The crazy, true story behind the first AI-powered ransomware

#### [Security](/security/)**2** The crazy, true story behind the first AI-powered ransomware============================================================**2** tldr; boffins did it——————–[Jessica Lyons](/Author/Jessica-Lyons ‘Read more by this author’) Fri 5 Sep 2025 // 20:11 UTC [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=The%20crazy%2c%20true%20story%20behind%20the%20first%20AI-powered%20ransomware) [](https://twitter.com/intent/tweet?text=The%20crazy%2c%20true%20story%20behind%20the%20first%20AI-powered%20ransomware&url=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=The%20crazy%2c%20true%20story%20behind%20the%20first%20AI-powered%20ransomware&summary=tldr%3b%20boffins%20did%20it) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) interview It all started as an idea for a research paper.Within a week, however, it nearly set the security industry on fire over what was believed to be the first-ever AI-powered ransomware.A group of New York University engineers who had been studying the newest, most sophisticated ransomware strains along with advances in large language models and AI decided to look at the intersection between the two, develop a proof-of-concept for a full-scale, AI-driven ransomware attack – and hopefully have their research selected for presentation at an upcoming security conference. ![](https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300×50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aLwGeMitvP_IFuBsuZ5Y9QAAABA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0)’There’s this gap between these two technologies,’ NYU engineering student and doctoral candidate Md Raz told *The Register* . ‘And we think there’s a viable threat here. How feasible is an attack that uses AI to do the entire ransomware life cycle? That’s how we came up with [Ransomware 3.0](https://arxiv.org/pdf/2508.20444v1).’ ![](https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300×50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aLwGeMitvP_IFuBsuZ5Y9QAAABA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0)So Raz, along with his [fellow researchers](https://engineering.nyu.edu/news/large-language-models-can-execute-complete-ransomware-attacks-autonomously-nyu-tandon-research), developed an AI system to perform four phases of a ransomware attack. The engineers tested the malware against [two models](https://www.theregister.com/2025/08/07/run_openai_gpt_oss_locally/): OpenAI’s gpt-oss-20b and its heavier counterpart, gpt-oss-120b. It generates Lua scripts customized for each victim’s specific computer setup, maps IT systems, and identifies environments, determining which files are most valuable, and thus most likely to demand a steep extortion payment from a victim organization.’It’s more targeted than a regular ransomware campaign that affects the entire system,’ he described. ‘It specifically targets a couple of files, so it’s a lot harder to detect. And then the attack is super personalized. It’s polymorphic, so every time you run it on different systems, or even multiple times on the same system, the generated code is never going to be the same.’ ![](https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/front&sz=300×50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLwGeMitvP_IFuBsuZ5Y9QAAABA&t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0)In addition to stealing and encrypting data, the AI also wrote a personalized ransom note based on user info and bios found on the infected computer.> This is literally, exactly the code that I wrote, and it’s the same functions and the same prompts. And they think it’s a real attackDuring testing, the researchers uploaded the malware to VirusTotal to see if any anti-virus software would flag it as malicious. Then the [news stories](https://www.theregister.com/2025/08/26/first_aipowered_ransomware_spotted_by/) about a new, AI-powered ransomware named PromptLock – and the messages – started coming in.’This is literally, exactly the code that I wrote, and it’s the same functions and the same prompts,’ Raz said. That’s when he and the rest of the researchers realized that ESET malware analysts