Skip to main content
CybersecurityMalware & Ransomware

AI-powered ransomware: Stunning New Risk Exposed

AI-powered ransomware: Stunning New Risk Exposed

AI-powered ransomware: what PromptLock means for defenders

“We knew automation would change criminal tradecraft. We did not expect it to be this fast.” That private observation from a veteran incident responder now feels prophetic. Security researchers at ESET have revealed a new strain of AI-powered ransomware, dubbed PromptLock, that combines a locally hosted generative model with traditional extortion techniques. The result is a more adaptive, stealthier threat that shifts how defenders must think about detection, containment, and policy.

PromptLock is written in Go and leverages the open-weight model gpt-oss:20b from OpenAI, invoked locally via the Ollama API. Rather than shipping a fixed suite of scripts and routines, the malware queries the LLM to synthesize Lua code on demand, tailoring payloads to the infected host and its environment. Because the model runs on-premises, PromptLock can produce and execute malicious code without continuous remote command-and-control communications, reducing observable network chatter and complicating attribution.

How a local LLM changes ransomware dynamics

– Agility: An LLM lets the malware generate bespoke scripts that target the specific configuration of a victim environment—file paths, services, or processes—without needing a large repository of prebuilt modules.
– Evasion: Dynamically generated code undermines signature-based approaches. Each compromise can produce unique artifacts, so byte-pattern detection and static indicators lose reliability.
– Scale and democratization: Operators can run more complex campaigns with smaller teams because the LLM offloads technical tasks like crafting exploit scripts or obfuscating payloads. This lowers the barrier to entry for less skilled cybercriminals.

Technical anatomy of PromptLock

ESET’s analysis highlights a few repeatable components:
– Golang binary that serves as the malware orchestrator and communicates with the local Ollama agent.
– Invocation of gpt-oss:20b, an open-weight model that organizations can host outside OpenAI’s cloud, enabling offline generation.
– Generated Lua snippets that perform common ransomware behaviors—discovery, lateral movement, file encryption, and payload execution—executed by embedded interpreters on the host.

Because the LLM is local, operators avoid reliance on persistent C2 infrastructure for payload generation. That reduces the attack surface for network-based interdiction and emphasizes the need to monitor host-level activity.

Practical defensive measures

Detection must evolve from static signatures toward layered controls that assume code can be synthesized at runtime. Recommended actions include:

– Inventory and access control for local model hosting: Identify endpoints and servers capable of running LLMs and restrict access to the Ollama API or similar agents. Treat any local-serving model as sensitive infrastructure.
– Runtime and behavioral telemetry: Expand logging to capture process creation, unusual script execution (Lua or other embedded interpreters), anomalous use of local-serving ports, and suspicious parent-child process chains.
– Least-privilege and segmentation: Limit which processes can execute generated scripts, enforce strict process privilege separation, and segment networks to reduce lateral movement potential.
– Application control and code integrity: Implement allowlisting where feasible, and monitor for rapid changes in binaries or scripted payloads that bypass traditional execution controls.
– Incident response updates and tabletop exercises: Incorporate AI-assisted attack scenarios into playbooks and drills. Ensure responders know how to isolate hosts running local models and preserve forensic evidence that may include ephemeral model outputs.

Policy and industry implications

Open-weight model releases accelerate both defensive research and offensive misuse. Policymakers and platform vendors must strike a balance: enabling innovation and testing while reducing risk. Possible levers include responsible release practices, secure-by-default settings for local-serving tooling (e.g., authentication, audit logs, rate limits), and clearer requirements for vendors that distribute LLM hosting platforms.

There is also an argument for defensive openness: defenders benefit when they can run models in-house to emulate attacks and harden controls. But broad access means malicious actors only need one successful adaptation to cause outsized damage, so governance, standards, and incentives for safer model distribution are essential.

Operational risk and supply chain considerations

Organizations should assume adversaries will use generative AI. Third-party risk assessments must evaluate whether suppliers host local models that could be co-opted. Contracts and audits should require evidence of secure hosting, access controls, and monitoring around any on-premises model-serving infrastructure.

Forensic and attribution complications

When models synthesize code, distinguishing human authorship or tool-specific signatures becomes harder. Forensic teams will need to expand their toolsets to examine model prompts, local API logs, and transient artifacts. Preserving Ollama or similar API logs could be critical in investigations, as they may contain generated outputs or invocation metadata.

Conclusion: adapting to AI-powered ransomware

PromptLock’s use of gpt-oss:20b via Ollama demonstrates that adversaries will rapidly integrate capable models into malware. This does not mean defenses are hopeless—rather, defenders must pivot to behavioral analytics, hardened model-hosting practices, stricter access controls, and updated incident playbooks that assume adversaries can synthesize code on demand. Policymakers and vendors must also respond with safer release practices and secure defaults for local-serving tooling. The balance between innovation and risk will determine whether the next chapter of cyber conflict favors those who weaponize intelligence or those who build robust controls around it.