PromptLock: The First AI-Powered Ransomware and What It Means for the Future of Cyber Threats

Technical schematic illustrating the attack chain of PromptLock using a local LLM to dynamically generate malicious Lua scripts.


Introduction

This is not speculative. It is real. PromptLock is the first ransomware that uses an AI model to generate its malicious code in real time.

Discovered by ESET researchers in August 2025, PromptLock represents a shift in ransomware: it uses a local large language model (LLM) to generate malicious Lua scripts on the fly. Traditional signature-based detection is useless against this. Every attack can be different, generated on demand.

This article analyzes PromptLock’s architecture, its implications for cybersecurity, and what organizations must do to prepare for AI-generated threats.


What Is PromptLock?

PromptLock is a proof-of-concept ransomware that uses AI to generate its malicious code. It was discovered by ESET researchers in August 2025 and later confirmed to be academic research from NYU Tandon School of Engineering.

Key facts:

| Aspect | Details |
| --- | --- |
| Name | PromptLock |
| Type | AI-powered ransomware (proof-of-concept) |
| Discovered | August 2025 |
| Discovered by | ESET researchers |
| Origin | NYU Tandon School of Engineering (academic research) |
| AI model used | gpt-oss:20b via Ollama API |
| Encryption | SPECK 128-bit |
| Cross-platform | Windows, Linux, macOS |

How PromptLock Works

The attack chain is different from traditional ransomware:

Step 1: AI Model Invocation
The ransomware uses hard-coded prompts to query a local AI model (gpt-oss:20b) via the Ollama API.

Step 2: Malicious Script Generation
The AI model generates Lua scripts based on the prompts. These scripts are dynamically created, not pre-written.

Step 3: System Reconnaissance
The AI-generated Lua scripts scan the local filesystem, enumerating files and identifying targets.

Step 4: Data Exfiltration
The scripts identify and stage sensitive data for exfiltration.

Step 5: Encryption
Files are encrypted using the SPECK 128-bit encryption algorithm, with keys generated dynamically.

Step 6: Personalized Ransom Note
The AI generates a ransom note based on the files affected.

The key difference:
Traditional ransomware uses static, pre-written code. PromptLock’s code is dynamically generated, making each execution unique.


The Architecture

| Layer | Components |
| --- | --- |
| AI Model | gpt-oss:20b (OpenAI’s open-weight model) |
| API | Ollama API (local LLM framework) |
| Scripting | Lua (cross-platform compatible) |
| Encryption | SPECK 128-bit |
| Delivery | Generated scripts delivered via emails, downloads, or external media |

The role of Ollama:
Ollama is a framework that allows users to download different LLM models and run them on their computers. The ransomware uses the local AI model to generate malicious scripts, meaning the code is generated on the victim’s machine.


Why PromptLock Is Different

| Aspect | Traditional Ransomware | PromptLock |
| --- | --- | --- |
| Code | Static, pre-written | Generated at runtime |
| Detection | Signature-based | Harder to detect (polymorphic) |
| Adaptability | Fixed | Adapts to the environment |
| Ransom note | Generic | Personalized |
| Cross-platform | Usually platform-specific | Cross-platform (Lua) |
| Cost | Development teams, custom malware | AI model, minimal cost |

The cost advantage for attackers:
The prototype consumed approximately 23,000 AI tokens per complete attack execution, equivalent to roughly $0.70 using commercial API services. Open-source AI models eliminate these costs entirely.


The NYU Research Context

PromptLock was created by researchers at NYU Tandon School of Engineering as part of a study on AI-powered ransomware. The researchers used the name “Ransomware 3.0” to describe their work.

The researchers’ findings:

  • AI systems can carry out all four phases of a ransomware attack: mapping systems, identifying valuable files, stealing or encrypting data, and generating ransom notes 
  • The AI models were highly effective at system mapping and correctly flagged 63-96% of sensitive files depending on environment type 
  • The AI-generated scripts proved cross-platform compatible, operating on Windows, Linux, and macOS without modification 
  • Each execution produced unique attack code despite identical starting prompts, creating a major challenge for cybersecurity defenses 

The ESET Discovery

ESET researchers Anton Cherepanov and Peter Strýček discovered PromptLock on VirusTotal in August 2025. They were confident that their discovery marked a turning point in generative AI, showing how the technology could be exploited to create highly flexible malware attacks.

ESET’s findings:

  • PromptLock uses AI to generate malicious code in real time 
  • The code is cross-platform compatible, functioning on Windows, Linux, and macOS 
  • The ransomware uses SPECK 128-bit encryption 
  • The malicious code is generated on the victim’s machine, not downloaded 
  • Each execution produces unique code, complicating detection 

ESET’s assessment:
While it shows a certain level of sophistication and novelty, the current implementation does not pose a serious threat. The researchers confirmed it was a proof-of-concept.


The Risks

1. Detection Evasion
Traditional signature-based detection will not work against AI-generated code. Each execution produces unique code.

2. Lower Barrier to Entry
Low-skilled attackers can now launch advanced ransomware campaigns with AI support. The economic implications reveal how AI could reshape ransomware operations.

3. Cross-Platform Attacks
Lua scripts run on Windows, Linux, and macOS, giving PromptLock broad reach without platform-specific payloads.

4. Personalized Ransom Notes
AI-generated ransom notes, personalized based on the files affected, could increase psychological pressure on victims.

5. Autonomous Operation
The system can perform reconnaissance, payload generation, and personalized extortion in a closed-loop attack campaign without human involvement.


Defense Strategies

| Strategy | Description |
| --- | --- |
| Behavioral analytics | Deploy software that monitors and flags unusual activity |
| AI vs. AI | Use AI-enhanced cybersecurity tools capable of real-time threat detection |
| Monitor Ollama misuse | Detect access to localhost:11434 |
| Lua anomaly detection | Flag unusual use of embedded Lua interpreters |
| Restrict local AI runtimes | Confine Ollama to dev-only environments |
| Behavioral ransomware hunting | Look for rapid block overwrites and log file creation |
| CIEM | Cloud Infrastructure Entitlement Management to enforce least-privilege access |
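
Two of the strategies above, Ollama access monitoring and rapid-overwrite hunting, correlated per process so that neither signal depends on what the generated code looks like. This is an added example, not code from the article, ESET or NYU; the event schema, the allowlist of approved client binaries and the burst thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

OLLAMA_PORT = 11434                   # local Ollama API port named in the article
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
ALLOWED_CLIENTS = {"ollama", "code"}  # assumption: binaries approved to query the local LLM
BURST_FILES, BURST_WINDOW = 5, 10.0   # assumption: 5 distinct files written within 10 s

def sample_events():
    """Constructed telemetry in a hypothetical endpoint-sensor schema."""
    def ev(ts, pid, image, kind, **extra):
        return {"ts": ts, "pid": pid, "image": image, "type": kind, **extra}
    api = {"dst": "127.0.0.1", "dport": OLLAMA_PORT}
    events = [ev(100.0, 410, "code", "net_connect", **api),
              ev(101.0, 733, "updater", "net_connect", **api), ev(150.0, 512, "notes", "net_connect", **api)]
    events += [ev(102.0 + i, 733, "updater", "file_write", path=f"/home/u/doc{i}.txt") for i in range(6)]
    events += [ev(200.0 + 30 * i, 900, "backup", "file_write", path=f"/data/f{i}") for i in range(6)]
    return events

def has_write_burst(writes):
    """True if BURST_FILES distinct paths were written within any BURST_WINDOW span."""
    writes = sorted(writes)
    for i, (start, _) in enumerate(writes):
        paths = {p for t, p in writes[i:] if t - start <= BURST_WINDOW}
        if len(paths) >= BURST_FILES:
            return True
    return False

def triage(events):
    """Correlate both signals per process: one alone is medium, both together is high."""
    llm_callers, writes, images = set(), defaultdict(list), {}
    for e in events:
        images[e["pid"]] = e["image"]
        if e["type"] == "file_write":
            writes[e["pid"]].append((e["ts"], e["path"]))
        elif (e["type"] == "net_connect" and e["dst"] in LOOPBACK
              and e["dport"] == OLLAMA_PORT and e["image"] not in ALLOWED_CLIENTS):
            llm_callers.add(e["pid"])
    findings = {}
    for pid in sorted(llm_callers | set(writes)):
        checks = {"unapproved_local_llm_call": pid in llm_callers,
                  "file_write_burst": has_write_burst(writes.get(pid, []))}
        signals = [name for name, hit in checks.items() if hit]
        if signals:
            findings[pid] = {"image": images[pid], "signals": signals,
                             "severity": "high" if len(signals) == 2 else "medium"}
    return findings

if __name__ == "__main__":
    print(triage(sample_events()))
```

In the constructed data the approved editor (pid 410) and the slow backup job (pid 900) produce no finding, while the process that both queries the local model and overwrites six files in five seconds is rated high.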

The Bigger Picture

PromptLock may be a proof-of-concept, but it highlights a significant shift in the cyber threat landscape:

  • Attackers can use local LLMs to make ransomware more adaptive and harder to predict
  • AI is lowering the technical barrier to creating advanced ransomware
  • Traditional signature-based detection is becoming less effective
  • Organizations must shift to behavioral analytics and AI-enhanced defenses

The NYU researchers’ warning:
The cybersecurity community’s immediate concern when our prototype was discovered shows how seriously we must take AI-enabled threats. While the initial alarm was based on an erroneous belief that our prototype was in-the-wild ransomware and not laboratory proof-of-concept research, it demonstrates that these systems are sophisticated enough to deceive security experts into thinking they’re real malware from attack groups.

The bottom line:
PromptLock is a warning shot. AI-powered ransomware is no longer theoretical. It is here. Organizations must prepare now.

KNOWLEDGE CHECK QUIZ

Q: What makes PromptLock fundamentally different from traditional ransomware strains?
Ans: Instead of using pre-written, static code, PromptLock utilizes a local Large Language Model (LLM) to dynamically generate its malicious Lua scripts at runtime, making each attack unique and invisible to signature-based detection.

Q: Which academic institution was responsible for creating the PromptLock proof-of-concept?
Ans: The NYU Tandon School of Engineering (as part of a study they referred to as “Ransomware 3.0”).

Q: What specific local AI framework and port does the PromptLock attack chain target to generate its payload?
Ans: It targets the Ollama API, typically communicating via localhost:11434, to query the gpt-oss:20b model.

Q: Why does the ransomware use Lua scripting for its generated payloads?
Ans: Lua is a lightweight, cross-platform scripting language, allowing the AI-generated malware to execute seamlessly across Windows, Linux, and macOS environments without modification.

───

FREQUENTLY ASKED QUESTIONS (FAQ)

Q: If PromptLock generates new code every time, how can antivirus software stop it?
Ans: Traditional signature-based antivirus cannot stop it. Defense requires Endpoint Detection and Response (EDR) systems that utilize behavioral analytics. These systems monitor for malicious actions, such as a process attempting to rapidly encrypt thousands of files or making unauthorized calls to a local AI API, and kill the process regardless of what the code looks like.

Q: Are cybercriminals currently using AI to write ransomware in the wild?
Ans: While PromptLock was confirmed to be an academic proof-of-concept by NYU researchers, threat intelligence firms note that hostile actors are already experimenting with LLMs to draft phishing emails, write modular exploit code, and optimize reconnaissance. The transition to fully autonomous, wild AI ransomware is considered imminent.

Q: How can a company safely allow its developers to use local AI models without exposing the network to PromptLock-style attacks?
Ans: CISOs must enforce strict network segmentation. Local LLMs (like Ollama or LM Studio) should only be installed in sandboxed, dev-only environments that lack read/write access to sensitive corporate file shares or production servers. Access to the AI APIs must be heavily authenticated and monitored.


Adv. Shoeb Hakim
Cybersecurity & AI Risk Advisor
