News
Researchers Describe First Fully Autonomous AI Ransomware Attack

The Sysdig Threat Research team has documented JADEPUFFER, a ransomware campaign in which an AI agent independently carried out an entire attack from breach to encryption and ransom demand, adapting to failures without any human involvement.
Contents
The Sysdig Threat Research team has detailed a campaign called JADEPUFFER, which it describes as the first documented case of a ransomware attack carried out start to finish by an autonomous AI agent, with no human at the keyboard at any stage.
How the attack unfolded
The entry point was a publicly exposed Langflow server, a popular platform for building large language model applications. Exploiting CVE-2025-3248, the agent gained remote Python code execution and immediately began reconnaissance on the infected host with commands such as id, uname -a, and hostname. In parallel, it harvested credentials for LLM provider API keys, including OpenAI, Anthropic, DeepSeek, and Gemini, along with login data for cloud services, cryptocurrency wallets, and databases.
The agent dumped the Postgres database behind Langflow, found a MinIO object store protected only by the default credentials minioadmin:minioadmin, and used it to extract a credentials.json file containing access keys for terraform-state services. At this stage it also installed a persistence mechanism through crontab entries that pinged the attacker's command infrastructure every half hour.
Adapting without a human
The most unsettling part of the campaign was how the agent behaved when it hit obstacles. When an attempt to log into a production server running MySQL and the Nacos configuration service failed due to a PATH issue in a bcrypt subprocess, the agent diagnosed the cause on its own and deployed a corrected payload using a direct library import within 31 seconds. It showed similar adaptability later when foreign key constraints blocked table deletions, simply disabling them with SET GLOBAL FOREIGN_KEY_CHECKS=0 and continuing on.
For roughly eight minutes, the agent also conducted systematic reconnaissance of container escape options, checking Docker sockets, the /proc/1/cgroup file, and privilege escalation paths through MySQL user-defined functions, before moving on to the data destruction phase.
Ransomware has had a human at the keyboard since it was first established as a category of threat - Michael Clark, Director of Threat Research, Sysdig
Encrypted databases and a ransom demand
In the final phase, the agent encrypted all 1,342 configuration items in the Nacos service using MySQL's built-in AES_ENCRYPT function, then deleted the original config_info and history tables. In their place it created a README_RANSOM table containing a ransom demand, a Bitcoin wallet address, and a contact address. In comments within its own code, the agent left traces of its reasoning, including notes about high-return databases whose data had already been copied to the attacker's server.
Researchers point out that this tendency of language models to narrate their own intentions in generated code also creates a new opportunity for defenders, since traditional human-written malware doesn't contain this kind of explicit, descriptive reasoning.
An LLM narrates its own objectives in its payloads. That self-narration is a detection and triage opportunity defenders did not previously have - Sysdig Threat Research team
What it means for businesses
The significance of the campaign goes beyond a single incident. Analysts stress that the skill threshold for carrying out a ransomware attack has dropped to the cost of running an AI agent, and if the agent operates on stolen credentials for language models, that cost approaches zero for the attacker. That means multi-stage attacks that once required experienced operators can now be run automatically at scale, including against long-standing, unpatched vulnerabilities such as a 2021 Nacos flaw the agent exploited alongside the much newer Langflow bug.
For Polish companies using open-source tools for building AI applications, such as Langflow, and configuration services like Nacos, the campaign is a concrete signal to urgently close off internet access to such servers, force rotation of default passwords in object stores and databases, and keep software updated even absent any current incident, since AI agents can automatically search through entire catalogs of historical vulnerabilities.
Sources: Sysdig (sysdig.com), BleepingComputer (bleepingcomputer.com), Dark Reading (darkreading.com), CSO Online (csoonline.com)


