AI-powered ransomware has arrived

August 27, 2025, Anton Cherepanov from ESET reported his discovery of PromptLock (see interview here) that would qualify as the first known AI-powered ransomware prototype.

It’s currently not known who is behind the malware, but ESET told The Hacker News that PromptLock artefacts were uploaded to VirusTotal from the United States on August 25, 2025.

PromptLock generates on-the-fly attack scripts to lock, exfiltrate, manipulate and destroy files.

PromptLock generates on-the-fly attack scripts that dynamically writes Lua code for file encryption and exfiltration. PromptLock is based on recently released OpenAI’s open-weight gpt oss:20b model. To avoid detection by OpenAI, PromptLock accesses the LLM locally via the open-source Ollama API.

Because it accesses the LLM locally, there are no external API calls which makes it hard to detect and trace. Since the file manipulation is dynamically written, it does not have a clear signature and cannot easily be detected using behaviour analysis.

While PromptLock is still a proof-of-concept, it marks a turning point in the weaponisation of AI. Defenders must now prepare for a world where malware is adaptive, AI-written, and increasingly evasive. And what’s more, it shows that script kiddies without deep technical skills can exploit it.

Hard to detect

Due to some its core mechanics, PromptLock is hard to detect:

• PromptLock uses OpenAI’s gpt oss:20b model, accessed locally via the open-source Ollama API, avoiding reliance on external APIs and detection by OpenAI.
• PromptLock dynamically generates malicious Lua scripts based on hard-coded prompts. These scripts orchestrate key ransomware actions: filesystem enumeration, file inspection, data exfiltration, encryption and potentially file destruction. Because it dynamically writes custom scripts, Indicators of Compromise vary across executions, making detection significantly harder.
• PromptLock can connect to an attacker-controlled Ollama server via a proxy or tunnel, rather than hosting the massive language model locally on the victim’s machine. This minimises resource demands on the infected host, further complicating detection based on behaviour.

Current Status

While still conceptual, PromptLock shows how AI integration into ransomware could dramatically change how malware is developed and deployed. Attackers without deep technical skills can leverage PromptLock to generate sophisticated malware. All they need to provide is a prompt.

PromptLock currently is a Proof-of-Concept only. It has been identified in malware repositories like VirusTotal and is currently believed to be a work-in-progress. There’s no evidence of active attacks.

ESET researchers Anton Cherepanov and Peter Strýček swiftly made technical details public to alert the cybersecurity community about this emerging threat.

Anthropic, however, disclosed in their August threat intelligence report several examples of threat actors misusing its Claude large language models (LLMs) to conduct a variety of malicious activities. The most notable of the examples was a recently disrupted campaign in which a “sophisticated cybercriminal operation” tracked as GTG-2002 abused Claude Code to conduct data extortion attacks against at least 17 different organisations across the world in a short period of time., see article in Dark Reader.

Recommendations

Monitor for PromptLock deployment. While PromptLock is a PoC now, it’s only a matter of time before variants could become real-world threats.

Develop detection strategies that leverage AI to anticipate and counter adaptive AI-powered attacks.

Ensure response playbooks account for smart, automated, and evasive malware.