New Ransomware Leverages AI: Introducing PromptLock
ESET researchers have identified a new variant of ransomware that draws on generative artificial intelligence (GenAI) to execute its attacks. Dubbed PromptLock, this malware is notable for its ability to run a locally accessible AI language model to create malicious scripts on the fly.
A Shift in Cyber Threats
The emergence of PromptLock signals a transformative change in the landscape of cyber threats. Anton Cherepanov, a senior malware researcher at ESET, remarked that this kind of development shifts how cybercriminals orchestrate their attacks. Alongside fellow researcher Peter Strýček, Cherepanov has conducted an in-depth analysis of this innovative form of ransomware.
Cross-Platform Capabilities
One of PromptLock’s striking features is its ability to generate Lua scripts that work across multiple platforms, including Windows, Linux, and macOS. This cross-platform functionality lets it scan local files and assess their contents in real time. Guided by predefined text prompts, it can decide whether to exfiltrate sensitive information or encrypt the data, increasing its effectiveness as a ransomware tool.
Embedded Destructive Function
Within the code of PromptLock, there exists a destructive function. Although this feature is not activated at present, its mere inclusion in the code raises serious concerns about what future iterations of the malware could do.
Technical Specifications
PromptLock employs the SPECK 128-bit encryption algorithm and is constructed in Golang, a programming language known for its efficiency. Early versions of this ransomware have already been spotted on VirusTotal, a popular malware analysis platform. While ESET currently views PromptLock as a proof of concept, the threat it poses is tangible.
AI: Making Attacks Easier
With the help of generative AI, complex cyber attacks have become significantly easier to build and execute. Cherepanov stated that the requirement for teams of skilled developers is greatly diminished; a well-configured AI model is sufficient to produce intricate, self-adapting malware. This capability could profoundly complicate detection efforts, making the work of cybersecurity defenders considerably harder.
Malicious Scripts Delivered via API
PromptLock utilizes a publicly accessible language model via an API, allowing it to send generated malicious scripts directly to infected machines. Intriguingly, among the prompts used is a Bitcoin address that is allegedly linked to Satoshi Nakamoto, the mysterious figure behind Bitcoin. This association could point to deeper motives or a specific targeting strategy by the developers of the ransomware.
Raising Awareness in Cybersecurity
In an effort to educate and inform the cybersecurity community, ESET has made detailed technical specifications about PromptLock publicly available. ESET detects the malware as Filecoder.PromptLock.A, a classification that underlines its potential as a serious security threat.
By shedding light on the mechanics and implications of PromptLock, ESET aims not just to inform but also to prepare cybersecurity professionals for the evolving landscape of threats posed by AI-assisted malware. With the capabilities of generative AI in the hands of cybercriminals, vigilance and proactive defense will be essential.