Particle.news

ESET Uncovers 'PromptLock,' First Ransomware Driven by a Local AI Model

The proof‑of‑concept uses OpenAI’s GPT‑OSS:20B via Ollama to create on‑the‑fly Lua scripts that hinder traditional detection.


Overview

  • ESET found the sample on VirusTotal on August 25 with an upload traced to the United States and reports no observed deployments in its telemetry.
  • PromptLock generates cross‑platform Lua scripts to enumerate files, inspect their contents, and exfiltrate and encrypt data across Windows, macOS and Linux.
  • According to the researchers’ analysis, the ransomware is written in Go and uses the SPECK 128‑bit cipher for file encryption.
  • ESET warns that indicators of compromise may change on each execution because the payloads are AI‑generated, which argues for a shift toward behavioral monitoring and controls on LLM endpoints.
  • Operation depends on access to an Ollama‑hosted GPT‑OSS:20B model, either locally or via a proxy, a requirement that imposes resource and network‑segmentation hurdles. The prompts also include a Bitcoin address associated with Satoshi Nakamoto.
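The behavioral-monitoring point above can be made concrete with a small detection sketch, added here as an illustration rather than ESET's or Ollama's own code: it scans constructed endpoint telemetry for a process that calls a local LLM API and then spawns a Lua interpreter or writes many files. The Ollama default listener port (11434), the event format, the interpreter names and the write threshold are all assumptions for the demo.

```python
"""Behaviour-based detection sketch for the PromptLock pattern described above.
Constructed sample telemetry; Ollama's default local API port (11434) is assumed."""
from collections import defaultdict

LLM_API_PORTS = {11434}                       # assumed: Ollama default listener
LUA_INTERPRETERS = {"lua", "lua5.4", "luajit"}  # assumed interpreter names
MASS_WRITE_THRESHOLD = 3                       # low for the demo; tune on real data

# Constructed sample events: (pid, process_name, event_type, detail)
SAMPLE_EVENTS = [
    (101, "updater", "net_connect", "127.0.0.1:11434"),
    (101, "updater", "proc_spawn", "lua"),
    (101, "updater", "file_write", "/home/u/docs/a.txt.enc"),
    (101, "updater", "file_write", "/home/u/docs/b.txt.enc"),
    (101, "updater", "file_write", "/home/u/docs/c.txt.enc"),
    (202, "code", "net_connect", "127.0.0.1:11434"),  # developer using a local model
    (202, "code", "file_write", "/home/u/proj/main.go"),
    (303, "backup", "file_write", "/mnt/bk/1.bak"),
    (303, "backup", "file_write", "/mnt/bk/2.bak"),
    (303, "backup", "file_write", "/mnt/bk/3.bak"),
]

def flag_llm_driven_processes(events):
    """Return {pid: [reasons]} for processes that first talk to a local LLM API
    and afterwards show script-spawning or mass-file-write behaviour."""
    state = defaultdict(lambda: {"llm": False, "lua": False, "writes": 0})
    for pid, _name, etype, detail in events:   # events assumed in time order
        s = state[pid]
        if etype == "net_connect":
            host, _, port = detail.rpartition(":")
            local = host in ("127.0.0.1", "localhost")
            if local and port.isdigit() and int(port) in LLM_API_PORTS:
                s["llm"] = True
        elif etype == "proc_spawn" and s["llm"] and detail in LUA_INTERPRETERS:
            s["lua"] = True                    # only counts after the LLM call
        elif etype == "file_write" and s["llm"]:
            s["writes"] += 1
    findings = {}
    for pid, s in state.items():
        reasons = []
        if s["llm"] and s["lua"]:
            reasons.append("local LLM API call followed by Lua interpreter spawn")
        if s["llm"] and s["writes"] >= MASS_WRITE_THRESHOLD:
            reasons.append(f"local LLM API call followed by {s['writes']} file writes")
        if reasons:
            findings[pid] = reasons
    return findings

if __name__ == "__main__":
    for pid, reasons in flag_llm_driven_processes(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Only pid 101 is flagged: the developer process (202) reaches the same endpoint but shows neither follow-on behaviour, and the backup job (303) writes files without ever touching the LLM API.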