
    ESET Unveils PromptLock: The First Ransomware Powered by GenAI

    Cybersecurity company ESET has identified a new ransomware variant, PromptLock, which is powered by generative AI. The malware uses a locally accessible AI language model to generate malicious scripts in real time, which ESET describes as a turning point in cybercriminal methodology.

    ESET presents the discovery as a significant change to the cyber threat landscape. “The emergence of tools like PromptLock highlights a significant shift in the cyber threat landscape,” says Anton Cherepanov, Senior Malware Researcher at ESET. This evolution reduces the need for specialized developer teams to create complex, self-adapting malware, making sophisticated attack tools more accessible.

    Ransomware development has traditionally required a high degree of technical knowledge for coding, implementation, and management. Cybercriminal groups invested considerable resources to create robust and difficult-to-detect malware.

    The integration of Generative AI into the attack process, as seen in PromptLock, fundamentally alters this paradigm. An AI model’s ability to autonomously generate attack components significantly reduces the barrier to entry for malicious actors.

    This advancement allows for the creation of threats that can dynamically adapt to their environment, which complicates detection and response efforts for security teams. The relevance for the business sector lies in the potential proliferation of more complex, personalized attacks that no longer require the infrastructure of large cybercrime syndicates.

    A technical analysis by ESET indicates that PromptLock is written in Go (Golang) and uses the 128-bit SPECK encryption algorithm. Its core mechanism generates scripts in Lua, a lightweight scripting language, which gives it cross-platform compatibility across Windows, Linux, and macOS.

    A key feature of PromptLock is its autonomous decision-making capability. During an infection, the AI model analyzes local files and, based on predefined text prompts, determines whether to exfiltrate or encrypt data. The ESET report notes that while a destructive function is embedded in the code, it remains inactive in the analyzed variants.

    The malware uses a freely available language model, accessed via an API, so the malicious scripts are generated and served directly to the infected device, which streamlines attack execution. Researchers also identified a Bitcoin address in the prompt, reportedly linked to Bitcoin creator Satoshi Nakamoto.
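    The behaviour described above (a process querying a local language model and then dropping and running Lua scripts) is something endpoint telemetry can be correlated on. The following is an added example written for this article, not ESET's detection logic or anything from the PromptLock sample: a small rule over constructed process, network and file events that alerts when one process contacts a loopback inference API and then writes or executes Lua within a time window. The loopback ports are assumptions (the article names no model server; 11434 is the Ollama default, 8080 a common llama.cpp server port), and the sample events are constructed, not real indicators.

```python
"""Added example (not from the ESET report): a telemetry correlation rule for
a process that queries a local LLM inference API and then writes or runs Lua."""
from collections import defaultdict

# Assumptions: the article does not name the local model server, so these
# loopback ports are placeholders (11434 is the Ollama default, 8080 is a
# common llama.cpp server port). Tune to the inference servers in your fleet.
LOCAL_LLM_PORTS = {11434, 8080}
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}
LUA_INTERPRETERS = {"lua", "lua5.3", "lua5.4", "luajit"}

# Constructed sample telemetry (not real PromptLock artefacts). pid 4242 shows
# the suspicious sequence; 5100 only calls the model; 6000 only runs Lua.
EVENTS = [
    {"ts": 100, "pid": 4242, "image": "updater.exe", "type": "net_connect",
     "dst": "127.0.0.1", "port": 11434},
    {"ts": 103, "pid": 4242, "image": "updater.exe", "type": "file_write",
     "path": "C:\\Users\\Public\\enum.lua"},
    {"ts": 104, "pid": 4242, "image": "updater.exe", "type": "process_create",
     "child": "lua", "cmdline": "lua C:\\Users\\Public\\enum.lua"},
    {"ts": 110, "pid": 5100, "image": "editor.exe", "type": "net_connect",
     "dst": "127.0.0.1", "port": 11434},
    {"ts": 120, "pid": 6000, "image": "game.exe", "type": "process_create",
     "child": "luajit", "cmdline": "luajit mods/init.lua"},
]


def is_local_llm_call(ev):
    """Outbound connection from the process to a loopback inference port."""
    return (ev["type"] == "net_connect"
            and ev.get("dst") in LOOPBACK_HOSTS
            and ev.get("port") in LOCAL_LLM_PORTS)


def is_lua_activity(ev):
    """Process wrote a .lua file or launched a Lua interpreter."""
    if ev["type"] == "file_write":
        return ev.get("path", "").lower().endswith(".lua")
    if ev["type"] == "process_create":
        return ev.get("child", "").lower() in LUA_INTERPRETERS
    return False


def correlate(events, window=300):
    """Return one alert per process that contacted a local LLM API and then
    showed Lua activity within `window` seconds of that first contact.
    Lua activity *before* the model call does not count, so ordinary Lua
    users (games, editors) that never talk to the model stay quiet."""
    first_llm = {}                 # pid -> ts of first local model call
    evidence = defaultdict(list)   # pid -> Lua events after that call
    images = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        images[pid] = ev["image"]
        if is_local_llm_call(ev):
            first_llm.setdefault(pid, ev["ts"])
        elif (is_lua_activity(ev) and pid in first_llm
              and ev["ts"] - first_llm[pid] <= window):
            evidence[pid].append(ev)
    return [
        {"pid": pid, "image": images[pid], "llm_ts": first_llm[pid],
         "lua_events": len(evidence[pid])}
        for pid in first_llm if evidence[pid]
    ]


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

    Run against the constructed events, only pid 4242 (model call followed by a .lua write and a Lua interpreter launch) produces an alert; the editor that merely queries the model and the game that merely runs Lua do not. In a real deployment the same two-stage shape applies to whatever process, DNS and file sources the EDR exposes; the window and port set are the knobs to tune for false positives.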

    ESET classifies PromptLock as a proof of concept, designated Filecoder.PromptLock.A. Initial variants have appeared on the VirusTotal malware analysis platform. Although it is a proof of concept, the company states the threat is tangible.

    According to Cherepanov, such threats, if properly implemented, “could severely complicate detection and make the work of cybersecurity defenders considerably more challenging.” 
