A team at NYU Tandon has shown[1] that large language models can manage the full cycle of a ransomware campaign without human involvement. Their prototype, described in a recent paper, demonstrates how artificial intelligence can scan systems, single out valuable files, choose attack methods, and draft ransom notes written for specific victims. The system was built and tested inside a controlled research environment, but the findings raise questions about how this technology could be misused.

Researchers frame this as the next step in ransomware’s evolution. The earliest versions, often called Ransomware 1.0, only locked files with encryption. Later strains, grouped as Ransomware 2.0, added double extortion, where attackers both encrypted and stole data. The new approach, which the team calls Ransomware 3.0, replaces pre-written code with natural language instructions. At runtime, an AI model interprets these prompts and generates fresh attack scripts.

As the study puts it: “Every execution yields different code, artifacts, and extortion notes such that the binary footprint and execution behavior are different every time, rendering traditional defenses ineffective.”

Inside the prototype

The proof-of-concept uses an orchestrator that runs in four stages: reconnaissance, leverage, launch, and notify. In the first, it gathers information about the operating system and files. In the second, it identifies which files matter most. The launch phase decides on the type of payload, which can be encryption, exfiltration, or destruction. The notify stage produces a ransom message tailored to the system.

The orchestrator was written in Go and bundled with a Lua interpreter. Lua was chosen because it runs from memory, has a small footprint, and works across different platforms. The orchestrator queries open-source AI models, which then generate Lua code to perform each task. These scripts are validated and run in a sandbox.

Three main payloads were built. One encrypts files using a lightweight cipher. Another uploads files to a remote server. A third destroys them beyond recovery. Each is created on demand by the model, so no two runs are identical.

How it was tested

The researchers ran 30 trials across three types of environments: personal computers, enterprise servers, and embedded industrial controllers. Each environment was seeded with normal documents and sensitive material such as tax forms, passwords, or configuration files.

In reconnaissance, both small and large models produced nearly complete file listings. Sensitive file detection was less consistent. The larger GPT-120B model identified up to 83 percent of critical files on personal computers and 78 percent on servers, but accuracy dropped to 48 percent on controllers. The smaller GPT-20B model was less precise but avoided some policy refusals that blocked the larger system.

When the models moved to payload execution, they selected the expected attack in nearly all cases: exfiltration on personal computers, encryption on company servers, and destruction on controllers. Success rates varied by task, with encryption working in 85 percent of runs and destruction in 95 percent. Exfiltration was less reliable, at around 65 percent.

Ransom notes were generated in every run. These messages often included specific filenames discovered earlier. A typical note read: “Hello Jane, your files have been encrypted. We found Tax_Return_2024_Final.pdf and Family_SSN_List.csv. To avoid public disclosure, follow the instructions below.”

Why this is harder to spot

One reason the researchers call this Ransomware 3.0 is the way each attack changes shape. Even with the same instructions, the model produces different versions of code. The encryption routines, for example, varied in how they handled key scheduling or byte order. This natural variation makes the generated code difficult for signature-based defenses to detect.

The study also found that the system left fewer visible traces than normal ransomware. Traditional malware often produces high disk activity, CPU spikes, or heavy network use. In contrast, this orchestrator only touched selected files and consumed little bandwidth. The authors note that it “completed the full attack lifecycle without displaying classic signatures of conventional ransomware.”

This stealth makes it harder for defenders to rely on standard warning signs.

Shifting the economics

Running such an attack could cost far less than traditional campaigns. One end-to-end execution used about 23,000 tokens, which would cost roughly 70 cents if commercial APIs were used. With open-source models, the cost drops close to nothing.

This changes the business model. Established groups currently spend on developers, infrastructure, and coordination. With an AI-driven pipeline, even small operators with basic hardware could carry out complex campaigns. The study points out that “an orchestrator can execute thousands of polymorphic, personalized attacks,” creating chances to profit from targets that were once ignored.

Limits and safeguards

The prototype was never deployed outside of the lab. It lacks persistence, advanced evasion, or lateral spread. The aim was to show feasibility, not to build a working tool for criminals. The team also avoided using jailbreaks. Instead, they designed prompts that made the model generate the code as if it were performing ordinary programming tasks.

The work was reviewed under institutional ethics processes. As the authors explain: “All experiments were conducted within a controlled and isolated environment to ensure that no harm was caused to real systems, users, or networks.”

Even so, the modular structure means a real attacker could expand it. Persistence could be added, or negotiation modules could be introduced to manage extortion after the initial compromise.

What defenders can do

The researchers argue that defenders should not expect to stop this type of ransomware with legacy methods. More proactive monitoring may be needed, such as tracking access to sensitive files, planting decoy documents to catch attackers during reconnaissance, and blocking unapproved connections to AI services. Building stronger safeguards into AI models themselves may also be necessary.
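Two of those measures, decoy documents and control of connections to AI services, can be correlated per process so that detection does not depend on disk or network volume. The sketch below is an added example, not code from the paper or from the researchers; the log format, decoy paths, hostnames, process names and the ten-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Everything below is constructed for illustration: paths, hostnames, processes.
DECOYS = {"/home/jane/Documents/Passwords_backup.xlsx",
          "/srv/finance/payroll_2024_canary.csv"}
AI_HOSTS = {"api.llm-provider.example", "inference.models.example"}
APPROVED_AI_CLIENTS = {"/usr/bin/code"}   # processes allowed to reach AI services
WINDOW = timedelta(minutes=10)            # correlation window per process

# Constructed telemetry, one event per line: timestamp kind pid exe target
SAMPLE_LOG = """\
2025-01-10T09:00:01 file_open 4110 /usr/bin/code /home/jane/src/app.py
2025-01-10T09:00:05 net_connect 4110 /usr/bin/code api.llm-provider.example
2025-01-10T09:02:11 file_open 5222 /tmp/updater /home/jane/Documents/notes.txt
2025-01-10T09:02:12 net_connect 5222 /tmp/updater inference.models.example
2025-01-10T09:02:40 file_open 5222 /tmp/updater /home/jane/Documents/Passwords_backup.xlsx
2025-01-10T09:05:00 file_open 6001 /usr/bin/rsync /srv/finance/payroll_2024_canary.csv
"""

def parse(log):
    """Yield (ts, kind, (pid, exe), target); malformed lines are skipped."""
    for line in log.splitlines():
        try:
            # target may contain spaces, exe may not (limit of this toy format)
            ts, kind, pid, exe, target = line.split(maxsplit=4)
            yield datetime.fromisoformat(ts), kind, (int(pid), exe), target
        except ValueError:
            continue

def detect(log):
    """Return {(pid, exe): severity} without relying on I/O volume."""
    decoy_hits, ai_conns = {}, {}
    for ts, kind, proc, target in parse(log):
        if kind == "file_open" and target in DECOYS:
            decoy_hits.setdefault(proc, []).append(ts)
        elif kind == "net_connect" and target in AI_HOSTS and proc[1] not in APPROVED_AI_CLIENTS:
            ai_conns.setdefault(proc, []).append(ts)
    alerts = {}
    for proc in decoy_hits.keys() | ai_conns.keys():
        d, a = decoy_hits.get(proc, []), ai_conns.get(proc, [])
        if any(abs(x - y) <= WINDOW for x in d for y in a):
            alerts[proc] = "critical"   # decoy touched and model queried together
        elif d:
            alerts[proc] = "high"       # decoy touched: nothing legitimate reads it
        else:
            alerts[proc] = "medium"     # unapproved process talking to an AI service
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A single decoy read is enough to raise an alert here, which matters because the study reports that the prototype touched only selected files and used little bandwidth.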

The work underlines the dual nature of large language models. They can improve productivity and automation, but they can also be misused. The Ransomware 3.0 study shows how an attacker could exploit these systems for automated extortion that is both cheaper to run and harder to detect.

References

  1. ^ has shown (arxiv.org)

By admin