Red Hot Cyber


PromptLock Arrives. The First Artificial Intelligence-Powered Ransomware for Windows and Linux

Redazione RHC : 27 August 2025 14:24

Finally (metaphorically speaking), we’re here. ESET experts have reported the first ransomware program in which artificial intelligence plays a key role.

The new sample has been named PromptLock. It is written in Go and uses OpenAI’s gpt-oss:20b model, run locally through the Ollama interface, to generate malicious Lua scripts in real time.

The scripts run directly on the device and allow the program to list files on the disk, analyze their contents, exfiltrate selected data, and encrypt them. The code runs on Windows, Linux, and macOS alike, making the threat cross-platform.

As its author intended it, the malware is meant not only to copy or encrypt information but also to destroy it outright, although the destruction functionality has not yet been implemented.

In the generated prompts, the researchers found a Bitcoin wallet address associated with Satoshi Nakamoto’s identity, further fueling interest in the sample.

The SPECK algorithm with a 128-bit key is used as the file encryption mechanism. This choice indicates the experimental nature of the development rather than a tool ready for large-scale attacks.
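The article names only the cipher and key size. As an added reference implementation (not code from the sample or from ESET), here is Speck128/128 in Go, the language the malware is written in, checked against the test vector published in the Speck specification; analysts can use it to recognise the round structure and the rotation constants 8 and 3 when reverse engineering a sample, or to decrypt files if a key is recovered from memory.

```go
package main

import (
	"fmt"
	"math/bits"
)

const speckRounds = 32 // Speck128/128 uses 32 rounds

// speckRound applies one Speck round to the (x, y) word pair with round key k.
func speckRound(x, y, k uint64) (uint64, uint64) {
	x = (bits.RotateLeft64(x, -8) + y) ^ k // ROR by 8, add, xor key
	y = bits.RotateLeft64(y, 3) ^ x        // ROL by 3, xor new x
	return x, y
}

// speckInverseRound undoes speckRound.
func speckInverseRound(x, y, k uint64) (uint64, uint64) {
	y = bits.RotateLeft64(y^x, -3)
	x = bits.RotateLeft64((x^k)-y, 8)
	return x, y
}

// speckExpandKey derives the round keys from a 128-bit key given as
// two 64-bit words (k1 is the high word, k0 the low word).
func speckExpandKey(k1, k0 uint64) [speckRounds]uint64 {
	var rk [speckRounds]uint64
	l, k := k1, k0
	for i := uint64(0); i < speckRounds; i++ {
		rk[i] = k
		l, k = speckRound(l, k, i) // the key schedule reuses the round function
	}
	return rk
}

// speckEncryptBlock encrypts one 128-bit block given as (x, y) words.
func speckEncryptBlock(rk [speckRounds]uint64, x, y uint64) (uint64, uint64) {
	for i := 0; i < speckRounds; i++ {
		x, y = speckRound(x, y, rk[i])
	}
	return x, y
}

// speckDecryptBlock inverts speckEncryptBlock with the same round keys.
func speckDecryptBlock(rk [speckRounds]uint64, x, y uint64) (uint64, uint64) {
	for i := speckRounds - 1; i >= 0; i-- {
		x, y = speckInverseRound(x, y, rk[i])
	}
	return x, y
}

func main() {
	// Published Speck128/128 test vector: key 0f0e0d0c0b0a0908 0706050403020100,
	// plaintext 6c61766975716520 7469206564616d20.
	rk := speckExpandKey(0x0f0e0d0c0b0a0908, 0x0706050403020100)
	cx, cy := speckEncryptBlock(rk, 0x6c61766975716520, 0x7469206564616d20)
	fmt.Printf("ct: %016x %016x\n", cx, cy) // a65d985179783265 7860fedf5c570d18
	px, py := speckDecryptBlock(rk, cx, cy)
	fmt.Printf("pt: %016x %016x\n", px, py)
}
```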

Experts emphasize that so far all indications point to a prototype or demo version: copies for Windows and Linux have been uploaded to VirusTotal, but there is no evidence of mass distribution.

Nevertheless, the fact that a generative model is used to dynamically create malicious code makes the threat fundamentally novel and worthy of the attention of the professional community.

ESET has classified the program as Filecoder.PromptLock.A and emphasizes that, even in concept form, such projects pave the way for the emergence of a new generation of ransomware.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.