ESET Flags First AI-Powered Ransomware That Adapts to Each Victim System

ESET Warns of First AI-Powered Ransomware That Learns From Each Victim

Cybersecurity researchers have identified a new form of ransomware that behaves less like traditional malware and more like a learning system. Instead of relying on fixed instructions, this threat actively consults artificial intelligence in real time-adapting its attack methods based on each infected device.

In its latest threat analysis, ESET described this as the first known instance of AI-powered ransomware operating at scale, signalling a major shift in how cybercriminals design and deploy malicious software.

Ransomware Built Around Artificial Intelligence

The malware, known as PromptLock, departs sharply from earlier ransomware families that depended on static code and predictable execution paths. Instead, it uses a controller module written in Go that communicates directly with a remote AI model.

Rather than carrying pre-written attack scripts, PromptLock sends prompts to the AI, which then generates Lua scripts tailored specifically to the victim’s system. These scripts are executed instantly, allowing the malware to respond dynamically to different environments.

Security experts say this adaptive approach makes detection significantly harder, as the malicious code can look different on every infected machine.

How PromptLock Learns Inside Victim Systems

Once deployed, PromptLock scans the victim’s system to understand what data is present and how the environment is configured. Based on this assessment, it decides whether to encrypt files, steal sensitive information, or destroy data entirely.

What makes this malware particularly dangerous is its built-in feedback loop. After executing an AI-generated script, the malware sends execution logs back to the AI model. If something fails or behaves unexpectedly, the AI refines the script and reissues it-effectively allowing the malware to correct itself during the attack.

This kind of self-adjusting behavior marks a clear escalation from traditional ransomware operations.

Why This Matters Beyond Cybersecurity

The rise of AI-driven threats like PromptLock highlights a growing risk for organisations that rely heavily on digital systems and automated workflows. As businesses increasingly outsource core financial and operational functions-including outsourced bookkeeping India -the security of endpoints, shared platforms, and cloud-based access becomes even more critical.

Experts warn that attackers are deliberately targeting environments where sensitive financial data, credentials, and reporting systems intersect, making strong cybersecurity hygiene a non-negotiable requirement across both in-house and outsourced operations.

Part of a Larger AI-Driven Threat Ecosystem

ESET researchers noted that PromptLock is not an isolated development. Related AI-assisted tools such as PromptFlux and PromptSteal are already being used to improve persistence, evade detection, and automate data theft.

These tools are emerging alongside rapid growth in ransomware activity globally. By late 2025, ransomware victim disclosures had already surpassed previous annual totals, with analysts projecting a steep year-over-year increase.

The use of AI is accelerating this trend by reducing the technical barriers for attackers while increasing the sophistication of each campaign.

A Turning Point in the Ransomware Landscape

ESET describes the emergence of AI-powered ransomware as a defining moment in cybercrime evolution. Malware is no longer limited to executing fixed instructions-it can now analyze, learn, and adapt in real time.

By generating unique scripts for every victim system, PromptLock demonstrates how artificial intelligence can be embedded directly into the mechanics of ransomware itself. For defenders, this means traditional detection methods will need to evolve just as quickly.

As AI continues to reshape both business operations and cyber threats, organisations are being forced to rethink security not as a technical add-on, but as a foundational layer of modern digital operations.