First-ever AI-powered ransomware discovered. What does it mean for compliance and cybersecurity?


This past August, researchers at ESET revealed something cybersecurity experts have long anticipated: the first-ever AI-powered ransomware, dubbed PromptLock. Unlike traditional ransomware, which relies on pre-written code, PromptLock uses a large language model (LLM) to dynamically generate scripts for scanning files, stealing data, encrypting systems and even drafting ransom notes.


What makes PromptLock especially alarming and nefarious is its lean design: instead of embedding a full AI model in every attack, it can connect to an external AI service. That lets attackers keep the malicious payload small while still harnessing the adaptability of AI. For now, PromptLock appears to be a proof-of-concept, with no evidence of active campaigns. But its design signals a major shift in the cyber threat landscape.


PromptLock is more than a technical curiosity. It is a compliance and governance issue. As businesses face the new Data (Use and Access) Act (DUAA) alongside GDPR and PECR, the arrival of AI-assisted malware raises the bar for preparedness.


Traditional ransomware already tested the resilience of organisations. AI-driven ransomware takes this a step further. It could:


  • vary its behaviour on every run, making static Indicators of Compromise (IoCs) harder to rely on for detection.
  • generate convincing ransom communications on the fly, enabling social engineering at scale.
  • exploit unsecured AI systems within organisations, turning helpful business tools into attack vectors.


Organisations need to update their cyber risk assessments immediately. This new breed of AI-powered ransomware demonstrates how quickly the threat landscape shifts. Preparedness is everything now.


There are three areas to focus on immediately:


  1. Staff awareness training
    AI-crafted attacks may not look like anything your staff have seen before. Suspicious files, strange prompts or unusual system behaviour could all be red flags. Training should empower staff to escalate concerns even if they don’t fit existing patterns.
  2. Incident response and breach reporting
    With DUAA now requiring 72-hour breach notification, organisations can’t afford delays. Response plans should be stress-tested to ensure IT, legal and compliance teams can escalate rapidly, even when the attack looks different every time.
  3. Securing AI systems
    Any AI deployed in your business, such as customer service chatbots or document drafting tools, must be secured against hijacking. Regulators will expect firms to prevent their own AI from becoming a vector of attack. We call on regulators to issue clear guidance on AI in cybercrime so organisations can adapt confidently.


PromptLock is not just about cybersecurity. It links directly to compliance under DUAA, GDPR and PECR.

  • With DUAA and GDPR, the litigation risk is higher than ever. As seen in Farley v Paymaster, even minor errors can spark claims. If AI ransomware leads to mis-sent data or delayed responses, firms could face lawsuits.
  • Breach notification just got real. The 72-hour DUAA rule demands that incidents are detected and reported faster, even when ransomware mutates its tactics.
  • Governance is changing. Boards must add AI-powered cybercrime to their risk registers and ask whether internal controls are fit for this new threat.


AI can revolutionise business. But as PromptLock demonstrates, it can also revolutionise crime. Organisations must assume that cybercriminals will continue to innovate, experimenting with AI to create more adaptive, unpredictable and scalable attacks.


The cyber arms race has entered a new phase. It’s one where the lines between human and machine-driven threats are increasingly blurred. The organisations that thrive will be those that connect cyber resilience with compliance obligations.


Your organisation needs to know how to protect itself from cyber threats and maintain a secure digital environment. Vinciworks’ cyber security courses prepare your team for all cyber risks with training and micro-learning modules on a range of topics from social media to IT security. These can easily be configured into a multi-year training plan, ensuring long-term protection. Try it here.
