ESET Research has identified “PromptLock,” which it describes as the first AI-powered ransomware: rather than shipping pre-compiled malicious logic, it uses a locally hosted AI model to generate its components at run time. The sample drives OpenAI’s gpt-oss:20b model through the Ollama API to produce cross-platform Lua scripts on the fly, and those generated scripts perform the system enumeration, inspection of target files, data exfiltration and file encryption; the encryption uses the lightweight SPECK 128-bit cipher. PromptLock appears to be a proof of concept that is still under development, with a data-destruction feature that is present but not yet functional. Curiously, the sample embeds a Bitcoin address linked to Satoshi Nakamoto. As locally run large language models become more widespread, defenders should expect more malware that offloads its logic to them. ESET has documented indicators of compromise, including SHA-1 hashes of the samples, for detection.
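The behaviour described above, a process on the host posting script-generation prompts to a local Ollama instance, is something endpoint telemetry can surface. The following hunting script is an added example written for this summary; it is not ESET's code and nothing in it was recovered from PromptLock. It assumes EDR-style JSON-lines records with the fields proc, dst, method, path and body (a constructed schema), Ollama's default port 11434 and its /api/generate and /api/chat endpoints, a hypothetical allowlist EXPECTED_CLIENTS, and a keyword heuristic of my own; the sample telemetry is constructed, and the SHA-1 hashes from ESET's IoC list are not reproduced here.

```python
"""Hunt endpoint telemetry for a process using a local Ollama instance as a code generator.

Assumed input (constructed schema): one JSON object per line with the fields
  proc   - name of the process that made the request
  dst    - destination host:port
  method - HTTP method
  path   - request path
  body   - raw request body as a string
"""
import json
import re
from typing import Optional

OLLAMA_PORT = 11434                                # Ollama's default listening port
GENERATION_PATHS = {"/api/generate", "/api/chat"}  # endpoints that return model output

# Hypothetical allowlist: processes expected to drive Ollama on this host.
EXPECTED_CLIENTS = {"open-webui", "code"}

# Assumed heuristic: a prompt that asks for a script AND names a file operation
# (enumerate, encrypt, upload, ...) is the pattern described for PromptLock.
SCRIPT_WORDS = re.compile(r"\b(lua|script|code)\b", re.I)
FILE_OP_WORDS = re.compile(
    r"\b(enumerat\w*|list|walk|encrypt\w*|upload|exfiltrat\w*|delete|wipe)\b", re.I)


def is_ollama_generation(rec: dict) -> bool:
    """True for POSTs to an Ollama text-generation endpoint on the default port."""
    _, _, port = rec.get("dst", "").rpartition(":")
    return (port == str(OLLAMA_PORT)
            and rec.get("method") == "POST"
            and rec.get("path") in GENERATION_PATHS)


def extract_prompt(body: Optional[str]) -> str:
    """Pull the prompt text out of an /api/generate or /api/chat request body."""
    try:
        payload = json.loads(body or "")
    except ValueError:
        return ""
    if not isinstance(payload, dict):
        return ""
    if "prompt" in payload:                         # /api/generate shape
        return str(payload["prompt"])
    messages = payload.get("messages", [])          # /api/chat shape
    return " ".join(str(m.get("content", "")) for m in messages if isinstance(m, dict))


def assess(rec: dict) -> Optional[dict]:
    """Score one telemetry record; None when there is nothing to report."""
    if not is_ollama_generation(rec):
        return None
    score, reasons = 0, []
    if rec.get("proc") not in EXPECTED_CLIENTS:
        score += 1
        reasons.append(f"unexpected client process {rec.get('proc')!r}")
    prompt = extract_prompt(rec.get("body"))
    if SCRIPT_WORDS.search(prompt) and FILE_OP_WORDS.search(prompt):
        score += 2
        reasons.append("prompt requests a script that performs file operations")
    if not reasons:
        return None
    severity = {1: "low", 2: "medium"}.get(score, "high")
    return {"ts": rec.get("ts"), "proc": rec.get("proc"), "severity": severity,
            "reasons": reasons, "prompt": prompt[:120]}


def hunt(lines) -> list:
    """Run assess() over JSON-lines telemetry, skipping malformed lines."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        finding = assess(rec) if isinstance(rec, dict) else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry, not real captures.
SAMPLE_RECORDS = [
    {"ts": "2025-08-26T09:00:01Z", "proc": "code", "dst": "127.0.0.1:11434",
     "method": "POST", "path": "/api/generate",
     "body": json.dumps({"model": "gpt-oss:20b", "prompt": "Explain what this Python function does"})},
    {"ts": "2025-08-26T09:00:05Z", "proc": "backup-agent", "dst": "127.0.0.1:11434",
     "method": "POST", "path": "/api/chat",
     "body": json.dumps({"model": "gpt-oss:20b",
                         "messages": [{"role": "user", "content": "Summarise today's release notes"}]})},
    {"ts": "2025-08-26T09:00:09Z", "proc": "updater", "dst": "127.0.0.1:11434",
     "method": "POST", "path": "/api/generate",
     "body": json.dumps({"model": "gpt-oss:20b",
                         "prompt": "Write a Lua script that enumerates every file under the home "
                                   "directory, encrypts each one and uploads the originals"})},
    {"ts": "2025-08-26T09:00:12Z", "proc": "curl", "dst": "127.0.0.1:11434",
     "method": "GET", "path": "/api/tags", "body": ""},
    {"ts": "2025-08-26T09:00:20Z", "proc": "code", "dst": "127.0.0.1:11434",
     "method": "POST", "path": "/api/generate",
     "body": json.dumps({"model": "gpt-oss:20b", "prompt": "Write a Lua script to encrypt a config file"})},
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LINES):
        print(f["severity"].upper(), f["ts"], f["proc"], "; ".join(f["reasons"]))
```

On the constructed sample this yields three findings: the unknown backup-agent process scores low because its prompt is benign, the allowlisted editor asking for a file-encryption script scores medium (a developer can legitimately ask for that, so the allowlist alone must not silence it), and the unknown updater process asking for a script that enumerates, encrypts and uploads files scores high. The keyword heuristic is deliberately coarse and will need tuning per environment; the published SHA-1 hashes remain the higher-fidelity signal and should be layered on top of this behavioural check rather than replaced by it.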