The cybersecurity company ESET has released a report detailing its latest discovery: an artificial intelligence–driven ransomware strain codenamed PromptLock. This ransomware leverages OpenAI’s open-source GPT-OSS-20B model to dynamically generate scripts in real time for the theft of files and sensitive information.
Written in Golang, PromptLock utilizes the Ollama API to locally deploy the GPT-OSS model, which in turn produces malicious Lua scripts on demand. These scripts enumerate the local file system, identify target files, exfiltrate selected data, and carry out encryption.
The AI-generated Lua scripts are compatible with Windows NT, Linux, and macOS, allowing seamless cross-platform execution. This dramatically reduces the time required by attackers to write scripts and perform file theft in the course of a ransomware operation.
Notably, PromptLock appears to still be in the proof-of-concept stage and has not yet been deployed in real-world attacks. Instead of downloading the full model, it establishes a proxy or tunnel via the infected network and connects to an Ollama API server running GPT-OSS.
ESET emphasizes that the real concern lies not in PromptLock itself, but in the AI-generated Lua scripts. Since AI models rarely generate identical outputs for the same query, each script produced is inherently unique.
This variability means that every execution of PromptLock could yield a different malicious script, making it extremely difficult for security software to detect threats through traditional signature-based methods. According to ESET, if weaponized effectively, this approach could significantly increase detection complexity and complicate defensive measures.
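Because the generated scripts differ on every run, a more stable signal is the behaviour that does not change: a process talking to an Ollama API. The sketch below is an added example, not code from ESET's report. It flags processes outside an allowlist that send generation requests to Ollama's documented endpoints. The telemetry schema, the allowlist and the sample events are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Ollama's documented defaults: port 11434, generation via these two endpoints.
OLLAMA_PORT = 11434
OLLAMA_PATHS = {"/api/generate", "/api/chat"}
# Assumption: processes this organisation expects to call a local LLM API.
ALLOWED_PROCESSES = {"ollama", "code", "python3"}

# Constructed sample telemetry (hypothetical JSON-lines schema, not real data).
SAMPLE_EVENTS = """
{"host":"ws-01","proc":"python3","dport":11434,"method":"POST","path":"/api/generate","model":"llama3"}
{"host":"ws-02","proc":"updater.exe","dport":11434,"method":"POST","path":"/api/generate","model":"gpt-oss:20b"}
{"host":"ws-02","proc":"updater.exe","dport":11434,"method":"POST","path":"/api/generate","model":"gpt-oss:20b"}
{"host":"ws-03","proc":"chrome","dport":443,"method":"GET","path":"/","model":null}
{"host":"ws-04","proc":"svc_helper","dport":8080,"method":"POST","path":"/api/chat","model":"gpt-oss:20b"}
not-json garbage line
"""

def find_unexpected_llm_clients(lines, allowed=ALLOWED_PROCESSES):
    """Group Ollama-style API calls by (host, process) for non-allowlisted processes."""
    findings = defaultdict(lambda: {"requests": 0, "models": set(), "nonstandard_port": False})
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed telemetry instead of aborting
        # Match on the API path, not the port: a proxy or tunnel can change the port.
        if not isinstance(ev, dict) or ev.get("method") != "POST" or ev.get("path") not in OLLAMA_PATHS:
            continue
        if ev.get("proc") in allowed:
            continue
        f = findings[(ev.get("host"), ev.get("proc"))]
        f["requests"] += 1
        if ev.get("model"):
            f["models"].add(ev["model"])
        if ev.get("dport") != OLLAMA_PORT:
            f["nonstandard_port"] = True  # API path seen on an unusual port
    return dict(findings)

if __name__ == "__main__":
    for (host, proc), info in find_unexpected_llm_clients(SAMPLE_EVENTS).items():
        print(host, proc, info)
```

A finding is a lead for triage, not a verdict: correlate it with script-interpreter launches and bulk file reads or writes on the same host before escalating.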
Furthermore, PromptLock highlights how AI enables cybercriminals—especially those with limited technical expertise—to quickly build new malicious campaigns, develop malware, craft convincing phishing websites, and launch more sophisticated attacks.