PromptLock: AI-Powered Ransomware Prototype Validates LLM-Orchestrated Attack Model

CyberSecureFox 🦊

ESET has verified that samples of PromptLock uploaded to VirusTotal in late August 2025 were not part of an in-the-wild campaign but an academic proof-of-concept (PoC) developed by researchers at NYU Tandon School of Engineering. Despite the clarification, ESET maintains its original assessment: PromptLock is the first publicly known ransomware specimen that delegates malicious logic to a large language model (LLM), and the concept is poised to transition from laboratory to criminal use.

What is PromptLock and why it’s framed as “Ransomware 3.0”

The authors position PromptLock as “Ransomware 3.0”: a class of attacks where orchestration and payload generation are offloaded to an LLM. According to the researchers, the prototype relies on gpt-oss-20b—described as an OpenAI model with open weights—running locally via the Ollama API. On the victim host, the LLM generates Lua scripts on demand to enumerate files, prioritize targets, exfiltrate data fragments, and encrypt content. Because Lua is cross‑platform, the approach spans Windows, Linux, and macOS.

Inside the LLM orchestrator: atomic tasks and delegated decisions

PromptLock functions as an orchestrator that launches from an initial binary and then delegates planning, decision‑making, and payload creation to the LLM. A key design choice is decomposing the operation into small, natural‑language prompts that look legitimate in isolation; the model never sees the end‑to‑end criminal objective. The researchers note that once the orchestrator starts, control shifts to the LLM for the ransomware lifecycle. While an LLM may refuse overtly destructive tasks, tests on Windows hosts and Raspberry Pi show it can frequently generate and execute effective malicious steps.

Academic origin and the VirusTotal upload incident

A team of six NYU Tandon professors and researchers built PromptLock as a controlled PoC that is not intended to function outside a lab environment. Samples were uploaded to VirusTotal for testing without an academic label, attracting ESET’s attention. ESET later updated its report to acknowledge the origin, while underscoring the unchanged takeaway: the technique is viable and readily weaponizable.

Attack economics: low cost, scalable, and harder to fingerprint

The authors estimate a full run consumes about 23,000 tokens, roughly $0.70 at GPT‑5 API pricing by their calculation. Leveraging smaller open‑weights models can drive costs near zero when executed locally. This economic profile favors scale: a low barrier to entry, combined with unique, per‑run code generation, erodes the effectiveness of signature‑based detection and static indicators of compromise (IOCs).

Defensive implications: polymorphism, speed, and blurred lines

On‑the‑fly LLM generation introduces variability and polymorphism, weakening traditional signature and IOC strategies. Because logic and tooling are delegated to an LLM, artifacts are less consistent and attribution becomes harder. Cross‑platform Lua and prompts that resemble legitimate IT automation further complicate discrimination between admin scripting and malicious activity. The concern aligns with broader ransomware economics: Chainalysis estimates that ransomware payments exceeded $1 billion in 2023, reinforcing the durability of the crime model and the incentive to adopt AI for faster, stealthier operations.

Risk reduction for AI-powered ransomware

Harden execution control: implement allowlisting and platform controls (e.g., AppLocker, WDAC) and block unnecessary interpreters—including Lua—on endpoints and servers.

Prioritize behavioral EDR/XDR: collect telemetry on script execution, creation of transient files, unusual file enumeration, and encryption patterns. Leverage AMSI, PowerShell Constrained Language Mode, and canary files for early signals.

Limit blast radius: enforce least‑privilege access, rigorous segmentation, and just‑in‑time admin. Monitor service accounts and lateral movement pathways.

Resilience and recovery: maintain offline/immutable backups, verify backup integrity, and perform routine restoration drills to validate RTO/RPO assumptions.

Govern local LLM use: inventory and control open‑weights models and runtimes (e.g., Ollama), restrict who can deploy them, and monitor for unsanctioned inference processes on corporate systems.

Data protection: apply DLP policies and file/volume‑level encryption to reduce the value of exfiltrated data and support double‑extortion resistance.
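The behavioral-telemetry, canary-file and local-LLM-governance items above can be combined into one correlation rule: a process talks to a local inference API, then spawns a script interpreter that rewrites many files or touches a decoy. The Python below is an added example, not code from ESET, the NYU researchers or this site. The event schema, the canary path, the thresholds, a separate Lua interpreter process, and a loopback connection on Ollama's default port 11434 are all assumptions.

```python
import json
from collections import defaultdict

OLLAMA_PORT = 11434      # Ollama's default listen port (assumes the runtime is not reconfigured)
INTERPRETERS = {"lua", "lua.exe", "luajit", "luajit.exe"}
CANARIES = {"/srv/share/finance/_canary.docx"}   # hypothetical decoy file
WINDOW_S, BURST = 60, 5  # assumed thresholds: 5 or more file writes within 60 seconds

# Constructed telemetry (not real logs), one JSON event per line; schema is hypothetical.
SAMPLE = """
{"ts": 100, "host": "ws1", "pid": 410, "type": "net", "dst": "127.0.0.1", "dport": 11434}
{"ts": 103, "host": "ws1", "pid": 455, "ppid": 410, "type": "proc", "image": "lua"}
{"ts": 104, "host": "ws1", "pid": 455, "type": "file", "path": "/srv/share/finance/q1.xlsx"}
{"ts": 105, "host": "ws1", "pid": 455, "type": "file", "path": "/srv/share/finance/q2.xlsx"}
{"ts": 106, "host": "ws1", "pid": 455, "type": "file", "path": "/srv/share/finance/_canary.docx"}
{"ts": 107, "host": "ws1", "pid": 455, "type": "file", "path": "/srv/share/hr/staff.csv"}
{"ts": 108, "host": "ws1", "pid": 455, "type": "file", "path": "/srv/share/hr/pay.csv"}
{"ts": 200, "host": "ws2", "pid": 900, "ppid": 880, "type": "proc", "image": "lua"}
{"ts": 201, "host": "ws2", "pid": 900, "type": "file", "path": "/opt/app/config.out"}
{"ts": 300, "host": "ws3", "pid": 300, "type": "net", "dst": "127.0.0.1", "dport": 11434}
"""

def detect(lines):
    """Return {(host, orchestrator_pid): [reasons]} for correlated activity."""
    llm_clients = set()          # (host, pid) seen calling the local inference API
    scripts = {}                 # (host, interpreter pid) -> parent (orchestrator) pid
    writes = defaultdict(list)   # (host, interpreter pid) -> write timestamps
    alerts = defaultdict(set)
    for line in filter(None, map(str.strip, lines)):
        e = json.loads(line)
        key = (e["host"], e["pid"])
        if e["type"] == "net" and e["dst"] in ("127.0.0.1", "::1") and e["dport"] == OLLAMA_PORT:
            llm_clients.add(key)
        elif e["type"] == "proc" and e["image"].lower() in INTERPRETERS:
            # An interpreter alone is not a signal; one spawned by an LLM client is.
            if (e["host"], e["ppid"]) in llm_clients:
                scripts[key] = e["ppid"]
                alerts[(e["host"], e["ppid"])].add("interpreter_after_llm_call")
        elif e["type"] == "file" and key in scripts:
            root = (e["host"], scripts[key])
            if e["path"] in CANARIES:
                alerts[root].add("canary_touched")
            writes[key].append(e["ts"])
            if sum(1 for t in writes[key] if e["ts"] - t <= WINDOW_S) >= BURST:
                alerts[root].add("write_burst")
    return {k: sorted(v) for k, v in alerts.items()}

if __name__ == "__main__":
    print(detect(SAMPLE.splitlines()))
```

In the constructed data only ws1 is flagged: the standalone Lua run on ws2 and the inference-only process on ws3 each match one condition and stay below the correlation.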

PromptLock demonstrates that a language model can coordinate the ransomware kill chain with minimal human micromanagement. Organizations should update threat models to include LLM‑orchestrated ransomware, invest in behavioral monitoring and script control, and run tabletop and red‑team exercises for AI‑assisted attack scenarios. Addressing this risk class early—before it is routinely weaponized—can materially reduce the impact of future incidents.
