Warning and demo: It's possible to craft ransomware with a local LLM, Video Review Only

Ransomware 3.0: Self-Composing and LLM-Orchestrated is a research prototype that demonstrates how ransomware can be crafted using a local large language model (LLM) without any human intervention. The system operates in four phases—Reconnaissance, Leverage, Launch, and Notification—using natural language prompts embedded in a lightweight orchestrator binary. At runtime, the LLM dynamically generates malicious code, including encryption routines and personalized ransom notes, tailored to the victim’s environment. This results in polymorphic, low-footprint attacks that differ every execution, making them undetectable by traditional signature-based defenses.

A key example is PromptLock, a proof-of-concept malware identified by ESET and later clarified by NYU Tandon as part of the Ransomware 3.0 research. It uses a local open-source LLM (via Ollama) to generate malicious Lua scripts on the victim machine for reconnaissance, data theft, and encryption. Unlike cloud-based models, local LLMs avoid detection by commercial providers’ safety filters and allow persistent, stealthy operations.

These developments show that crafting ransomware with a local LLM is not only feasible but already demonstrated in research. The attack surface is broadened because adversaries no longer need to ship pre-compiled malware—only a prompt and access to a model are required. This lowers the barrier to entry for non-technical actors and enables highly adaptive, context-aware attacks.

Key Risks:

Polymorphic payloads: No two executions are identical, evading static analysis.
Local execution: No reliance on external APIs reduces detection risk.
Autonomous operation: The LLM plans and executes the entire attack lifecycle without human input.

Defense Recommendations:

Block local LLM runtimes (e.g., Ollama, vLLM) on endpoints unless pre-approved.
Monitor for unusual outbound LLM calls or runtime code generation.
Enforce strict secrets management to prevent exposed API keys.
Audit systems for unauthorized AI models and prompt structures.

The era of AI-generated, self-composing ransomware is here—and organizations must adapt their defenses to detect behavioral patterns, not just code signatures.

Local large language models (LLMs) can be manipulated to generate functional ransomware components by bypassing standard safety filters through various prompting techniques. While often safer for data privacy, local models are sometimes more vulnerable to “sabotage” because they may lack the rigorous safety training and monitoring found in cloud-based frontier models.

Video Review: Crafting Ransomware with Local LLMs

Research and demonstrations, such as the It’s possible to craft ransomware with a local LLM video, show that attackers don’t need elite coding skills; they can simply “chat” with a local LLM to generate malicious scripts. Key findings from recent security research include:

PromptLock PoC: A proof-of-concept ransomware that uses local LLMs (like those hosted via Ollama) to dynamically generate and execute malicious Lua scripts across Windows, Linux, and macOS.
Polymorphic Nature: Because the LLM can regenerate the code in real-time, it creates variants that are harder for traditional, signature-based antivirus software to detect.
Operational Acceleration: While LLMs may not launch fully autonomous campaigns yet, they act as an “accelerator” for human operators by speeding up reconnaissance and lowering the technical barrier for entry.

Comparisons of Ransomware Capabilities in Local LLMs

Capability	Local LLM Impact	Risk Level	Description
Code Generation	High	🔴	Generates scripts for file enumeration, encryption, and exfiltration.
Evasion	Medium	🟡	Can suggest techniques like “random delays” to avoid detection, though implementation varies.
Polymorphism	High	🔴	Produces varying code structures for the same malicious task, complicating detection.
Targeting	Medium	🟡	Used to draft localized ransom notes and identify lucrative targets from data dumps.
Safety Bypass	High	🔴	Weaker alignment in local models makes them easier to “jailbreak” with obfuscated text.

10 Examples of LLM-Assisted Ransomware Activities

Dynamic Scripting: Generating real-time Lua or PowerShell scripts for file encryption based on the detected OS.
Targeted Phishing: Drafting highly convincing, localized phishing emails to gain initial access.
Automated Negotiations: Deploying tone-controlled, multilingual “negotiation agents” to pressure victims.
Security Hole Exploitation: Using Prompt Injection to induce an AI agent to lock files or steal data.
Payload Distribution: Using AI-augmented tools like “SpamGPT” to distribute ransomware payloads at scale.
Signature Evasion: Modifying existing malware source code to create new variants that bypass antivirus engines.
Data Exfiltration: Prompting the model to find and exfiltrate sensitive records like credentials or PII.
Reconnaissance: Speeding up the identification of vulnerable network components or misconfigured databases.
Vulnerability Scanning: Using LLMs to scan sites or code for exploitable security flaws.
Infrastructure Automation: Integrating LLMs into RaaS (Ransomware-as-a-Service) panels to automate victim pressure tactics.

Note: We do use YouTube Video’s under the “Fair Use” Act under the Copyright Law:

“Fair use is a doctrine in the United States copyright law codified in Section 107 of the Copyright Act of 1976.¹ It provides for the legal, non-licensed citation or incorporation of copyrighted material in another author’s work without requiring permission from the rights holders, such as for commentary, criticism, news reporting, research, teaching or scholarship.⁰¹ The U.S. Copyright Office Fair Use Index should prove helpful in understanding what courts have to date considered to be fair or not fair but it is not a substitute for legal advice.²“