Threat Actor Profile
Low
Cybercriminal
Description
First known AI-powered ransomware. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly.
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': '2025-08-26',
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'First known AI-powered ransomware. The PromptLock malware '
'uses the gpt-oss:20b model from OpenAI locally via the Ollama '
'API to generate malicious Lua scripts on the fly',
'firstseen': None,
'group': 'promptlock',
'has_negotiations': False,
'has_ransomnote': False,
'lastseen': None,
'locations': [],
'negotiation_count': 0,
'ransomnotes_count': 0,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': False,
'locations': [],
'negotiation_count': 0,
'ransomnotes_count': 0,
'ransomware_live_group': 'promptlock',
'tools': {},
'url': 'https://www.ransomware.live/group/promptlock',
'victims': 0,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [],
'url': 'https://www.ransomware.live/group/promptlock',
'victims': 0,
'vulnerabilities': []}