PromptLock: The Dawn of AI-Powered Ransomware and How to Defend Against It

Posted on by
Contents show
PromptLock: The Dawn of AI-Powered Ransomware and How to Defend Against It Illustration of an artificial-intelligence brain transforming into a ransomware padlock.
A split-tone illustration showing a neural-network brain morphing into a padlock wrapped in binary code.

1. Introduction

Ransomware has evolved relentlessly for more than a decade—from basic screen lockers to double-extortion schemes and, most recently, triple-extortion campaigns that threaten data leaks, DDoS, and legal harassment in one fell swoop. But on 26 August 2025, researchers at ESET disclosed proof-of-concept malware that pushes ransomware into truly uncharted territory. Nicknamed PromptLock, this strain is believed to be the first to weaponize an on-device large language model (LLM) for generating its malicious payload in real time.

Instead of packing static, pre-compiled code, PromptLock carries nothing more than a curated set of prompts. Once executed, those prompts are fed to a locally running instance of gpt-oss-20b through the Ollama API. The model obliges by producing Lua scripts that enumerate the victim’s system, analyse file contents, select high-value data, exfiltrate it, and finally encrypt it with the lightweight SPECK-128 cipher. In short, the malware writes itself on the victim machine.

Why is that a watershed moment? Because security tooling historically relies on signatures, heuristics, and behavioural baselines built around known code patterns. When the malicious logic is born on the endpoint—tailored on the fly to that very environment—those traditional controls lose enormous visibility. PromptLock demonstrates that the cost and complexity barrier for AI-native malware has fallen dramatically. With open-source models, offline inference engines, and prompt-engineering tutorials widely available, the next wave of ransomware crews can iterate faster and hide deeper than ever before.

This article offers a 360-degree analysis of PromptLock: its architecture, the LLM plumbing under the hood, the cross-platform scripting techniques, and the broader ramifications for defenders. We will close with a pragmatic playbook you can apply today to harden your WordPress-managed infrastructure—and the rest of your estate—against this new breed of adaptive, AI-fuelled ransomware.

2. What Makes PromptLock a Game-Changer?

At first glance PromptLock might look like just another Golang binary uploaded to VirusTotal. Dig a little deeper, however, and three disruptive attributes emerge:

  1. On-the-fly code generation – Traditional ransomware hard-codes its file-system crawler, encryption routine, and network communication. PromptLock instead ships with prompts such as “Act as a cross-platform Lua code generator. Produce a script that enumerates OS details for Windows, Linux, and macOS…”. The malicious logic is synthesized at runtime, meaning two victims might receive entirely different payloads.
  2. Local LLM inference – The attackers do not call OpenAI’s cloud. They run gpt-oss-20b locally, sidestepping OpenAI’s TOS, rate limits, and content filters. Running the model on the victim’s network also eliminates tell-tale traffic to external AI services that most SOCs would flag.
  3. Cross-platform reach – By tasking the model to generate Lua code, PromptLock achieves platform agnosticism. Lua’s embeddable interpreter exists for Windows, Linux, macOS, BSD, and even mobile OSes. A single prompt yields scripts that work almost anywhere.

Combined, these three traits mark a paradigm shift. Security teams can no longer assume that static analysis tools, YARA rules, or simple network IOCs will suffice. Defensive focus must move upstream—toward prompt detection, model tamper-proofing, and runtime policy enforcement that can inspect AI-generated code in memory.

3. Inside the PromptLock Attack Chain

PromptLock’s flow can be mapped to four distinct stages. While ESET’s sample is a proof-of-concept, each stage is production-ready enough to inspire copycats.

3.1 Stage 1 – Deployment & Local LLM Setup

The initial Golang executable embeds the Ollama runtime and the 20-billion-parameter model weights for gpt-oss-20b. On execution it:
• Drops the model to C:\ProgramData\gpt-oss-20b (Windows) or /var/lib/gpt-oss-20b/ (Linux).• Spins up an Ollama REST endpoint on 172.42.0.253:8443.• Confirms model integrity with a SHA-1 checksum.• Spawns a background process to keep the model resident in RAM, minimizing disk I/O fingerprints.

By shipping the model with the payload, the threat actor avoids large network downloads that might tip off egress filters. The only unusual indicator is a local service listening on an uncommon port—something many organisations sadly ignore.

