
ESET uncovers PromptLock ransomware prototype powered by local LLMs

PromptLock shows how ransomware groups can weaponize local LLMs (Image source: Dall-E 3)
ESET researchers have identified PromptLock, a proof-of-concept ransomware that uses a locally hosted language model to generate attack scripts on demand.

ESET reports the discovery of a new ransomware project called PromptLock, which utilizes a large language model for its core operations. The sample was detected on VirusTotal on August 25 and, so far, appears to be a proof-of-concept rather than an active campaign.

At its core, PromptLock is a hard-coded prompt-injection attack. The Golang loader communicates with a locally hosted model via the Ollama API and asks it to generate Lua scripts on demand. The generated scripts enumerate the file system, sift for sensitive data, exfiltrate the files they select, and then encrypt the rest on Windows, macOS, and Linux using SPECK 128-bit encryption.

Two design choices matter for defenders. First, the ransomware drives the model locally (gpt-oss:20b through Ollama), so there is no external API traffic to track. Second, because LLMs are non-deterministic, the generated scripts will differ each time they're executed. That variability can obscure indicators of compromise and make signature-based detection more challenging.

ESET’s analysis also notes that attackers would not need to bring the full model into a victim network: a simple tunnel or proxy to an external Ollama host would do. The sample even includes instructions that have the model draft a ransom note and, tellingly, uses a widely known Bitcoin address tied to Satoshi Nakamoto as a placeholder. A data-destruction feature appears unfinished.

So far, there are no signs indicating that PromptLock is targeting victims, and ESET frames the discovery as an early warning to the security community. The key point is that the capability now exists, and operational deployment could follow.

If you run LLM-enabled services internally, assume that this playbook will become common. Inventory and lock down any Ollama or similar endpoints, restrict who can prompt local models, and monitor for automated Lua execution and sudden encryption activity. ESET’s researchers caution that shifting, model-generated scripts will complicate hunting, so focus on behavioral detection and containment rather than static signatures.
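The behavioral approach recommended above can be sketched as a small detector that chains two signals the article describes: a process that reaches an Ollama API endpoint and then drops a Lua script, and a process that rewrites many files in a short window. This is an added example written for this page, not ESET's analysis tooling or the PromptLock sample's code. The event format, the hostnames, the process names and the tuning thresholds are constructed assumptions; port 11434 is Ollama's documented default API port, but the sample's actual endpoint is not stated in the article, so treat it as a value to tune per environment.

```python
"""Behavioral detection sketch for PromptLock-style activity (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Ollama's documented default API port. Whether PromptLock used it is not
# stated in the article; adjust to the endpoints inventoried in your network.
OLLAMA_DEFAULT_PORT = 11434
BURST_WINDOW_SECONDS = 10   # assumed tuning values, not taken from the article
BURST_THRESHOLD = 25


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    pid: int
    detail: str


def detect(events):
    """Scan time-ordered endpoint events and return behavioral alerts.

    Each event is a dict with at least 'ts' (seconds), 'host', 'pid',
    'image' and 'type'. Two rules are applied:
      llm_to_lua        - a process connects to an Ollama API port and then
                          writes a .lua file (model-generated script chain)
      encryption_burst  - a process writes BURST_THRESHOLD or more files
                          within BURST_WINDOW_SECONDS (mass encryption)
    Neither rule depends on the script content, which the article notes
    changes from run to run.
    """
    alerts = []
    ollama_clients = set()              # (host, pid) seen reaching Ollama
    lua_reported = set()
    burst_reported = set()
    recent_writes = defaultdict(deque)  # (host, pid) -> write timestamps
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "net_connect" and ev["dport"] == OLLAMA_DEFAULT_PORT:
            ollama_clients.add(key)
        elif ev["type"] == "file_write":
            path = ev["path"]
            if (path.lower().endswith(".lua") and key in ollama_clients
                    and key not in lua_reported):
                lua_reported.add(key)
                alerts.append(Alert("llm_to_lua", ev["host"], ev["pid"],
                                    f"{ev['image']} wrote {path} after contacting Ollama port"))
            # Sliding window over this process's recent writes.
            q = recent_writes[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > BURST_WINDOW_SECONDS:
                q.popleft()
            if len(q) >= BURST_THRESHOLD and key not in burst_reported:
                burst_reported.add(key)
                alerts.append(Alert("encryption_burst", ev["host"], ev["pid"],
                                    f"{len(q)} file writes in {BURST_WINDOW_SECONDS}s by {ev['image']}"))
    return alerts


def sample_events():
    """Constructed telemetry, not real IoCs: a loader reaches a local Ollama
    port, drops a Lua script, then rewrites many user files. Benign noise is
    mixed in so the rules can be seen not firing on it."""
    events = [
        {"ts": 0.0, "host": "ws01", "pid": 4242, "image": "loader.exe",
         "type": "net_connect", "daddr": "127.0.0.1", "dport": 11434},
        {"ts": 1.5, "host": "ws01", "pid": 4242, "image": "loader.exe",
         "type": "file_write", "path": "C:\\Temp\\stage1.lua"},
    ]
    for i in range(30):
        events.append({"ts": 2.0 + i * 0.1, "host": "ws01", "pid": 4242,
                       "image": "loader.exe", "type": "file_write",
                       "path": f"C:\\Users\\alice\\Documents\\doc{i}.docx.locked"})
    # A browser saving one download, and a developer editing Lua with no LLM traffic.
    events.append({"ts": 3.0, "host": "ws01", "pid": 777, "image": "chrome.exe",
                   "type": "file_write", "path": "C:\\Users\\alice\\Downloads\\a.pdf"})
    events.append({"ts": 3.2, "host": "ws02", "pid": 900, "image": "code.exe",
                   "type": "file_write", "path": "D:\\proj\\init.lua"})
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(f"[{alert.rule}] {alert.host} pid={alert.pid}: {alert.detail}")
```

On the constructed telemetry the detector raises exactly two alerts, both for the loader process: the Lua drop after Ollama contact, and the write burst once the window fills. The developer process that writes a `.lua` file without any Ollama connection is not flagged, which is the point of chaining the two signals rather than alerting on Lua alone. In production the same logic would sit over Sysmon or EDR events, with the Ollama port list replaced by the endpoints found during the inventory step.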

Source(s)

ESET Research via X (in English)

Nathan Ali, 2025-08-27 (Update: 2025-08-27)