AI Security Wire

GhostCircuit: The Ransomware Group Automating Victim Reconnaissance with AI

Overview

GhostCircuit is a ransomware-as-a-service (RaaS) operation first identified in October 2025. The group distinguishes itself from contemporaries through the systematic integration of LLM-based tooling into its post-compromise operational pipeline — specifically the reconnaissance and lateral movement phases that follow initial access. Intelligence from incident responders suggests this tooling has cut the group’s median time-to-ransomware-deployment from several days to under 18 hours in well-monitored cases.

| Attribute | Detail |
| --- | --- |
| Motivation | Financial — ransomware encryption + data extortion |
| First observed | October 2025 |
| Targeting | Mid-market enterprises across all sectors; healthcare and legal firms preferred |
| Average ransom demand | $1.2M–$4.5M USD |
| Geography | US, UK, Australia, Canada |
| Notable TTPs | AI-assisted internal network reconnaissance, automated Active Directory enumeration |
| Affiliate model | RaaS — recruits initial access brokers and penetration testers |

AI-Assisted Reconnaissance: How It Works

Post-compromise, traditional ransomware operators spend significant time manually enumerating the internal network: identifying domain controllers, locating file servers and backup systems, mapping trust relationships, and identifying high-value targets for data exfiltration before encryption. This process is time-consuming and requires skilled operators.

GhostCircuit’s tooling — internally named PRISM based on strings recovered from captured samples — automates this process using a locally-hosted LLM (believed to be a fine-tuned 7B–13B parameter model) running on attacker infrastructure, with the compromised environment’s data piped to it via an implant.

PRISM Workflow

Stage 1 — Bulk data collection: The implant gathers:

  • Active Directory LDAP dump (users, groups, computers, OUs)
  • Network configuration (subnets, DNS records, DHCP leases)
  • File share enumeration
  • Installed software inventory
  • Backup configuration files

Stage 2 — LLM-based analysis: The collected data is fed to the PRISM model, which produces a structured attack plan including:

  • Identified domain controllers and their roles
  • File server locations and estimated data volumes
  • Backup system identification (and recommended destruction order)
  • High-privilege accounts to target for credential theft
  • Recommended lateral movement path to achieve domain admin
  • Prioritised list of data to exfiltrate before encryption (based on file path and name heuristics suggesting financial, legal, or customer data)

Stage 3 — Operator review and execution: The output is a human-readable briefing document that a relatively unskilled affiliate can follow to execute the attack. GhostCircuit effectively lowers the skill floor for its affiliates by offloading the analysis and planning work to the AI tooling.

Observed TTPs

Initial Access

GhostCircuit primarily purchases initial access from initial access brokers (IABs) operating on darknet forums. Observed access vectors in confirmed incidents:

  • VPN appliance vulnerabilities (Ivanti, Fortinet, Citrix)
  • Compromised remote desktop credentials (acquired via credential stuffing or phishing)
  • Exploitation of unpatched edge devices

Post-Compromise Behaviour

The PRISM-generated plan is executed using a combination of living-off-the-land binaries and custom tooling:

  • Credential theft — Mimikatz variants, NTDS.dit extraction via VSS manipulation
  • Lateral movement — PsExec, WMI, and SMB lateral movement using harvested credentials
  • Backup destruction — VSS deletion, Veeam configuration tampering, network-attached backup targeting
  • Data exfiltration — Rclone configured to upload to attacker-controlled cloud storage; the PRISM-identified file paths are passed directly as exfiltration targets

Ransomware Deployment

GhostCircuit deploys a custom ransomware payload with the following characteristics:

  • Intermittent encryption (encrypts portions of files to maximise speed)
  • Ransomware note personalised with victim organisation name and specific stolen data samples as proof
  • Onion-hosted negotiation portal with a 72-hour initial deadline

Detection Opportunities

The AI-assisted reconnaissance phase, while fast, is not silent. Indicators that PRISM-style tooling has been deployed:

| Indicator | Notes |
| --- | --- |
| Mass LDAP enumeration | Large-volume LDAP queries from a compromised workstation; not typical user behaviour |
| Bulk file metadata collection | Rapid enumeration of file share directory listings without reading file contents |
| Outbound data transfer to cloud storage | Rclone or similar tool exfiltrating to Mega, S3, or similar |
| VSS deletion commands | vssadmin delete shadows /all or PowerShell equivalent |
| Mimikatz process execution | Process name, hash, or in-memory signatures |
| Unusual NTDS.dit access | Volume shadow copy creation followed by NTDS.dit file access |

The PRISM collection phase — mass LDAP enumeration and file share enumeration — is the earliest detectable stage and represents the best opportunity for detection and response before ransomware deployment.
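
The two collection-phase indicators can be checked together per source host. The following is an added example, not code from the article or from any vendor: the record shape (time, host, kind, count), the 10-minute window, the listing/read ratio and the host names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LDAP_THRESHOLD = 10_000           # the article's "10,000+ LDAP lookups"
WINDOW = timedelta(minutes=10)    # assumption: the article only says "a short window"
LIST_MIN, MAX_READ_RATIO = 500, 0.02  # assumptions for "listing without reading"

def find_recon_hosts(events, threshold=LDAP_THRESHOLD, window=WINDOW):
    """events: (iso_time, source_host, kind, count) tuples, where kind is
    'ldap_query', 'share_list' or 'file_read'. Returns {host: set(findings)}."""
    in_window = defaultdict(deque)   # host -> (time, count) records inside the window
    ldap_sum = defaultdict(int)      # host -> LDAP queries inside the window
    lists, reads = defaultdict(int), defaultdict(int)
    findings = defaultdict(set)
    for raw_ts, host, kind, count in sorted(events):
        ts = datetime.fromisoformat(raw_ts)
        if kind == "ldap_query":
            q = in_window[host]
            q.append((ts, count))
            ldap_sum[host] += count
            while ts - q[0][0] > window:      # expire records older than the window
                ldap_sum[host] -= q.popleft()[1]
            if ldap_sum[host] >= threshold:
                findings[host].add("mass_ldap_enumeration")
        elif kind == "share_list":
            lists[host] += count
        elif kind == "file_read":
            reads[host] += count
    for host, listed in lists.items():
        # Many directory listings but almost no file opens: metadata harvesting.
        if listed >= LIST_MIN and reads[host] <= listed * MAX_READ_RATIO:
            findings[host].add("bulk_share_listing_without_reads")
    return dict(findings)

# Constructed sample data (not from a real incident): per-record event counts.
SAMPLE_EVENTS = (
    [(f"2025-11-03T02:0{m}:00", "WS-042", "ldap_query", 2000) for m in range(6)]
    + [(f"2025-11-03T0{h}:00:00", "APP-01", "ldap_query", 2000) for h in range(1, 7)]
    + [("2025-11-03T02:06:00", "WS-042", "share_list", 800),
       ("2025-11-03T02:06:30", "WS-042", "file_read", 3),
       ("2025-11-03T09:00:00", "WS-007", "share_list", 600),
       ("2025-11-03T09:05:00", "WS-007", "file_read", 400)]
)

if __name__ == "__main__":
    for host, found in find_recon_hosts(SAMPLE_EVENTS).items():
        print(host, sorted(found))
```

APP-01 issues the same total number of LDAP queries as WS-042 but spread over hours, so the sliding window does not flag it; WS-007 lists many directories but also reads files, so it is not flagged either.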

Incident Response Notes

Confirmed GhostCircuit incidents have the following consistent characteristics that aid attribution:

  • The ransomware note always includes a phrase beginning “Your network has been carefully selected…”
  • Data is exfiltrated to a consistent set of cloud storage providers (Mega.nz and Backblaze B2 have been observed)
  • The negotiation portal uses a custom chat interface with a specific CSS fingerprint
  • Backup destruction precedes encryption by approximately 2–4 hours in all confirmed cases

Recommendations

  1. Detect AD enumeration — deploy detections for mass LDAP queries from endpoints. A workstation performing 10,000+ LDAP lookups in a short window is almost certainly compromised.
  2. Protect backup infrastructure — isolate backup systems from the corporate network; require MFA for any backup configuration changes; test restores regularly.
  3. Implement egress filtering — block or closely monitor outbound connections to cloud storage services (Mega, B2, Rclone endpoints) from servers.
  4. Canary files — place high-fidelity canary files in locations that PRISM-style tooling would enumerate (top-level shares, “Finance”, “Legal” folders); access to these files should trigger immediate alerts.
  5. Privileged access workstations — ensure domain admin credentials are only usable from dedicated jump hosts; this limits the lateral movement paths available even if credentials are compromised.