Security researchers have identified PromptLock, a new proof-of-concept ransomware that uses artificial intelligence to generate malicious scripts capable of stealing and encrypting data across Windows, macOS, and Linux systems. The malware employs OpenAI’s gpt-oss:20b model via the Ollama API to dynamically create Lua scripts for a range of attack functions.
“The investigation determined that an unauthorized actor may have accessed and copied certain files on our computer systems,” researchers explained in their disclosure.
How PromptLock Leverages AI to Generate Malicious Lua Scripts
PromptLock is written in Golang and connects through a proxy tunnel to access the large language model hosted on a remote server. Its hard-coded prompts instruct the model to create Lua scripts that can:
- Enumerate local filesystems
- Inspect and target sensitive files
- Exfiltrate collected data
- Encrypt compromised files
Researchers also noted code fragments suggesting data destruction functionality, though this feature has not been fully implemented.
Encryption Method and Choice of Algorithm
For file encryption, PromptLock relies on the SPECK 128-bit cipher. This algorithm, designed primarily for lightweight use cases such as RFID, is considered weak by modern standards. Its inclusion further indicates that PromptLock is not yet optimized for practical large-scale attacks.
Indicators That PromptLock is a Proof of Concept
ESET clarified that PromptLock has not appeared in real-world telemetry and was only identified after being uploaded to VirusTotal. Multiple characteristics suggest it is still a prototype:
- Use of a weak encryption algorithm unsuitable for ransomware operations
- Presence of a hard-coded Bitcoin wallet address linked to Satoshi Nakamoto
- Unfinished data destruction feature
Shortly after ESET’s disclosure, a researcher claimed ownership of the malware, stating that the project had leaked unintentionally.
Significance of PromptLock in AI-Powered Cybercrime
Despite being a concept, PromptLock illustrates how AI can lower barriers to cybercrime by dynamically generating malicious scripts. Its approach showcases how adversaries might achieve:
- Cross-platform targeting flexibility
- Real-time operational adaptation
- Enhanced evasion against static detection methods
This development follows similar findings from Ukraine’s CERT in July, when analysts uncovered LameHug, an AI-powered malware tool allegedly linked to Russian APT28 actors. LameHug uses Hugging Face APIs and Alibaba’s Qwen-2.5-Coder-32B model to generate Windows shell commands. While PromptLock leverages proxying to interact with AI models, LameHug uses direct API calls—both achieving dynamic attack generation in different ways.
MITRE ATT&CK Mapping for PromptLock
The table below highlights techniques that PromptLock likely uses based on current analysis.
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Supply Chain Compromise / Uploaded File | T1195/T1204 | Delivery via shared files (VirusTotal submission hints PoC distribution). |
| Execution | Command and Scripting Interpreter | T1059.003 | Lua script execution for malicious tasks. |
| Persistence | Modify Registry / System Scripts | T1112/T1037 | Potential persistence using system modifications. |
| Defense Evasion | Proxy Use | T1090 | LLM communication through proxy tunnels. |
| Credential Access | Unsecured Credentials | T1552 | Targeting sensitive files for credential theft. |
| Collection | File and Directory Discovery | T1083 | Identifies target files across local systems. |
| Exfiltration | Exfiltration Over Alternative Protocol | T1048 | Transfers stolen data using non-standard channels. |
| Impact | Data Encrypted for Impact | T1486 | File encryption using SPECK algorithm. |
