PromptLock: the First AI-Powered Ransomware Using OpenAI

Security researchers at ESET have uncovered what may be the first AI-powered ransomware, PromptLock, introducing a new paradigm in cyber threats. This isn't just another malware variant; it represents ransomware that autonomously crafts its own malicious actions using AI. At its core is OpenAI’s gpt-oss:20b model, employed locally via the Ollama API to dynamically generate Lua scripts that target and compromise systems across Windows, macOS, and Linux.

Despite still being a proof-of-concept (PoC), PromptLock stands as a troubling signal of what's possible—giving attackers the power to generate evasive behavior in real time. Its capabilities include:

• Dynamic script generation, executing instructions that change per environment, such as file enumeration, exfiltration, and encryption

• Usage of SPECK 128-bit encryption, a lightweight but effective NSA-developed algorithm

• A Bitcoin address tied to Satoshi Nakamoto embedded, a likely red herring or signature

• Detected variants on VirusTotal, though destruction functionality hasn’t been implemented yet

PromptLock: The Primary Concerns

Because PromptLock generates non-deterministic scripts based on LLM prompts, each attack looks different, thereby making traditional detection tools less effective. And since the LLM runs locally, defenders lose visibility into where the attack originated.

How AI is Reshaping the Ransomware Playbook

PromptLock isn’t an isolated anomaly; it's part of a broader trend highlighted by Anthropic and ESET: AI is increasingly enabling cybercriminals to automate and enhance attack methods.

For example:

• GTG-5004 has used Anthropic’s Claude model to sell ransomware with evasion tactics

• GTG-2002 leveraged Claude Code to automate the entire ransomware pipeline, from creation to extortion, targeting critical sectors

This shift shows that even low-skilled adversaries can now harness AI to generate sophisticated malware, pushing cyber warfare into a new era.

Mitigation Strategies: Adapting to AI-Powered Threats

• Behavioral Detection & Threat Hunting

  • Deploy EDR that analyzes behavior patterns rather than static indicators.

  • Monitor for unusual AI model behaviors or local LLM usage.

• Endpoint Isolation & Execution Controls

  • Limit or audit execution of local models (e.g., via Ollama).

  • Use application allowlists and strict script execution policies.

• Network Segmentation & Least Privilege Access

  • Segment critical assets to reduce malware impact.

  • Require strict authorization for modifying sensitive systems.

• Proactive Red Teaming & Scenario Planning

  • Simulate AI-driven threats in tabletop exercises and pen tests.

  • Test detection readiness against dynamically generated scripts.

• Visibility & Transparency in AI Use

  • Log where LLMs are deployed.

  • Update policies to restrict unauthorized local model usage.

What does this mean for security leaders?

• Barrier to entry for creation of malware has dropped: Local LLMs democratize attacker tools

• Signature-based detection is increasingly insufficient: Non-deterministic behaviors demand advanced defenses

• AI-powered ransomware is no longer sci-fi: PromptLock proves it's technically feasible (and on the horizon)

In this evolving threat landscape, it's crucial for organizations to maintain agility. The key to resilience isn’t just blocking attacks; it’s anticipating them.

Conclusion

The discovery of PromptLock, the first ransomware powered by OpenAI’s gpt-oss:20b model, marks a turning point in cybersecurity. While still in a proof-of-concept stage, it highlights the growing reality that attackers are already experimenting with AI as a weapon, not just a tool. By leveraging local language models, ransomware can now dynamically generate new attack paths, evade traditional detection, and scale in ways we’ve never faced before.

For CISOs and security teams, the implications are clear: yesterday’s defenses will not withstand tomorrow’s AI-driven threats. Traditional, signature-based tools are no longer enough. To stay ahead, organizations must invest in behavioral detection, endpoint controls, segmentation, and proactive AI threat modeling.

PromptLock may only be the beginning, but it is a warning worth heeding. Defenders who evolve quickly—embracing AI defensively, rehearsing adversary simulations, and tightening governance over where AI runs in their environments—will be best positioned to protect their data, customers, and reputation in this new era of cyber warfare.