
Mysterious 'PromptLock' Ransomware Is Harnessing OpenAI's Model

ESET says PromptLock runs gpt-oss:20b locally on an infected device to help it generate malicious code using hardcoded text prompts, though it might be a proof of concept.

Michael Kan, Principal Reporter



UPDATE 9/4: The PromptLock ransomware is actually a research project from a team at the New York University Tandon School of Engineering.

"The Tandon researchers had uploaded their prototype to VirusTotal during testing procedures, and the files there appeared as functional ransomware code with no indication of their academic origin," the school said. "While it is the first to be AI-powered, the ransomware prototype is a proof-of-concept that is non-functional outside of the contained lab environment."

Original Story:
Whether for malicious purposes or simply research, someone appears to be using OpenAI’s open-source model for ransomware attacks, according to antivirus company ESET. 

On Tuesday, ESET said it had discovered “the first known AI-powered ransomware,” which the company has named PromptLock. It uses OpenAI's gpt-oss:20b model, which OpenAI released earlier this month as one of two open-source models, meaning a user can freely use and modify the code. The model can also run on high-end desktop PCs or laptops with a 16GB GPU.

ESET says PromptLock runs gpt-oss:20b “locally” on an infected device to help it generate malicious code, using “hardcoded” text prompts. As evidence, the cybersecurity company posted an image of PromptLock’s code that appears to show the text prompts and mentions the gpt-oss:20b model name. 

The ransomware will then execute the malicious code, written in the Lua programming language, to search through an infected computer, steal files, and perform encryption. 

“These Lua scripts are cross-platform compatible, functioning on Windows, Linux, and macOS,” ESET warned. “Based on the detected user files, the malware may exfiltrate data, encrypt it, or potentially destroy it.”

ESET appears to have discovered PromptLock through malware samples uploaded to VirusTotal, a Google-owned service that catalogs malware and checks files for malicious threats. However, the current findings suggest PromptLock might simply be a “proof-of-concept” or “work-in-progress” rather than an operational attack. ESET noted that the file-destruction feature in the ransomware hasn’t been implemented yet. One security researcher also tweeted that PromptLock actually belongs to them.

At 13GB, the gpt-oss:20b model's size raises questions about viability. Running it could also hog the GPU's video memory. However, ESET tells PCMag that, "The attack is highly viable. The attacker does not need to download the entire gpt-oss model, which can be several gigabytes in size. Instead, they can establish a proxy or tunnel from the compromised network to a server running the model and accessible via the Ollama API. This technique, known as Internal Proxy (MITRE ATT&CK T1090.001), is commonly used in modern cyberattacks."
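For defenders, the Ollama traffic ESET describes is visible in network logs. The following is an added example (not code from ESET, PCMag or the PromptLock sample) that flags hosts calling Ollama's generation endpoints without being on an approved list. The log schema, IP addresses and approved list are constructed assumptions; port 11434 and the `/api/generate` and `/api/chat` paths are Ollama defaults.

```python
import json

OLLAMA_PORT = 11434                              # Ollama's default listen port
OLLAMA_PATHS = {"/api/generate", "/api/chat"}    # Ollama text-generation endpoints

# Constructed sample records in a hypothetical proxy-log schema, one JSON object per line.
SAMPLE_LOG = """\
{"src":"10.0.4.17","dst":"10.0.9.5","dport":11434,"path":"/api/generate","body":{"model":"gpt-oss:20b"}}
{"src":"10.0.4.17","dst":"10.0.9.5","dport":11434,"path":"/api/generate","body":{"model":"gpt-oss:20b"}}
{"src":"10.0.7.20","dst":"10.0.9.5","dport":11434,"path":"/api/chat","body":{"model":"gpt-oss:20b"}}
{"src":"10.0.4.33","dst":"10.0.2.8","dport":8080,"path":"/api/chat","body":{"model":"gpt-oss:20b"}}
{"src":"10.0.4.40","dst":"10.0.3.3","dport":443,"path":"/api/status","body":{}}
not-json-garbage
"""

APPROVED_CLIENTS = {"10.0.7.20"}  # assumption: hosts sanctioned to use the model server


def is_ollama_request(rec):
    """Generation call on the default port, or the same call shape relayed on another port."""
    body = rec.get("body")
    has_model = isinstance(body, dict) and "model" in body
    return rec.get("path") in OLLAMA_PATHS and (rec.get("dport") == OLLAMA_PORT or has_model)


def find_unapproved_clients(log_text, approved):
    """Return {source host: {count, models, dsts}} for Ollama-style calls from unapproved hosts."""
    findings = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if not isinstance(rec, dict) or not is_ollama_request(rec):
            continue
        src = rec.get("src")
        if src in approved:
            continue
        hit = findings.setdefault(src, {"count": 0, "models": set(), "dsts": set()})
        hit["count"] += 1
        hit["dsts"].add(f'{rec.get("dst")}:{rec.get("dport")}')
        body = rec.get("body")
        if isinstance(body, dict) and "model" in body:
            hit["models"].add(body["model"])
    return findings


if __name__ == "__main__":
    for src, hit in find_unapproved_clients(SAMPLE_LOG, APPROVED_CLIENTS).items():
        print(src, hit["count"], sorted(hit["models"]), sorted(hit["dsts"]))
```

The check on the request body catches the relayed case, where the call reaches a model server through a proxy on a non-default port.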

In its research, ESET also argues that it's "our responsibility to inform the cybersecurity community about such developments." John Scott-Railton, a spyware researcher at Citizen Lab, also warned: "We are in the earliest days of regular threat actors leveraging local/private AI. And we are unprepared."

In its own statement, OpenAI said, "We thank the researchers for sharing their findings. It’s very important to us that we develop our models safely. We take steps to reduce the risk of malicious use, and we’re continually improving safeguards to make our models more robust against exploits. For example, you can read about our research and approach in the model card."

OpenAI previously tested its more powerful open-source model, gpt-oss-120b, and concluded that despite fine-tuning, it “did not reach High capability in Biological and Chemical Risk or Cyber risk.”

Disclosure: Ziff Davis, PCMag's parent company, filed a lawsuit against OpenAI in April 2025, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.
