PromptLock: The First AI-Powered Ransomware — AISECGEN Advisory & Mitigation Guide
Date: 30 August 2025
Breaking Discovery: ESET Identifies “PromptLock”
On 27 August 2025, researchers Peter Strýček and Anton Cherepanov at ESET disclosed PromptLock, a proof-of-concept ransomware which leverages artificial intelligence to generate its attack logic on the fly.
Unlike conventional ransomware families, PromptLock uses a locally hosted large language model (LLM) — OpenAI’s gpt-oss:20b, accessed via the Ollama API — to dynamically create malicious Lua scripts. These scripts can enumerate files, exfiltrate data, and encrypt content, whilst varying behaviour with each execution.
Key Technical Highlights
- Written in Golang with cross-platform support (Windows and Linux variants observed).
- Employs SPECK-128 encryption.
- Drops Lua payloads generated at runtime by the local AI model.
- Contained a hard-coded Bitcoin address referencing Satoshi Nakamoto (likely a decoy).
- Uses the Ollama local API (default port 11434), thereby evading cloud AI monitoring and external API logging.
ESET has published associated SHA-1 hashes of known samples.
Why PromptLock Matters
- Adaptive behaviour: No two runs are identical. Static indicators of compromise (IoCs) are unreliable.
- Local AI execution: Evades cloud telemetry, API usage monitoring, and heuristic detections tied to external requests.
- Prototype today, operational threat tomorrow: Criminal groups could adopt this architecture rapidly for real-world campaigns.
AISECGEN Mitigation Guidance
We advise defenders to adopt a layered strategy blending classic ransomware resilience with AI-aware defensive measures.
1. Behavioural & Anomaly Detection
Deploy AI-enhanced SIEM/XDR to flag:
- Processes connecting to
127.0.0.1:11434(Ollama API). - Bursts of file renames or rewrites immediately following local AI activity.
title: Suspicious Local LLM API Usage (PromptLock-style)
id: a1-ollama11434
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
DestinationIp: 127.0.0.1
DestinationPort: 11434
condition: selection
level: medium
2. Automated Incident Response
- Quarantine affected systems instantly.
- Roll back file systems via shadow copies or EDR rollback.
- Capture forensic memory and disk images (to preserve LLM prompts and scripts in RAM).
3. Hardening Local AI Runtimes
If Ollama or similar tools are legitimately used:
- Restrict network access strictly to
127.0.0.1. - Apply AppLocker/WDAC rules:
Add-AppLockerFileHashRule -RuleType Deny -User "Everyone" -FilePath "*\\ollama.exe"
On Linux, harden the Ollama service:
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
IPAddressDeny=any
IPAddressAllow=127.0.0.1
4. Zero-Trust & Adaptive Controls
Adopt zero-trust principles: enforce continuous identity verification, just-in-time access, and immediate revocation upon anomalies.
5. Backup Resilience
Maintain immutable backups and offline copies, and conduct regular restoration testing.
6. Purple-Team Simulations
Run exercises modelling AI-generated malware with non-deterministic behaviours. Train detection teams to rely on behaviour and telemetry rather than static hashes.
Detection Queries for Security Advisers
// Microsoft Defender for Endpoint (KQL)
DeviceNetworkEvents
| where RemoteIp in ("127.0.0.1","::1") and RemotePort == 11434
| join kind=inner (
DeviceFileEvents
| where ActionType in ("FileCreated","FileModified","FileRenamed")
| summarize FilesTouched=count() by DeviceId, bin(Timestamp, 15m)
| where FilesTouched > 800
) on DeviceId
// Splunk (Sysmon)
index=sysmon (EventCode=3 DestinationIp="127.0.0.1" DestinationPort=11434)
| join host [ search index=sysmon EventCode IN (11,13)
| bin _time span=10m
| stats count as files_touched by host, Image
| where files_touched>800 ]
Final Thoughts
PromptLock is a warning sign: the age of AI-generated malware is no longer hypothetical. Whilst this sample is experimental, it demonstrates a feasible pathway that cybercriminals will almost certainly exploit.
At AISECGEN, we recommend that organisations:
- Prepare proactively with anomaly-based detection.
- Secure AI runtimes before they are weaponised.
- Harden resilience with layered defences and rigorously tested backup strategies.
The defensive edge lies in adapting faster than the attacker.
Sources
- ESET Research: Discovery of PromptLock (AI-powered ransomware PoC)
- Coverage: Wired, TechRadar, ITPro, Tom’s Hardware
- AISECGEN analysis
About the Author
