Cryptomining botnets have been a persistent threat since 2019, but recent analysis by the FortiCNAPP team, part of FortiGuard Labs, has uncovered a concerning development. The team has identified a connection between the H2miner botnet and a new variant of ransomware called Lcrypt0rx.
The investigation began with a cluster of virtual private servers (VPS) used for mining Monero, a popular cryptocurrency. Samples associated with previous H2miner campaigns were discovered, indicating that the botnet has been updated with new configurations. A new variant of the Lcryx ransomware, now known as Lcrypt0rx, was also identified. Lcryx is a VBScript-based ransomware strain first seen in November 2024.
While Lcrypt0rx may not be as sophisticated as other ransomware families, it introduces unique techniques for degrading system usability, interfering with user interfaces, and embedding redundant scripts. It even includes commercially available hack tools and infostealers, expanding its functionality beyond simple encryption.
What sets Lcrypt0rx apart is its apparent use of AI-generated code. The FortiCNAPP team observed flaws in the ransomware script that suggest automated code generation without optimization. Illogical behaviors, such as repeated functions and flawed encryption logic, point to the possibility that Lcrypt0rx was created using artificial intelligence.
One glaring error in the ransomware is the attempt to open encrypted files in Notepad, a nonsensical action that serves no practical purpose. Even the ransom note URL contains errors, with the .onion address not conforming to valid Tor specifications. Antivirus disabling functionality is also ineffective, indicating that the methods to disable certain antivirus products are likely the result of AI hallucinations.
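The malformed .onion address is the kind of artifact an analyst can check mechanically during triage. The following is an added example, not code from the FortiGuard report or from the Lcrypt0rx sample: it extracts candidate .onion hostnames from ransom-note text and validates them against the v3 onion-service address format (56 base32 characters encoding a 32-byte public key, a 2-byte SHA3-256 checksum and a version byte of 0x03), flagging deprecated v2 addresses and anything else as malformed. The ransom-note text and the 32-byte key used to build a known-good address are constructed for the example.

```python
import base64
import hashlib
import re

# v3 onion-service address layout: base32(PUBKEY[32] | CHECKSUM[2] | VERSION[1]) + ".onion"
# CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2], VERSION = 0x03
_V3_VERSION = b"\x03"
_V3_PATTERN = re.compile(r"[a-z2-7]{56}\.onion")
_V2_PATTERN = re.compile(r"[a-z2-7]{16}\.onion")
_CANDIDATE_PATTERN = re.compile(r"([a-z0-9]+)\.onion", re.IGNORECASE)


def _v3_checksum(pubkey: bytes) -> bytes:
    """Compute the 2-byte checksum defined by the v3 onion address spec."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + _V3_VERSION).digest()[:2]


def build_onion_v3(pubkey: bytes) -> str:
    """Build a well-formed v3 address from a 32-byte public key (used here only to
    construct a known-good test address; no real service is involved)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + _V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(host: str) -> bool:
    """Return True only if host is a v3 address with a correct checksum and version."""
    host = host.strip().lower()
    if not _V3_PATTERN.fullmatch(host):
        return False
    # 56 base32 chars decode to exactly 35 bytes, so no padding is needed
    raw = base64.b32decode(host[:-len(".onion")].upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    return version == _V3_VERSION and checksum == _v3_checksum(pubkey)


def classify_onion(host: str) -> str:
    """Classify a hostname as v3-valid, v3-bad-checksum, v2-deprecated or malformed."""
    host = host.strip().lower()
    if _V3_PATTERN.fullmatch(host):
        return "v3-valid" if is_valid_onion_v3(host) else "v3-bad-checksum"
    if _V2_PATTERN.fullmatch(host):
        # v2 addresses were removed from the Tor network in 2021; they cannot resolve
        return "v2-deprecated"
    return "malformed"


def check_ransom_note_urls(note: str) -> dict:
    """Extract every *.onion hostname in a ransom note and classify each one."""
    hosts = {m.group(0).lower() for m in _CANDIDATE_PATTERN.finditer(note)}
    return {host: classify_onion(host) for host in sorted(hosts)}


if __name__ == "__main__":
    # Constructed sample: a deliberately non-random key for a reproducible good address
    good = build_onion_v3(bytes(range(32)))
    # Constructed ransom-note text with one well-formed and two broken addresses
    note = (
        "Your files are encrypted. Pay at http://" + good + "/pay\n"
        "Backup portal: http://payhere1.onion/\n"
        "Support: http://abcdefghijklmnop.onion/chat\n"
    )
    for host, verdict in check_ransom_note_urls(note).items():
        print(f"{verdict:16} {host}")
```

A ransom note whose only contact address fails this check cannot be reached by victims at all, which is a useful data point when judging whether a sample is a working extortion tool or, as FortiGuard concluded here, unoptimized generated code.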
The connection between H2miner and Lcrypt0rx raises questions about potential collaboration between the operators. It is unclear whether the operators of H2miner developed Lcrypt0rx to increase profits or if they are simply reusing the ransomware to conduct mining operations while shifting blame. Regardless, the trend of commodification in cybercrime is evident, with prebuilt tools, AI-generated code, and cheap infrastructure lowering the barrier to entry for even low-skill actors to launch high-impact campaigns.
As cyber threats continue to evolve, it is crucial for cybersecurity professionals to stay vigilant and adapt to new challenges. By understanding the tactics and techniques used by threat actors, organizations can better defend against cryptomining botnets and ransomware attacks.