top of page

AI Agent Carries Out Ransomware Attack in Possible Cybercrime First

  • 11 minutes ago
  • 3 min read

A ransomware operation tracked as JadePuffer may be one of the clearest signs yet that autonomous AI agents are moving from theory into real-world cybercrime.


According to cloud security firm Sysdig, JadePuffer used a large language model agent to conduct much of the ransomware attack chain on its own, including reconnaissance, credential theft, lateral movement, persistence, privilege escalation, and data encryption. The most important part was not that the attack used new techniques. It was that the agent appeared to adapt as the intrusion unfolded.


Sysdig said the operation retried failed steps with adjusted parameters, including one sequence where it moved from a failed login attempt to a working fix in 31 seconds. That kind of rapid iteration is closer to human operator behavior than a simple automated script.


The attack began with CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, an open-source framework used to build LLM applications. The flaw was patched on April 1, 2025, but exposed Langflow instances remained attractive targets because they often contain cloud credentials, API keys, and other secrets.


After gaining code execution, JadePuffer dumped Langflow’s PostgreSQL database, collected host information, searched for environment variables and sensitive files, retrieved credentials, and enumerated a MinIO object store. Sysdig noted that when one MinIO request returned XML instead of JSON, the agent adjusted its parsing logic in the next payload.


The attacker then established persistence with a cron job that beaconed every 30 minutes and pivoted from the Langflow instance to a production MySQL server running Alibaba Nacos. There, the agent tested multiple payloads, including one tied to CVE-2021-29441, an authentication bypass flaw that can create rogue administrator accounts.


JadePuffer eventually encrypted 1,342 Nacos service configuration items, deleted the original configuration and history tables, and created a ransom table containing a payment demand, a Bitcoin address, and a Proton Mail contact. Sysdig said the ransom note claimed AES-256 encryption, though the actual implementation likely used weaker AES-128-ECB through MySQL’s AES_ENCRYPT function. The encryption key also appeared to be randomly generated but not stored or sent back to the attacker, and the Bitcoin address looked like a public example address, possibly reproduced from LLM training data.

That makes JadePuffer both alarming and flawed. The operation was capable of causing real disruption, but it also showed signs of AI-generated sloppiness.


"While this specific attack may be novel, it should be no surprise that things like this are coming. AI is a great tool for efficiency in both legitimate and malicious use cases,” said Erich Kron, CISO Advisor at KnowBe4. “I expect that we will see a significant proliferation of AI agents within legitimate organizations and within cybercrime groups in the very near future.”


For defenders, the concern is scale. Human ransomware crews have to decide which targets are worth their time. Autonomous agents can attack overlooked internet-facing systems cheaply and continuously.


"The headline is that an AI ran a ransomware attack, but the techniques here were all several years old and well understood. What actually changes is the economics of who gets attacked,” said Jim Sherlock of ProCircular. “For enterprises and SMBs, that shrinks the grace period between 'we have an exposure' and 'someone is exploiting it' to almost nothing.”


Ensar Seker, CISO at SOCRadar, said the case shows that AI does not need to invent new attack methods to change ransomware operations.


"JADEPUFFER demonstrates that the most important change isn’t that AI created new attack techniques, it didn’t,” Seker said. “What changed is that an AI agent was able to autonomously chain reconnaissance, exploitation, credential discovery, lateral movement, and extortion while adapting to failures in real time.”


Seker added that the defensive priorities remain familiar: patch exposed AI infrastructure, remove public administrative services, enforce least privilege, protect secrets stored inside AI frameworks, and monitor for abnormal behavior.


John Watters, Chairman and CEO of iCOUNTER Cybersecurity Intelligence, said the incident points to a broader shift in attacker operations.


“Threat actors have spent years automating individual stages of the attack lifecycle. AI has the potential to connect those stages together, accelerating reconnaissance, target selection, and execution in ways that compress attacker timelines significantly,” Watters said.

The attack also creates new detection opportunities. Sysdig said LLM-generated payloads may leave recognizable clues, including detailed natural-language comments, generic placeholders, rapid trial-and-error behavior, and odd implementation choices. But detection alone will not solve the exposure problem.


"This is so totally expected. And frankly, it's only the beginning,” said Josh Marpet, Senior Product Security Consultant at Finite State. “The arms race is just beginning here. It will get worse, and eventually, better. But it will take time to do so."


JadePuffer is not a sign that AI has made ransomware magically more advanced. It is a sign that attackers may soon be able to run more campaigns, against more targets, with less human effort. The techniques are old. The speed and economics are what changed.

bottom of page