found their Ransomware 3.0 binary on VirusTotal. ‘And they think it’s a real attack.’Another one of Raz’s co-authors got a call from a chief information security officer who wanted to discuss defending against this new threat. ‘My colleague said, ‘yeah, we made that. There’s a paper on it. You don’t need to reverse engineer the binary to come up with the defenses because we already outlined the exact behavior.’It all seemed very surreal. ‘At first I couldn’t believe it,’ Raz said. ‘I had to sift through all the coverage, make sure it is our project, make sure I’m not misinterpreting it. We had no idea that anyone had found it and started writing about it.’The NYU team contacted the ESET researchers, who [updated the social media post](https://x.com/ESETresearch/status/1963209716684718315) about PromptLock.* [First AI-powered ransomware spotted, but it’s not active — yet](https://www.theregister.com/2025/08/26/first_aipowered_ransomware_spotted_by/)* [It looks like you’re ransoming data. Would you like some help?](https://www.theregister.com/2025/09/03/ransomware_ai_abuse/)* [Crims laud Claude to plant ransomware and fake IT expertise](https://www.theregister.com/2025/08/27/anthropic_security_report_flags_rogue/)* [Crims defeat human intelligence with fake AI installers they poison with ransomware](https://www.theregister.com/2025/05/30/fake_ai_installers_carry_ransomware/)According to Raz, the binary won’t function outside of a lab environment, so the good news for defenders (for now, at least) is that the malware isn’t going to encrypt any systems or steal any data in the wild.’If attackers wanted to use our specific binary, it would require a lot of modification,’ he said. ‘But this attack was not too complicated to do, and I’m guessing there’s a high chance that real attackers are already working on something like this.’The lighter model, gpt-oss-20b, complied more readily with the team’s queries, Raz added, while the heavier version denied the researchers the code on a more frequent basis, citing OpenAI’s policies designed to protect sensitive data.However, it’s worth noting that the engineering students didn’t jailbreak the model, or inject any malicious prompts. ‘We just told it directly: generate some code that scans these files, generate what a ransom note might look like,’ Raz said. ‘We didn’t beat around the bush at all.’It’s likely that the AI complied because it wasn’t asked to generate a full-scale attack, but rather the individual tasks required to pull off a ransomware infection. Still, ‘once you put these pieces together, it becomes this whole malicious attack, and that is really hard to defend against,’ Raz said.Around the same time that ESET spotted Raz’s malware, and dubbed it the first AI ransomware, Anthropic warned that a cybercrime crew used its Claude Code AI tool in a [data extortion operation](https://www.theregister.com/2025/08/27/anthropic_security_report_flags_rogue/)Between both of these – systems developing malware that even security researchers believe to be a real ransomware PoC, and extortionists using AI in their attacks – it’s a good indication that defenders should take note, and start preparing for the inevitable future right now. ® **Get our** [Tech Resources](https://whitepapers.theregister.com/) Share [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=The%20crazy%2c%20true%20story%20behind%20the%20first%20AI-powered%20ransomware) [](https://twitter.com/intent/tweet?text=The%20crazy%2c%20true%20story%20behind%20the%20first%20AI-powered%20ransomware&url=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=The%20crazy%2c%20true%20story%20behind%20the%20first%20AI-powered%20ransomware&summary=tldr%3b%20boffins%20did%20it) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) #### More about* [Ransomware](/Tag/Ransomware/)* [Research](/Tag/Research/)* [Security](/Tag/Security/) More like these × ### More about* [Ransomware](/Tag/Ransomware/)* [Research](/Tag/Research/)* [Security](/Tag/Security/) ### Narrower topics* [2FA](/Tag/2FA/)* [Advanced persistent threat](/Tag/Advanced%20persistent%20threat/)* [Application Delivery Controller](/Tag/Application%20Delivery%20Controller/)* [Authentication](/Tag/Authentication/)* [BEC](/Tag/BEC/)* [Black