NYU Scientists Develop, ESET Detects First AI-Powered Ransomware
ESET security researchers made waves last week when they announced the discovery of what they dubbed “PromptLock,” the first known generative AI-powered ransomware that can decide on its own whether to exfiltrate, encrypt, or even destroy data, and locally uses a freely available language model from OpenAI to generate malicious Lua scripts on the fly.
Early variants of PromptLock have landed on VirusTotal, though the researchers wrote that it hasn’t been seen in actual attacks. They said it appears to be a proof-of-concept or a work in progress rather than a fully realized ransomware, though the threat it represents is real.
That belief was backed up this week when the researchers were contacted by a group of professors, research scientists, and PhD students at NYU Tandon School of Engineering who had published a research paper last week describing what they called Ransomware 3.0, a malware prototype they developed that uses large language models (LLMs) to autonomously plan, adapt, and execute a ransomware attack.
ESET malware researchers Anton Cherepanov and Peter Strýček wrote that the research prototype developed by the academics “closely resembles the PromptLock samples discovered on VirusTotal” and added that “this supports our belief that PromptLock was a proof of concept rather than fully operational malware deployed in the wild. Nonetheless, our findings remain valid – the discovered samples represent the first known case of AI-powered ransomware.”
No Surprise
None of it should come as a surprise, Cherepanov and Strýček added, given the quick embrace of generative AI by threat actors and the rise of ransomware as a key cyberthreat over the past several years.
“AI models have made it child’s play to craft convincing phishing messages, as well as deepfake images, audio and video,” they wrote. “The ready availability of these tools also drastically lowers the barrier to entry for less tech-savvy attackers, allowing them to punch above their weight.”
That includes ransomware, which they called a “scourge [that] has, over the years, tested the cyber-mettle of countless organizations, with this type of malware also increasingly deployed by APT groups. As AI is already used by all types of threat actors to varying degrees, it’s also set to help power an increase in the volume and impact of ransomware attacks.”
Taking the Next Step
In their research paper, which was published on the arXiv site, the NYU group said their research and development of Ransomware 3.0 pushes what bad actors have already done with AI a significant step further.
“Recent research at the intersection of generative AI and malware has shown that LLMs can be used to create malicious payloads,” they wrote. “However, prior studies have primarily focused on offline code generation and prompt jail-breaking.”
They cited one earlier example, BlackMamba, a proof-of-concept keylogger that used an LLM to generate its Python payload on the fly, but noted that it did not include a performance evaluation. Ransomware 3.0, or PromptLock, is different, they wrote.
It “uses LLMs to orchestrate all phases of its attack chain, including autonomous synthesis and deployment of tailored malicious payloads on the fly, adapting to the execution environment and personalizing extortion demands,” they wrote. “We examine the feasibility and ramifications of Ransomware 3.0, which invokes an LLM to probe the victim environment, locate sensitive information, devise and execute an attack vector, and generate personalized extortion notes, thereby enacting the entire ransomware campaign with no human operator.”
Ransomware 3.0 also includes a behavioral evaluation capability “to promote future defenses,” they wrote.
Windows and Linux Variants
ESET’s Cherepanov and Strýček wrote that PromptLock uses OpenAI’s gpt-oss-20b model locally through the Ollama API to generate malicious Lua scripts on the fly and then executes them. The Lua scripts, generated from hard-coded prompts, enumerate the local filesystem, inspect the files they target, and exfiltrate and encrypt data.
The ransomware is written in Go, which, like Rust, is a versatile and cross-platform programming language that has become popular among malware writers. The ESET researchers said they found both Windows and Linux variants of PromptLock that had been uploaded to VirusTotal.
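The behavioural chain ESET describes, a local binary calling the Ollama API and then acting on the Lua it gets back, is something a detection engineer can correlate from ordinary endpoint telemetry. The Python below is an added illustration and is not code from ESET, the NYU team, or PromptLock itself. It assumes constructed JSON events with the fields shown, that Ollama listens on its default port 11434 and serves the /api/generate and /api/chat endpoints, and that the generated script is either written to a .lua file or handed to an external lua interpreter; the process and file names are made up.

```python
"""Correlate a local LLM API call with follow-on script execution or a
file-write burst by the same process.  Added example; the telemetry format,
thresholds and the Ollama port/endpoint assumptions are all ours."""
from collections import defaultdict

OLLAMA_PORT = 11434                              # Ollama default; assumed unchanged
LLM_API_PATHS = ("/api/generate", "/api/chat")   # Ollama text-generation endpoints
WINDOW_SECONDS = 60        # how long after the LLM call we look for follow-on activity
FILE_BURST_THRESHOLD = 20  # distinct files written inside the window to count as a burst


def constructed_events():
    """Hand-built telemetry, not real PromptLock logs: a benign chat client
    (pid 100), a suspect binary (pid 200) and a backup job (pid 300)."""
    ev = [
        {"ts": 10, "type": "net_connect", "pid": 100, "image": "/usr/bin/chat-ui",
         "dst_ip": "127.0.0.1", "dst_port": 11434, "path": "/api/chat"},
        {"ts": 12, "type": "file_write", "pid": 100, "image": "/usr/bin/chat-ui",
         "path": "/home/u/notes.txt"},
        {"ts": 20, "type": "net_connect", "pid": 200, "image": "/tmp/updater",
         "dst_ip": "127.0.0.1", "dst_port": 11434, "path": "/api/generate"},
        {"ts": 21, "type": "file_write", "pid": 200, "image": "/tmp/updater",
         "path": "/tmp/task.lua"},
        {"ts": 22, "type": "process_create", "pid": 201, "ppid": 200,
         "image": "/usr/bin/lua", "cmdline": "lua /tmp/task.lua"},
    ]
    # The generated script rewrites 25 documents within a few seconds.
    for i in range(25):
        ev.append({"ts": 23 + i * 0.1, "type": "file_write", "pid": 200,
                   "image": "/tmp/updater", "path": f"/home/u/docs/report{i}.docx.enc"})
    # A backup job touches many files but never talks to an LLM API.
    for i in range(40):
        ev.append({"ts": 50 + i, "type": "file_write", "pid": 300,
                   "image": "/usr/bin/rsync", "path": f"/backup/file{i}"})
    return ev


def is_llm_api_call(e):
    """True for a connection to the assumed local Ollama generation endpoints."""
    return (e["type"] == "net_connect" and e.get("dst_port") == OLLAMA_PORT
            and e.get("path") in LLM_API_PATHS)


def find_suspects(events):
    """Return {pid: [reasons]} for processes that call a local LLM API and then
    drop/run a Lua script or write an unusual number of files."""
    events = sorted(events, key=lambda e: e["ts"])
    by_pid = defaultdict(list)
    children = defaultdict(list)  # ppid -> process_create events
    for e in events:
        by_pid[e["pid"]].append(e)
        if e["type"] == "process_create":
            children[e["ppid"]].append(e)

    findings = {}
    for pid, evs in by_pid.items():
        llm_calls = [e for e in evs if is_llm_api_call(e)]
        if not llm_calls:
            continue                      # no LLM call: this rule does not apply
        t0 = llm_calls[0]["ts"]
        t1 = t0 + WINDOW_SECONDS
        written = {e["path"] for e in evs
                   if e["type"] == "file_write" and t0 <= e["ts"] <= t1}
        reasons = []
        if any(p.endswith(".lua") for p in written):
            reasons.append("wrote a .lua script after the LLM call")
        if any(t0 <= c["ts"] <= t1 and "lua" in c["image"].lower()
               for c in children[pid]):
            reasons.append("spawned a Lua interpreter after the LLM call")
        if len(written) >= FILE_BURST_THRESHOLD:
            reasons.append(f"wrote {len(written)} distinct files within "
                           f"{WINDOW_SECONDS}s of the LLM call")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in find_suspects(constructed_events()).items():
        print(pid, "->", "; ".join(reasons))
```

Only pid 200 is reported; the chat client makes the same API call but shows none of the follow-on behaviour, and the backup job writes more files but never calls the model. Two caveats for anyone adapting this: a Go binary can embed a Lua interpreter, in which case there is no child lua process and possibly no .lua file on disk, leaving the API call plus the file burst as the only signal; and an operator who moves Ollama to another port or host defeats the port match, so in production the "LLM call" predicate should cover any local inference server rather than one hard-coded port.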
“Regardless of the intent behind PromptLock, its discovery points to how AI tools can be used to automate various stages of ransomware attacks, from reconnaissance to data exfiltration, at a speed and scale once thought impossible,” Cherepanov and Strýček wrote. “The prospect of AI-powered malware that can, among other things, adapt to the environment and change its tactics on the fly may generally represent a new frontier in cyberattacks.”
The Threat of AI-Powered Ransomware
Cybersecurity vendors for the past couple of years have speculated how AI could be used by ransomware groups. Craig Fretwell, global head of security operations for Rackspace Technology, wrote this week that “the era of ‘click to encrypt, wait for ransom’ ransomware is fading. The business model that once crippled thousands of companies is evolving, and not in a good way. You’re now facing a smarter, more manipulative threat: AI-powered data extortion. This isn’t a future scenario. It’s happening now.”
Fretwell noted that the number of ransomware payments dropped between 2023 and 2024, thanks to organizations using better backups and stronger recovery strategies, as well as growing legal pressure that discouraged ransom payments.
That said, attackers adapted: rather than merely encrypting, they began exfiltrating huge datasets and using generative AI to transform stolen emails, chat logs, contracts, financial data, and source code into “targeted, high-pressure extortion.”
Analyzing Data, Bypassing Defenses
They’re using LLMs like OpenAI’s GPT-4 and Meta’s LLaMA 2 to quickly analyze and prioritize stolen data, interpret sentiment and context like fear, shame, or tension in internal conversations, map conversations between executives about sensitive subjects like acquisitions, and sort data for maximum impact.
“Most security tools are designed to catch obvious threats such as encryption activity, malware or persistent binaries,” Fretwell wrote. “AI-powered extortion bypasses these defenses altogether, operating in ways that leave no traditional indicators for detection. Attackers quietly extract data, process it off-network and then disappear. The extortion threat comes later, with no obvious indicator that a breach occurred. No malware. No encryption. No red flags — until the ransom note arrives.”