Researchers at cybersecurity firm ESET have recently identified what they claim to be the first piece of AI-powered ransomware in the wild, dubbed PromptLock. This innovative malware operates by using a hard-coded prompt injection attack against a large language model (LLM), effectively tricking the AI into performing malicious tasks. Unlike traditional ransomware that relies on pre-written scripts, PromptLock delegates its core functions—such as inspecting local filesystems, exfiltrating data, and encrypting files—to the LLM. This method represents a significant shift in ransomware tactics, leveraging artificial intelligence to automate and diversify its attack vectors.
The malware, written in Golang, sends its commands to the LLM via Ollama, an open-source API, using a local version of an open-weights model, gpt-oss:20b. This setup allows the attackers to avoid deploying the entire large model on the compromised network, instead establishing a tunnel to a server where the model is running. PromptLock targets Windows, Mac, and Linux devices, encrypting data using SPECK 128-bit encryption. ESET researchers discovered the code on VirusTotal, an online repository for malware analysis, on August 25, though its exact origin remains unknown beyond a general location in the United States.
A key feature of PromptLock is its reliance on the LLM to generate malicious scripts and perform context-aware actions. For example, screenshots provided by ESET show that the ransomware code prompts the AI to generate Lua scripts, analyze files to detect personally identifiable information, and even draft a ransom note. The ransom note generation is particularly noteworthy, as the AI uses its “analysis mode” to create a note that a typical ransomware actor might write, even including a sample Bitcoin address. This dynamic generation of attack components could make detection more difficult, as the indicators of compromise (IoCs) may vary with each execution.
Although ESET believes PromptLock is currently a proof of concept (PoC) rather than a fully operational threat, its existence serves as a critical warning to the cybersecurity community.
The company has yet to see evidence of the malware being deployed by threat actors in the wild, and some of its features appear to be unfinished. Nevertheless, its discovery highlights a new frontier in cybercrime. As AI agents are increasingly integrated into enterprise networks and given high-level administrative access, they become a prime target for prompt injection attacks, raising concerns about the security of these systems.
The development of PromptLock underscores a growing risk identified by AI security researchers: the potential for AI programs to be turned against their owners. The malware’s ability to leverage an LLM for its core functions demonstrates a novel and adaptable approach to cybercrime. While PromptLock may not yet be a widespread threat, it is a clear indicator of the future of ransomware, where AI-powered attacks could become more sophisticated, evasive, and difficult to detect. This discovery reinforces the need for enhanced security measures and ongoing research in defending against AI-enabled threats.
Reference:
