In a startling development reported by PCWorld, security researchers have detected a new strain of ransomware created using a local large language model (LLM). This ransomware can change its output dynamically so it evades traditional antivirus detection. (pcworld.com) This is proof that the old security playbook of detect and respond is no longer sufficient.
This blog post explains what this means, why businesses need to move toward isolation and containment, and why AppGuard, with a decade-long proven track record, should be your frontline defense.
The attack, detailed by PCWorld, involves a ransomware variant called PromptLock. Rather than carrying a fixed payload that antivirus signatures can match, PromptLock includes embedded prompts that call a locally stored LLM (specifically, gpt-oss:20b). Each time the ransomware is triggered, the LLM generates new code. The signatures that antivirus tools depend on simply don’t catch it. (pcworld.com)
Researchers note that even though the prompt itself is static, the output varies, making detection extremely challenging. PromptLock also uses Lua scripts and Go code to scan and encrypt files, exfiltrate data, and run across multiple platforms including Windows, macOS, and Linux.
While the current implementation “does not pose a serious threat,” according to the researchers, it is only a matter of time before threat actors refine the technique and amplify its damage.
The takeaway is clear: dynamic, AI-driven attacks are here. Signature-based defenses are losing relevance and businesses remain dangerously exposed.
For years, the cybersecurity model for endpoints has been:
Monitor for anomalous behaviors or known malicious patterns
Alert security teams
Respond (quarantine, remediation, rollback) after detection
But what if the malware never “flags” itself in a detectable way? What if it mutates on the fly? That is exactly what AI-driven ransomware like PromptLock can do. Relying on detection means you will always be behind the attacker.
Even if an attack is detected eventually, the damage, such as data encryption, exfiltration, or business disruption, may already be done.
To keep pace, businesses must adopt a model that does not wait for detection to act. Instead, it should proactively isolate and contain potentially malicious behavior before damage occurs.
Isolation and containment change the game:
Prevent malicious actions like file encryption, process injection, or lateral movement from executing in the first place
Contain suspicious behaviors in a safe environment
Enforce strict process controls so only explicitly allowed operations succeed
Minimize impact by quarantining anomalies instantly
With this approach, attackers can no longer roam freely or escalate privileges. Their actions are blocked or severely constrained, even if they evade signature detection.
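To make the contrast concrete, here is an added example (not AppGuard's code or any product's logic; the process names, paths, hashes and rules are all made up) that runs the same constructed endpoint events through a hash-based signature check and through a default-deny allow-list of (process, action, target) rules:

```python
"""Signature matching versus default-deny containment, as a constructed demo.

Added example code: not AppGuard's or any other product's implementation.
Hashes, process names, paths and rules below are all made up.
"""
import hashlib
from fnmatch import fnmatch

# Signature model: block only payloads whose hash was seen before.
KNOWN_BAD = {hashlib.sha256(b"ransomware build #1").hexdigest()}

def signature_blocks(payload: bytes) -> bool:
    return hashlib.sha256(payload).hexdigest() in KNOWN_BAD

# Containment model: explicit allow rules (process, verb, target glob).
# Any (process, verb, target) not matched by a rule is denied,
# regardless of what code the process happens to be running.
ALLOW_RULES = [
    ("winword.exe", "read",  "C:/Users/*"),
    ("winword.exe", "write", "C:/Users/*/Documents/*"),
    ("backup.exe",  "read",  "C:/*"),
    ("backup.exe",  "write", "D:/Backups/*"),
    ("backup.exe",  "net",   "smb://backup-srv/*"),
]

def policy_allows(process: str, verb: str, target: str) -> bool:
    return any(process == p and verb == v and fnmatch(target, t)
               for p, v, t in ALLOW_RULES)

def evaluate(events):
    """For each (process, verb, target, payload) return
    (process, verb, target, signature_blocked, policy_blocked)."""
    return [(p, v, t, signature_blocks(b), not policy_allows(p, v, t))
            for p, v, t, b in events]

# Constructed events. Events 2-5 are the same ransomware; the last three carry
# code regenerated with different bytes, so the hash no longer matches.
EVENTS = [
    ("winword.exe", "write",  "C:/Users/alice/Documents/q3.docx", b"normal save"),
    ("update.exe",  "write",  "C:/Users/alice/Documents/q3.docx", b"ransomware build #1"),
    ("update.exe",  "write",  "C:/Users/alice/Documents/q3.docx", b"ransomware build #2"),
    ("update.exe",  "inject", "winword.exe",                      b"ransomware build #2"),
    ("update.exe",  "net",    "smb://fileserver/share",           b"ransomware build #2"),
]

if __name__ == "__main__":
    for p, v, t, sig, pol in evaluate(EVENTS):
        print(f"{p:12}{v:8}{t:36} signature={'BLOCK' if sig else 'pass'}"
              f" policy={'BLOCK' if pol else 'pass'}")
```

The regenerated build slips past the signature check but is still denied by the policy, because the decision is keyed on what the process is trying to do, not on what its bytes look like.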
That is where a solution like AppGuard excels.
For more than ten years, AppGuard has been used in government and high-security environments to protect endpoints against even the most stealthy attacks. Now it is available for commercial organizations. Here is why it deserves attention:
Proven track record: A decade of success in real-world, high-security deployments
Behavioral containment: AppGuard enforces process-level controls, blocking disallowed actions instead of waiting for detection
Zero-trust by default: Only explicitly allowed actions are permitted
Minimal false positives: Aggressive protection with reduced noise
Cross-platform support: Works across Windows platforms with adaptable architecture
Lightweight and scalable: Enterprise-ready without heavy system overhead
AppGuard is not another detection tool. It is a fundamentally different approach built for a world where malware evolves faster than signatures.
Reassess your endpoint strategy
Antivirus and detection-based tools are no longer enough against AI-powered threats.
Adopt isolation-first technologies
Evaluate solutions like AppGuard that prevent malicious behaviors rather than only detecting them.
Layer defenses
Use AppGuard alongside existing tools to improve your security posture without disruption.
Plan for AI-enabled future threats
This is not “if” anymore — it is “when.”
Build incident readiness
Even with containment, have response plans, but give your defenders a fighting chance by blocking malicious actions at the start.
The emergence of AI-driven ransomware like PromptLock, covered by PCWorld, makes one thing clear: the era of signature-based detection is ending. It is time to shift from reactive detect and respond to proactive isolation and containment.
Businesses that depend only on detection tools are at increasing risk. A smarter, more resilient defense is possible — one that denies attacks the freedom to execute in the first place. That solution is AppGuard, backed by a 10-year proven history and now available for commercial use.
If you run security for a business, now is the time to act. Talk with us at CHIPS about how AppGuard can prevent incidents like this. Let us help you move your security model from Detect and Respond to Isolation and Containment before the next AI-powered attack bypasses your defenses.