PromptLock: The First AI-Powered Ransomware Uncovered
August 28, 2025
Author: Łukasz Grochal

ESET researchers have revealed PromptLock, a proof-of-concept ransomware that dynamically generates malicious code using a local AI model. Written in Go, it employs OpenAI’s gpt-oss:20b via the Ollama API to produce Lua scripts at runtime. These scripts enumerate files, exfiltrate data, and encrypt it using SPECK 128-bit, with potential (but not yet active) destructive capabilities.

PromptLock is designed for cross-platform deployment across Windows, Linux, and macOS, and its non-deterministic script generation complicates detection by traditional tools. The presence of a Bitcoin address linked to Satoshi Nakamoto further points to ransom demands.
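Because the generated Lua differs on every run, a more stable signal is the behaviour described above: a process that is not an approved client calling a local model API. The following is an added example, not code from ESET or from this article; the log schema, process names and allowlist are constructed for illustration, and it assumes Ollama's default port 11434 and its `/api/generate` and `/api/chat` endpoints.

```python
import json
import re

# Constructed sample events (not real telemetry), one JSON object per line,
# in a hypothetical EDR/proxy schema: proc, dst_port, path, body.
SAMPLE_EVENTS = """\
{"proc": "ollama-webui", "dst_port": 11434, "path": "/api/chat", "body": {"model": "llama3", "messages": []}}
{"proc": "updater.exe", "dst_port": 11434, "path": "/api/generate", "body": {"model": "gpt-oss:20b", "prompt": "Write a Lua script that lists files"}}
{"proc": "backup-agent", "dst_port": 443, "path": "/v1/upload", "body": {}}
{"proc": "notes-helper", "dst_port": 11434, "path": "/api/generate", "body": {"model": "mistral", "prompt": "Evaluate this text"}}
truncated-or-malformed-line
"""

OLLAMA_PORT = 11434                      # Ollama's default listening port
GENERATION_PATHS = {"/api/generate", "/api/chat"}
ALLOWED_CLIENTS = {"ollama-webui"}       # hypothetical allowlist of approved callers
WATCHED_MODEL = "gpt-oss:20b"            # model named in the article
LUA_RE = re.compile(r"\blua\b", re.IGNORECASE)  # whole word, so "Evaluate" does not match


def score_event(event):
    """Return (severity, reasons) for a suspicious model-API call, else None."""
    if event.get("dst_port") != OLLAMA_PORT or event.get("path") not in GENERATION_PATHS:
        return None
    if event.get("proc") in ALLOWED_CLIENTS:
        return None
    body = event.get("body") if isinstance(event.get("body"), dict) else {}
    reasons = ["unapproved process calling local model API"]
    if body.get("model") == WATCHED_MODEL:
        reasons.append("model matches gpt-oss:20b")
    if LUA_RE.search(json.dumps(body)):
        reasons.append("request mentions Lua")
    return ("high" if len(reasons) > 1 else "medium"), reasons


def triage(log_text):
    """Parse JSON-lines telemetry and return (proc, severity, reasons) findings."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting
        if not isinstance(event, dict):
            continue
        result = score_event(event)
        if result:
            findings.append((event.get("proc", "unknown"), *result))
    return findings
```

The model-name and Lua checks only raise severity; the allowlist miss is what triggers a finding, so a variant using a different model or scripting language is still reported.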

While not seen in real-world attacks, PromptLock signals the growing sophistication of ransomware threats.