Diluvian

joined 1 week ago
Diluvian 2 points 1 day ago

This method uses its own encryption to avoid EDR alerts. It looks like the process can be defeated if the disk is encrypted; without the benefit of the operating system to decrypt the files, it reads the location of the master file table and iterates through looking for specific file signatures. If the disk is encrypted at the file table level or the file level, reading the raw information from the disk will prevent it from correctly identifying the signatures or getting anything useful from the files.

Diluvian 1 point 1 week ago

(?<!\d) -> Not sure why you're doing this.

\d+\. -> Look for one or more digits followed by a period. None of the sentences have numbers before the period, and if the previous section didn't exclude them, this would.

\.\d+ -> Look for a period followed immediately by one or more numbers. This should get most of the trailing 0s, but you'll miss the ones on their own newline and following a quotation mark.

\.0\ -> If you only have a single character you'd like to remove, there's no harm in enumerating it.
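As an added illustration (not part of Diluvian's comment, and not code from the original thread), the script below runs each of the regex fragments discussed above over a constructed sample so the behaviour the comment describes is visible: \d+\. only hits the real decimal "2.0", \.\d+ catches most stray ".0" tails but misses a lone "0" on its own line and a "0" after a closing quotation mark, and the (?<!\d) lookbehind is what keeps a genuine decimal out of the match. The sample text and the strip_trailing_zero clean-up are assumptions made for the example.

```python
import re

# Constructed sample, not from the original thread: sentences with a stray
# "0" glued to the end, plus the two edge cases the comment calls out
# (a "0" after a closing quotation mark, and a "0" alone on its own line).
# "Version 2.0" is a real decimal that a clean-up must leave alone.
SAMPLE = (
    'The build finished.0 Version 2.0 was released.0\n'
    'He said "done."0 Final line.\n'
    '0\n'
)

# The fragments discussed in the comment, each as a stand-alone pattern.
PATTERNS = {
    "digits_then_period": r"\d+\.",             # only matches "2." in "2.0"
    "period_then_digits": r"\.\d+",             # matches the ".0" tails, but
                                                # also the ".0" of "2.0"
    "not_preceded_by_digit": r"(?<!\d)\.\d+",   # lookbehind excludes "2.0"
}


def find_all(pattern: str, text: str) -> list:
    """Return every substring the pattern matches, in document order."""
    return re.findall(pattern, text)


def naive_strip(text: str) -> str:
    """Remove stray ".0" with the comment's own fragment. Shows what is left
    behind: the "0" after a quotation mark and the lone "0" on its own line."""
    return re.sub(r"(?<!\d)\.\d+", ".", text)


def strip_trailing_zero(text: str) -> str:
    """Hypothetical fuller clean-up that also handles the two edge cases.

    (?<!\\d\\.)    the zero must not be the fractional part of a decimal
    (?<=[.!?"])   it must directly follow sentence punctuation or a quote
    0(?=\\s|$)    and be followed by whitespace or the end of the text
    """
    text = re.sub(r'(?<!\d\.)(?<=[.!?"])0(?=\s|$)', "", text)
    # A "0" that is the only thing on its line, newline included.
    text = re.sub(r"(?m)^0$\n?", "", text)
    return text


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:24s} {find_all(pattern, SAMPLE)}")
    print("naive:", repr(naive_strip(SAMPLE)))
    print("full: ", repr(strip_trailing_zero(SAMPLE)))
```

Running it shows the lookbehind-less \.\d+ would have clipped "2.0" to "2.", while the (?<!\d) version leaves the decimal intact but, exactly as the comment says, still leaves a "0" after the quotation mark and the one standing on its own line.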

Diluvian 1 point 1 week ago (last edited 1 week ago)

This validates what researchers have been seeing in the wild -- ransomware attackers have been vibe-coding exploits based on feeding CVEs to an LLM. 51% delivering valid code and reproducing the attack seems a bit high. Even a system for generating exploit code that gets it right 5% of the time is alarming, as a good attacker only needs to get through once. The good defender needs to block it every single time.

LLMs are making an already lopsided playing field even more skewed to red team.