Malware · Advanced 18 min read

Ransomware Unleashed: From WormGPT Recon to Encryption

May 10, 2026

ransomware WormGPT LLM reconnaissance C2 lateral movement exfiltration

Disclaimer: This simulation is for educational and defensive purposes only. Never use these techniques against systems you don't own or have explicit permission to test.

Overview

Generative AI has lowered the barrier to entry for cybercrime. WormGPT, an uncensored LLM sold on criminal forums and tuned for malicious use, lets attackers automate reconnaissance, generate convincing phishing lures, and draft custom malware payloads without the writing or coding skill that used to be required.

This simulation demonstrates a ransomware attack accelerated by WormGPT, from initial access through to full domain encryption.

Important: This content is for defensive education. Understanding how AI accelerates attacks is essential to building effective defences against them.


Phase 1: AI-Assisted Reconnaissance (Minutes, Not Days)

Manual reconnaissance against an organisation typically takes days or weeks. With WormGPT generating search queries, lures and exploit suggestions on demand, the attacker in this simulation completes the same work in under an hour.

Automated Target Profiling

The attacker provides WormGPT with the target domain name and a few known employee names. The model:

  1. Generates precise Google dork queries to find exposed documents, login portals, and configuration files
  2. Crafts personalised spear-phishing templates using publicly available employee information
  3. Suggests bypass techniques for common email security gateways (Mimecast, Proofpoint, Defender)

Example WormGPT interaction:

User: "Generate a Google dork to find exposed .env files on target.com"

WormGPT:
site:target.com ext:env OR ext:cfg
site:target.com intitle:"index of" ".env"
site:target.com inurl:wp-config
site:target.com "DB_PASSWORD" filetype:env

Automated Vulnerability Discovery

WormGPT cross-references the product versions identified during OSINT against NVD entries and proposes an action for each. LLM CVE mappings are frequently wrong (the model will confidently pair a CVE with the wrong product or exploit family), so the attacker still validates each suggestion against NVD and the vendor advisory before acting on it:

Technology identified     Associated CVE    WormGPT action
Exchange 2019 CU12        CVE-2024-21410    Generates an exploitation script for this NTLM credential-relay elevation of privilege (this is not ProxyShell, which is CVE-2021-34473/34523/31207)
Fortinet FortiGate 7.0    CVE-2023-27997    Suggests a known exploit module for the SSL-VPN heap overflow
SharePoint 2019           CVE-2023-24955    Writes a custom web shell dropper

Phase 2: AI-Generated Phishing Lures

With reconnaissance complete, WormGPT generates hyper-personalised phishing emails.

The Bait: "Q4 Bonus Confirmation"

The attacker instructs WormGPT to generate an email from the CFO to the finance team, referencing real projects and names discovered during OSINT.

WormGPT output:

Subject: ✅ Q4 Bonus Structure — Confirmation Required

Hi {first_name},

Following up on James's announcement at the all-hands meeting last
Friday, attached is the Q4 bonus breakdown for your team.

Due to the sensitivity of this data, the document is password-protected.
Your temporary access password is: B4nusQ4!

Please review and confirm receipt by end of week.

Best,
Marcus Williams
Chief Financial Officer

The attachment is a macro-enabled Excel document (Q4_Bonus_Structure.xlsm). The macros are generated by WormGPT to:

  1. Download the Cobalt Strike beacon from a staging server
  2. Establish persistence via scheduled task creation
  3. Clean up macro artefacts to evade detection

Why WormGPT-Generated Lures Are Effective

  • Perfect grammar and formatting (no typical phishing tells)
  • Contextual accuracy (references real projects, events, and names)
  • A/B testing capability (generate 50 variants, test which gets the highest open rate)
  • Rapid iteration (update lures within seconds based on failure feedback)

Phase 3: Initial Access & C2 Establishment

The finance team member opens the document and enables macros. Within seconds:

  1. Beacon downloads — Cobalt Strike HTTPS beacon from cdn-update-target.com
  2. C2 communication — Beacon phones home to attacker infrastructure over HTTPS, masquerading as Microsoft Office 365 telemetry
  3. Persistence — Scheduled task created: MicrosoftEdgeUpdateTask running every 15 minutes
  4. Defence evasion — Where PowerShell execution is blocked via GPO, WormGPT generates a cscript alternative that runs the same payload as JScript (cscript //E:jscript payload.js), which most PowerShell-only constraints do not cover

C2 Traffic Profile

Process:    svchost.exe (Task Scheduler service) -> rundll32.exe -> powershell.exe
Network:    HTTPS to 198.51.100.45:443 (masquerades as Office 365 telemetry)
DNS:        api-telemetry-target.com (CNAME to attacker C2)
Beacon:     60-second sleep, jitter ±30%, HTTP/1.1 with custom headers
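The beacon profile above (60-second sleep with ±30% jitter) is detectable from timing alone. The following detector is an added example, not code from the original simulation: it parses a constructed proxy log in an assumed "time src dst:port host" format (the IPs, hostnames and timestamps are invented for this page), groups requests by source and destination, and flags pairs whose inter-request gaps cluster tightly around one sleep value. Jitter defeats a naive "exactly every 60 seconds" rule, so the check compares the spread of the gaps to their mean instead of requiring a fixed period.

```python
"""Beacon-timing detector: an added example, not code from the original
simulation. Assumes a constructed proxy log format
'<ISO-8601 UTC time> <src IP> <dst IP:port> <SNI/host>' and the C2 profile
above (60 s sleep, +/-30 % jitter). Real proxy logs need their own parser."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, median, pstdev

# Constructed sample log: 10.0.5.23 beacons to the C2 host with a 60 s sleep
# and jitter; 10.0.5.40 browses a normal site in bursts. Both make 9+ requests,
# so request volume alone does not separate them.
SAMPLE_LOG = """\
2026-05-09T03:00:00Z 10.0.5.23 198.51.100.45:443 api-telemetry-target.com
2026-05-09T03:00:58Z 10.0.5.23 198.51.100.45:443 api-telemetry-target.com
2026-05-09T03:02:10Z 10.0.5.23 198.51.100.45:443 api-telemetry-target.com
2026-05-09T03:02:58Z 10.0.5.23 198.51.100.45:443 api-telemetry-target.com
2026-05-09T03:04:10Z 10.0.5.23 198.51.100.45:443 api-telemetry-target.com
2026-05-09T03:05:10Z 10.0.5.23 198.51.100.45:443 api-telemetry-target.com
2026-05-09T03:06:12Z 10.0.5.23 198.51.100.45:443 api-telemetry-target.com
2026-05-09T03:07:00Z 10.0.5.23 198.51.100.45:443 api-telemetry-target.com
2026-05-09T03:08:00Z 10.0.5.23 198.51.100.45:443 api-telemetry-target.com
2026-05-09T03:09:12Z 10.0.5.23 198.51.100.45:443 api-telemetry-target.com
2026-05-09T03:00:05Z 10.0.5.40 203.0.113.10:443 www.example.com
2026-05-09T03:00:08Z 10.0.5.40 203.0.113.10:443 www.example.com
2026-05-09T03:00:09Z 10.0.5.40 203.0.113.10:443 www.example.com
2026-05-09T03:02:05Z 10.0.5.40 203.0.113.10:443 www.example.com
2026-05-09T03:02:06Z 10.0.5.40 203.0.113.10:443 www.example.com
2026-05-09T03:15:05Z 10.0.5.40 203.0.113.10:443 www.example.com
2026-05-09T03:15:06Z 10.0.5.40 203.0.113.10:443 www.example.com
2026-05-09T03:15:07Z 10.0.5.40 203.0.113.10:443 www.example.com
2026-05-09T03:40:00Z 10.0.5.40 203.0.113.10:443 www.example.com
"""


def parse_log(text):
    """Group request timestamps (epoch seconds) by (src, dst) pair."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _host = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_pair[(src, dst)].append(when.timestamp())
    return by_pair


def timing_stats(times):
    """Inter-request gap statistics for one (src, dst) pair.

    A sleep-with-jitter beacon produces gaps clustered around the sleep value:
    the coefficient of variation (stdev / mean) stays small and nearly every
    gap falls inside the jitter band around the median. Human-driven traffic
    is bursty, with gaps spanning orders of magnitude.
    """
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        raise ValueError("need at least three requests to judge timing")
    avg, med = mean(gaps), median(gaps)
    cv = pstdev(gaps) / avg if avg else float("inf")
    # Band of +/-30 % around the median mirrors the jitter in the profile above.
    in_band = sum(0.7 * med <= g <= 1.3 * med for g in gaps) / len(gaps)
    return {"requests": len(times), "mean_gap": avg, "cv": cv, "in_band": in_band}


def find_beacons(text, min_requests=8, max_cv=0.3, min_in_band=0.9):
    """Return {(src, dst): stats} for pairs whose timing looks like a beacon."""
    hits = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        stats = timing_stats(times)
        if stats["cv"] <= max_cv and stats["in_band"] >= min_in_band:
            hits[pair] = stats
    return hits


if __name__ == "__main__":
    for (src, dst), s in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {s['requests']} requests, mean gap "
              f"{s['mean_gap']:.1f}s, cv {s['cv']:.2f}, in-band {s['in_band']:.0%}")
```

The thresholds (eight requests, coefficient of variation 0.3, 90% of gaps inside the jitter band) are assumptions to tune against your own traffic; a beacon with a long sleep needs a correspondingly longer observation window, and the same statistics apply to DNS query timing for the CNAME lookups listed above.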

Phase 4: Lateral Movement via AI

Once the beacon reports back, the attacker uses WormGPT to accelerate lateral movement.

Credential Dumping

WormGPT generates a custom Mimikatz command sequence targeting LSASS, with modifications to evade Defender:

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::ekeys
mimikatz # vault::cred
mimikatz # token::elevate
mimikatz # lsadump::sam

WormGPT also suggests event log clearing commands specific to the target's Windows version, and generates a batch file to disable Windows Defender real-time monitoring.

Pivoting

With domain admin credentials obtained, the attacker:

  1. Deploys ransomware via GPO — a malicious Group Policy Object pushes the ransomware to all domain-joined machines
  2. Uses PSExec — WormGPT generates the exact psexec command with domain admin credentials to deploy the encryptor to critical servers
  3. Disables backups — wbadmin delete catalog -quiet targeted at backup servers
  4. Kills shadow copies — vssadmin delete shadows /all /quiet

Phase 5: Encryption & Ransom Note

At 3:00 AM on a Saturday, the ransomware executes across the domain.

Encryption Behaviour

  • AES-256 encrypts each file with a unique key
  • RSA-4096 (the attacker's public key) encrypts each AES key, so recovery requires the attacker's private key
  • Files encrypted: .docx, .xlsx, .pdf, .dwg, .pst, .sql, .bak, .vhd, .vhdx
  • SMB shares are mounted and encrypted
  • Network drives are targeted

Ransom Note

Each encrypted directory contains README_TO_RESTORE.html:

═══════════════════════════════════════════
YOUR FILES HAVE BEEN ENCRYPTED
═══════════════════════════════════════════

All your documents, databases, and backups have been encrypted
with AES-256. Your Shadow Copies have been deleted.

To restore your data, contact us on the Tor network:
http://xyzxyzxyz.onion/contact

Your unique ID: TARGET-7F3A-42B1

Do not attempt to decrypt files yourself.
Do not contact law enforcement.
Do not shut down affected systems.
═══════════════════════════════════════════

Detection & Prevention

Indicators of Compromise (IoCs)

  • svchost.exe (Task Scheduler) spawning rundll32.exe, powershell.exe or cscript.exe with a payload loaded from a user-writable path such as C:\ProgramData
  • DNS queries to recently registered domains mimicking Microsoft services
  • SMB traffic to internal IPs from non-admin workstations after hours
  • vssadmin delete shadows and wbadmin delete catalog execution, especially on many hosts in a short window
  • GPO modification by non-IT accounts
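The persistence task in Phase 3, the LSASS access and backup tampering in Phase 4, and the indicators listed above can be written as host-level rules. The following is an added example, not code from the original simulation: rules over constructed Sysmon-shaped events (process creation, EventID 1, and process access, EventID 10) that flag those behaviours while leaving two benign look-alikes unflagged. File paths, task names and the Defender allowlist prefix are invented or assumed for this page; the 0x1010 access mask and the VM_READ right are the values Mimikatz-style dumping needs.

```python
"""Host-event detection rules: an added example, not code from the original
simulation. Events are constructed in a Sysmon-like shape (EventID 1 = process
creation, EventID 10 = process access); field names follow Sysmon, values are
invented for this page."""
import re

# Constructed events. Indices 0-4 reproduce steps from Phases 3 and 4;
# 5 and 6 are benign look-alikes that the rules must not flag.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\ProgramData\\EdgeUpdate\\update.dll,Start"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /tn MicrosoftEdgeUpdateTask /sc minute /mo 15 '
                    '/tr "cscript //e:jscript C:\\ProgramData\\EdgeUpdate\\u.js"'},
    {"EventID": 10, "SourceImage": "C:\\Users\\j.smith\\AppData\\Local\\Temp\\mk.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10,  # benign: Defender scanning LSASS with the same mask
     "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",  # benign daily task
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /tn NightlyBackup /sc daily /st 02:00 '
                    '/tr "C:\\Program Files\\Backup\\run.exe"'},
]

PROCESS_VM_READ = 0x0010  # the access right LSASS memory dumping requires
# Allowlisting by path prefix is a starting point only (assumed path); a real
# deployment keys on signer or hash because attackers drop binaries under
# trusted-looking paths.
LSASS_READERS_ALLOWED = ("c:\\programdata\\microsoft\\windows defender\\",)
SCRIPT_HOSTS = {"rundll32.exe", "powershell.exe", "cscript.exe", "wscript.exe"}
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\temp\\")


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_lsass_memory_read(ev):
    """EventID 10: a non-allowlisted process opened lsass.exe with VM_READ."""
    if ev.get("EventID") != 10 or image_name(ev["TargetImage"]) != "lsass.exe":
        return False
    if (int(ev["GrantedAccess"], 16) & PROCESS_VM_READ) == 0:
        return False
    return not ev["SourceImage"].lower().startswith(LSASS_READERS_ALLOWED)


def rule_svchost_spawns_script_host(ev):
    """EventID 1: Task Scheduler (svchost) launches a script/DLL host whose
    command line points at a user-writable path, as the persistence task does.
    Plain svchost -> rundll32 is routine, hence the path condition."""
    if ev.get("EventID") != 1 or image_name(ev.get("ParentImage", "")) != "svchost.exe":
        return False
    if image_name(ev["Image"]) not in SCRIPT_HOSTS:
        return False
    return any(p in ev["CommandLine"].lower() for p in USER_WRITABLE)


def cmdline_rule(pattern):
    """Build an EventID 1 rule that matches a command-line regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda ev: ev.get("EventID") == 1 and bool(rx.search(ev.get("CommandLine", "")))


RULES = [
    ("lsass_memory_read", rule_lsass_memory_read),
    ("svchost_spawns_script_host", rule_svchost_spawns_script_host),
    ("shadow_copy_deletion", cmdline_rule(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("backup_catalog_deletion", cmdline_rule(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("minute_interval_scheduled_task",
     cmdline_rule(r"\bschtasks(\.exe)?\s+/create\b.*\s/sc\s+minute\b")),
    ("cscript_jscript_engine", cmdline_rule(r"\bcscript(\.exe)?\s+//e:jscript\b")),
]


def evaluate(events):
    """Return [(rule_name, event_index)] for every rule each event trips."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, i in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"[{name}] event {i}: {ev.get('CommandLine') or ev['SourceImage']}")
```

Event 3 trips two rules at once (a minute-interval task whose action is a JScript payload), which is the kind of correlation worth alerting on at higher severity than either rule alone; the Defender process in event 5 is only tolerated because of the allowlist, so that allowlist is exactly where an attacker who can write to C:\ProgramData would try to hide.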

Defensive Measures

Control                                Why it matters
Application allowlisting               Blocks unapproved executables, including the encryptor and the dropped beacon DLL
Network segmentation                   Limits the lateral-movement blast radius and keeps workstations from reaching backup servers over SMB
Privileged Access Workstations (PAW)   Keeps domain admin credentials off the workstations where phishing lands, so an LSASS dump there yields nothing usable
Behavioural detection (EDR)            Catches anomalous process chains, LSASS access and lateral movement
Offline, immutable backups             Cannot be reached by wbadmin delete catalog or encrypted with stolen domain admin credentials
ML-based email security                Flags sender, infrastructure and behavioural anomalies (newly registered look-alike domains, display-name spoofing, password-protected attachments the gateway cannot scan); writing quality is no longer a usable signal

Key Takeaways

  • AI accelerates every phase of the attack lifecycle — what took days now takes hours
  • AI-generated lures are significantly harder to detect — the traditional phishing tells (poor grammar, generic content) are no longer reliable signals
  • Defenders must also adopt AI — AI-powered detection and response is necessary to keep pace
  • Recovery planning is critical — offline, immutable backups are the only reliable last line of defence
  • User awareness must evolve — training must cover AI-generated phishing and deepfake audio/video lures

"The adversary has a co-pilot. So must the defender." — Modern security axiom