Researchers at ESET have identified what they believe is the first instance of ransomware to use an integrated AI language model to generate malicious code on the fly.
Dubbed PromptLock, the malware leverages OpenAI's gpt-oss:20b model locally via the Ollama API, enabling cross-platform, dynamic script generation that enhances flexibility and detection evasion.
The discovery was publicly disclosed by ESET Research on X following analysis of malware samples uploaded to VirusTotal. The samples, targeting both Windows and Linux environments, are written in Golang and classified under the identifier Filecoder.PromptLock.A. ESET emphasized that PromptLock appears to be a proof-of-concept still under development, and may as well be an experiment not intended for malicious deployment. Still, its appearance marks a significant technical leap in ransomware evolution.
PromptLock's design allows it to generate Lua scripts on demand, using hard-coded prompts fed into the local instance of the gpt-oss:20b model. These scripts are used for file system enumeration, selective data exfiltration, and encryption. This design enables PromptLock to operate across Windows, macOS, and Linux environments without requiring separate builds, an unusual level of portability for ransomware.
ESET
The malware uses the SPECK 128-bit encryption algorithm for file locking and includes logic for potentially destructive actions, though ESET noted that file destruction routines do not appear to be fully implemented yet. Among the unusual elements in the code is a hardcoded Bitcoin address associated with Satoshi Nakamoto, the pseudonymous inventor of Bitcoin, a detail that may serve as a red herring or symbolic gesture rather than a functional ransom payment mechanism.
ESET
While the ransomware does not embed the entire LLM (which would add gigabytes to the binary), it sidesteps that issue by establishing an internal proxy to an attacker-controlled server running the Ollama API and the model. This tunneling method is a technique commonly used to bypass network restrictions while maintaining access to external resources.
PromptLock shares strategic similarities with LAMEHUG, an AI-powered malware previously deployed by suspected Russian APT groups in Ukraine. In that case, the attackers utilized HuggingFace's Qwen 2.5-Coder-32B-Instruct model to dynamically generate system commands, thereby granting the malware the flexibility to adapt across various environments. However, PromptLock pushes the boundary further by integrating the model locally, allowing for offline generation of malicious code and eliminating reliance on external APIs.
Unlike traditional malware, which relies on static logic, AI-integrated malware can alter its behavior in real-time based on context, environment, or system data, making it challenging to respond to this emerging threat.
ESET advises defenders to monitor for anomalous Lua script execution, particularly those involving system enumeration or encryption routines, and shared file hashes. Network administrators should inspect outbound connections for signs of proxy tunneling to LLM-serving infrastructure, especially via the Ollama API.
Leave a Reply