Cybersecurity researchers at ESET have identified a groundbreaking new form of ransomware powered by generative artificial intelligence (GenAI). The malware, called PromptLock, uses a locally available AI language model to create harmful scripts on the fly during an attack. This marks a new era in cybercrime.

Unlike traditional ransomware, PromptLock allows the AI itself to make decisions in real time — choosing which files to locate, copy, or encrypt during an infection. According to ESET senior malware researcher Anton Cherepanov, who investigated the malware with colleague Peter Strýček, this innovation could mark a critical shift in the cyber threat landscape.


PromptLock is capable of creating Lua-based scripts that run seamlessly across multiple platforms, including Windows, Linux, and macOS. The malware scans local files, evaluates their content, and, based on preset prompts, decides whether the data should be stolen or encrypted. Although a destructive capability already exists in its code, researchers note that it has not yet been activated.

Technically, the ransomware is written in Golang and relies on the SPECK 128-bit encryption algorithm. Early samples of PromptLock have already been spotted on the malware repository VirusTotal. While ESET classifies it as a proof of concept, the risks it poses are far from theoretical.


“With AI, the barrier to creating complex and adaptive malware has dropped significantly,” Cherepanov warned. “What once required teams of skilled developers can now be achieved with a properly configured AI model. This could make ransomware campaigns harder to detect and far more difficult to defend against.”

Adding to its intrigue, PromptLock operates by tapping into a freely available AI model via API, which delivers malicious scripts directly to infected systems. Researchers also discovered that the ransomware’s prompt includes a Bitcoin wallet address reportedly associated with Satoshi Nakamoto, the elusive creator of Bitcoin.

