PromptLock: The First Glimpse of AI-Powered Ransomware - IT Support
Cyber Security · 2025-08-27 · 12 min read

Rodney
Head of Tech Realism · Black Sheep Support

August 27, 2025

The cybersecurity landscape is in a constant state of evolution, but every so often, a discovery emerges that signals a seismic shift. The recent uncovering of PromptLock by cybersecurity researchers at ESET marks just such a moment. This new malware strain, believed to be the first known AI-powered ransomware, is not yet fully functional, but its mere existence represents an unsettling turning point in the arms race between cybercriminals and defenders. For UK SMEs, who are increasingly targeted and often possess fewer dedicated security resources, understanding this new breed of threat is paramount. PromptLock demonstrates how artificial intelligence can be weaponised to amplify ransomware attacks, making them more dynamic, unpredictable, and ultimately, far harder to defend against. This guide will delve into what PromptLock signifies, explore the broader implications of AI in cybercrime, and, crucially, provide actionable advice for businesses to fortify their defences against this rapidly approaching future.

Understanding PromptLock: A New Breed of Threat

ESET’s Anton Cherepanov and Peter Strycek revealed PromptLock as a proof-of-concept or a work in progress, rather than an active weapon currently deployed in real-world attacks. However, even in its unfinished state, the malware offers a chilling preview of how easily artificial intelligence can be harnessed by criminals to strengthen their attack chains.

How PromptLock Leverages AI

At its core, PromptLock takes advantage of OpenAI’s gpt-oss-20b model, running locally through the Ollama API. This architecture allows the ransomware to dynamically generate malicious Lua scripts on an infected machine. This dynamic generation is what makes PromptLock fundamentally different from traditional ransomware. Instead of relying on pre-defined, static attack routines, PromptLock can adapt its behaviour in real-time, making it significantly more unpredictable and harder for conventional security solutions to detect and block.

The scripts generated by PromptLock can perform a range of malicious activities:

  • Scan the local filesystem: This allows the ransomware to understand the structure of the target system and identify valuable data.
  • Identify and inspect files: It can intelligently pick out specific file types or sensitive documents based on criteria it dynamically generates.
  • Exfiltrate selected data: Before encryption, PromptLock has the capability to steal sensitive information, setting the stage for double extortion tactics where data is not only encrypted but also threatened with public release. For UK SMEs, this raises significant GDPR concerns, as data exfiltration can lead to severe fines from the ICO and irreparable reputational damage.
  • Encrypt targeted content: The ultimate goal of ransomware, locking users out of their critical data.

Although the initial code included references to file destruction, this feature does not yet appear to be operational. However, its inclusion in a proof-of-concept highlights the potential for future variants to add data deletion to their arsenal, further increasing the potential for business disruption.

The Technical Foundation

The ransomware itself is written in Go (Golang), a modern programming language increasingly favoured by cybercriminals for its versatility across platforms. Go’s ability to compile into single, self-contained executables for various operating systems (Windows, Linux, macOS) makes it an ideal choice for malware developers seeking broad reach. Early analysis shows that both Windows and Linux variants of PromptLock have already been uploaded to VirusTotal, indicating the criminals’ intent to target diverse environments.

The Broader Impact of AI on Cybercrime

PromptLock is not an isolated incident; it's a stark indicator of a broader trend. Artificial intelligence has already begun to lower the barrier for entry into cybercrime, making sophisticated attacks accessible to individuals with limited technical knowledge.

Amplifying Existing Threats

  • Sophisticated Phishing Campaigns: AI can generate highly convincing and contextually relevant phishing emails, spear-phishing messages, and even deepfake voice or video calls. These attacks are tailored to individuals or specific organisations, making them significantly harder for employees to spot. The AI can analyse public information about a target to craft incredibly persuasive lures.
  • Automated Attack Scripts: Beyond PromptLock's dynamic Lua script generation, AI models can produce bespoke malware components, exploit code, and automated reconnaissance tools at scale, accelerating the attack lifecycle.
  • Social Engineering at Scale: AI can sift through vast amounts of open-source intelligence (OSINT) to build detailed profiles of potential victims, identifying vulnerabilities, relationships, and even emotional triggers to exploit. This makes social engineering attacks far more effective and harder to resist.
  • Evasion Techniques: AI can be used to develop polymorphic malware that constantly changes its signature, making it challenging for traditional signature-based antivirus solutions to detect. It can also learn from detection attempts to refine its methods, essentially becoming a self-improving threat.

