In the last few weeks we’ve seen some different trends emerging in the malware space. We’ve seen PromptLock, a proof-of-concept that runs a local AI model to spit out one-off Lua scripts for discovery, exfil, and encryption; and Storm-0501’s pivot away from on-endpoint encryptors to cloud-based impact. We’re seeing less malware to catch, more behavior to prove and contain.
I put this together to help you look around the corner and think about what’s next: what the trend is, why it’s happening, exactly how the newer tradecraft works, and what to do now, in steps that hold up in an audit and a press conference.
We’re sliding from the “brick through the window” era of fat, reusable encryptors into ephemeral, AI-assisted operations that leave fewer durable artifacts:
Why this matters: when artifacts evaporate, your advantage shifts from “did we catch the file?” to “how fast can we see the move and recover?”
Let’s be candid about cause and effect. We created this situation, but it was also inevitable.
EDR/XDR killed a lot of commodity loaders. Email gateways throttled broad phishing. Sandbox detonation and better egress controls made C2 noisy. Defenders also learned the usual ransomware tells: VSS deletes, big write bursts, suspicious drivers. That pressure reduced ROI for traditional, on-disk encryptors.
Models remove two frictions: (1) the need to pre-package every step, and (2) the repetitiveness that makes static signatures work. With a local model, the malware decides and writes in situ, then throws the script away. That’s not sci-fi; it’s exactly what ESET documents in PromptLock.
A small Go wrapper starts or contacts a local model, emits an ephemeral .lua, runs it, then deletes it. Each run can choose different targets (enumerate certain file types, exfil first, encrypt later). Because the “brains” are local, there’s no API trail to subpoena. ESET’s analysis shows cross-platform potential (Windows and Linux, and because Lua runs everywhere, macOS is feasible) and even a non-standard crypto choice (SPECK-128) under test: classic PoC DNA, but directionally important. These details come from the ESET analysis referenced above.
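The behavior ESET describes (write a script, run it, delete it, all from one process within seconds) is itself a detectable sequence even though no reusable file survives. The following is an added example, not code from the page or from ESET, that correlates constructed endpoint telemetry (file-create, process-start and file-delete records, of the kind Sysmon or an EDR emits) and flags scripts whose entire lifetime is a create-execute-delete loop inside one process. The event schema, paths and the 60-second window are assumptions for the example; it is written generically for any script interpreter, not only Lua.

```python
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not real data): pid 4100 writes a Lua script,
# runs it through an interpreter, and deletes it nine seconds later. The other
# two processes are benign controls: one runs a script it never deletes, the
# other creates and deletes a temp file it never executes.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T10:00:00", "pid": 4100, "type": "file_create",
     "path": "C:\\Users\\a\\AppData\\Local\\Temp\\run1.lua"},
    {"ts": "2025-09-01T10:00:01", "pid": 4100, "type": "process_start",
     "image": "lua.exe",
     "cmdline": "lua.exe C:\\Users\\a\\AppData\\Local\\Temp\\run1.lua"},
    {"ts": "2025-09-01T10:00:09", "pid": 4100, "type": "file_delete",
     "path": "C:\\Users\\a\\AppData\\Local\\Temp\\run1.lua"},
    {"ts": "2025-09-01T10:05:00", "pid": 5200, "type": "file_create",
     "path": "C:\\dev\\build.lua"},
    {"ts": "2025-09-01T10:05:02", "pid": 5200, "type": "process_start",
     "image": "lua.exe", "cmdline": "lua.exe C:\\dev\\build.lua"},
    {"ts": "2025-09-01T10:07:00", "pid": 6300, "type": "file_create",
     "path": "C:\\Temp\\x.lua"},
    {"ts": "2025-09-01T10:07:01", "pid": 6300, "type": "file_delete",
     "path": "C:\\Temp\\x.lua"},
]

# Extensions treated as "script" for correlation purposes (assumed list).
SCRIPT_EXTENSIONS = (".lua", ".ps1", ".py", ".js", ".vbs")
WINDOW = timedelta(seconds=60)  # assumed: whole lifecycle within one minute


def find_ephemeral_scripts(events, window=WINDOW):
    """Return (pid, path, lifetime_seconds) for every script that was created,
    executed, and deleted by the same process within `window`.

    The sequence, not the script content, is the signal: a normal developer
    workflow leaves the file behind, and a temp file that is never executed
    is not interesting.
    """
    events = sorted(events, key=lambda e: e["ts"])   # ISO-8601 sorts lexically
    created = {}      # (pid, lowercased path) -> creation time
    executed = set()  # keys from `created` that later appeared on a command line
    hits = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "file_create" and e["path"].lower().endswith(SCRIPT_EXTENSIONS):
            created[(e["pid"], e["path"].lower())] = ts
        elif e["type"] == "process_start":
            # Did this process launch something with a script it just wrote?
            for (pid, path), t0 in created.items():
                if pid == e["pid"] and path in e["cmdline"].lower() and ts - t0 <= window:
                    executed.add((pid, path))
        elif e["type"] == "file_delete":
            key = (e["pid"], e["path"].lower())
            if key in executed and ts - created[key] <= window:
                hits.append((key[0], e["path"], (ts - created[key]).total_seconds()))
                created.pop(key)
                executed.discard(key)
    return hits


if __name__ == "__main__":
    for pid, path, lifetime in find_ephemeral_scripts(SAMPLE_EVENTS):
        print(f"ephemeral script: pid={pid} path={path} lived {lifetime:.0f}s")
```

In production the same three record types map onto Sysmon Event IDs 11 (file create), 1 (process create) and 23/26 (file delete), or their EDR equivalents; the point is that the detection keys on the lifecycle rather than on a hash, so it survives the script being different every run.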
Microsoft reports the actor increasingly skips the endpoint encryptor and executes impact via cloud knobs: privilege changes, storage retention/immutability reductions, snapshot deletions, and key-management actions. That’s “ransomware” measured in config deltas and data access, not a suspicious EXE on a laptop.
Using BitLocker to do the encrypting, attackers remove recovery options and lock systems with almost no bespoke code left to hunt. It’s a clean example of low-artifact impact that defenders must detect by sequence, not by signature. Here’s the Kaspersky link again.
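Both the Storm-0501 cloud pattern above and the BitLocker pattern reduce to the same detection problem: one principal first removes the ability to recover (retention lowered, immutability off, snapshots or recovery protectors gone) and then does something destructive (key deletion, bulk delete, encryption). The following is an added example, not code from the page or from Microsoft or Kaspersky, showing a windowed, per-actor sequence detector over constructed audit events. The action names in STAGE_OF are assumptions; in practice you map your provider’s real operation names (cloud activity logs, backup-service audit, Windows BitLocker event sources) into the three stages at ingest time.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage mapping (assumed names). Each raw audit action is bucketed into the
# stage of an impact sequence it represents; anything unmapped is ignored.
STAGE_OF = {
    "iam.role_assigned":                    "privilege",
    "iam.mfa_disabled":                     "privilege",
    "storage.retention_lowered":            "recovery_reduction",
    "storage.immutability_disabled":        "recovery_reduction",
    "backup.snapshot_deleted":              "recovery_reduction",
    "bitlocker.recovery_protector_removed": "recovery_reduction",
    "kms.key_deletion_scheduled":           "destruction",
    "storage.bulk_delete":                  "destruction",
    "bitlocker.encryption_started":         "destruction",
}

# Constructed audit events (not real data). svc-backup-admin runs the full
# cloud sequence; host-17\localadmin runs the BitLocker variant; alice and bob
# are benign controls (a lone retention change, and two steps hours apart).
SAMPLE_AUDIT = [
    {"ts": "2025-09-01T09:00:00", "actor": "svc-backup-admin", "action": "iam.role_assigned"},
    {"ts": "2025-09-01T09:05:00", "actor": "svc-backup-admin", "action": "storage.immutability_disabled"},
    {"ts": "2025-09-01T09:12:00", "actor": "svc-backup-admin", "action": "backup.snapshot_deleted"},
    {"ts": "2025-09-01T09:20:00", "actor": "svc-backup-admin", "action": "kms.key_deletion_scheduled"},
    {"ts": "2025-09-01T10:00:00", "actor": "alice", "action": "storage.retention_lowered"},
    {"ts": "2025-09-01T11:00:00", "actor": "host-17\\localadmin", "action": "bitlocker.recovery_protector_removed"},
    {"ts": "2025-09-01T11:03:00", "actor": "host-17\\localadmin", "action": "bitlocker.encryption_started"},
    {"ts": "2025-09-01T08:00:00", "actor": "bob", "action": "backup.snapshot_deleted"},
    {"ts": "2025-09-01T14:00:00", "actor": "bob", "action": "kms.key_deletion_scheduled"},
]


def detect_impact_sequences(events, window_minutes=30):
    """Alert when one actor reduces recovery options and then performs a
    destructive action within `window_minutes`; severity becomes 'critical'
    when a privilege change also falls inside the same window."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)

    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["ts"])
            seen = {}  # stage -> (first time seen in window, action)
            for e in evs[i:]:
                t = datetime.fromisoformat(e["ts"])
                if t - t0 > timedelta(minutes=window_minutes):
                    break
                stage = STAGE_OF.get(e["action"])
                if stage and stage not in seen:
                    seen[stage] = (t, e["action"])
            # Order matters: recovery must be reduced before the destructive step.
            if ("recovery_reduction" in seen and "destruction" in seen
                    and seen["recovery_reduction"][0] < seen["destruction"][0]):
                alerts.append({
                    "actor": actor,
                    "severity": "critical" if "privilege" in seen else "high",
                    "stages": {s: a for s, (_, a) in seen.items()},
                    "window_start": first["ts"],
                    "end": seen["destruction"][0].isoformat(),
                })
                break  # one alert per actor; later windows retell the same story
    return alerts


if __name__ == "__main__":
    for a in detect_impact_sequences(SAMPLE_AUDIT):
        print(f"[{a['severity']}] {a['actor']}: {a['stages']} ({a['window_start']} .. {a['end']})")
```

The ordering check is what keeps this from being a noisy "any two scary events" rule: a lone retention change, or a snapshot deletion hours before an unrelated key action, never fires. What it cannot see is the actor who does each step from a different identity, which is why the identity-plane signals in the next section matter as much as the data-plane ones.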
I’m squarely in the camp that says FUD (fear, uncertainty, and doubt) is for people who can’t make a fact-based argument. That said, you need to give your IT teams and your MSSP tangible direction they can execute and that your auditors will recognize.
Lead with facts from the last two weeks (PromptLock PoC; Storm-0501 cloud tactics; St. Paul/Nevada operations) and translate them into evidence-based asks:
Anchor techniques:
High-signal early warnings (endpoint):
High-signal early warnings (cloud):
“Ephemeral” and “AI-native” aren’t buzzwords; they describe where the work is moving: from objects to behaviors, from endpoints to identities, policies, and data planes. You don’t need a bigger siren. You need better signals and faster proofs. Govern local AI, watch the control plane, and rehearse the rollback. When the next headline breaks, your story should be boring: we saw it, we contained it, we restored in hours.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.