Hat](/Tag/Black%20Hat/)* [BSides](/Tag/BSides/)* [Bug Bounty](/Tag/Bug%20Bounty/)* [CHERI](/Tag/CHERI/)* [CISO](/Tag/CISO/)* [Common Vulnerability Scoring System](/Tag/Common%20Vulnerability%20Scoring%20System/)* [Cybercrime](/Tag/Cybercrime/)* [Cybersecurity](/Tag/Cybersecurity/)* [Cybersecurity and Infrastructure Security Agency](/Tag/Cybersecurity%20and%20Infrastructure%20Security%20Agency/)* [Cybersecurity Information Sharing Act](/Tag/Cybersecurity%20Information%20Sharing%20Act/)* [Data Breach](/Tag/Data%20Breach/)* [Data Protection](/Tag/Data%20Protection/)* [Data Theft](/Tag/Data%20Theft/)* [DDoS](/Tag/DDoS/)* [DEF CON](/Tag/DEF%20CON/)* [Digital certificate](/Tag/Digital%20certificate/)* [Encryption](/Tag/Encryption/)* [End Point Protection](/Tag/End%20Point%20Protection/)* [Exploit](/Tag/Exploit/)* [Firewall](/Tag/Firewall/)* [Hacker](/Tag/Hacker/)* [Hacking](/Tag/Hacking/)* [Hacktivism](/Tag/Hacktivism/)* [Identity Theft](/Tag/Identity%20Theft/)* [Incident response](/Tag/Incident%20response/)* [Infosec](/Tag/Infosec/)* [Infrastructure Security](/Tag/Infrastructure%20Security/)* [Kenna Security](/Tag/Kenna%20Security/)* [NCSAM](/Tag/NCSAM/)* [NCSC](/Tag/NCSC/)* [Palo Alto Networks](/Tag/Palo%20Alto%20Networks/)* [Password](/Tag/Password/)* [Personally Identifiable Information](/Tag/Personally%20Identifiable%20Information/)* [Phishing](/Tag/Phishing/)* [Quantum key distribution](/Tag/Quantum%20key%20distribution/)* [Remote Access Trojan](/Tag/Remote%20Access%20Trojan/)* [REvil](/Tag/REvil/)* [RSA Conference](/Tag/RSA%20Conference/)* [Spamming](/Tag/Spamming/)* [Spyware](/Tag/Spyware/)* [Surveillance](/Tag/Surveillance/)* [TLS](/Tag/TLS/)* [Trojan](/Tag/Trojan/)* [Trusted Platform Module](/Tag/Trusted%20Platform%20Module/)* [Vulnerability](/Tag/Vulnerability/)* [Wannacry](/Tag/Wannacry/)* [Zero trust](/Tag/Zero%20trust/) #### More aboutShare [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=The%20crazy%2c%20true%20story%20behind%20the%20first%20AI-powered%20ransomware) [](https://twitter.com/intent/tweet?text=The%20crazy%2c%20true%20story%20behind%20the%20first%20AI-powered%20ransomware&url=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=The%20crazy%2c%20true%20story%20behind%20the%20first%20AI-powered%20ransomware&summary=tldr%3b%20boffins%20did%20it) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) **2** COMMENTS #### More about* [Ransomware](/Tag/Ransomware/)* [Research](/Tag/Research/)* [Security](/Tag/Security/) More like these × ### More about* [Ransomware](/Tag/Ransomware/)* [Research](/Tag/Research/)* [Security](/Tag/Security/) ### Narrower topics* [2FA](/Tag/2FA/)* [Advanced persistent threat](/Tag/Advanced%20persistent%20threat/)* [Application Delivery Controller](/Tag/Application%20Delivery%20Controller/)* [Authentication](/Tag/Authentication/)* [BEC](/Tag/BEC/)* [Black Hat](/Tag/Black%20Hat/)* [BSides](/Tag/BSides/)* [Bug Bounty](/Tag/Bug%20Bounty/)* [CHERI](/Tag/CHERI/)* [CISO](/Tag/CISO/)* [Common Vulnerability Scoring System](/Tag/Common%20Vulnerability%20Scoring%20System/)* [Cybercrime](/Tag/Cybercrime/)* [Cybersecurity](/Tag/Cybersecurity/)* [Cybersecurity and Infrastructure Security Agency](/Tag/Cybersecurity%20and%20Infrastructure%20Security%20Agency/)* [Cybersecurity Information Sharing Act](/Tag/Cybersecurity%20Information%20Sharing%20Act/)* [Data Breach](/Tag/Data%20Breach/)* [Data Protection](/Tag/Data%20Protection/)* [Data Theft](/Tag/Data%20Theft/)* [DDoS](/Tag/DDoS/)* [DEF CON](/Tag/DEF%20CON/)* [Digital certificate](/Tag/Digital%20certificate/)* [Encryption](/Tag/Encryption/)* [End Point Protection](/Tag/End%20Point%20Protection/)* [Exploit](/Tag/Exploit/)* [Firewall](/Tag/Firewall/)* [Hacker](/Tag/Hacker/)* [Hacking](/Tag/Hacking/)* [Hacktivism](/Tag/Hacktivism/)* [Identity Theft](/Tag/Identity%20Theft/)* [Incident response](/Tag/Incident%20response/)* [Infosec](/Tag/Infosec/)* [Infrastructure Security](/Tag/Infrastructure%20Security/)* [Kenna Security](/Tag/Kenna%20Security/)* [NCSAM](/Tag/NCSAM/)* [NCSC](/Tag/NCSC/)* [Palo Alto Networks](/Tag/Palo%20Alto%20Networks/)* [Password](/Tag/Password/)* [Personally Identifiable