ESET Discovers AI-powered Ransomware PromptLock

Facebook
Twitter
LinkedIn
Based on predefined text prompts, PromptLock autonomously determines whether to exfiltrate or encrypt data. (Image Courtesy: ESET)
Based on predefined text prompts, PromptLock autonomously determines whether to exfiltrate or encrypt data. (Image Courtesy: ESET)

ESET researchers have uncovered a new type of ransomware that leverages generative artificial intelligence (GenAI) to execute attacks. Named PromptLock, the malware runs a locally accessible AI language model to generate malicious scripts in real time. During infection, the AI autonomously decides which files to search, copy, or encrypt โ€” marking a potential turning point in how cybercriminals operate.

โ€œThe emergence of tools like PromptLock highlights a significant shift in the cyber threat landscape,โ€ said Anton Cherepanov, senior malware researcher at ESET, who analysed the malware alongside fellow researcher Peter Strรฝฤek.

PromptLock creates Lua scripts that are compatible across platforms, including Windows, Linux, and macOS. It scans local files, analyses their content, and โ€” based on predefined text prompts โ€” determines whether to exfiltrate or encrypt the data. A destructive function is already embedded in the code, though it remains inactive for now.

ESET Logo (Image Courtesy: ESET official Website)

The ransomware uses the SPECK 128-bit encryption algorithm and is written in Golang. Early variants have already surfaced on the malware analysis platform VirusTotal. While ESET considers PromptLock a proof of concept, the threat it represents is very real.

โ€œWith the help of AI, launching sophisticated attacks has become dramatically easier โ€” eliminating the need for teams of skilled developers,โ€ added Cherepanov. โ€œA well-configured AI model is now enough to create complex, self-adapting malware. If properly implemented, such threats could severely complicate detection and make the work of cybersecurity defenders considerably more challenging.โ€

PromptLock uses a freely available language model accessed via an API, meaning the generated malicious scripts are served directly to the infected device. Notably, the prompt includes a Bitcoin address reportedly linked to Bitcoin creator Satoshi Nakamoto.

Source

Share.

RELATED POSTS

Armor Dash gives C-suite and board leaders a real-time view of security posture, compliance, and AI readiness โ€” pulled directly from source systems, with nothing to assemble. (Image Courtesy: PRNewswire)
Armor Unveils Dash for unfiltered view of Cybersecurity and AI risk
Hewar Group launched ThinkMate, a digital and AI framework for its integrated MarCom operations, supporting structured AI adoption and digital capability development. Image courtesy: Hewar Group
Hewar Group launches ThinkMate
Aramco Executive Vice President of Technology and Innovation, Ahmad O. Al Khowaiter and Pasqal CEO, Wasiq Bokhari, at the launch of Saudi Arabiaโ€™s first Quantum Computer and the Middle Eastโ€™s first commercial Quantum Computing as a Service (QCaaS) platform. Image Courtesy: Aramco
Aramco and Pasqal Launch Saudi Arabiaโ€™s Quantum Computer

LATEST POSTS

WSFunded CEOs Albert Suriol and Iรฑaki Martรญnez at the Prop Firm London Expo, representing the companyโ€™s growing presence within the European prop trading industry. Image Courtesy-WSFunded
The platform brings together healthcare commerce, professional services, logistics, business transactions and technology solutions. Image Courtesy-MedSahra
OMODA & JAECOO continues strengthening its position as one of the worldโ€™s fastest-growing intelligent mobility brands after recording another month of exceptional global sales growth while accelerating the rollout of advanced intelligent driving technologies destined for the UAE. Image courtesy: OMODA & JAECOO
The opening of this branch also marks a key milestone in accelerating the shift of daily transactions to digital channels. Image Courtesy: alBaraka Bank