Published
- 4 min read
By Allan D - Editor, AI Security Wire
GhostCircuit: The Ransomware Group Automating Victim Reconnaissance with AI
Eighteen hours from initial access to ransomware deployment. That’s the number that should concern you.
GhostCircuit first appeared in October 2025 and quickly distinguished itself from other ransomware-as-a-service operations in one specific way: it integrated LLM-based tooling into the post-compromise phase that normally slows attackers down. The part that requires a skilled operator to sit in your network, manually mapping domain controllers, locating backup systems, identifying where the crown jewels live. GhostCircuit automated that.
| Attribute | Detail |
|---|---|
| Motivation | Financial: ransomware encryption + data extortion |
| First observed | October 2025 |
| Targeting | Mid-market enterprises across all sectors; healthcare and legal firms preferred |
| Average ransom demand | Estimated $1.2M–$4.5M USD (per incident response industry reports) |
| Geography | US, UK, Australia, Canada |
| Notable TTPs | AI-assisted internal network reconnaissance, automated Active Directory enumeration |
| Affiliate model | RaaS: recruits initial access brokers and penetration testers |
PRISM: The AI Reconnaissance Engine
The tooling (internally named PRISM based on strings recovered from captured samples) is a locally-hosted LLM, believed to be a fine-tuned 7B–13B parameter model running on attacker infrastructure. The compromised environment’s data is piped to it via an implant.
What it does is straightforward. What it changes is the skill floor.
Stage 1: Bulk data collection: The implant gathers:
- Active Directory LDAP dump (users, groups, computers, OUs)
- Network configuration (subnets, DNS records, DHCP leases)
- File share enumeration
- Installed software inventory
- Backup configuration files
Stage 2: LLM-based analysis: That data goes to PRISM, which produces a structured attack plan. It identifies domain controllers and their roles. It flags file server locations and estimated data volumes. It recommends a backup destruction order and maps out the path to domain admin. The prioritised exfiltration list draws on file path and name heuristics: anything that looks like financial, legal, or customer data goes to the top.
Stage 3: Operator review and execution: The output is a human-readable briefing document. A relatively unskilled affiliate can follow it without needing to understand what they’re doing. This is the point. GhostCircuit doesn’t need to recruit skilled operators: it just needs people who can follow instructions.
Observed TTPs
Initial Access
GhostCircuit primarily buys initial access from brokers on darknet forums rather than conducting its own intrusion operations. Observed access vectors in confirmed incidents:
- VPN appliance vulnerabilities (Ivanti, Fortinet, Citrix)
- Compromised remote desktop credentials acquired via credential stuffing or phishing
- Exploitation of unpatched edge devices
Post-Compromise Behaviour
The PRISM-generated plan is executed using a combination of living-off-the-land binaries and custom tooling:
- Credential theft: Mimikatz variants, NTDS.dit extraction via VSS manipulation
- Lateral movement: PsExec, WMI, and SMB lateral movement using harvested credentials
- Backup destruction: VSS deletion, Veeam configuration tampering, network-attached backup targeting
- Data exfiltration: Rclone configured to upload to attacker-controlled cloud storage; PRISM-identified file paths are passed directly as exfiltration targets
Ransomware Deployment
GhostCircuit deploys a custom ransomware payload using intermittent encryption: it encrypts portions of files to maximise speed rather than completeness. The ransom note is personalised with the victim organisation name and includes specific stolen data samples as proof. Negotiation happens on an onion-hosted portal with a 72-hour initial deadline.
Detection Opportunities
The AI-assisted reconnaissance phase, while fast, is not silent. The implant still has to touch your network.
| Indicator | Notes |
|---|---|
| Mass LDAP enumeration | Large-volume LDAP queries from a compromised workstation; not typical user behaviour |
| Bulk file metadata collection | Rapid enumeration of file share directory listings without reading file contents |
| Outbound data transfer to cloud storage | Rclone or similar tool exfiltrating to Mega, S3, or similar |
| VSS deletion commands | vssadmin delete shadows /all or PowerShell equivalent |
| Mimikatz process execution | Process name, hash, or in-memory signatures |
| Unusual NTDS.dit access | Volume shadow copy creation followed by NTDS.dit file access |
The PRISM collection phase is the best window you have. Mass LDAP enumeration from a workstation isn’t subtle: a workstation doing 10,000 LDAP lookups in a short window is almost certainly compromised. Catch it there and you catch it before backup destruction and encryption start.
Incident Attribution Markers
Confirmed GhostCircuit incidents have consistent characteristics useful for attribution:
- The ransomware note always includes a phrase beginning “Your network has been carefully selected…”
- Data is exfiltrated to a consistent set of cloud storage providers: Mega.nz and Backblaze B2 have both been observed
- The negotiation portal uses a custom chat interface with a specific CSS fingerprint
- Backup destruction precedes encryption by approximately 2–4 hours in all confirmed cases
What to Do About It
- Detect AD enumeration: deploy detections for mass LDAP queries from endpoints. This is table stakes. If a workstation is doing 10,000+ LDAP lookups in a short window, something is very wrong.
- Protect backup infrastructure: isolate backup systems from the corporate network; require MFA for any backup configuration changes; test restores regularly. Untested backups are not backups.
- Implement egress filtering: block or closely monitor outbound connections to cloud storage services (Mega, B2, Rclone endpoints) from servers.
- Canary files: place high-fidelity canary files in locations that PRISM-style tooling would enumerate (top-level shares, Finance, Legal folders); any access to these files should trigger an immediate alert.
- Privileged access workstations: ensure domain admin credentials are only usable from dedicated jump hosts. This limits lateral movement paths even after credential compromise.
References
Frequently Asked Questions
- How does GhostCircuit use AI to accelerate ransomware attacks?
- GhostCircuit uses a locally-hosted fine-tuned LLM called PRISM to automate post-compromise reconnaissance. After gaining initial access, their implant collects Active Directory dumps, network configuration, file share listings, and backup configurations, then feeds this data to PRISM, which produces a structured attack plan identifying targets, lateral movement paths, and prioritised exfiltration targets, cutting median time to ransomware deployment to under 18 hours.
- What is the earliest detectable phase of a GhostCircuit attack?
- The PRISM collection phase (specifically mass LDAP enumeration from a compromised workstation) is the earliest detectable stage. A workstation performing 10,000 or more LDAP lookups in a short window is almost certainly compromised and represents the best detection opportunity before backup destruction and ransomware deployment occur.
- What defensive measures are most effective against GhostCircuit's tactics?
- Detecting mass LDAP enumeration from endpoints, isolating backup infrastructure from the corporate network with MFA-gated configuration access, implementing egress filtering to block outbound connections to cloud storage services like Mega.nz, and placing canary files in high-value share locations that PRISM-style tooling would enumerate are the highest-impact controls.