside a real botnet like H2Miner is a major shift in the cybersecurity landscape. It’s a wake-up call for defenders everywhere: the future of malware is being built by machines.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news