3.2 Stage 2 – Prompt Engineering for Malice

PromptLock next assembles JSON bodies like the following (redacted for brevity):

The prompts are surprisingly well-crafted—free of typos, structured, and often include unit tests the generated script must pass. Researchers also found a decoy Bitcoin address (purportedly Satoshi Nakamoto’s genesis wallet) embedded in one prompt, perhaps as an Easter egg or smoke screen.

3.3 Stage 3 – Lua Script Generation & Execution

The model’s response is parsed line-by-line and written to /tmp/.plock-<hex>.lua. The Golang wrapper then launches the Lua interpreter shipped in the payload. Key behaviours observed:
System enumeration – Commands such as os.getenv("USER"), io.popen("hostname"), and Windows-specific WMI queries.• File discovery – Recursive walks starting at the user profile, skipping system directories, and filtering by extensions .docx, .csv, .sql, .pem, etc.• Content inspection – Regexes to detect PII (\d{3}-\d{2}-\d{4} for US SSNs, (?i)password\s*= in config files).Results are written back to a simple key-value database (BoltDB) bundled with the malware.

3.4 Stage 4 – Data Exfiltration & SPECK Encryption

For each high-value file, PromptLock initiates dual actions:

  1. Exfiltration – Files are base64-encoded and sent over HTTPS to a randomly chosen subdomain on mlcdn[.]net. The TLS client fingerprint is spoofed to mimic Chrome 122, complicating JA3-based detection.
  2. Encryption – The same file is encrypted locally with SPECK-128/ECB. A unique key is derived from SHA-256(hostname + username + PID) and then encrypted with the attacker’s RSA-2048 public key, following the classic hybrid-crypto model.

Victims receive a README_UNENCRYPTABLE.txt ransom note instructing them to pay 0.05 BTC for the decryptor—roughly $1 400 at today’s exchange rate. The PoC note is non-professional, hinting that the authors aren’t seasoned ransomware operators yet.

4. Why Golang + Lua? A Cross-Platform Power Combo

Golang has become the de-facto language for modern malware because it produces single-file static binaries, supports easy concurrency, and frustrates reverse engineers with its symbol-stripped builds. Lua, meanwhile, is a lightweight, embeddable scripting language embraced by game engines, IoT firmware, and security tools like Nmap.

By fusing the two, PromptLock enjoys:
Native performance (Golang) + dynamic flexibility (Lua).• Minimal external dependencies—perfect for air-gapped or low-footprint attacks.• The ability to regenerate Lua scripts per victim, while the Golang orchestrator remains mostly unchanged.• Reduced detection surface; Lua byte-code looks benign and is often whitelisted inside enterprise sandboxes.

5. The gpt-oss-20b Model & the Ollama API Explained

gpt-oss-20b is an open-source, 20-billion-parameter LLM released under an Apache 2.0 license. While not state-of-the-art compared with GPT-4, it offers a strong balance of language capability and compute cost. Crucially:
• It can run on a single high-end GPU (RTX 4090) or a modern CPU with quantization.• No usage telemetry flows back to the model authors, removing legal or ethical friction for bad actors.

Ollama provides a plug-and-play REST layer so developers—malicious or otherwise—can spin up a local LLM with one CLI command. PromptLock leverages endpoints like /v1/chat/completions exactly as a normal app would. Because the traffic is loopback (172.42.0.253), no firewall egress rules ever trigger.

The irony is palpable: the same tooling that empowers privacy-minded developers also gives ransomware crews the infrastructure to evade cloud-based content filters and to iterate rapidly during red-team ops.

6. Indicators of Compromise (IOCs)

While AI-native malware reduces static artifacts, ESET still published several forensic breadcrumbs:

SHA-1 hashes (family Filecoder.PromptLock.A):
24BF7B72F54AA5B93C6681B4F69E579A47D7C102AD223FE2BB4563446AEE5227357BBFDC8ADA3797BB8FB75285BCD151132A3287F2786D4D91DA58B8F3F4C40C344695388E10CBF29DDB18EF3B61F7EF639DBC9B365096D6347142FCAE64725BD9F73270161CDCDB46FB8A348AEC609A86FF5823752065D2

Network artifacts:
• Local listener 172.42.0.253:8443 (Ollama).• Outbound TLS to *.mlcdn[.]net.• User-agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 with JA3 fingerprint 4d7a28d9ea4a4a ….

Defenders should convert these into YARA, Suricata, and EDR watchlists without delay.

