ESET spots “PromptLock” AI-powered ransomware

Slovakia-based cyber security vendor ESET said it has discovered what it calls “the first known” artificial intelligence-powered ransomware, which generates malicious scripts on the fly on infected machines.

ESET called the ransomware “PromptLock”, and has uploaded Microsoft Windows and Linux samples to Google’s VirusTotal scanning site.

For now, ESET said, there are multiple indicators that PromptLock, which is written in Go, is a proof-of-concept (PoC) or work in progress rather than fully functional malware deployed in the wild.

PromptLock accesses the Apache-licensed open source GPT-OSS:20b AI model from OpenAI via the Ollama API to generate scripts written in the Lua language.

It does not attempt to download the 20-billion-parameter GPT-OSS model file, which is several gigabytes in size, onto the victim machine.

Instead, ESET said, an attacker can establish a connection from the compromised network, through a proxy or tunnel, to a server running the Ollama API with the model loaded.

Hard-coded prompts are used to generate the Lua scripts which, when executed by the malware, enumerate the local file system of the compromised system, inspect target files, exfiltrate select data and perform encryption.
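The architecture above gives a defender something concrete to look for on the wire: the malware has to reach an Ollama server, and Ollama's HTTP API has a recognisable shape (a POST to /api/generate or /api/chat with a JSON body naming a model and carrying a prompt, default port 11434). The following Python is an added example, not ESET's or PromptLock's code, that runs that check over a constructed JSON-lines proxy log; the log format, the approved-host allowlist and the suspicious-term list are assumptions for illustration, and because the article says the traffic may ride a proxy or tunnel, the rule keys on the request path as well as the port.

```python
"""Flag Ollama-API-shaped requests in an HTTP proxy log.

Added illustration for this article; it is not ESET's, iTNews's or
PromptLock's code. Assumptions: the attacker-side server is a stock Ollama
instance, so requests follow Ollama's public HTTP API (POST to /api/generate
or /api/chat, JSON body with "model" and a "prompt" or "messages" field,
default port 11434). The log format is a constructed JSON-lines format, one
request per line, and the allowlist of Ollama hosts is hypothetical.
"""
import json
import re

OLLAMA_PATHS = {"/api/generate", "/api/chat"}
OLLAMA_DEFAULT_PORT = 11434
# Hosts where an Ollama server is expected to be reachable (hypothetical).
APPROVED_OLLAMA_HOSTS = {"ml-gpu01.corp.example"}
# Prompt terms suggesting the model is being asked for code that touches
# files or encryption. A triage heuristic, not a signature.
SUSPICIOUS_PROMPT_TERMS = re.compile(
    r"\b(lua|encrypt\w*|speck|bitcoin|exfiltrat\w*)\b", re.IGNORECASE)

# Constructed sample log. 203.0.113.0/24 is a documentation range standing in
# for a tunnel endpoint outside the network; a tunnel means the traffic need
# not use Ollama's default port, so the path is checked as well as the port.
_SAMPLE_RECORDS = [
    {"ts": "2025-08-27T10:00:01Z", "src": "10.1.5.20",
     "dst_host": "ml-gpu01.corp.example", "dst_port": 11434,
     "method": "POST", "path": "/api/chat",
     "body": json.dumps({"model": "gpt-oss:20b", "messages": [
         {"role": "user", "content": "Summarise this ticket"}]})},
    {"ts": "2025-08-27T10:02:13Z", "src": "10.1.2.3",
     "dst_host": "203.0.113.7", "dst_port": 8080,
     "method": "POST", "path": "/api/generate",
     "body": json.dumps({"model": "gpt-oss:20b", "prompt":
         "Write a Lua script that walks the filesystem and encrypts "
         "each file with SPECK"})},
    {"ts": "2025-08-27T10:02:14Z", "src": "10.1.2.3",
     "dst_host": "www.example.com", "dst_port": 443,
     "method": "GET", "path": "/index.html", "body": ""},
    {"ts": "2025-08-27T10:03:40Z", "src": "10.1.2.3",
     "dst_host": "203.0.113.7", "dst_port": 11434,
     "method": "POST", "path": "/api/generate", "body": "<truncated>"},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _SAMPLE_RECORDS)


def prompt_text(body):
    """Collect the user-supplied text from a /api/generate or /api/chat body."""
    parts = [body.get("prompt", "")]
    for msg in body.get("messages", []):
        if isinstance(msg, dict):
            parts.append(msg.get("content", ""))
    return " ".join(p for p in parts if isinstance(p, str))


def classify(record):
    """Return finding names for one request record; [] if nothing stands out."""
    ollama_shaped = (record.get("path") in OLLAMA_PATHS
                     or record.get("dst_port") == OLLAMA_DEFAULT_PORT)
    if not ollama_shaped:
        return []
    try:
        body = json.loads(record.get("body") or "{}")
    except json.JSONDecodeError:
        body = {}  # truncated or non-JSON body: destination check still applies
    if not isinstance(body, dict):
        body = {}
    findings = []
    if record.get("dst_host") not in APPROVED_OLLAMA_HOSTS:
        findings.append("ollama_api_to_unapproved_host")
    if SUSPICIOUS_PROMPT_TERMS.search(prompt_text(body)):
        findings.append("prompt_requests_file_or_crypto_code")
    return findings


def scan(log_text):
    """Run classify() over a JSON-lines log; return only records with findings."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        findings = classify(record)
        if findings:
            hits.append({"ts": record["ts"], "src": record["src"],
                         "dst": f"{record['dst_host']}:{record['dst_port']}",
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run as a script it prints the two flagged requests from the sample log. The term list only prioritises review; the durable signal is model-API traffic leaving for a destination that is not a known inference host, which survives any change in prompt wording.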

The malware also contains a prompt asking the model to implement the SPECK block cipher, a lightweight add-rotate-xor design published by the United States National Security Agency (NSA), in its 128-bit form, so that files can be encrypted quickly.
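SPECK is a family of block ciphers built only from 64-bit additions, rotations and XORs, which is why a language model can write it in a few lines of Lua and why it runs fast with no hardware support. The following Python is an added example, not ESET's or PromptLock's code and not a claim about how the generated scripts use the cipher; it assumes "SPECK 128-bit" means Speck128/128 (128-bit block, 128-bit key, 32 rounds), checks the implementation against the test vector published with the cipher, and shows the counter-mode wrapper that turns a block cipher into a fast file scrambler.

```python
"""Speck128/128 (128-bit block, 128-bit key, 32 rounds) in pure Python.

Added illustration for this article; it is not ESET's or PromptLock's code.
Assumption: "SPECK 128-bit" refers to the 128-bit-block member of the family
with a 128-bit key. Round function and key schedule follow the NSA's Simon
and Speck paper; TV_* is that paper's published Speck128/128 test vector.
"""
MASK64 = (1 << 64) - 1
ALPHA, BETA, ROUNDS = 8, 3, 32      # rotation amounts and round count


def rol(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64


def ror(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK64


def expand_key(key):
    """Derive the 32 round keys from a 128-bit key given as an int.

    The low 64 bits are k0 and the high 64 bits are l0; each step is one
    Speck round applied to (l, k) with the round index as the round key.
    """
    k, l = key & MASK64, (key >> 64) & MASK64
    round_keys = []
    for i in range(ROUNDS):
        round_keys.append(k)
        l = ((ror(l, ALPHA) + k) & MASK64) ^ i
        k = rol(k, BETA) ^ l
    return round_keys


def encrypt_block(block, key):
    """Encrypt one 128-bit block (int; x is the high word, y the low word)."""
    x, y = block >> 64, block & MASK64
    for rk in expand_key(key):
        x = ((ror(x, ALPHA) + y) & MASK64) ^ rk   # x = ((x >>> 8) + y) ^ k
        y = rol(y, BETA) ^ x                      # y = (y <<< 3) ^ x
    return (x << 64) | y


def decrypt_block(block, key):
    """Invert encrypt_block by undoing the rounds in reverse order."""
    x, y = block >> 64, block & MASK64
    for rk in reversed(expand_key(key)):
        y = ror(y ^ x, BETA)
        x = rol(((x ^ rk) - y) & MASK64, ALPHA)
    return (x << 64) | y


def ctr_crypt(data, key, nonce):
    """Encrypt or decrypt bytes with Speck128/128 in counter mode.

    Counter block = 64-bit nonce || 64-bit block counter. The same call
    decrypts, since the keystream is XORed in both directions.
    """
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 16)):
        keystream = encrypt_block((nonce << 64) | counter, key).to_bytes(16, "big")
        chunk = data[offset:offset + 16]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


# Published Speck128/128 test vector: key, plaintext, ciphertext.
TV_KEY = 0x0f0e0d0c0b0a09080706050403020100
TV_PT = 0x6c617669757165207469206564616d20
TV_CT = 0xa65d9851797832657860fedf5c570d18

if __name__ == "__main__":
    assert encrypt_block(TV_PT, TV_KEY) == TV_CT
    assert decrypt_block(TV_CT, TV_KEY) == TV_PT
    msg = b"constructed sample plaintext"      # constructed input
    ct = ctr_crypt(msg, TV_KEY, 0x0123456789abcdef)
    assert ctr_crypt(ct, TV_KEY, 0x0123456789abcdef) == msg
    print("Speck128/128 test vector and CTR round trip OK")
```

The whole cipher is the two-line round in encrypt_block; everything else is bookkeeping. That compactness, together with a 32-round loop of cheap integer operations, is what makes it attractive for a tool that wants to process many files quickly from an interpreted script.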

The Lua scripts PromptLock generates are cross-platform and run on Windows and macOS as well as on Linux distributions.

PromptLock also has destructive functionality, but ESET said this appears not yet to be implemented.

Also, the Bitcoin address used in the AI prompt is one associated with Bitcoin's creator, Satoshi Nakamoto, whose real identity has never been established.

ESET has been contacted by iTNews for further technical details on PromptLock.

