
On August 27, cybersecurity company ESET published a blog post announcing the discovery of "the world's first AI-powered ransomware," dubbed PromptLock. The ransomware uses the gpt-oss:20b model to generate malicious Lua code locally on infected devices, capable of searching, stealing, and encrypting files across Windows, Linux, and macOS systems.
The program reportedly uses OpenAI's recently open-sourced gpt-oss:20b language model, which can run locally on high-end PCs or laptops with 16GB of video memory and is freely modifiable and usable by anyone. PromptLock uses a preset text prompt to invoke the gpt-oss:20b model, generating malicious code directly on infected devices. This code, written in Lua, is cross-platform and executable on Windows, Linux, and macOS. It can search for user files, steal data, and encrypt files. While no file-destructive capabilities have been detected, attackers could still improve and upgrade it in the future.
The model itself is 13GB in size, so running it directly requires significant memory. However, ESET points out that attackers can avoid loading the entire model locally by establishing an internal proxy (MITRE ATT&CK T1090.001) or by tunneling from the victim's network to the model running on an external server, accessing it through the Ollama API.
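Both access patterns described above (a model served on the infected host, or one reached through a proxy or tunnel) end in HTTP calls to the Ollama API, which defenders can hunt for in proxy or EDR network logs. The following is an added example, not code from ESET or the original article; the log schema, host names and allowlist are assumptions, while port 11434 and the `/api/...` paths are Ollama's defaults.

```python
import json
from ipaddress import ip_address

# Ollama's default listening port and REST endpoints.
OLLAMA_PORT = 11434
OLLAMA_PATHS = ("/api/generate", "/api/chat", "/api/tags", "/api/pull")
# Assumption: hypothetical inventory of hosts approved to use an Ollama server.
SANCTIONED_CLIENTS = {"ml-dev-01"}

# Constructed sample records; the field names are an assumed log schema.
SAMPLE_LOG = """\
{"host":"ml-dev-01","dst":"127.0.0.1","dport":11434,"method":"POST","path":"/api/generate","model":"gpt-oss:20b"}
{"host":"fin-ws-17","dst":"127.0.0.1","dport":11434,"method":"POST","path":"/api/generate","model":"gpt-oss:20b"}
{"host":"hr-lt-04","dst":"10.20.3.9","dport":8080,"method":"POST","path":"/api/chat","model":"gpt-oss:20b"}
{"host":"hr-lt-04","dst":"10.20.3.9","dport":8080,"method":"GET","path":"/index.html","model":null}
not-json garbage line
"""

def is_ollama_request(rec):
    """True when the record looks like a call to the Ollama REST API."""
    path = str(rec.get("path") or "")
    return rec.get("dport") == OLLAMA_PORT or path.startswith(OLLAMA_PATHS)

def classify(rec):
    """Label whether the model is served on the calling host or elsewhere."""
    dst = str(rec.get("dst") or "")
    if dst == "localhost":
        return "local-model"
    try:
        return "local-model" if ip_address(dst).is_loopback else "remote-model"
    except ValueError:
        return "remote-model"  # non-IP destination: treat as off-host

def find_unsanctioned(log_text, sanctioned=SANCTIONED_CLIENTS):
    """Return (host, location, path, model) for Ollama calls from unapproved hosts."""
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        if not isinstance(rec, dict) or not is_ollama_request(rec):
            continue
        if rec.get("host") not in sanctioned:
            alerts.append((rec.get("host"), classify(rec), rec.get("path"), rec.get("model")))
    return alerts

if __name__ == "__main__":
    print(*find_unsanctioned(SAMPLE_LOG), sep="\n")
```

A `remote-model` hit on a non-default port, as in the third sample record, is the proxied or tunneled case; matching on the API path as well as the port is what catches it.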
Security experts believe PromptLock may be a proof-of-concept or an attack tool still under development. However, Citizen Lab researcher John Scott-Railton warns that this is an early sign of threat actors exploiting local or private AI, and that we are not yet prepared to defend against it. In response, OpenAI thanked the researchers for their notification and stated that it has taken steps to mitigate the risk of malicious exploitation and will continue to improve its protection mechanisms. OpenAI's previous testing of the larger gpt-oss-120b model found that even after fine-tuning, its capabilities for biological, chemical, and cyber risks did not reach high-risk levels.