PromptLock PoC Ransomware: Lessons and Key Takeaways

    Date: 11/28/2025

    Severity: High

    Summary

    In August 2025, researchers identified a proof-of-concept ransomware named PromptLock, later attributed to an academic study on orchestrating ransomware-style attacks with large language models (LLMs). The sample calls a locally hosted gpt-oss:20b model through the Ollama API and uses the model's responses to generate and execute Lua scripts at runtime, giving it file enumeration, selective exfiltration, and cross-platform capabilities. Because the scripts are produced by the model on each run, behaviour and artifacts can differ between executions, which is what makes this approach harder to signature than conventional ransomware. Although only a POC, it shows how local LLMs can make ransomware more adaptive and lower the skill needed to build it. For defenders, this means treating model runtimes as critical assets: restricting which users and processes can reach the model API, tightening file permissions on the host, and monitoring for unusual script execution. Ollama, which lets users download and run a wide range of LLMs locally, adds to the challenge because organizations often have no visibility into prompts, outputs, or whether a downloaded model has been tampered with. Unmanaged adoption of local LLM tooling therefore expands the attack surface as employees experiment with emerging AI technologies.

    CVE ID : CVE-2025-6218, CVE-2025-8088

    Indicators of Compromise (IOC) List

    Hash (MD5) :

    1854a4427eef0f74d16ad555617775ff
    2fdffdf0b099cc195316a85636e9636d
    74eb831b26a21d954261658c72145128
    806f552041f211a35e434112a0165568
    ac377e26c24f50b4d9aaa933d788c18c
    ed229f3442f2d45f6fdd4f3a4c552c1c
    f7cf07f2bf07cfc054ac909d8ae6223d

    Hash (SHA1) :

    161cdcdb46fb8a348aec609a86ff5823752065d2
    24bf7b72f54aa5b93c6681b4f69e579a47d7c102
    639dbc9b365096d6347142fcae64725bd9f73270
    8c7bcafce90f5fb121131ecb27346ecfc6e961c5
    ad223fe2bb4563446aee5227357bbfdc8ada3797
    bb8fb75285bcd151132a3287f2786d4d91da58b8
    f3f4c40c344695388e10cbf29ddb18ef3b61f7ef

    Hash (SHA256) :

    09bf891b7b35b2081d3ebca8de715da07a70151227ab55aec1da26eb769c006f
    1458b6dc98a878f237bfb3c3f354ea6e12d76e340cefe55d6a1c9c7eb64c9aee
    1612ab799df51a7f1169d3f47ea129356b42c8ad81286d05b0256f80c17d4089
    2755e1ec1e4c3c0cd94ebe43bd66391f05282b6020b2177ee3b939fdd33216f6
    7bbb06479a2e554e450beb2875ea19237068aa1055a4d56215f4e9a2317f8ce6
    b43e7d481c4fdc9217e17908f3a4efa351a1dab867ca902883205fe7d1aab5e7
    e24fe0dd0bf8d3943d9c4282f172746af6b0787539b371e6626bdb86605ccd70

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    md5hash IN ("ed229f3442f2d45f6fdd4f3a4c552c1c","ac377e26c24f50b4d9aaa933d788c18c","1854a4427eef0f74d16ad555617775ff","f7cf07f2bf07cfc054ac909d8ae6223d","2fdffdf0b099cc195316a85636e9636d","74eb831b26a21d954261658c72145128","806f552041f211a35e434112a0165568")

    Detection Query 2 :

    sha1hash IN ("ad223fe2bb4563446aee5227357bbfdc8ada3797","bb8fb75285bcd151132a3287f2786d4d91da58b8","161cdcdb46fb8a348aec609a86ff5823752065d2","639dbc9b365096d6347142fcae64725bd9f73270","8c7bcafce90f5fb121131ecb27346ecfc6e961c5","24bf7b72f54aa5b93c6681b4f69e579a47d7c102","f3f4c40c344695388e10cbf29ddb18ef3b61f7ef")

    Detection Query 3 :

    sha256hash IN ("2755e1ec1e4c3c0cd94ebe43bd66391f05282b6020b2177ee3b939fdd33216f6","1612ab799df51a7f1169d3f47ea129356b42c8ad81286d05b0256f80c17d4089","1458b6dc98a878f237bfb3c3f354ea6e12d76e340cefe55d6a1c9c7eb64c9aee","7bbb06479a2e554e450beb2875ea19237068aa1055a4d56215f4e9a2317f8ce6","09bf891b7b35b2081d3ebca8de715da07a70151227ab55aec1da26eb769c006f","b43e7d481c4fdc9217e17908f3a4efa351a1dab867ca902883205fe7d1aab5e7","e24fe0dd0bf8d3943d9c4282f172746af6b0787539b371e6626bdb86605ccd70")
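    The three queries above match only the known sample files; because PromptLock generates its Lua payload from model output at runtime, a hash match tells you the dropper is present but not what it did. The following is an added example, not code from this advisory or from the PromptLock sample, that applies the same IOC hashes to constructed telemetry and pairs them with the behavioural check the summary recommends: an unlisted process reaching the local model API and then sweeping many files. The event field names (type, pid, image, dst_ip, dst_port, path), the allow-list of expected Ollama clients, and the file-count threshold are assumptions; 11434 is Ollama's default API port, so the rule assumes a default configuration.

```python
# Added example (not the advisory's or the sample's code): hash-IOC matching
# plus a behavioural rule for the PromptLock pattern over constructed events.
from collections import defaultdict

# IOC hashes exactly as listed in the three detection queries on the page.
IOC_HASHES = {
    "md5": {
        "1854a4427eef0f74d16ad555617775ff", "2fdffdf0b099cc195316a85636e9636d",
        "74eb831b26a21d954261658c72145128", "806f552041f211a35e434112a0165568",
        "ac377e26c24f50b4d9aaa933d788c18c", "ed229f3442f2d45f6fdd4f3a4c552c1c",
        "f7cf07f2bf07cfc054ac909d8ae6223d",
    },
    "sha1": {
        "161cdcdb46fb8a348aec609a86ff5823752065d2", "24bf7b72f54aa5b93c6681b4f69e579a47d7c102",
        "639dbc9b365096d6347142fcae64725bd9f73270", "8c7bcafce90f5fb121131ecb27346ecfc6e961c5",
        "ad223fe2bb4563446aee5227357bbfdc8ada3797", "bb8fb75285bcd151132a3287f2786d4d91da58b8",
        "f3f4c40c344695388e10cbf29ddb18ef3b61f7ef",
    },
    "sha256": {
        "09bf891b7b35b2081d3ebca8de715da07a70151227ab55aec1da26eb769c006f",
        "1458b6dc98a878f237bfb3c3f354ea6e12d76e340cefe55d6a1c9c7eb64c9aee",
        "1612ab799df51a7f1169d3f47ea129356b42c8ad81286d05b0256f80c17d4089",
        "2755e1ec1e4c3c0cd94ebe43bd66391f05282b6020b2177ee3b939fdd33216f6",
        "7bbb06479a2e554e450beb2875ea19237068aa1055a4d56215f4e9a2317f8ce6",
        "b43e7d481c4fdc9217e17908f3a4efa351a1dab867ca902883205fe7d1aab5e7",
        "e24fe0dd0bf8d3943d9c4282f172746af6b0787539b371e6626bdb86605ccd70",
    },
}
_HEX = set("0123456789abcdef")
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Return (algo, normalised_hex) or None. Length selects the algorithm, so one
    matcher covers all three queries and tolerates upper-case or padded input."""
    h = str(value).strip().lower()
    if len(h) not in _ALGO_BY_LEN or not set(h) <= _HEX:
        return None
    return _ALGO_BY_LEN[len(h)], h


def match_hash_iocs(events):
    """Return sorted (event_id, algo, hash) for file events whose hash is an IOC."""
    hits = set()
    for ev in events:
        if ev.get("type") != "file":
            continue
        for field in ("md5", "sha1", "sha256"):
            parsed = classify_hash(ev.get(field, ""))
            if parsed and parsed[1] in IOC_HASHES[parsed[0]]:
                hits.add((ev["id"], parsed[0], parsed[1]))
    return sorted(hits)


OLLAMA_PORT = 11434                          # Ollama default API port (assumes default config)
LOOPBACK = {"127.0.0.1", "::1"}
ALLOWED_LLM_CLIENTS = {"ollama", "open-webui"}  # hypothetical allow-list of expected clients
FILE_TOUCH_THRESHOLD = 50                    # hypothetical: distinct files read after the call


def unexpected_llm_clients(events):
    """Flag a pid when an unlisted process calls the local Ollama API and then reads
    many distinct files (the prompt-then-enumerate pattern the summary describes).
    Returns sorted (pid, image_name, files_read)."""
    first_call, image_of = {}, {}
    for ev in sorted(events, key=lambda e: e.get("ts", 0)):
        if (ev.get("type") == "netconn" and ev.get("dst_ip") in LOOPBACK
                and ev.get("dst_port") == OLLAMA_PORT):
            name = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name not in ALLOWED_LLM_CLIENTS and ev["pid"] not in first_call:
                first_call[ev["pid"]] = ev["ts"]
                image_of[ev["pid"]] = name
    reads = defaultdict(set)
    for ev in events:
        if (ev.get("type") == "fileread" and ev["pid"] in first_call
                and ev["ts"] >= first_call[ev["pid"]]):
            reads[ev["pid"]].add(ev["path"])
    return sorted((pid, image_of[pid], len(paths)) for pid, paths in reads.items()
                  if len(paths) >= FILE_TOUCH_THRESHOLD)


# Constructed sample telemetry (not real logs): one IOC hit with upper-case hash,
# one benign file, one allow-listed client, one unlisted process that prompts the
# model and then sweeps a documents directory.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file", "sha256": "2755E1EC1E4C3C0CD94EBE43BD66391F05282B6020B2177EE3B939FDD33216F6"},
    {"id": 2, "type": "file", "md5": "d41d8cd98f00b204e9800998ecf8427e"},  # MD5 of empty file
    {"type": "netconn", "ts": 100, "pid": 10, "image": "/usr/local/bin/ollama",
     "dst_ip": "127.0.0.1", "dst_port": 11434},
    {"type": "netconn", "ts": 200, "pid": 20, "image": "/tmp/.cache/svc",
     "dst_ip": "127.0.0.1", "dst_port": 11434},
] + [{"type": "fileread", "ts": 200 + i, "pid": 20, "path": f"/home/user/docs/{i}.docx"}
     for i in range(60)]

if __name__ == "__main__":
    print(match_hash_iocs(SAMPLE_EVENTS))
    print(unexpected_llm_clients(SAMPLE_EVENTS))
```

    The behavioural rule is deliberately independent of the hash list: a rebuilt or recompiled PromptLock binary would miss every query above but would still have to talk to the model runtime before it can produce the scripts it runs, so gating and logging access to that API is the control that survives sample changes.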

    Reference: 

    https://www.splunk.com/en_us/blog/artificial-intelligence/promptlock-llm-ransomware-security-analysis.html   

    https://otx.alienvault.com/pulse/68b26dfdba35a83aaf0eac1d


    Tags: Malware, Vulnerability, PromptLock PoC, Ransomware, Ollama, CVE-2025