7. The Emerging Wave of AI-Native Ransomware

PromptLock is unlikely to stay unique for long. We are at the inflection point of a broader trend fuelled by:

  1. Open-source model abundance – Hundreds of GPT-class checkpoints now reside on Hugging Face. Quantized 7-b and 13-b versions run on laptops.
  2. Commodity inference runtimes – Ollama, LM Studio, llama.cpp, and vLLM lower the barrier to “bring your own model.”
  3. Prompt engineering tutorials – Blog posts, Discord servers, and even legitimate university courses publish step-by-step guides.
  4. Monetization frameworks – Ransomware-as-a-Service (RaaS) affiliates can simply swap their static locker module for a prompt pack.

Analysts speculate we will soon witness:
Polymorphic loaders – Prompts that ask the LLM to randomize API names and control-flow graphs per build.• Domain-specific social engineering – LLMs trained on niche industries to craft spear-phishing lures with insider jargon.• Self-healing implants – Agents that regenerate corrupted modules by re-querying the local model if a security product deletes them.

8. Strategic Implications for Defenders

The rise of AI-generated malware undermines several cornerstone assumptions:

Assumption 1: Malware binaries are of finite, catalog-able permutations.Reality: Each victim now receives unique Lua code, making hash-based blacklists obsolete.

Assumption 2: Sandbox detonations reveal full behaviour.Reality: PromptLock’s prompts can instruct the model to detect VM artefacts and neuter payload generation when virtualisation is sensed.

Assumption 3: Cloud AI services are chokepoints.Reality: With offline weights, exfiltration is the only outbound step, and even that can be proxied through compromised hosts.

For CISOs, that means doubling down on zero trust principles—least privilege, continuous verification, and, above all, defence in depth. Controls must extend from the gateway to the endpoint to the runtime memory space where scripts unfurl.

9. Best-Practice Playbook to Mitigate AI-Driven Ransomware

  1. Harden EDRs for Script-in-Memory DetectionEnsure your endpoint agents can inspect Lua, Python, JS, and PowerShell spawned from unknown parent processes. Behaviour is the new signature.
  2. Block Unsigned Local API ListenersA corporate asset rarely needs to run a REST service bound to 0.0.0.0. Egress micro-segmentation can kill Ollama before it breathes.
  3. Adopt Allow-List Execution PoliciesUse AppLocker (Windows) or fs-verity (Linux) so that only vetted binaries and interpreters run. No interpreter, no Lua.
  4. Monitor for Large Model FilesA 20-b parameter model is several gigabytes even when quantized. Flag sudden disk writes >1 GB inside %ProgramData% or /var/lib.
  5. Deploy Content-Disarm & Reconstruction (CDR)Strip macros, active content, and embedded interpreters from inbound files. This reduces beachheads for the initial Golang dropper.
  6. Exercise Immutable BackupsSnapshot frequently, store offline, and test restore. AI or not, ransomware’s leverage evaporates if you can roll back painlessly.
  7. Educate Users About LLM PhishingAwareness training must now cover AI-generated spear-phishing that sounds uncannily human. Use phishing simulations that leverage LLMs to keep pace.

10. Building an AI-Resilient Security Posture

Beyond tactical controls, organisations should treat AI threats as a strategic risk class.

Model Governance – Keep a software bill of materials (SBOM) for every on-prem LLM you deploy. Validate checkpoints, apply access controls, and rotate API keys.

Red-Team AI – Commission penetration tests that explicitly attempt LLM-assisted payloads. Capture lessons before adversaries do.

Threat Intel Integration – Subscribe to feeds that include prompt IOCs—yes, that is becoming a thing. Normalise them into your SIEM.

Cross-functional Collaboration – Security, data science, and DevOps teams must jointly own AI risk. Each brings unique visibility, from GPU workloads to anomalous network flows.

Regulatory Preparedness – Frameworks like the EU AI Act will demand risk assessments for AI systems. Get ahead of compliance now rather than bolt it on later.

11. Conclusion – Preparing for the Next Evolution

PromptLock may be a fledgling proof-of-concept, but it signals a future where ransomware authors tap the same generative AI revolution that is transforming legitimate software development. By harnessing local LLMs, they gain polymorphism, stealth, and an unprecedented ability to adapt to each victim environment in real time.

Security leaders must respond in kind—elevating behavioural analytics, enforcing strict execution policies, and widening visibility into the grey area where AI helpers could flip from productivity boosters to attack enablers. The playbook in this article will help you harden today, but continuous vigilance, shared threat intelligence, and a culture of assumed breach remain your best defences as the era of AI-powered ransomware begins.

Stay informed, stay patched, and stay resilient.

More Articles For You
Subscription Form