Researchers flag code that uses AI systems to carry out ransomware attacks | CyberScoop<\/title> <meta name=\"description\" content=\"The malware, called PromptLock, essentially functions as a hard-coded prompt injection attack on a large language model, inspecting local filesystems, exfiltrating files and encrypting data.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/prompt-lock-eset-ransomware-research-ai-powered-prompt-injection\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Researchers flag code that uses AI systems to carry out ransomware attacks\"> <meta property=\"og:description\" content=\"The malware, called PromptLock, essentially functions as a hard-coded prompt injection attack on a large language model, inspecting local filesystems, exfiltrating files and encrypting data.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/prompt-lock-eset-ransomware-research-ai-powered-prompt-injection\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-08-26T20:20:42+00:00\"> <meta property=\"article:modified_time\" content=\"2025-08-26T20:20:44+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks-2.jpg\"> <meta property=\"og:image:width\" content=\"3029\"> <meta property=\"og:image:height\" content=\"1854\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1754500264g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1755632305g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/85712\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=85712\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fprompt-lock-eset-ransomware-research-ai-powered-prompt-injection%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fprompt-lock-eset-ransomware-research-ai-powered-prompt-injection%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-85712 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/prompt-lock-eset-ransomware-research-ai-powered-prompt-injection\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"27.610918544194\">\n<div class=\"single-article__header-content\" readability=\"38.427947598253\">\n<p> The malware, called PromptLock, essentially functions as a hard-coded prompt injection attack on a large language model, inspecting local filesystems, exfiltrating files and encrypting data. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/85712\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"392\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks.jpg?resize=640%2C392&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks-2.jpg 3029w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks-2.jpg?resize=300,184 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks-2.jpg?resize=768,470 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks-2.jpg?resize=1024,627 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks-2.jpg?resize=1536,940 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks-2.jpg?resize=2048,1254 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks-2.jpg?resize=600,367 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks-2.jpg?resize=274,168 274w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks-2.jpg?resize=551,337 551w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks-2.jpg?resize=1103,675 1103w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks-2.jpg?resize=1377,843 1377w\" sizes=\"(max-width: 1103px) 100vw, 1103px\"><figcaption> Thief coming out of the door in the shape of Enter key. Cybersecurity, hacking, phishing concept. Vector illustration. <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"40.749213424227\"><body readability=\"82.847239263804\"><\/p>\n<p>Researchers at cybersecurity firm ESET claim to have identified the first piece of AI-powered ransomware in the wild.<\/p>\n<p>The malware, called PromptLock, essentially functions as a hard-coded prompt injection attack on a large language model, causing the model to assist in carrying out a ransomware attack.<\/p>\n<p>Written in Golang programming code, the malware sends its requests through Ollama, an open-source API for interfacing with large language models, and a local version of an open-weights model (gpt-oss:20b) from OpenAI to execute tasks.<\/p>\n<p>Those tasks include inspecting local filesystems, exfiltrating files and encrypting data for Windows, Mac and Linux devices using SPECK 128-bit encryption.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>According to senior malware researcher Anton Cherepanov, the code was discovered Aug. 25 by ESET on VirusTotal, an online repository for malware analysis. Beyond knowing that it was uploaded somewhere in the U.S., he had no further details on its origins.<\/p>\n<p>\u201cNotably, attackers don\u2019t need to deploy the entire gpt-oss-20b model within the compromised network,\u201d he said. \u201dInstead, they can simply establish a tunnel or proxy from the affected network to a server running Ollama with the model.\u201d<\/p>\n<p>ESET believes the code is likely a proof of concept, <a href=\"https:\/\/x.com\/esetresearch\/status\/1960365364300087724?s=46&t=dtqCMcf-olK_VbvIvBQlTg\">noting<\/a> that functionality for a feature that destroys data appears unfinished. Notably, Cherepanov told CyberScoop that they have yet to see evidence of the malware being deployed by threat actors in ESET telemetry.<\/p>\n<p>\u201cAlthough multiple indicators suggest the sample is a proof-of-concept (PoC) or work-in-progress rather than fully operational malware deployed in the wild, we believe it is our responsibility to inform the cybersecurity community about such developments,\u201d the company said on X.<\/p>\n<p>In screenshots provided by ESET, the ransomware code embeds instructions to the LLM, telling it to generate malicious Lua scripts, asking it to verify the contents of files to determine if they contain personally identifiable information and \u2013 using its \u201canalysis mode\u201d \u2013 generating a ransom note based on what the program thought a ransomware actor might write.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>It also provided a sample Bitcoin address \u2013 which appears to be the known address of the cryptocurrency\u2019s anonymous creator Satoshi Nakamoto \u2013 to use when demanding payment.<\/p>\n<p>It\u2019s a novel example of leveraging security holes in the prompting process, inducing an AI program to carry out the core functions of ransomware: locking files, stealing data, threatening and extorting victims and extracting payment.<\/p>\n<p>Researchers in AI security are increasingly highlighting the potential risk for businesses and organizations who deploy AI \u201cagents\u201d into their networks, noting that these programs must be given high level administrative access to carry out their jobs, are vulnerable to prompt injection attacks and can be turned against their owners.<\/p>\n<p>Because the malware relies on scripts generated by AI, Cherepanov said one difference between PromptLock and other ransomware \u201cis that indicators of compromise (IoCs) may vary from one execution to another.\u201d<\/p>\n<p>\u201cTheoretically, if properly implemented, this could significantly complicate detection and make defenders\u2019 jobs more difficult,\u201d he noted.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.5443037974684\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks-1.jpg?w=640&ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/prompt-lock-eset-ransomware-research-ai-powered-prompt-injection\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers flag code that uses AI systems to carry out<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[235,384,1009,4805,46],"tags":[236,388,1012,4807,54],"class_list":["post-7931","post","type-post","status-publish","format-standard","hentry","category-ai","category-artificial-intelligence-ai","category-eset","category-large-language-models","category-ransomware","tag-ai","tag-artificial-intelligence-ai","tag-eset","tag-large-language-models","tag-ransomware"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ai\/\" rel=\"category tag\">AI<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/artificial-intelligence-ai\/\" rel=\"category tag\">artificial intelligence (AI)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/eset\/\" rel=\"category tag\">ESET<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/large-language-models\/\" rel=\"category tag\">large language models<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a>","tag_info":"ransomware","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7931","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7931"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7931\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7931"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7931,"date":"2025-08-26T15:20:42","date_gmt":"2025-08-26T20:20:42","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=85712"},"modified":"2025-08-26T15:20:42","modified_gmt":"2025-08-26T20:20:42","slug":"researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/08\/26\/researchers-flag-code-that-uses-ai-systems-to-carry-out-ransomware-attacks\/","title":{"rendered":"Researchers flag code that uses AI systems to carry out ransomware attacks"},"content":{"rendered":"