PromptLock is an AI-powered ransomware variant written in Golang that uses the gpt-oss:20b model locally via the Ollama API to generate malicious Lua scripts in real time. The Lua scripts, generated from hard-coded prompts, enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption across Windows, Linux, and macOS. The ransomware crafts custom ransom notes based on the affected files and the type of infected machine: personal computers, company servers, or power distribution controllers. The sample acts as a proof-of-concept that uses SPECK 128-bit to lock files, with potential for data exfiltration or destruction. Its IoCs vary between executions, which complicates detection. Artifacts were uploaded to VirusTotal on August 25, 2025.
PromptLock leverages Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption.
These Lua scripts are cross-platform compatible, functioning on Windows, Linux, and macOS.
PromptLock uses Lua scripts generated by AI, which means that indicators of compromise (IoCs) may vary between executions.
This variability introduces challenges for detection. If properly implemented, such an approach could significantly complicate threat identification and make defenders' tasks more difficult.
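Because the generated Lua differs on every run, a detection can key on what stays constant in the description above: requests to the Ollama API for gpt-oss:20b from a process that is not a known client, and prompts that repeat because they are hard-coded. The following is an added example, not code from the sample or from its analysts; the telemetry format, field names, process names and allowlist are constructed assumptions.

```python
import hashlib
import json
from collections import defaultdict

OLLAMA_PATHS = {"/api/generate", "/api/chat"}  # Ollama REST endpoints
WATCHED_MODEL = "gpt-oss:20b"                  # model named on this page
ALLOWED_CLIENTS = {"ollama", "approved-chat-ui"}  # assumption: site-specific allowlist

# Constructed sample telemetry (JSON lines); field names are hypothetical.
SAMPLE_EVENTS = """\
{"host":"ws-01","process":"approved-chat-ui","path":"/api/chat","body":{"model":"llama3","messages":[]}}
{"host":"ws-02","process":"updater.exe","path":"/api/generate","body":{"model":"gpt-oss:20b","prompt":"<constructed prompt A>"}}
{"host":"srv-07","process":"svc_helper","path":"/api/generate","body":{"model":"gpt-oss:20b","prompt":"<constructed prompt A>"}}
{"host":"ws-03","process":"notes-app","path":"/api/generate","body":{"model":"gpt-oss:20b","prompt":"summarise my notes"}}
{"host":"ws-02","process":"updater.exe","path":"/healthz","body":{}}
not-json garbage line
"""

def prompt_fingerprint(body):
    """Hash the request prompt: hard-coded prompts repeat even when output varies."""
    text = body.get("prompt") or json.dumps(body.get("messages", []), sort_keys=True)
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]

def find_suspicious(lines):
    """Return (alerts, repeated): per-event alerts and prompt hashes seen on >1 host."""
    alerts, hosts_by_prompt = [], defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the hunt
        body = ev.get("body") or {}
        if ev.get("path") not in OLLAMA_PATHS or body.get("model") != WATCHED_MODEL:
            continue  # not a request for the watched model
        if ev.get("process") in ALLOWED_CLIENTS:
            continue  # expected client for this environment
        fp = prompt_fingerprint(body)
        hosts_by_prompt[fp].add(ev.get("host"))
        alerts.append({"host": ev.get("host"), "process": ev.get("process"), "prompt_fp": fp})
    repeated = {fp: sorted(h) for fp, h in hosts_by_prompt.items() if len(h) > 1}
    return alerts, repeated

if __name__ == "__main__":
    alerts, repeated = find_suspicious(SAMPLE_EVENTS.splitlines())
    for a in alerts:
        print("ALERT", a)
    for fp, hosts in repeated.items():
        print("SAME PROMPT ON MULTIPLE HOSTS", fp, hosts)
```

The per-event alerts catch any unapproved caller of the model, while the repeated-prompt grouping separates an identical prompt seen on several hosts from one-off legitimate use.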