News
Sysdig Researchers Document First Fully Autonomous AI Ransomware Attack

Security firm Sysdig has described the JadePuffer campaign, in which an AI agent built on a large language model carried out an entire ransomware attack on its own, from the initial breach to the ransom note, without a human at the keyboard.
Contents
Researchers at security firm Sysdig have documented a case in which an AI agent carried out a complete ransomware attack on its own, from breaching a server to encrypting data and writing the ransom note. The campaign, dubbed JadePuffer, is described as the first documented case in which an autonomous large-language-model-based agent executed the entire attack cycle, from reconnaissance to data destruction.
How the attack unfolded
According to Sysdig, the agent broke into a vulnerable server by exploiting a known flaw in Langflow, a popular open-source tool for building applications with language models. From there it stole credentials, moved laterally across the victim's network, attacked a Nacos server and a MySQL database, then encrypted the configuration files and deleted the originals.
The most unsettling part was how the agent reacted to obstacles. When one of its commands failed, it analyzed the cause itself and, within 31 seconds, wrote a corrected version of the code with natural-language comments describing each step of its reasoning.
JadePuffer operates differently because it first analyzes the situation, then makes decisions and changes strategy depending on the obstacles it encounters - Sysdig researchers
A human still in the background
That doesn't mean humans have disappeared from the process entirely. Michael Clark, senior director of threat research at Sysdig, told TechCrunch that someone still had to set up the entire infrastructure behind the operation.
A human still configured and directed the operation and built the infrastructure behind it: the command-and-control server, the server for storing stolen data, and also chose the victim - Michael Clark, Sysdig
A human also supplied the previously stolen credentials that served as the agent's entry point. In other words, people were no longer sitting at the keyboard carrying out the technical steps of the intrusion, but they still made the strategic decisions about who to target and how to set up the operation's backend.
Not the first case, but different
This isn't the first documented attempt at AI-driven ransomware. In the summer of 2025, ESET researchers described PromptLock, a proof-of-concept piece of malware that used the gpt-oss-20b model locally to generate Lua scripts, but it was never deployed in an actual attack. JadePuffer differs in that it's a documented, executed campaign with a real target, real encrypted data and a real ransom demand, not just a lab proof of concept.
Experts cited by industry outlets note that ransomware has always required a human to write the script or steer the attack live. JadePuffer shows that this condition is no longer necessary, and that an agent can act faster than any human operator, adapting its tactics in real time.
What it means for businesses
For security teams, this marks a change in the scale of the threat. An autonomous agent doesn't need to sleep, doesn't make mistakes from fatigue, and can run many parallel attacks without a proportional increase in the number of people on the criminal side. That lowers the barrier to entry for less sophisticated criminal groups that previously lacked the technical skill to carry out a multi-stage intrusion.
For Polish companies and government agencies, which are already seeing a growing number of AI-assisted cyberattacks, the JadePuffer case is a signal that classic defense mechanisms based on detecting patterns from known ransomware families may not be enough against an agent that modifies its own code and strategy mid-attack.
Sysdig notes that there's still no certainty about the scale of the phenomenon, since the company couldn't identify the specific language model powering the agent or gain insight into its system prompt. That makes it harder to assess whether similar campaigns are already underway elsewhere, unnoticed.


