Saturday, September 6, 2025
Latest:

Threatshub.org sponsored-Post

The Register

The crazy, true story behind the first AI-powered ransomware

TH Author

interview It all started as an idea for a research paper. 

Within a week, however, it nearly set the security industry on fire over what was believed to be the first-ever AI-powered ransomware.

A group of New York University engineers who had been studying the newest, most sophisticated ransomware strains along with advances in large language models and AI decided to look at the intersection between the two, develop a proof-of-concept for a full-scale, AI-driven ransomware attack – and hopefully have their research selected for presentation at an upcoming security conference.

“There’s this gap between these two technologies,” NYU engineering student and doctoral candidate Md Raz told The Register. “And we think there’s a viable threat here. How feasible is an attack that uses AI to do the entire ransomware life cycle? That’s how we came up with Ransomware 3.0.”

So Raz, along with his fellow researchers, developed an AI system to perform four phases of a ransomware attack. The engineers tested the malware against two models: OpenAI’s gpt-oss-20b and its heavier counterpart, gpt-oss-120b. It generates Lua scripts customized for each victim’s specific computer setup, maps IT systems, and identifies environments, determining which files are most valuable, and thus most likely to demand a steep extortion payment from a victim organization.

“It’s more targeted than a regular ransomware campaign that affects the entire system,” he described. “It specifically targets a couple of files, so it’s a lot harder to detect. And then the attack is super personalized. It’s polymorphic, so every time you run it on different systems, or even multiple times on the same system, the generated code is never going to be the same.”

In addition to stealing and encrypting data, the AI also wrote a personalized ransom note based on user info and bios found on the infected computer. 

This is literally, exactly the code that I wrote, and it’s the same functions and the same prompts. And they think it’s a real attack

During testing, the researchers uploaded the malware to VirusTotal to see if any anti-virus software would flag it as malicious. Then the news stories about a new, AI-powered ransomware named PromptLock – and the messages – started coming in.

“This is literally, exactly the code that I wrote, and it’s the same functions and the same prompts,” Raz said. That’s when he and the rest of the researchers realized that ESET malware analysts found their Ransomware 3.0 binary on VirusTotal. “And they think it’s a real attack.”

Another one of Raz’s co-authors got a call from a chief information security officer who wanted to discuss defending against this new threat. “My colleague said, ‘yeah, we made that. There’s a paper on it. You don’t need to reverse engineer the binary to come up with the defenses because we already outlined the exact behavior.”

It all seemed very surreal. “At first I couldn’t believe it,” Raz said. “I had to sift through all the coverage, make sure it is our project, make sure I’m not misinterpreting it. We had no idea that anyone had found it and started writing about it.”

The NYU team contacted the ESET researchers, who updated the social media post about PromptLock. 

According to Raz, the binary won’t function outside of a lab environment, so the good news for defenders (for now, at least) is that the malware isn’t going to encrypt any systems or steal any data in the wild. 

“If attackers wanted to use our specific binary, it would require a lot of modification,” he said. “But this attack was not too complicated to do, and I’m guessing there’s a high chance that real attackers are already working on something like this.”

The lighter model, gpt-oss-20b, complied more readily with the team’s queries, Raz added, while the heavier version denied the researchers the code on a more frequent basis, citing OpenAI’s policies designed to protect sensitive data.

However, it’s worth noting that the engineering students didn’t jailbreak the model, or inject any malicious prompts. “We just told it directly: generate some code that scans these files, generate what a ransom note might look like,” Raz said. “We didn’t beat around the bush at all.”

It’s likely that the AI complied because it wasn’t asked to generate a full-scale attack, but rather the individual tasks required to pull off a ransomware infection. Still, “once you put these pieces together, it becomes this whole malicious attack, and that is really hard to defend against,” Raz said.

Around the same time that ESET spotted Raz’s malware, and dubbed it the first AI ransomware, Anthropic warned that a cybercrime crew used its Claude Code AI tool in a data extortion operation

Between both of these – systems developing malware that even security researchers believe to be a real ransomware PoC, and extortionists using AI in their attacks – it’s a good indication that defenders should take note, and start preparing for the inevitable future right now. ®

READ MORE HERE