Have you ever seen a movie where the villain uses AI to automatically hack systems, gaining access to the files and gain control of the infrastructure? What if such a threat turned into a reality?

The world’s first AI-powered ransomware is already here, and it is dangerous in more ways than one could think of.

Even though it is a proof of concept developed by a team of researchers and professors in New York, it shows the level of threat and danger that future threats could pose.

Let us explore what PromptLock is, how it works, what makes it unique, and some preventive measures that can be implemented against threats.

What is PromptLock?

PromptLock is a ransomware that uses GenAI to orchestrate attacks. It was created as a project by a team of six computer science professors and researchers from New York University as a proof of concept showing that open source LLMs can be used to create sophisticated ransomware attacks.

While it was meant to be non-functional outside their lab environment, the team uploaded the ransomware to VirusTotal (owned by Google), which offers an online service for scanning URLs and files using multiple engines to detect viruses, malware, and other threats.

The team also simulated attacks on multiple platforms to test the ransomware’s adaptivity, and they found that it easily executed across Windows, Linux, Raspberry Pi OS, and macOS.

It uses Ollama API to remotely access OpenAI’s GPT-OSS-20b (LLM) through a proxy tunnel to effectively:

• Orchestrate all the stages of a ransomware attack.
• Generate malicious scripts in real-time. These scripts are Lua scripts(specific scripts used for automation) based on hard-coded prompts for performing multiple jobs across all the stages of the attack.
• Deploy tailored payloads.

Based on predefined prompts, PromptLock automatically decides whether it has to exfiltrate data or encrypt data, making it highly challenging for defense mechanisms to detect its presence.

How does it work?

It uses hardcoded prompts to automate stages of a ransomware attack using scripts generated in real-time. Let us see how it works step by step:

• User runs a malicious binary containing PromptLock code
• Launches a local instance of LLM
• Generates Lua scripts (based on hardcoded prompts)

Lua scripts perform multiple actions across all stages of attack without raising suspicion of scanners. They perform actions like:

• Scanning
• Enumerating the local filesystem
• Exfiltrating and encrypting data using the SPECK cipher, which is light, fast, and efficient
• Generating ransom notes

Stages of a ransomware attack

Reconnaissance – Infection – Escalation – Scanning – Encryption – Ransom note/payday

What makes the ransomware dangerous?

PromptLock is more dangerous than any other ransomware because it:

Is highly unpredictable

As opposed to traditional ransomware that uses repeating signatures or code patterns, PromptLock uses unique patterns and code, making it highly challenging for detectors to detect it.

Automates attack

It automatically orchestrates an attack using scripts that perform all the actions in each stage of the attack, from scanning & enumerating files to creating ransom notes.

Uses a strong cipher

PromptLock uses the SPECK cipher, which is super light and efficient, allowing attackers to encrypt files without consuming much time or resources.

Can target multiple platforms

Using PromptLock, attackers can easily target multiple widely used platforms like Windows, Linux, and macOS.

Makes attacking easy for criminals

It makes it easier even for attackers with little coding knowledge to carry out attacks.

Costs almost nothing to carry out an attack

As per the 21-page paper published by the team behind the proof of concept, it costs almost nothing to carry out the attack. It uses 23 tokens per end-to-end run that costs around $0.70. With smaller models, it can cost almost nothing, making it highly affordable for any hacker.

Proves that cyber attacks will be more dangerous

It proves how attackers can use AI to build dangerous payloads and create an adaptive ransomware that can automatically learn and improve its attack.

What can be done against such threats?

Monitor the usage of AI – restrict or track calls to LLM model APIs

Monitor if there is unusual execution of scripts across endpoints and servers

Use zero trust to monitor AI-generated content and establish control and monitoring of inputs

Create IR playbooks that are tailored against AI-driven and adaptive attacks

Adopt behavior detection – Detectors like EDR must go beyond code signatures and watch execution patterns

Harden systems by limiting process permissions, applying least privilege rules, and isolating workloads

Secure API keys by rotating them and mitigating their exposure

Deploy DLP tools to monitor traffic and block unusual activity

Train people to recognize AI-driven attacks and new threat models.