What makes AI-driven malware especially concerning is its ability to adapt in real-time, altering its tactics to evade detection and maximise impact. This could transform ransomware from a static, predictable attack into a dynamic, evolving threat capable of operating at unprecedented scale and sophistication.

Why UK SMEs Are Prime Targets for Evolving Ransomware

UK SMEs represent the backbone of the economy, yet they are disproportionately affected by cybercrime. Their unique characteristics make them particularly vulnerable to the evolving threat landscape, especially with the advent of AI-powered attacks.

Common Vulnerabilities

  • Limited Resources: Many SMEs operate with tight budgets and often lack dedicated in-house IT security teams. This means less investment in advanced security tools, fewer trained personnel, and often a reactive rather than proactive approach to cybersecurity.
  • Perception of Being "Too Small to Target": This dangerous misconception leads to complacency. Cybercriminals know that SMEs often have weaker defences, making them easier targets for quick payouts. AI-powered ransomware will allow attackers to scale their efforts, making even smaller targets economically viable.
  • Reliance on Digital Systems: Like larger enterprises, SMEs depend heavily on digital systems for operations, customer data, and financial transactions. A successful ransomware attack can cripple a business, leading to operational downtime, data loss, and severe financial implications.

UK-Specific Risks and Regulations

  • GDPR Compliance: The General Data Protection Regulation (GDPR) imposes strict rules on how personal data is collected, stored, and processed. A ransomware attack involving data exfiltration or loss can lead to significant non-compliance fines from the Information Commissioner's Office (ICO), which can be up to €20 million or 4% of annual global turnover, whichever is higher.
  • Supply Chain Risk: SMEs are often part of larger supply chains. A breach at an SME can have ripple effects, impacting larger clients and partners, making them attractive targets for sophisticated attackers aiming to compromise larger organisations indirectly.
  • Reputational Damage: For SMEs, trust is paramount. A data breach or prolonged service disruption due to ransomware can severely damage customer trust and brand reputation, which can be incredibly difficult to rebuild.

Proactive Defence Strategies Against AI-Powered Ransomware

Although PromptLock itself may not yet pose an immediate danger, its discovery is a clear warning: AI will increasingly become part of the attacker’s toolkit. Organisations must prepare for a future where ransomware is not just widespread, but smarter, faster, and harder to defend against.

1. Strengthen Endpoint Detection and Response (EDR) Solutions

Traditional antivirus (AV) software, relying on signature-based detection, struggles against polymorphic and dynamically generated malware like PromptLock. EDR solutions go beyond simple detection:

  • Real-time Monitoring: EDR continuously monitors endpoints (laptops, servers, mobile devices) for suspicious activities, not just known threats.
  • Behavioural Analysis: It uses AI and machine learning to identify anomalous behaviour patterns that might indicate a new or unknown threat, even if it has no known signature.
  • Automated Response: EDR can automatically isolate infected devices, terminate malicious processes, and roll back changes, significantly reducing the impact of an attack.
  • Threat Hunting: It allows security teams to proactively search for threats that might have bypassed initial defences.

2. Implement Robust Backup and Recovery Strategies

This is your last line of defence. Even if an attack succeeds, effective backups can minimise downtime and prevent data loss.

  • The 3-2-1 Rule: Maintain at least three copies of your data, stored on two different media types, with one copy kept off-site or offline.
  • Offline/Immutable Backups: Crucially, ensure that at least one set of your backups is completely isolated from your network (offline) or immutable (cannot be altered or deleted). This prevents ransomware from encrypting or deleting your backups.
  • Regular Testing: Routinely test your backup restoration process to ensure data integrity and that you can recover quickly and efficiently.
  • Version Control: Keep multiple versions of your backups, allowing you to roll back to a point before an infection occurred.

3. Comprehensive Employee Training and Awareness

The human element remains the weakest link in cybersecurity. AI-powered social engineering will make this even more critical.

  • Phishing Simulation: Regularly conduct simulated phishing attacks and provide immediate feedback and training to employees who click on malicious links or open infected attachments.
  • Social Engineering Awareness: Educate staff on the tactics used in social engineering, including deepfakes, urgent requests, and impersonation.
  • Strong Password Practices: Enforce the use of strong, unique passwords and encourage the use of password managers.
  • Reporting Suspicious Activity: Foster a culture where employees feel comfortable and empowered to report anything suspicious without fear of reprisal.

