Don’t miss out on our latest stories. Add PCMag as a preferred source on Google.
It turns out that an AI-powered ransomware discovered last week is actually a project from a team at New York University. Nevertheless, the research shows how open-source large language models could unleash new forms of disturbing and powerful ransomware attacks.
Cybersecurity vendor ESET flagged the “PromptLock” ransomware by uncovering samples on VirusTotal, a Google-owned service that catalogs malware and checks them against antivirus engines. Following the discovery, the NYU Tandon School of Engineering claimed responsibility for the mysterious ransomware creation.
According to the school, a team of six computer science professors and researchers developed PromptLock, but merely as a “proof-of-concept that is non-functional outside of the contained lab environment.” As part of their testing, the researchers also uploaded the ransomware to VirusTotal, but without indicating its “academic origin,” which led ESET to warn the public.
(Credit: Department of ECE, NYU Tandon School of Engineering)
Researchers call the prototype “Ransomware 3.0,” and published a 21-page paper going over their project, including the disturbing implications. The ransomware itself works as an “orchestrator” that can connect to one of OpenAI’s open-source large language models, which anyone can download and run over a server, including from a cloud provider.
The orchestrator, which can operate from a malicious file, “delegates planning, decision-making, and payload generation to an LLM,” the paper says. “Once the orchestrator is launched, the attacker relinquishes control and the LLM drives the ransomware lifecycle.” This involves the malicious file communicating to the large language model simply through natural language prompts, and then running the generated computer code.
(Credit: Department of ECE, NYU Tandon School of Engineering)
“In our orchestrator design, we do not utilize any specific jailbreaking techniques. Instead, we phrase the prompts for each task such that it looks like a legitimate request,” the paper noted. “The LLM never sees the full orchestration, but only the specific task, so it is likely to comply. Despite that, some tasks, such as extract and destroy, face a few refusals.”
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Ransomware 3.0 operates by first identifying sensitive files on a computer, analyzing them, and then launching an attack, either by stealing loads of data, encrypting the files, or even destroying them. As a final step, the malware will create an extortion note for the victim.
The team tested the attacks on a simulated server, Windows PC, and Raspberry Pi device and found that AI-powered ransomware often succeeded in generating and carrying out the malicious instructions.
Recommended by Our Editors
(Credit: Department of ECE, NYU Tandon School of Engineering)
The paper also reveals that it would cost little to run the AI-powered ransomware. “Our prototype consumes 23,000 tokens per end-to-end run, costing about $0.70 at GPT-5 API rates; smaller open-weight models can drive this to zero,” it says. In addition, the ransomware can generate unique computer code, making it hard for antivirus software to detect.
“Each execution produces unique attack code despite identical starting prompts, creating a major challenge for cybersecurity defenses,” the NYU Tandon School of Engineering added. “Traditional security software relies on detecting known malware signatures or behavioral patterns, but AI-generated attacks produce variable code and execution behaviors that could evade these detection systems entirely.”
ESET has since revised its report about PromptLock to note the academic nature behind the ransomware. “Nonetheless, our findings remain valid – the discovered samples represent the first known case of AI-powered ransomware,” the company said, underscoring how the theoretical threat could become real.
That said, the paper from the NYU team notes: “The prototype orchestrator abstracts away many dimensions of real-world ransomware campaigns… it does not implement persistence mechanisms, advanced evasion, privilege-escalation exploits, or lateral movements. The modular design, however, reveals the potential for powerful implementations.”
About Michael Kan
Senior Reporter
