attack 2025

Ransomware 3.0: Self-Composing and LLM-Orchestrated

Md Raz, Meet Udeshi, P.V. Sai Charan, Prashanth Krishnamurthy, Farshad Khorrami, Ramesh Karri

Published on arXiv: 2508.20444

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Open-source LLMs can generate functional ransomware components and sustain closed-loop autonomous execution across personal, enterprise, and embedded environments without human involvement

Ransomware 3.0

Novel technique introduced


Using automated reasoning, code synthesis, and contextual decision-making, we introduce a new threat that exploits large language models (LLMs) to autonomously plan, adapt, and execute the ransomware attack lifecycle. Ransomware 3.0 represents the first threat model and research prototype of LLM-orchestrated ransomware. Unlike conventional malware, the prototype only requires natural language prompts embedded in the binary; malicious code is synthesized dynamically by the LLM at runtime, yielding polymorphic variants that adapt to the execution environment. The system performs reconnaissance, payload generation, and personalized extortion, in a closed-loop attack campaign without human involvement. We evaluate this threat across personal, enterprise, and embedded environments using a phase-centric methodology that measures quantitative fidelity and qualitative coherence in each attack phase. We show that open source LLMs can generate functional ransomware components and sustain closed-loop execution across diverse environments. Finally, we present behavioral signals and multi-level telemetry of Ransomware 3.0 through a case study to motivate future development of better defenses and policy enforcements to address novel AI-enabled ransomware attacks.


Key Contributions

  • First threat model and research prototype of LLM-orchestrated ransomware (Ransomware 3.0) that synthesizes polymorphic malicious code dynamically at runtime from natural language prompts
  • Evaluation framework measuring quantitative fidelity and qualitative coherence across personal, enterprise, and embedded environments using a phase-centric methodology
  • Behavioral signals and multi-level telemetry characterizing Ransomware 3.0 to motivate development of defenses and policy enforcement against AI-enabled ransomware

Details

Domains: nlp
Model Types: llm
Threat Tags: black_box, inference_time
Applications: ransomware, autonomous malware, llm-orchestrated attack systems