Advisory

ESET reports AI-Powered ransomware called "PromptLock" that uses local AI models to generate scripts

Take action: At this moment, ransomware with AI-generated scripts is still experimental, but this type of malware will soon become very real. One practical defense is an egress firewall that blocks any unknown process from reaching the internet, such as LuLu for macOS.


Learn More

ESET Research has discovered what they describe as the first known artificial intelligence-powered ransomware, which they have named "PromptLock."

This malware is an evolution in ransomware design: it uses OpenAI's gpt-oss:20b model locally via the Ollama API. PromptLock feeds hard-coded prompts into a local instance of the gpt-oss:20b model, which then generates Lua scripts on demand. These scripts perform file system enumeration, data theft, and encryption.

ESET has identified both Windows and Linux variants uploaded to VirusTotal, classified under the identifier Filecoder.PromptLock.A. The malware's architecture enables it to run on Windows, macOS, and Linux environments without requiring separate builds.

Since the gpt-oss:20b model can run locally and is reachable via an API call, it can be hosted on any number of servers worldwide, so antimalware tools cannot identify the malware by DNS requests to OpenAI or other LLM providers. Nor can the LLM providers themselves detect it, since no requests ever reach their servers.

The ransomware includes logic for potentially destructive actions, but ESET noted that file destruction routines do not appear to be fully implemented yet.

The malware has a hardcoded Bitcoin address associated with Satoshi Nakamoto, the pseudonymous inventor of Bitcoin. Security researchers believe this is a red herring or symbolic gesture, not a functional ransom payment mechanism.

ESET emphasized that PromptLock appears to be a proof-of-concept still under development and may be an experiment not intended for malicious deployment. Multiple indicators suggest the sample is a proof-of-concept or work in progress, not fully operational malware. Researchers have not observed any active deployment of PromptLock in real-world attacks, and several key functionalities appear incomplete.

ESET advises defenders to monitor for anomalous Lua script execution, particularly scripts that perform system enumeration or encryption routines. Security teams should also watch for proxy tunneling to the Ollama API and add detections for the file hashes ESET published.
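The detection guidance above, and the point made earlier that a locally hosted model leaves no DNS trail to an LLM provider, can be turned into host-level rules. The following is an added example written for this advisory, not code from ESET or from the PromptLock sample: it runs three rules over constructed endpoint telemetry lines (a `key=value` format invented for the example) and flags Lua interpreters launched with enumeration or encryption indicators, traffic to an Ollama API endpoint from a process that is not an expected Ollama client, and executables whose SHA-256 matches an IoC list. Port 11434 and the `/api/generate` and `/api/chat` paths are Ollama's documented defaults; the hash values, the client allowlist and the suspicious-token list are placeholders and should be replaced with ESET's published hashes and your own environment's baseline.

```python
"""Host telemetry rules for PromptLock-style indicators (added example).

Sample events, hash values, allowlist and token heuristics are constructed
for illustration; only the Ollama port and API paths are real defaults.
"""
import re
from dataclasses import dataclass

OLLAMA_DEFAULT_PORT = 11434                       # Ollama's default listen port
OLLAMA_API_PATHS = ("/api/generate", "/api/chat")  # Ollama text-generation endpoints

# Placeholder IoCs: substitute the SHA-256 values ESET published.
KNOWN_BAD_SHA256 = {
    "PLACEHOLDER_SHA256_WINDOWS_SAMPLE",
    "PLACEHOLDER_SHA256_LINUX_SAMPLE",
}
# Processes expected to talk to an Ollama server in this (example) environment.
ALLOWED_OLLAMA_CLIENTS = {"ollama"}
# Lua interpreter binaries and command-line tokens suggesting enumeration or
# encryption. Constructed heuristics; tune against your own baseline.
LUA_INTERPRETERS = {"lua", "lua5.3", "lua5.4", "luajit", "lua.exe"}
SUSPICIOUS_LUA_TOKENS = ("lfs.dir", "io.popen", "os.execute", "encrypt", "walk")


@dataclass
class Alert:
    rule: str
    event: dict


def parse_event(line):
    """Parse one constructed 'key=value key="quoted value"' line into a dict."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted if quoted else bare for key, quoted, bare in pairs}


def basename(path):
    """Last path component, tolerating both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_suspicious_lua_execution(ev):
    """Lua interpreter launched with enumeration/encryption indicators."""
    if ev.get("type") != "process" or basename(ev.get("image", "")) not in LUA_INTERPRETERS:
        return None
    cmdline = ev.get("cmdline", "").lower()
    if any(token in cmdline for token in SUSPICIOUS_LUA_TOKENS):
        return Alert("suspicious_lua_execution", ev)
    return None


def rule_ollama_api_traffic(ev):
    """Connection to an Ollama API (default port or API path, local or proxied)
    from a process that is not an expected Ollama client."""
    if ev.get("type") != "network" or basename(ev.get("image", "")) in ALLOWED_OLLAMA_CLIENTS:
        return None
    to_default_port = ev.get("dport") == str(OLLAMA_DEFAULT_PORT)
    ollama_path = ev.get("path", "").startswith(OLLAMA_API_PATHS)
    if to_default_port or ollama_path:
        return Alert("ollama_api_traffic", ev)
    return None


def rule_ioc_hash_match(ev):
    """Executable image whose SHA-256 is on the IoC list."""
    if ev.get("sha256") in KNOWN_BAD_SHA256:
        return Alert("ioc_hash_match", ev)
    return None


RULES = (rule_suspicious_lua_execution, rule_ollama_api_traffic, rule_ioc_hash_match)


def evaluate(lines):
    """Run every rule over every telemetry line; return the alerts raised."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        alerts.extend(a for a in (rule(ev) for rule in RULES) if a is not None)
    return alerts


# Constructed telemetry: two Lua launches, three network flows, one hash hit.
SAMPLE_EVENTS = [
    'type=process pid=4241 image=/usr/bin/lua5.4 cmdline="lua5.4 /opt/app/config.lua" sha256=BENIGN_HASH_1',
    'type=process pid=4243 image=/usr/bin/lua5.4 cmdline="lua5.4 /tmp/walk_and_encrypt.lua" sha256=BENIGN_HASH_2',
    'type=network pid=4243 image=/usr/bin/lua5.4 dst=10.0.0.5 dport=11434 path=/api/generate',
    'type=network pid=900 image=/usr/local/bin/ollama dst=127.0.0.1 dport=11434 path=/api/tags',
    'type=network pid=777 image=/usr/bin/curl dst=203.0.113.7 dport=443 path=/api/generate',
    'type=process pid=5100 image=/tmp/update.exe cmdline="update.exe" sha256=PLACEHOLDER_SHA256_LINUX_SAMPLE',
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"{alert.rule}: pid={alert.event.get('pid')} image={alert.event.get('image')}")
```

The third network event is the case the advisory calls out: the request reaches `/api/generate` on port 443 of a remote host, which is what a proxied or tunneled Ollama API looks like, so the rule keys on the API path as well as the default port. The allowlist keeps the legitimate local Ollama client from firing; in a real deployment it would be built from the hosts and processes that are actually expected to use a local model.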

PromptLock currently appears to be experimental, but its existence demonstrates the potential for artificial intelligence to significantly enhance the capabilities of malicious software. As AI models become more accessible and powerful, the cybersecurity community must prepare for a new generation of adaptive, intelligent threats that can evolve their tactics in real time.