October 9, 2025

Is Ephemeral Ransomware “the New Thing”?

Justin Fimlaid

Look Around the Corner... And Be Ready

In the last few weeks we’ve seen some different trends emerging in the malware space. We’ve seen PromptLock, a proof-of-concept that runs a local AI model to spit out one-off Lua scripts for discovery, exfil, and encryption; and Storm-0501’s pivot away from on-endpoint encryptors to cloud-based impact. We’re seeing less malware to catch, more behavior to prove and contain.  

I put this together to help you look around the corner and think about what’s next, what the trend is, why it’s happening, exactly how the newer tradecraft works, and what to do now: steps that hold up in an audit and a press conference.

What the Trend Actually Is

We’re sliding from the “brick through the window” era of fat, reusable encryptors into ephemeral, AI-assisted operations that leave fewer durable artifacts: 

  • AI in the loop, locally. PromptLock doesn’t call a cloud API—it launches a local LLM and generates a fresh script per run. That breaks hash/YARA expectations and dodges cloud AI logging. (Source: ESET Research.)
  • Impact moves up-stack. Storm-0501 shows how crews can get paid without ever dropping a classic encryptor: compromise identities, flip storage retention/immutability, tamper with keys, and create pressure from the cloud control plane. (Source: Microsoft Research.)
  • “Encryptor-less” is mainstream. Campaigns like ShrinkLocker use BitLocker itself to lock systems—your OS does the work; the custom malware footprint is tiny. (Source: Kaspersky Research.)

Why this matters: when artifacts evaporate, your advantage shifts from “did we catch the file?” to “how fast can we see the move and recover?” 

How We Got Here (And Why AI Shows Up Now) 

Let’s be candid about cause and effect. We created this situation but it was also inevitable. 

What Worked and Pushed Attackers Sideways

EDR/XDR killed a lot of commodity loaders. Email gateways throttled broad phishing. Sandbox detonation and better egress controls made C2 noisy. Defenders also learned the usual ransomware tells: VSS deletes, big write bursts, suspicious drivers. That pressure reduced ROI for traditional, on-disk encryptors.

Where the Opportunistic Gaps Remained
  • Control-plane blind spots. Most programs still don’t monitor identity and storage like they monitor endpoints. That’s a gap in role assignments, snapshot/retention changes, and key-vault operations—the very knobs modern crews twist. Microsoft’s Storm-0501 write-ups are explicit about this path.
  • Interpreter sprawl. PowerShell, Python—and now Lua—are already present. If an attacker can write a short script to enumerate shares and flip recovery, why ship a 5-MB binary? ShrinkLocker’s BitLocker abuse is the blueprint.
  • Local AI without guardrails. Dev and research endpoints are quietly running local model servers; pair that with a small loader and you get non-deterministic code on demand with minimal forensic exhaust. (Ollama’s default listener is on localhost:11434—useful for hunts.)

Why AI Now?

Models remove two frictions: (1) the need to pre-package every step, and (2) the repetitiveness that makes static signatures work. With a local model, the malware decides and writes in situ, then throws the script away. That’s not sci-fi; it’s exactly what ESET documents in PromptLock.

What The New Tradecraft Actually Does 

Local-LLM Orchestration (PromptLock Pattern)

A small Go wrapper starts or contacts a local model, emits an ephemeral .lua, runs it, then deletes it. Each run can choose different targets (enumerate certain file types, exfil first, encrypt later). Because the “brains” are local, there’s no API trail to subpoena. ESET’s analysis shows cross-platform potential (Windows/Linux, since Lua works everywhere; macOS is feasible) and even a non-standard crypto choice (SPECK-128) under test—classic PoC DNA but directionally important. These details come from the ESET analysis referenced above.

Cloud-Based Impact (Storm-0501)

Microsoft reports the actor increasingly skips the endpoint encryptor and executes impact via cloud knobs: privilege changes, storage retention/immutability reductions, snapshot deletions, and key-management actions. That’s “ransomware” measured in config deltas and data access, not a suspicious EXE on a laptop. 

Encryptor-less via OS Features (ShrinkLocker)

Using BitLocker to do the encrypting, attackers remove recovery options and lock systems with almost no bespoke code left to hunt. It’s a clean example of low-artifact impact that defenders must detect by sequence, not signature. (Source: the Kaspersky Research analysis cited above.)

One Set of Recommendations

I’m squarely in the camp that FUD (fear, uncertainty, and doubt) is for folks who can’t make a fact-based argument. That being said, you need to help your IT teams and MSSP execute, with tangible direction your auditors will recognize.

A. Work with IT on Three “What If” Scenarios (Tabletop + Drill)

  1. Local-LLM on a staff endpoint emits short-lived scripts (enumeration to exfil to encrypt). What do we see (signals), what do we contain, and how fast can we prove scope?
  2. Cloud-only impact: attacker gains elevated identity and relaxes storage immutability, deletes snapshots, tampers with keys. Can we detect the chain and roll it back?
  3. Encryptor-less: OS BitLocker flips on critical servers. How quickly do we isolate and restore, and who authorizes recovery key workflows?

B. Hedge Toward Readiness: Controls That Work Across All Three

  • Govern AI and interpreters. Default-deny local LLM servers on endpoints; exceptions live in isolated, monitored VMs. Monitor Lua/Python/PowerShell launched from user-writable paths; alert on .lua/.py files that have been created, executed, then deleted within minutes.
  • Elevate control-plane visibility. Treat identity and storage analytics as first-class:
    • Alerts for Global Admin/Owner changes and app consent grants;
    • Retention/immutability relaxations, snapshot deletes, and Key Vault disable/rotate/delete;
    • Bulk copy by automation identities at odd times (AzCopy/gsutil). These are ransomware canaries in a cloud tenant.
  • Design for recoverability, not promises. Keep immutable backups with locks outside tenant-admin control; maintain documented rollback for storage and key policies; and prove restores quarterly (pick a system that hurts if you lose it).

C. How to Win Support Without FUD

Lead with facts from the last two weeks (PromptLock PoC; Storm-0501 cloud tactics; St. Paul/Nevada operations) and translate them into evidence-based asks: 

  • “Here are the signals we’re missing today in identity/storage.” 
  • “Here are the drills and restore proofs we’ll run this quarter.” 
  • “Here’s the metric we’ll report (TtC/TtR), not a pile of blocked hashes.” 

That’s proactive problem leadership: no scare slides—just a plan you can defend publicly.

ATT&CK Anchors, Early Warnings, and Detections 

Anchor techniques: 

  • T1059 (scripting: PowerShell/Python/Lua)
  • T1486 (Encrypt for Impact)
  • T1490 (Inhibit System Recovery)
  • T1078/T1098 (Valid Accounts/Account Manipulation; .003 Additional Cloud Roles)
  • T1530 (Data from Cloud Storage)
  • T1565.001 (Stored Data Manipulation)
  • T1552/T1555 (Credentials)
  • T1608.002 (Stage Capabilities — treat local LLM as a staged capability)

High-signal early warnings (endpoint): 

  • New/unsanctioned listeners on localhost:11434; unknown Go parent to lua/luajit/python child from user-writable paths; .lua/.py that have been created, executed, then deleted in under 5 min; rapid VSS tamper.  

High-signal early warnings (cloud): 

  • Global Admin/Owner spikes; app consent grants; immutability/retention relaxations; snapshot deletions; Key Vault disable/rotate/delete; sudden AzCopy/gsutil by automation identities. (Exactly the Storm-0501 path.)  
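The cloud warnings above, and the control-plane canaries listed under "Elevate control-plane visibility", become a single detection once they are stitched together by actor and time. The block below is an added example, not code from the post or from Microsoft: it classifies constructed tenant activity-log events into the stages the post describes (privilege change, immutability/retention relaxation, snapshot deletion, key-management action, bulk copy), raises each storage and key canary on its own, and flags any identity that walks through several stages within a window. The operation strings are modelled on Azure activity-log resource operations but are treated here as constructed labels; the privileged-role set, the 24-hour window and the three-stage threshold are tuning assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions (not from the post): operation strings are modelled on Azure activity-log
# resource operations but are treated here as constructed labels; the roles that count as
# privileged, the 24-hour correlation window and the 3-stage threshold are tuning choices.
PRIVILEGED_ROLES = {"Owner", "Global Administrator"}
WINDOW = timedelta(hours=24)
CHAIN_THRESHOLD = 3


@dataclass
class AuditEvent:
    ts: datetime
    actor: str        # user, service principal or automation identity
    operation: str    # resource operation performed
    target: str       # resource acted on
    detail: str = ""  # role granted, policy state, client user-agent, ...


def classify(e: AuditEvent):
    """Map one control-plane event to a ransomware-chain stage, or None if it is not a canary."""
    op = e.operation
    if op.endswith("roleAssignments/write") and e.detail in PRIVILEGED_ROLES:
        return "privilege"
    if op.endswith("oauth2PermissionGrants/create"):          # app consent grant
        return "privilege"
    if "immutabilityPolicies" in op and op.endswith(("/delete", "/unlock")):
        return "immutability"
    if op.endswith("managementPolicies/write") and e.detail == "retention_reduced":
        return "immutability"
    if op.endswith("snapshots/delete"):
        return "snapshot"
    if "KeyVault" in op and op.endswith(("/delete", "/disable", "/rotate")):
        return "keys"
    if op.endswith("blobs/read") and e.detail.lower().startswith(("azcopy", "gsutil")):
        return "bulk_copy"
    return None


def canaries(events):
    """Events that page on their own, before any chain forms (the post's 'ransomware canaries')."""
    return [{"actor": e.actor, "stage": classify(e), "operation": e.operation, "target": e.target}
            for e in events if classify(e) in {"immutability", "snapshot", "keys"}]


def detect_chains(events):
    """One actor touching >= CHAIN_THRESHOLD distinct stages inside WINDOW, or a privilege
    change followed by any impact stage: the Storm-0501-style sequence described above."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        stage = classify(e)
        if stage:
            by_actor[e.actor].append((e.ts, stage))
    findings = []
    for actor, staged in by_actor.items():
        for i, (t0, _) in enumerate(staged):
            window = [s for s in staged[i:] if s[0] - t0 <= WINDOW]
            stages = []
            for _, stage in window:          # distinct stages in order of first appearance
                if stage not in stages:
                    stages.append(stage)
            if len(stages) >= CHAIN_THRESHOLD or ("privilege" in stages and len(stages) >= 2):
                findings.append({"actor": actor, "stages": stages, "events": len(window),
                                 "start": t0, "end": window[-1][0]})
                break                         # report the first qualifying window per actor
    return findings


T0 = datetime(2025, 10, 1, 2, 0, 0)
SAMPLE_LOG = [  # constructed tenant activity; identities and resource names are placeholders
    AuditEvent(T0 + timedelta(minutes=3), "svc-backup-automation",
               "Microsoft.Authorization/roleAssignments/write", "/subscriptions/<sub-id>", "Owner"),
    AuditEvent(T0 + timedelta(minutes=10), "svc-backup-automation",
               "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete",
               "stbackup01/archive"),
    AuditEvent(T0 + timedelta(minutes=15), "svc-backup-automation",
               "Microsoft.Compute/snapshots/delete", "snap-sql-2025-09-30"),
    AuditEvent(T0 + timedelta(minutes=16), "svc-backup-automation",
               "Microsoft.Compute/snapshots/delete", "snap-sql-2025-09-29"),
    AuditEvent(T0 + timedelta(minutes=20), "svc-backup-automation",
               "Microsoft.KeyVault/vaults/keys/delete", "kv-prod/backup-kek"),
    AuditEvent(T0 + timedelta(minutes=40), "svc-backup-automation",
               "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
               "stfinance01/ledger", "AzCopy/10.x"),
    # Routine admin work: a single snapshot delete by a human during the day, no chain.
    AuditEvent(T0 + timedelta(hours=8), "alice@example.test",
               "Microsoft.Compute/snapshots/delete", "snap-dev-old"),
    # A non-privileged role grant: not a stage at all.
    AuditEvent(T0 + timedelta(hours=9), "ops-bot",
               "Microsoft.Authorization/roleAssignments/write", "/subscriptions/<sub-id>/rg-dev", "Reader"),
]

if __name__ == "__main__":
    for f in detect_chains(SAMPLE_LOG):
        print(f"{f['actor']}: {' -> '.join(f['stages'])} ({f['events']} events, {f['start']} to {f['end']})")
```

The automation identity is the only chain: it escalates, relaxes immutability, deletes snapshots, deletes a key and then bulk-reads a container inside forty minutes. The human's lone snapshot delete still surfaces as a canary for review but does not trip the chain rule, which is the distinction that keeps this kind of detection usable: single canaries go to a queue, a multi-stage chain by one identity pages the on-call.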


“Ephemeral” and “AI-native” aren’t buzzwords; they describe where the work is moving: from objects to behaviors, from endpoints to identities, policies, and data planes. You don’t need a bigger siren. You need better signals and faster proofs. Govern local AI, watch the control plane, and rehearse the rollback. When the next headline breaks, your story should be boring: we saw it, we contained it, we restored in hours. 

Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