Information](/Tag/Personally%20Identifiable%20Information/)* [Phishing](/Tag/Phishing/)* [Quantum key distribution](/Tag/Quantum%20key%20distribution/)* [Remote Access Trojan](/Tag/Remote%20Access%20Trojan/)* [REvil](/Tag/REvil/)* [RSA Conference](/Tag/RSA%20Conference/)* [Spamming](/Tag/Spamming/)* [Spyware](/Tag/Spyware/)* [Surveillance](/Tag/Surveillance/)* [TLS](/Tag/TLS/)* [Trojan](/Tag/Trojan/)* [Trusted Platform Module](/Tag/Trusted%20Platform%20Module/)* [Vulnerability](/Tag/Vulnerability/)* [Wannacry](/Tag/Wannacry/)* [Zero trust](/Tag/Zero%20trust/) #### TIP US OFF[Send us news](https://www.theregister.com/Profile/contact/)[#### It looks like you’re ransoming data. Would you like some help?AI-powered ransomware, extortion chatbots, vibe hacking … just wait until agents replace affiliatesCyber-crime3 days -|](/2025/09/03/ransomware_ai_abuse/?td=keepreading) [#### Ransomware crews don’t care about your endpoint security — they’ve already killed itSome custom malware, some legit software toolsCyber-crime22 days -| 24](/2025/08/14/edr_killers_ransomware/?td=keepreading) [#### The intruder is in the house: Storm-0501 attacked Azure, stole data, demanded payment via TeamsDon’t let it happen to youCyber-crime10 days -| 19](/2025/08/27/storm0501_ransomware_azure_teams/?td=keepreading) [#### Could agentic AI save us from the cybercrisis?Many hands make light work in the SOCSponsored feature](/2025/08/07/could_agentic_ai_save/?td=keepreading) [#### Short circuit: Electronics supplier to tech giants suffers ransomware shutdownAmazon, Apple, Google, and Microsoft among major customersCyber-crime15 days -| 7](/2025/08/22/data_io_ransomware_attack_temporarily/?td=keepreading) [#### Kidney dialysis giant DaVita tells 2.4M people they were snared in ransomware data theft nightmareHealth details, tax ID numbers, even images of checks were stolen, reportedly by the Interlock gangCyber-crime15 days -| 15](/2025/08/22/davita_ransomware_infection/?td=keepreading) [#### AI spies questionable science journals, with some human help’Louis, I think this is the beginning of a beautiful friendship’Science6 days -| 18](/2025/08/31/ai_spies_questionable_science_journals/?td=keepreading) [#### First AI-powered ransomware spotted, but it’s not active — yetOh, look, a use case for OpenAI’s gpt-oss-20b modelCyber-crime11 days -| 1](/2025/08/26/first_aipowered_ransomware_spotted_by/?td=keepreading) [#### Amazon quietly fixed Q Developer flaws that made AI agent vulnerable to prompt injection, RCEMove along, nothing to see herePatches17 days -| 2](/2025/08/20/amazon_quietly_fixed_q_developer_flaws/?td=keepreading) [#### ChatGPT hates LA Chargers fansHarvard researchers find model guardrails tailor query responses to user’s inferred politics and other affiliationsAI + ML9 days -| 15](/2025/08/27/chatgpt_has_a_problem_with/?td=keepreading) [#### BGP’s security problems are notorious. Attempts to fix that are a work in progressSystems Approach Securing internet infrastructure remains a challenging endeavourNetworks10 days -| 15](/2025/08/27/systems_approach_securing_internet_infrastructure/?td=keepreading) [#### Boffins build automated Android bug hunting systemAI agent system said to have found more than 100 zero-day flaws in production appsSecurity1 day -| 2](/2025/09/04/boffins_build_automated_android_bug_hunting/?td=keepreading)

Related Tags:
NAICS: 54 – Professional

Scientific

Technical Services

NAICS: 334 – Computer And Electronic Product Manufacturing

NAICS: 541 – Professional

Scientific

Technical Services

NAICS: 52 – Finance And Insurance

NAICS: 518 – Computing Infrastructure Providers

Data Processing

Web Hosting

Related Services

NAICS: 33 – Manufacturing – Metal

Electronics And Other

NAICS: 522 – Credit Intermediation And Related Activities

NAICS: 51 – Information

Phishing: Spearphishing Voice

Associated Indicators:

Threat Intel Solutions

The crazy, true story behind the first AI-powered ransomware

Search

Popular Posts

Dangerous runC flaws could allow hackers to escape Docker containers

Lost iPhone? Don’t fall for phishing texts saying it was found

NAKIVO Introduces v11.1 with Upgraded Disaster Recovery and MSP Features

Categories

Pages

Archives

Tags

Follow Us