First AI-Driven Ransomware Developed Using OpenAI’s GPT-OSS:20B Model
ESET, a cybersecurity company, has disclosed the discovery of an artificial intelligence (AI)-powered ransomware variant it codenamed PromptLock. Written in Go, the sample calls OpenAI's gpt-oss:20b model through the Ollama API at run time to generate malicious Lua scripts on the fly; the open-weight model was released by OpenAI earlier this month. The prompts are hard-coded in the binary, and the Lua they produce enumerates the local filesystem, inspects target files, exfiltrates selected data, and encrypts files. ESET noted that the generated Lua scripts are cross-platform, running on Windows, Linux, and macOS. The binary also embeds instructions for the model to compose a ransom note tailored to the “files affected”, with wording that anticipates targets ranging from personal computers and company servers to power distribution controllers.
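Because the Lua payload is produced by the model on each run, hashes of the scripts are poor indicators; what stays constant is the outbound traffic to an Ollama generation endpoint from a process that has no business talking to an LLM server. The following is an added example (not ESET's code and not part of the PromptLock analysis) that runs that behavioural check over constructed telemetry. The log format, the allowlist of expected client processes and the burst threshold are all assumptions for illustration; the Ollama default port (TCP 11434) and the `/api/generate` and `/api/chat` endpoints are Ollama's real defaults.

```python
import json
from collections import defaultdict, deque

# Ollama's REST API listens on TCP 11434 by default and serves text
# generation on /api/generate and /api/chat.
OLLAMA_PORT = 11434
OLLAMA_PATHS = ("/api/generate", "/api/chat")

# Hypothetical allowlist of processes expected to call an Ollama server
# in this environment (assumption; tune per site).
ALLOWED_PROCESSES = {"python3", "open-webui"}

# A ransomware loader that drives several hard-coded prompts will make
# several generation calls in quick succession. Threshold is an assumption.
BURST_COUNT = 3
BURST_WINDOW_S = 60

# Constructed sample telemetry (not real PromptLock traffic): one JSON
# record per line with epoch timestamp, source host, process name,
# destination address, destination port and HTTP request path.
# ws-42 talks to a non-default port, as a tunnelled Ollama server would.
SAMPLE_LOGS = """\
{"ts": 1756100000, "src": "ws-17", "proc": "python3", "dst": "10.0.0.5", "dport": 11434, "path": "/api/generate"}
{"ts": 1756100010, "src": "ws-42", "proc": "svchost.exe", "dst": "203.0.113.9", "dport": 8080, "path": "/api/generate"}
{"ts": 1756100015, "src": "ws-42", "proc": "svchost.exe", "dst": "203.0.113.9", "dport": 8080, "path": "/api/generate"}
{"ts": 1756100022, "src": "ws-42", "proc": "svchost.exe", "dst": "203.0.113.9", "dport": 8080, "path": "/api/generate"}
{"ts": 1756100030, "src": "ws-42", "proc": "svchost.exe", "dst": "203.0.113.9", "dport": 8080, "path": "/api/generate"}
{"ts": 1756100100, "src": "ws-08", "proc": "chrome", "dst": "198.51.100.20", "dport": 443, "path": "/index.html"}
{"ts": 1756100200, "src": "srv-03", "proc": "updater", "dst": "10.0.0.5", "dport": 11434, "path": "/api/chat"}
"""


def is_ollama_request(rec):
    """Match on the default port OR the generation paths, so a server
    reached through a tunnel on an arbitrary port is still caught."""
    return rec["dport"] == OLLAMA_PORT or rec["path"] in OLLAMA_PATHS


def detect(lines):
    """Return alerts for non-allowlisted (host, process) pairs that call an
    Ollama generation endpoint. Severity is raised to 'high' once the pair
    makes BURST_COUNT calls inside BURST_WINDOW_S seconds."""
    recent = defaultdict(deque)  # (src, proc) -> timestamps in the window
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if not is_ollama_request(rec) or rec["proc"] in ALLOWED_PROCESSES:
            continue
        key = (rec["src"], rec["proc"])
        window = recent[key]
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > BURST_WINDOW_S:
            window.popleft()
        alert = alerts.setdefault(
            key, {"src": rec["src"], "proc": rec["proc"], "dst": rec["dst"],
                  "count": 0, "severity": "medium"})
        alert["count"] += 1
        if len(window) >= BURST_COUNT:
            alert["severity"] = "high"
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed input this yields two alerts: a high-severity one for `svchost.exe` on `ws-42`, which burst four generation requests to a non-default port, and a medium one for the single `updater` call from `srv-03`; the allowlisted `python3` client and ordinary browsing are ignored. Pair this with a scan of suspect binaries for the hard-coded prompt strings, which do not change between runs.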
The identity of the malware's author is currently unknown. ESET told The Hacker News that PromptLock artifacts were uploaded to VirusTotal from the United States on August 25, 2025. Because the Lua scripts are generated by the model at run time, indicators of compromise (IoCs) such as script hashes can differ from one execution to the next; a production-grade version of this technique would make signature-based detection noticeably harder, so defenders are better served by keying on what stays constant, namely the hard-coded prompts in the binary and the network path to an Ollama API endpoint. ESET assesses PromptLock as a proof of concept (PoC) rather than fully operational malware. It locks files with the SPECK 128-bit block cipher, and analysis of the artifact suggests it could also be used to exfiltrate or destroy data, although the destruction routine does not appear to be implemented yet. ESET also clarified that PromptLock does not download the entire model, which would be several gigabytes; instead, attackers can establish a proxy or tunnel from the compromised network to a server running the Ollama API with the gpt-oss:20b model. The emergence of PromptLock shows how AI has lowered the bar for cybercriminals, including those without much technical expertise, to stand up new campaigns, develop malware, and produce convincing phishing content and malicious sites.
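The article names SPECK as the file-locking cipher, which matters for incident response: SPECK is a small, fully specified block cipher, so if the key material is recovered from a sample or from memory, a decryptor is a few dozen lines. The block below is an added example (not PromptLock's code and not from ESET) implementing Speck128/128, the 128-bit block, 128-bit key variant, with the NSA implementation guide's little-endian word layout and its published test vector. The article does not say which mode of operation PromptLock uses; the CTR helper here is an assumption for illustration, and the sample plaintext is constructed.

```python
# Speck128/128: two 64-bit words per block, two 64-bit key words,
# 32 rounds, rotation amounts alpha=8 and beta=3.
WORD_BITS = 64
MASK = (1 << WORD_BITS) - 1
ROUNDS = 32
ALPHA, BETA = 8, 3


def ror(x, r):
    return ((x >> r) | (x << (WORD_BITS - r))) & MASK


def rol(x, r):
    return ((x << r) | (x >> (WORD_BITS - r))) & MASK


def expand_key(key: bytes):
    """Derive the 32 round keys from a 16-byte key. Words are loaded
    little-endian as in the implementation guide: k0 = key[0:8], l0 = key[8:16]."""
    if len(key) != 16:
        raise ValueError("Speck128/128 needs a 16-byte key")
    k = int.from_bytes(key[:8], "little")
    l = int.from_bytes(key[8:], "little")
    round_keys = [k]
    for i in range(ROUNDS - 1):
        # Key schedule reuses the round function with the round index as key.
        l = ((ror(l, ALPHA) + k) & MASK) ^ i
        k = rol(k, BETA) ^ l
        round_keys.append(k)
    return round_keys


def encrypt_block(block: bytes, round_keys) -> bytes:
    """One 16-byte block; y is the first word in memory, x the second."""
    y = int.from_bytes(block[:8], "little")
    x = int.from_bytes(block[8:], "little")
    for k in round_keys:
        x = ((ror(x, ALPHA) + y) & MASK) ^ k
        y = rol(y, BETA) ^ x
    return y.to_bytes(8, "little") + x.to_bytes(8, "little")


def decrypt_block(block: bytes, round_keys) -> bytes:
    """Inverse round function applied with the round keys in reverse order."""
    y = int.from_bytes(block[:8], "little")
    x = int.from_bytes(block[8:], "little")
    for k in reversed(round_keys):
        y = ror(y ^ x, BETA)
        x = rol(((x ^ k) - y) & MASK, ALPHA)
    return y.to_bytes(8, "little") + x.to_bytes(8, "little")


def ctr_crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """CTR mode over arbitrary-length data; the same call encrypts and decrypts.
    CTR is assumed here for illustration; the mode PromptLock uses is not stated."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    round_keys = expand_key(key)
    out = bytearray()
    for counter, off in enumerate(range(0, len(data), 16)):
        keystream = encrypt_block(nonce + counter.to_bytes(8, "little"), round_keys)
        out.extend(a ^ b for a, b in zip(data[off:off + 16], keystream))
    return bytes(out)


if __name__ == "__main__":
    # Published Speck128/128 test vector from the implementation guide.
    key = bytes(range(16))
    pt = bytes.fromhex("206d616465206974206571756976616c")
    print(encrypt_block(pt, expand_key(key)).hex())
```

The test vector check is the important part: a SPECK implementation with the word order or rotation direction wrong will still round-trip its own output, so always validate against the published vector before trusting a decryptor on victim data.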
Categories: AI-Powered Ransomware, Cross-Platform Malware, Cybersecurity Threats
Tags: AI, Ransomware, PromptLock, Golang, Lua, Encryption, Exfiltration, Cybersecurity, Malware, Detection