The First Ransomware Attack Run by an AI Agent, Not a Human
Researchers at Sysdig say JADEPUFFER is the first ransomware operation run almost entirely by an autonomous AI agent, which broke in, stole credentials and extorted a database on its own.
Security researchers say they have pulled apart the first ransomware attack that ran almost entirely on its own, with an artificial-intelligence agent handling the break-in, the theft and the extortion while no human sat at the keyboard for the parts that mattered.
The attack, named JADEPUFFER by the threat-research team at cloud-security firm Sysdig, has set off alarms across the industry because of what it signals rather than the damage it did. Sysdig calls the operator an "agentic threat actor", a break from the usual model, where a person drives a toolkit. Here, the toolkit drove itself.
How it played out
According to Sysdig's write-up, the agent got its foot in the door through an internet-facing instance of Langflow, an open-source tool for building AI workflows, exploiting a known flaw tracked as CVE-2025-3248. That bug carries a near-maximum severity score and was patched last year, but the target had not applied the fix, the same tired story behind most breaches.
From there the AI did what a competent human intruder would do, only faster. It ran reconnaissance, harvested credentials, moved sideways through the network, dug in for persistence, escalated its privileges and finally reached for the production database. It encrypted 1,342 configuration items in a service-discovery tool called Nacos, then deleted the originals and left a ransom table behind.
What convinced researchers a machine was in charge was the running commentary. The decoded payloads are stuffed with plain-English notes explaining each move, weighing which database was the "largest," ranking targets by likely payout, narrating why a step was worth taking. Human attackers do not talk to themselves like that. Language models, left to generate their own code, do it by default.
Faster than a person, and cheaper
The speed is the part that unnerves defenders. In one sequence, Sysdig says, the agent hit a failed login, diagnosed the problem and produced a working fix in 31 seconds. It adapted to obstacles in real time and retried with adjusted parameters, the way a seasoned operator would after a cup of coffee and a few minutes of thought.
The strategic worry is arithmetic. For as long as ransomware has existed, the number of campaigns a crew could run was capped by how many people it could hire. Take the human out of the loop and that ceiling lifts. As Sysdig puts it, attacks can now scale bounded mainly by an attacker's budget, with little to stop a well-funded group from running thousands of intrusions at once.
None of the frontier AI labs powered the attack directly; the API keys found in the wreckage were stolen credentials, not the engine behind it. That distinction matters legally, but it is cold comfort operationally. The capability is loose.
Sysdig's advice is unglamorous and familiar: patch Langflow, keep it off the open internet, store secrets in a dedicated manager, harden Nacos and lock down database admin accounts. The tooling has changed. The hygiene that stops it has not.
Written By
Abhinav Kumar
Part of the Haila Kochi editorial team — covering the food, business, culture, and people that make Kochi what it is.