PromptLock Reveals New AI-Driven Ransomware Threat

- ESET identifies PromptLock, a ransomware using generative AI to autonomously create malicious scripts and target files across multiple platforms.
AI Enables Autonomous Malware Behavior
Security researchers at ESET have discovered a novel ransomware strain named PromptLock, which uses generative artificial intelligence to carry out its attack. Unlike conventional malware, which ships its logic as fixed code, PromptLock drives a locally reachable AI language model over an API and has it generate malicious scripts at run time. During infection, the model decides which files to search, copy, or encrypt, introducing a new level of autonomy into the attack. This development marks a significant shift in how threat actors may operate in the future.
Anton Cherepanov, senior malware researcher at ESET, emphasized that PromptLock reflects a broader transformation in the cybersecurity landscape. The malware generates Lua scripts that run on Windows, Linux, and macOS, which makes a single sample portable across all three platforms. Based on hard-coded prompts, it enumerates and inspects local files before deciding whether to exfiltrate or encrypt them. A data-destruction capability is present in the code but is not yet functional.
Technical Characteristics and Distribution
PromptLock is written in Golang and encrypts files with SPECK, a lightweight block cipher published by the NSA in 2013 for constrained environments; the variant used operates on 128-bit blocks. Early samples have already been uploaded to VirusTotal, the platform used for malware analysis and sharing. ESET currently treats PromptLock as a proof of concept but warns that its capabilities pose a genuine threat. The use of AI lowers the barrier to entry for launching sophisticated attacks, reducing the need for a coordinated team of developers.
Cherepanov noted that a well-configured AI model can now produce complex, adaptive malware capable of evading traditional detection methods. This shift could make the work of cybersecurity professionals more difficult, especially as AI-generated code evolves rapidly. PromptLock reaches a freely available language model through an API and executes the scripts it returns directly on the infected host, so the malicious logic never has to be shipped in the binary. One prompt even includes a Bitcoin address reportedly linked to Satoshi Nakamoto, a curious detail in the malware's configuration.
Implications for Cybersecurity Defense
ESET has released technical documentation to inform and prepare the cybersecurity community for emerging threats like PromptLock. The malware has been officially classified as Filecoder.PromptLock.A, signaling its entry into tracked ransomware families. As AI continues to influence malware development, defenders must adapt their strategies to counter increasingly autonomous and unpredictable threats. The discovery underscores the need for proactive monitoring and collaboration across the security industry.
While PromptLock is not yet widespread, its design suggests that future variants could become more destructive and harder to detect. The integration of generative AI into malware represents a turning point in threat evolution. Security teams will need to account for AI-driven decision-making in their defense models: because each run can yield different generated scripts, signatures on the Lua payload alone are unreliable, and the stable artifacts to hunt for are the Go loader, its traffic to the model API, and the fixed encryption routine. ESET's findings serve as an early warning of what may lie ahead in the next phase of cyberattack innovation.
Lua’s Role in Cross-Platform Malware