In August 2025, ESET researchers discovered something that security professionals had been warning about for years: the first known AI-powered ransomware. They named it PromptLock.
The samples weren't from a nation-state hacking group or a sophisticated criminal enterprise. They came from NYU's Tandon School of Engineering, where researchers had uploaded their proof-of-concept to VirusTotal as part of a peer-reviewed study. The academic prototype was sophisticated enough that ESET initially couldn't determine whether it was research or a real threat.
That ambiguity is the point. The line between what AI can theoretically do and what malicious actors will actually deploy just got a lot thinner.
How PromptLock Works
Traditional malware is pre-compiled: attackers write malicious code, package it, and distribute it. Detection systems learn to recognize those packages through signatures, behavioral patterns, and heuristics. It's an arms race, but defenders have established playbooks.
PromptLock operates differently. The malware itself is written in Golang, but instead of containing pre-written attack logic, it embeds natural language prompts. At runtime, it invokes a locally hosted large language model (specifically gpt-oss-20b via the Ollama API) and instructs that model to generate malicious Lua scripts on the fly.
Those dynamically generated scripts handle the entire ransomware lifecycle: filesystem enumeration, target file identification, data exfiltration, and encryption using the SPECK 128-bit algorithm. Because the generated Lua is cross-platform, the same approach works on Windows, Linux, and macOS without per-platform changes to the malware.
The NYU team called their approach "Ransomware 3.0" because it represents a fundamental shift in how attacks are constructed. As lead researcher Md Raz explained, the system generates polymorphic variants that adapt to execution environments. Each run produces different bytecode, telemetry signatures, and timing patterns despite starting from identical prompts.
The cost to run a complete attack campaign using commercial APIs: approximately $0.70. Using locally hosted open-weight models: nothing beyond the compute the attacker already controls.
Why This Changes Defensive Calculus
The security implications go beyond just "ransomware got smarter." This represents a category shift that undermines core assumptions in defensive security.
Signature-based detection becomes unreliable. Traditional antivirus and endpoint detection rely on recognizing known malicious patterns. When the malicious code is generated fresh for each execution, there are no stable signatures to match. ESET's analysis noted that indicators of compromise may vary between executions, introducing significant challenges for threat identification.
Behavioral analysis gets harder. Defenders have increasingly relied on behavioral detection: watching for suspicious patterns like rapid file encryption or unusual data access. But AI-generated attacks can vary their behavior: different execution order, different timing, different patterns. The variance is a feature, not a bug.
Targeting gets smarter. The NYU research showed the AI correctly identified 63-96% of sensitive files depending on the environment. The model understands context. It knows what's valuable. Traditional ransomware encrypts everything and hopes some of it matters; an AI-powered variant can prioritize the files whose loss actually hurts, which makes the extortion more effective and the encryption phase shorter and quieter.
This connects directly to the agentic AI risks I explored in When Your AI Agent Becomes an Insider Threat. In that post, I described how AI agents with enterprise access represent a new category of privileged identity that can be compromised. PromptLock demonstrates the flip side: AI systems being purpose-built as attack tools rather than compromised after deployment.
The Broader Pattern
PromptLock isn't an isolated development. Anthropic has documented threat actors using Claude for large-scale extortion campaigns targeting healthcare and government organizations. The same capabilities that make AI useful for automation make it useful for automating attacks.
The OWASP framework for agentic applications I discussed previously identified "Unexpected Code Execution" as a top-10 risk: agents that can generate and execute code create pathways for attacker-controlled code to run on target infrastructure. PromptLock is essentially that risk packaged as a standalone weapon.
What makes this moment significant isn't that AI-powered malware is possible; security researchers have been demonstrating proofs of concept for years. It's that the gap between academic demonstration and deployable capability has collapsed. The NYU team intentionally withheld implementation details to prevent malicious exploitation, but the architecture is now public. The technique is documented. The models are freely available.
What Defenders Need to Do
The security community's recommendations for addressing AI-powered threats cluster around several key areas:
Monitor AI service connections. PromptLock relies on invoking an LLM at runtime. Organizations should be monitoring outbound connections to AI services (including local inference servers like Ollama) and flagging unexpected usage patterns. If a process on your network is suddenly making calls to a language model API, that's worth investigating. One caveat: Ollama listens on 127.0.0.1:11434 by default, so a PromptLock-style sample calling a model on the same machine never crosses the network perimeter. Catching it requires host-level telemetry (EDR or Sysmon network-connection events tied to the originating process image), not just proxy or firewall logs.
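The check described above, written out as an added example (this is not ESET's or NYU's code, and the event shape, hostnames allowlist, and process allowlist are assumptions for illustration). It takes host-level connection events in a Sysmon Event ID 3-like shape and raises an alert for any process image, matched on its full path, that reaches a hosted LLM API or the Ollama default port without being on the allowlist of expected clients:

```python
"""Flag processes that talk to LLM inference endpoints from host telemetry.

Added example, not code from the PromptLock research or from ESET. The event
fields, the allowlisted image paths and the sample events are constructed.
"""
from dataclasses import dataclass
from typing import List

# Hosted LLM APIs a workstation might legitimately reach (real hostnames).
LLM_API_HOSTS = {
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",
}

# Local/LAN inference servers. Ollama listens on 127.0.0.1:11434 by default and
# OLLAMA_HOST can widen that to the LAN; add any other servers you actually run.
LOCAL_INFERENCE_PORTS = {11434}

# Process images expected to call an LLM in this (hypothetical) environment.
# Match on the full, lower-cased image path, never on the bare file name.
ALLOWED_LLM_CLIENTS = {
    r"c:\users\dev\appdata\local\programs\microsoft vs code\code.exe",
    "/usr/local/bin/ollama",
}


@dataclass(frozen=True)
class NetEvent:
    """One outbound connection as host telemetry reports it (Sysmon-3-like shape)."""
    host: str        # endpoint the event came from
    image: str       # full path of the originating process image
    dest_host: str   # resolved destination hostname, or "" if none
    dest_ip: str
    dest_port: int


def is_llm_destination(ev: NetEvent) -> bool:
    """True if the connection targets a hosted LLM API or a local inference port."""
    if ev.dest_host.lower() in LLM_API_HOSTS:
        return True
    return ev.dest_port in LOCAL_INFERENCE_PORTS


def unexpected_llm_clients(events: List[NetEvent]) -> List[dict]:
    """Return one alert per LLM-bound connection from a non-allowlisted image."""
    alerts = []
    for ev in events:
        if not is_llm_destination(ev):
            continue
        if ev.image.lower() in ALLOWED_LLM_CLIENTS:
            continue
        alerts.append({
            "host": ev.host,
            "image": ev.image,
            "dest": ev.dest_host or f"{ev.dest_ip}:{ev.dest_port}",
            "reason": ("local inference server"
                       if ev.dest_port in LOCAL_INFERENCE_PORTS
                       else "hosted LLM API"),
        })
    return alerts


# Constructed sample telemetry (TEST-NET and RFC 1918 addresses), not from any incident.
SAMPLE_EVENTS = [
    NetEvent("ws-017", r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
             "api.openai.com", "203.0.113.10", 443),        # expected: IDE assistant
    NetEvent("ws-017", r"C:\Users\dev\Downloads\invoice_viewer.exe",
             "", "127.0.0.1", 11434),                        # loopback call to local Ollama
    NetEvent("srv-build-3", "/tmp/.cache/svc",
             "", "10.0.4.12", 11434),                        # LAN Ollama exposed via OLLAMA_HOST
    NetEvent("ws-017", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             "www.example.com", "203.0.113.20", 443),        # unrelated traffic
    NetEvent("srv-build-3", "/usr/local/bin/ollama",
             "", "127.0.0.1", 11434),                        # the server process itself
]

if __name__ == "__main__":
    for a in unexpected_llm_clients(SAMPLE_EVENTS):
        print(f"[{a['reason']}] {a['host']}: {a['image']} -> {a['dest']}")
```

Two of the five constructed events fire: the downloaded binary calling Ollama over loopback, and the unknown process on the build server reaching a LAN-exposed Ollama. The IDE and the Ollama server itself are allowlisted by full path; in production you would further pin allowlisted clients to a code-signing identity or hash, since a dropped binary can be renamed to anything.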
Strengthen behavioral baselines. Since signature detection becomes less reliable, behavioral monitoring becomes more important. But the baseline needs to be granular: not just "is this process encrypting files" but "is this process accessing files in an unusual pattern, even if the specific pattern varies."
Assume polymorphism. Security teams need to move away from thinking about specific malware variants and toward thinking about attack capabilities. The question isn't "do we detect PromptLock" but "do we detect ransomware behaviors regardless of how the code was generated."
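The two recommendations above (granular behavioral baselines, and detecting the ransomware capability rather than a specific variant) come down to scoring what a process does to the filesystem without caring about the order or timing it does it in. The following is an added example, not code from the NYU study or from any vendor product; the event shape, the thresholds, and the sample activity are all constructed for illustration. It slides a time window over each process's file writes and alerts when, within that window, a process rewrites many files across several directories and file types with encrypted-looking (high-entropy) content:

```python
"""Order- and timing-agnostic detection of an encryption burst per process.

Added example, not code from the PromptLock research. The FileWrite shape,
the thresholds and SAMPLE_EVENTS are constructed; tune thresholds against a
real baseline before deploying anything like this.
"""
import math
import posixpath
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileWrite:
    ts: float     # seconds
    pid: int
    image: str
    path: str
    data: bytes   # written content, or a sampled prefix of it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext/compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def window_stats(writes: List[FileWrite], high: List[bool]) -> Dict[str, float]:
    """Counts that describe a burst without reference to sequence or gaps."""
    dirs = {posixpath.dirname(w.path) for w in writes}
    exts = {posixpath.splitext(w.path)[1].lower() for w in writes}
    return {
        "writes": len(writes),
        "dirs": len(dirs),
        "exts": len(exts),
        "high_entropy_frac": sum(high) / len(writes),
    }


def detect_encryption_bursts(events: List[FileWrite], window_s: float = 60.0,
                             min_writes: int = 8, min_dirs: int = 3, min_exts: int = 3,
                             min_high_frac: float = 0.8,
                             entropy_threshold: float = 7.0) -> List[dict]:
    """Alert once per process whose worst window crosses every threshold."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev.pid, ev.image)].append(ev)

    alerts = []
    for (pid, image), writes in by_proc.items():
        writes.sort(key=lambda w: w.ts)                      # delivery order is irrelevant
        high = [shannon_entropy(w.data) >= entropy_threshold for w in writes]
        worst = None
        for i in range(len(writes)):
            j = i
            while j + 1 < len(writes) and writes[j + 1].ts - writes[i].ts <= window_s:
                j += 1
            stats = window_stats(writes[i:j + 1], high[i:j + 1])
            if (stats["writes"] >= min_writes and stats["dirs"] >= min_dirs
                    and stats["exts"] >= min_exts
                    and stats["high_entropy_frac"] >= min_high_frac):
                if worst is None or stats["writes"] > worst["writes"]:
                    worst = stats
        if worst is not None:
            alerts.append({"pid": pid, "image": image, **worst})
    return alerts


_rng = random.Random(2025)
_TEXT = b"Quarterly revenue summary and customer contact list. " * 40


def _fake_ciphertext() -> bytes:
    """Pseudo-random bytes standing in for encrypted output (constructed)."""
    return _rng.randbytes(2048)


def _constructed_events() -> List[FileWrite]:
    events = []
    # pid 4711: a user editing a few documents in one folder (low entropy, one type).
    for k, t in enumerate([3.0, 17.5, 41.2]):
        events.append(FileWrite(t, 4711, "/usr/bin/libreoffice",
                                f"/home/alice/docs/report{k}.odt", _TEXT))
    # pid 9002: a backup job writing high-entropy chunks, but one dir and one type.
    for k in range(10):
        events.append(FileWrite(100.0 + 2.0 * k, 9002, "/usr/bin/restic",
                                f"/mnt/backup/chunk{k}.blob", _fake_ciphertext()))
    # pid 5150: unknown binary rewriting valuable files across dirs and types,
    # with irregular gaps; emission order is scrambled on purpose.
    targets = [
        "/home/alice/docs/contracts.docx", "/home/alice/docs/budget.xlsx",
        "/home/alice/pictures/family.jpg", "/home/alice/pictures/id_scan.png",
        "/home/alice/code/app/config.yaml", "/home/alice/code/app/.env",
        "/home/alice/.ssh/id_ed25519", "/home/alice/downloads/tax_return.pdf",
        "/srv/share/finance/payroll.csv", "/srv/share/finance/invoices.db",
    ]
    gaps = [0.4, 3.1, 0.2, 7.8, 1.1, 0.3, 12.6, 0.9, 2.2, 4.4]
    t, burst = 200.0, []
    for path, gap in zip(targets, gaps):
        t += gap
        burst.append(FileWrite(t, 5150, "/tmp/.x/updater", path, _fake_ciphertext()))
    _rng.shuffle(burst)
    return events + burst


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for a in detect_encryption_bursts(SAMPLE_EVENTS):
        print(a)
```

Only pid 5150 fires: ten high-entropy rewrites across six directories and nine file types inside 33 seconds, regardless of the scrambled order and uneven gaps. The editor never reaches the write count, and the backup job, which writes just as much high-entropy data, stays under the directory and extension thresholds; that is the granularity the baseline needs so that "writes encrypted-looking data" alone is not an alert. In a real deployment the thresholds would come from observed per-role baselines, and the entropy sample would be a prefix read from the write, not the whole payload.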
Treat AI deployment as security-relevant. Any AI capability deployed in your environment, whether it's a coding assistant, a customer service agent, or a local LLM running on a developer laptop, is potentially relevant to your security posture. The AI governance principles I've written about previously apply here: you can't secure what you don't know about.
Implement robust backup and recovery. This isn't new advice, but it's worth emphasizing. Ransomware succeeds when organizations have no alternative to paying. Offline or immutable backups that are regularly restore-tested remain the most reliable defense against encryption-based extortion, regardless of how sophisticated the encryption tool becomes. Note that PromptLock's lifecycle includes exfiltration, so backups address the encryption but not the data-leak half of a double-extortion play.
The Uncomfortable Reality
The NYU researchers positioned their work as an early warning system: demonstrating the threat so defenders can prepare before malicious actors deploy similar capabilities. That's a legitimate research purpose, and their decision to withhold key implementation details reflects responsible disclosure practices.
But the cat is out of the bag. The architecture is public. The models are available. The cost is negligible. Security teams that are still planning their AI security strategy based on 2024 threat models are already behind.
The shift I described in the insider threat piece, where AI agents represent a new category of privileged identity, now has a counterpart: AI itself becoming a force multiplier for attackers. Both trends point in the same direction. Organizations need to treat AI security not as a future consideration but as an immediate operational requirement.
PromptLock was a proof-of-concept uploaded to VirusTotal by academic researchers. The next discovery might not be.
Sources: