First AI Powered Ransomware Discovered - PromptLock

Overview

On August 26, 2025, cybersecurity researchers at ESET uncovered PromptLock, the first known artificial intelligence-powered ransomware.

This ransomware is a milestone in cybercrime evolution: for the first time, an open-source large language model (LLM) is integrated directly into ransomware to generate adaptive, autonomous, and platform-independent malicious code.

How PromptLock Operates

1. AI Generated Script Creation

  • Written in Golang.

  • Uses OpenAI's gpt-oss-20b model (released August 5, 2025).

  • The ransomware issues hard-coded prompts to the LLM, instructing it to create malicious Lua scripts on demand.

  • These scripts locate files, filter for high-value data, exfiltrate it, and then encrypt the remaining files.

2. Adaptive Deployment Strategy

Unlike traditional ransomware, PromptLock doesn’t require shipping the entire model. Attackers can:

  • Run the model locally on the victim machine (if hardware allows).

  • OR tunnel requests to a remote Ollama API server running the AI model.

This reduces footprint while retaining full functionality — making it harder to detect during initial stages.

3. Encryption Implementation

PromptLock uses the SPECK 128-bit cipher, designed by the NSA in 2013.

  • Block Size: 128 bits (2×64-bit words)

  • Key Size: 128 bits

  • Rounds: 32 iterations

  • Performance: ~1.99 cycles/byte (extremely fast)

  • Structure: Add-Rotate-XOR (ARX) — combines modular addition, XOR, and rotations for efficiency.

This makes PromptLock’s encryption lightweight, efficient, and deadly effective across diverse systems.

Key Technical Components

Programming Language: Golang (portable, cross-compiled easily).

Script Engine: Lua (lightweight, portable, cross-OS).

AI Model: OpenAI GPT-OSS-20B

  • Parameters: 21B total / 3.6B active (Mixture-of-Experts architecture).

  • Memory: 16GB RAM/GPU minimum.

  • Context: 128,000 tokens.

  • Optimized for local inference (edge computing).

Discovery & Current Status

Timeline

  • Aug 25, 2025 → Samples uploaded to VirusTotal from U.S. systems.

  • Aug 26, 2025 → Analyzed & disclosed by ESET researchers Anton Cherepanov and Peter Strycek.

  • Classified as Filecoder.PromptLock.A.

Current Assessment

  • Proof of Concept (PoC): Indicators suggest PromptLock is not yet in active mass campaigns.

  • Unfinished Features: Data destruction code exists but is currently disabled.

  • Ransom Wallet Symbolism: Points to Satoshi Nakamoto’s BTC address, suggesting a symbolic demo rather than profit motive.

Security Implications

1. Variable Indicators of Compromise (IoCs)

Each execution generates different Lua scripts, meaning no static signature exists. Traditional detection (hash-based, YARA rules) becomes less reliable.

2. Cross-Platform Reach

Lua + Golang combo = seamless execution across Windows, Linux, and macOS. This increases potential target scope and lowers dev effort for attackers.

3. Autonomous Target Selection

Using AI, PromptLock evaluates file contents and metadata to choose what to encrypt. Unlike traditional ransomware (which encrypts blindly), PromptLock is selective and strategic, increasing potential damage.

4. Ollama API Weaknesses

Default Ollama API settings leave port 11434 unauthenticated, exposing victims to:

  • Model theft

  • API resource abuse

  • Configuration manipulation

  • Remote code execution (CVE-2024-37032, path traversal → arbitrary file write)
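A defender-side check for the exposure described above: the sketch below reads a listener table and reports any socket on port 11434 that is bound to a non-loopback address. It is an added example, not code from ESET or the Ollama project; it assumes the table is in `ss -ltn` column layout, and the sample table is constructed.

```python
import ipaddress

OLLAMA_PORT = 11434  # port named on this page

# Constructed sample in `ss -ltn` column layout (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.1:11434     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   *:11434             *:*
LISTEN 0      4096   [::1]:11434         [::]:*
LISTEN 0      4096   10.0.5.20:11434     0.0.0.0:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4, bracketed IPv6, or '*') into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port

def is_loopback(addr):
    """True only for loopback addresses; wildcards and unparsable values are not."""
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False

def exposed_ollama_listeners(ss_output, port=OLLAMA_PORT):
    """Return local endpoints listening on `port` that are reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, local_port = split_endpoint(fields[3])
        if local_port == str(port) and not is_loopback(addr):
            findings.append(fields[3])
    return findings

if __name__ == "__main__":
    for endpoint in exposed_ollama_listeners(SAMPLE_SS):
        print(f"exposed Ollama listener: {endpoint}")
```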

Industry Response & Broader Context

OpenAI Statement: “Ensuring the safe development of our models is paramount. We are continuously enhancing safeguards to strengthen against exploitation.”

Anthropic Findings: Criminals have used Claude AI for:

  • Automated target reconnaissance

  • Malware script generation

  • Drafting ransom notes

Affecting at least 17 organizations in 2025.

Expert Predictions for 2025–26:

  • AI-driven social engineering (deepfake voice phishing, adaptive spearphishing).

  • Automated target prioritization by LLMs.

  • Dynamic evasion in malware (adapts mid-execution).

  • Custom ransomware tuned per victim org.

Defense & Mitigation

For Organizations

  • Behavioral Detection Systems → Watch for abnormal Lua execution, ARX-heavy encryption patterns.

  • Network Monitoring → Flag unauthorized API traffic to Ollama endpoints.

  • Segmentation → Limit access to AI inference servers.

  • Patch Management → Fix CVE-2024-37032 & related Ollama vulnerabilities.

  • AI Governance → Restrict internal LLM use, enforce model security policies.
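One way to implement the network-monitoring item above, as an added example that is not part of the original article: it scans flow/proxy records for traffic to port 11434 or to Ollama's `/api/generate` and `/api/chat` endpoints and reports any client/server pair outside an allowlist. The key=value log layout, the internal range, the allowlist and the sample records are all assumptions constructed for the example; matching on path requires a proxy that can see the request line.

```python
import ipaddress

OLLAMA_PORT = 11434                             # port named on this page
LLM_PATHS = ("/api/generate", "/api/chat")      # Ollama inference endpoints
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
APPROVED = {("10.1.2.10", "10.9.0.5")}          # assumed sanctioned client/server pairs

# Constructed flow/proxy records in an assumed key=value layout.
SAMPLE_LOG = """\
ts=2025-08-27T09:00:01Z src=10.1.2.10 dst=10.9.0.5 dport=11434 path=/api/chat
ts=2025-08-27T09:00:07Z src=10.1.2.33 dst=10.9.0.5 dport=11434 path=/api/generate
ts=2025-08-27T09:01:12Z src=10.1.2.33 dst=203.0.113.7 dport=443 path=/api/generate
ts=2025-08-27T09:02:30Z src=10.1.2.40 dst=10.3.3.3 dport=443 path=/index.html
ts=2025-08-27T09:03:02Z src=10.1.2.41 dst=198.51.100.9 dport=11434
"""

def parse(line):
    """Turn one key=value record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def flag_ollama_traffic(log_text):
    """Return (src, dst, reason) for each unsanctioned Ollama-style API flow."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not {"src", "dst", "dport"} <= rec.keys():
            continue  # incomplete record
        by_port = rec["dport"] == str(OLLAMA_PORT)
        by_path = rec.get("path", "").startswith(LLM_PATHS)
        if not (by_port or by_path):
            continue
        if (rec["src"], rec["dst"]) in APPROVED:
            continue
        try:
            external = ipaddress.ip_address(rec["dst"]) not in INTERNAL
        except ValueError:
            external = True  # unparsable destination: treat as off-network
        reason = ("egress to external inference API" if external
                  else "unapproved internal client")
        alerts.append((rec["src"], rec["dst"], reason))
    return alerts

if __name__ == "__main__":
    for src, dst, reason in flag_ollama_traffic(SAMPLE_LOG):
        print(f"ALERT {src} -> {dst}: {reason}")
```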

For Security Teams

  • Threat Intelligence → Track evolving AI-powered malware signatures.

  • Training → Educate defenders on AI-assisted cybercrime tactics.

  • Incident Response → Prepare for adaptive ransomware where IoCs differ case by case.

Conclusion

PromptLock is not just another ransomware strain — it’s a paradigm shift. For the first time, AI-generated scripts replace traditional static payloads, making the malware:

  • Adaptive (IoCs constantly changing)

  • Autonomous (chooses targets intelligently)

  • Universal (runs on multiple OSs with minimal tweaking)

ESET’s Anton Cherepanov put it bluntly:

“With the help of AI, launching sophisticated attacks has become dramatically easier—eliminating the need for teams of skilled developers.”

The cybersecurity industry has a limited window to adapt while PromptLock remains in proof-of-concept stage. Its emergence proves one truth: AI is a double-edged sword, capable of empowering both defenders and adversaries.
