First AI-Run Ransomware Attack Still Required Human Help

▼ Summary
– Sysdig documented the first known “agentic ransomware” case, JadePuffer, where an AI agent executed a cyberattack without human technical involvement.
– A human still set up the operation, provisioned infrastructure, chose the victim, and provided stolen credentials obtained from a prior compromise.
– The agent exploited a known bug in Langflow to access a server, then used another flaw to gain admin access, encrypting over 1,300 records and writing its own ransom note.
– The agent’s speed was notable, fixing a failed login in 31 seconds while narrating its reasoning in code comments, though the techniques were ordinary.
– Sysdig could not identify the specific model driving the agent, and the stolen API keys for multiple models were part of the loot, not evidence of which model was used.
Last week, cloud security firm Sysdig reported what it described as the first documented instance of “agentic ransomware.” The operation, named JadePuffer, involved an AI agent carrying out the technical components of a real-world cyberattack independently. The agent breached a vulnerable server, stole credentials, navigated the target’s network, encrypted files, and even composed its own ransom note, adapting to challenges much like a human hacker would. Coverage of the event characterized it as running “without any human oversight,” with “no human at the keyboard.”
However, that characterization isn’t entirely accurate. In a Monday interview with CyberScoop, Sysdig’s senior director of threat research, Michael Clark, clarified that human involvement remained crucial, though not in the technical execution. “A human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim,” Clark explained. He added that the credentials used to access the victim’s database were not obtained by the AI agent; instead, someone acquired them through a prior breach and fed them into the operation.
This clarification does not undercut Sysdig’s original findings, and the technical details of the attack remain striking on their own. The agent exploited a known vulnerability in Langflow, a widely used open-source tool for building LLM applications, then moved to a production MySQL server and leveraged another known flaw to gain administrative access. It encrypted over 1,300 configuration records and left behind a ransom note it wrote itself, complete with a Bitcoin address for payment. Sysdig has not revealed the identity of the target.
The techniques employed were relatively standard, but the speed and transparency stood out. The agent corrected a failed login attempt in just 31 seconds, documenting its own reasoning in natural-language code comments throughout the process.
One point of confusion has since been resolved. Clark initially told CyberScoop that “multiple models were used in the attack,” citing harvested keys for OpenAI, Anthropic, DeepSeek, and Gemini. This language suggested several models might have actively powered different phases of the intrusion. When pressed for clarification, Clark told TechCrunch that those keys were merely part of what the agent stole, not evidence of what was driving it.
“The agent swept the Langflow host for anything valuable , provider API keys, cloud credentials, cryptocurrency wallets, and database configs , and those provider keys were part of the loot,” he said via email. “They are indicative of what the attacker considered worth taking, but they do not tell us which model was making the decisions.”
Regarding the model that actually powered JadePuffer, Clark stated that Sysdig “was not able to identify the specific model driving the agent” and lacks visibility into its system prompt or configuration.
In that context, a theory from Microsoft researcher Geoff McDonald, posted on LinkedIn several days ago, is worth revisiting. McDonald suspected that an open-weight model with safety training stripped out, rather than a frontier model, was behind the attack. His red-teaming experience suggests that frontier labs’ safety layers remain robust. Sysdig’s account neither confirms nor rules out this possibility.
McDonald’s post also warned that ransomware campaigns are now limited primarily by attacker budget rather than human effort, raising the specter of “thousands or tens of thousands of simultaneous campaigns.” That concern is somewhat harder to reconcile with Clark’s Monday description. If a human must still choose each victim, provision infrastructure, and obtain database credentials for every operation, that creates a significant bottleneck, at least for now.
Regardless, Clark told CyberScoop that while Sysdig has not yet seen JadePuffer hit other victims, the low cost of running an agent leads him to expect that will change.
(Source: TechCrunch)




