
PromptLock leverages Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption. These Lua scripts are cross-platform compatible, functioning on #Windows, #Linux, and #macOS.
Based on the detected user files, the malware may exfiltrate data, encrypt it, or potentially destroy it. Although the destruction functionality appears to be not yet implemented. #Bitcoin address used in the prompt appears to belong to Bitcoin creator https://en.wikipedia.org/wiki/Satoshi_Nakamoto
For its file encryption mechanism, the PromptLock ransomware utilizes the SPECK 128-bit encryption algorithm.
Although multiple indicators suggest the sample is a proof-of-concept (PoC) or work-in-progress rather than fully operational malware deployed in the wild, we believe it is our responsibility to inform the cybersecurity community about such developments.
The PromptLock ransomware is written in #Golang, and we have identified both Windows and Linux variants uploaded to VirusTotal. IoCs:
🚨 Filecoder.PromptLock.A
📄 24BF7B72F54AA5B93C6681B4F69E579A47D7C102
AD223FE2BB4563446AEE5227357BBFDC8ADA3797
BB8FB75285BCD151132A3287F2786D4D91DA58B8
F3F4C40C344695388E10CBF29DDB18EF3B61F7EF
639DBC9B365096D6347142FCAE64725BD9F73270
161CDCDB46FB8A348AEC609A86FF5823752065D2