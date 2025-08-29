Zensec (formally Solace Cyber) alerts the cybersecurity community to the emergence of PromptLock, the first known AI-powered ransomware, discovered by ESET researchers.



Although not yet active in the wild, this proof of concept strain demonstrates the disturbing potential of generative AI to revolutionise ransomware tactics.



PromptLock leverages OpenAI’s gpt oss:20b model via the Ollama API, running locally to generate Lua scripts in real time. These dynamically produced scripts enable:



• Enumeration and inspection of local filesystems

• Decision-based exfiltration, encryption (via SPECK 128-bit), and potential future destructive actions

• Cross-platform compatibility across Windows, macOS, and Linux environments



ESET emphasises that PromptLock remains a proof-of-concept and that no active ransom campaigns have been detected. Nevertheless, the architecture signals how AI could soon render ransomware more adaptable and evasive.



What Makes It Distinctive



• Non-deterministic behaviour: Each execution produces different code, complicating detection by traditional cybersecurity tools

• Local model execution: The AI model runs on, or proxied through, the infected device—eliminating reliance on external APIs and reducing exposure

• Written in Golang for portability across different operating systems



Managing Director of Zensec David Wing said: “The discovery of AI-powered ransomware like PromptLock is a stark reminder of how quickly cyber threats are evolving. Our commitment remains the same – stay ahead of the curve and equip businesses with the intelligence, tools, and guidance they need to defend against these next-generation threats.”





In light of this threat, organisations are advised to:



• Increase monitoring and threat hunting, especially around AI infrastructure, Ollama endpoints, and Lua execution environments.

• Implement network segmentation and limit AI-model access to contain misuse.

• Apply behaviour-based detection to flag anomalies and non-deterministic script execution.

• Train cybersecurity teams on prompt injection vulnerabilities and AI misuse scenarios.

• Regularly update and back up data and revisit disaster recovery and incident response plans.



About Zensec

Zensec is a leading provider of cybersecurity services, including threat intelligence, incident response, ransomware preparedness, and staff training. We empower organisations to anticipate, withstand, and recover from sophisticated cyber threats with proactive, intelligent protection.



Press Contact:

Richard Bessant

Commercial Director

Zensec

rbessant@solaceglobal.com

07407 688 826

www.zensec.co.uk