4. Diligent Patch Management and System Hardening

Vulnerabilities in software and operating systems are common entry points for ransomware.

  • Regular Updates: Implement a rigorous schedule for patching and updating all operating systems, applications, and firmware. Prioritise critical security updates.
  • Vulnerability Management: Regularly scan your network for vulnerabilities and address them promptly.
  • Least Privilege Principle: Ensure users and systems only have the minimum necessary access rights to perform their functions. This limits the lateral movement of an attacker if an account is compromised.

5. Multi-Factor Authentication (MFA) Across the Board

MFA adds an essential layer of security by requiring a second form of verification (e.g., a code from a phone app, a fingerprint) in addition to a password.

  • Mandate MFA: Implement MFA for all critical systems, cloud services, remote access, and privileged accounts. This significantly reduces the risk of account takeover, even if an attacker obtains credentials.

6. Network Segmentation

Divide your network into smaller, isolated segments.

  • Limit Lateral Movement: If one segment is compromised, the attacker's ability to move laterally to other parts of the network is severely restricted, containing the damage.
  • Protect Critical Assets: Isolate sensitive data and critical systems into highly protected segments with stricter access controls.

7. Develop and Test an Incident Response Plan

A well-defined incident response plan is crucial for minimising the impact of a breach.

  • Preparation: Outline clear roles, responsibilities, and communication channels for handling a cyber incident.
  • Detection & Analysis: Define procedures for identifying, assessing, and analysing security incidents.
  • Containment & Eradication: Detail steps to contain the spread of an attack and remove the threat from your systems.
  • Recovery: Plan for restoring operations and data from backups.
  • Post-Incident Review: Learn from each incident to improve future defences.

8. Consider Cyber Essentials Certification

For UK SMEs, achieving Cyber Essentials or Cyber Essentials Plus certification provides a robust baseline for cybersecurity. It demonstrates a commitment to protecting against common cyber threats and covers key areas like secure configuration, boundary firewalls, access control, malware protection, and patch management. It’s also often a prerequisite for government contracts.

The Role of Managed IT & Cyber Security Providers

Many UK SMEs find it challenging to implement and maintain these sophisticated defences internally. This is where a trusted managed IT and cyber security provider becomes invaluable.

  • Expertise and Resources: Providers like Black Sheep Support offer access to a team of experts, advanced security tools, and 24/7 monitoring capabilities that would be cost-prohibitive for most SMEs to maintain in-house.
  • Proactive Threat Intelligence: Stay ahead of emerging threats like PromptLock with up-to-date threat intelligence and adaptive security strategies.
  • Managed EDR and SIEM: Implement and manage advanced EDR solutions and Security Information and Event Management (SIEM) systems to provide comprehensive visibility and rapid response.
  • Incident Response Support: Have a dedicated team ready to assist immediately in the event of a breach, guiding you through containment, eradication, and recovery.
  • Compliance Guidance: Ensure your business adheres to UK regulations like GDPR and can demonstrate a strong security posture for certifications like Cyber Essentials.

Key Takeaways

The emergence of PromptLock signals a significant shift in the cyber threat landscape, where AI will increasingly empower attackers to create more dynamic, adaptive, and effective ransomware. For UK SMEs, the implications are profound, demanding a proactive and comprehensive approach to cybersecurity.

  • AI is a Game Changer: PromptLock demonstrates that AI can generate dynamic malware, making traditional signature-based defences less effective.
  • SMEs are Prime Targets: Limited resources and a perception of being "too small" make UK SMEs attractive to scalable, AI-driven attacks, with severe consequences for GDPR compliance and business continuity.
  • Proactive Defence is Essential: Relying solely on reactive measures is no longer sufficient. Businesses must implement advanced EDR, robust backups, strong authentication, and continuous training.
  • Human Element is Crucial: Employees remain the first line of defence against sophisticated social engineering attacks.
  • External Expertise is Invaluable: Partnering with a managed IT and cyber security provider can bridge the gap in resources and expertise, ensuring comprehensive protection against evolving threats.
  • Cybersecurity is an Ongoing Journey: It requires continuous vigilance, adaptation, and investment to stay ahead of increasingly sophisticated cybercriminals.

The future of ransomware is smarter, faster, and harder to defend against. Now is the time for UK SMEs to intelligently safeguard their businesses, empower their teams, and navigate this complex, ever-changing cyber landscape with confidence.
