PromptLock: The First Glimpse of AI-Powered Ransomware

August 27, 2025

Cybersecurity researchers at ESET have uncovered what they believe to be the first known AI-powered ransomware, a new malware strain named PromptLock. While the good news is that it doesn’t appear to be fully functional yet, its discovery marks an unsettling turning point in the evolution of cybercrime.

A Proof of Concept – But a Warning Sign

ESET’s Anton Cherepanov and Peter Strýček revealed that PromptLock is likely a proof-of-concept or a work in progress, rather than a weapon currently being deployed in real-world attacks. However, even in its unfinished state, the malware demonstrates just how easily artificial intelligence can be harnessed by criminals to strengthen their attack chains.

How PromptLock Works

At its core, PromptLock takes advantage of OpenAI’s gpt-oss-20b model, running locally through the Ollama API. This allows the ransomware to dynamically generate malicious Lua scripts on an infected machine, making its behaviour unpredictable and harder to detect.

The scripts can:

  • Scan the local filesystem

  • Identify and inspect files

  • Exfiltrate selected data

  • Encrypt targeted content

Although the code includes references to file destruction, this feature does not yet appear to be operational.

The ransomware itself is written in Go (Golang), a programming language increasingly favoured by cybercriminals for its versatility across platforms. Early analysis shows that both Windows and Linux variants of PromptLock have already been uploaded to VirusTotal.
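
For defenders, the dependency on the Ollama API described above is something that can be watched for. The following is an added example, not ESET's tooling or code from the malware: it scans constructed telemetry for processes outside an allowlist calling the Ollama API. The event format, process names and allowlist are assumptions; port 11434 is Ollama's default.

```python
import json

OLLAMA_PORT = 11434                       # Ollama's default listen port
OLLAMA_PATHS = ("/api/generate", "/api/chat")
# Assumption: processes expected to talk to Ollama in this environment.
ALLOWED_PROCESSES = {"ollama", "open-webui"}
WATCHED_MODEL = "gpt-oss-20b"             # model named in the article

# Constructed sample telemetry (not real logs), one JSON event per line.
SAMPLE_EVENTS = """\
{"ts":"2025-08-27T10:00:01Z","proc":"open-webui","dport":11434,"path":"/api/chat","body":{"model":"llama3"}}
{"ts":"2025-08-27T10:02:13Z","proc":"updater.bin","dport":11434,"path":"/api/generate","body":{"model":"gpt-oss:20b"}}
{"ts":"2025-08-27T10:02:40Z","proc":"curl","dport":443,"path":"/api/generate","body":{"model":"gpt-oss:20b"}}
{"ts":"2025-08-27T10:03:05Z","proc":"report.exe","dport":11434,"path":"/api/chat","body":{"model":"mistral"}}
not-json garbage line
"""

def normalise_model(name):
    """Treat 'gpt-oss:20b' and 'gpt-oss-20b' as the same model name."""
    return (name or "").lower().replace(":", "-")

def detect(lines):
    """Return alerts for non-allowlisted processes calling the Ollama API."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # skip malformed telemetry
        if not isinstance(ev, dict) or ev.get("dport") != OLLAMA_PORT:
            continue
        if not str(ev.get("path", "")).startswith(OLLAMA_PATHS):
            continue
        if str(ev.get("proc", "")).lower() in ALLOWED_PROCESSES:
            continue
        model = normalise_model((ev.get("body") or {}).get("model"))
        # Any unexpected caller is worth a look; the article's model rates higher.
        severity = "high" if model == WATCHED_MODEL else "medium"
        alerts.append({"ts": ev.get("ts"), "proc": ev.get("proc"),
                       "model": model, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On hosts where no local LLM runtime is expected at all, an empty allowlist turns this into a simple "any Ollama API traffic" alert.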

Why AI Raises the Stakes

Artificial intelligence has already lowered the barrier to entry into cybercrime. Attackers with limited technical knowledge can now generate convincing phishing campaigns, realistic deepfakes, and automated attack scripts at the click of a button. PromptLock is the latest example of how these tools can be weaponised to amplify threats.

What makes AI-driven malware especially concerning is its ability to adapt in real time, altering its tactics to evade detection and maximise impact. This could transform ransomware from a static attack into a dynamic, evolving threat capable of operating at scale.

What This Means for Businesses

Although PromptLock itself may not yet pose an immediate danger, its discovery is a clear warning: AI will increasingly become part of the attacker’s toolkit. Organisations must prepare for a future where ransomware is not just widespread, but smarter, faster, and harder to defend against.

Practical steps include:

  • Strengthening endpoint detection and response (EDR) solutions

  • Maintaining offline, encrypted backups

  • Training staff to spot phishing and social engineering tactics

  • Keeping systems patched and monitored

How Black Sheep Support Can Help

At Black Sheep Support, we understand that the cyber threat landscape is evolving faster than ever — and AI-driven attacks like PromptLock are only the beginning. That’s why we offer Cyber Security & Health Checks, providing a comprehensive review of your organisation’s IT security posture. Whether you need guidance with the fundamentals or support in implementing more advanced protections, our expert team is here to help.

Is your business truly cyber secure? With Black Sheep Support, you gain more than just technical expertise — you gain a partner that helps you intelligently safeguard your business, empower your team, and navigate the complex, ever-changing cyber landscape with confidence.

What is PromptLock ransomware?

PromptLock is the first known example of AI-powered ransomware, discovered by researchers at ESET. Unlike traditional ransomware, it uses OpenAI’s gpt-oss-20b model to generate malicious scripts in real time, allowing it to scan, exfiltrate, and encrypt files on infected devices. While not yet active in real-world attacks, PromptLock highlights the growing risk of AI in cybercrime.

How does AI make ransomware more dangerous?

Artificial intelligence makes ransomware more effective by enabling it to adapt on the fly, automate tasks like file discovery and encryption, and evade traditional security tools. AI also lowers the barrier to entry, meaning less-skilled attackers can now launch more advanced attacks with minimal technical knowledge.

Is PromptLock ransomware currently active?

No — researchers believe PromptLock is still a proof-of-concept or work in progress. However, its existence shows that cybercriminals are experimenting with AI tools, making it likely that future ransomware strains will incorporate similar AI-driven tactics.

How can businesses protect themselves from AI-powered ransomware?

Businesses should strengthen their defences with endpoint detection and response (EDR) tools, maintain secure offline backups, and ensure all software is regularly patched. Staff training is also essential to spot phishing attempts, which often serve as the entry point for ransomware. Partnering with a specialist provider like Black Sheep Support helps ensure your cybersecurity strategy evolves alongside emerging threats.

How can Black Sheep Support help my business stay secure?

Black Sheep Support offers Cyber Security & Health Checks to review your IT security from top to bottom, helping you address both basic and advanced risks. Our expert-led services are designed to help you safeguard your business, empower your team, and prepare for evolving threats like AI-powered ransomware.