AI agent reportedly carries out ransomware attack from start to finish
Cybersecurity researchers say they have documented what may be the first known ransomware operation driven almost entirely by an autonomous artificial intelligence agent, marking a potential turning point in how cyber extortion campaigns are built and executed.
Cloud security firm Sysdig has named the operation JADEPUFFER and described it as an agentic ransomware attack, meaning the intrusion was not simply assisted by AI but appeared to be orchestrated by a large language model agent across multiple stages. According to Sysdig, the system handled reconnaissance, credential hunting, lateral movement, persistence and database encryption with little evidence of hands-on human control during the operation.
The attack began with an internet-facing instance of Langflow, an open source framework used to build applications and workflows powered by large language models. The attackers exploited CVE-2025-3248, a critical missing-authentication vulnerability that allowed remote code execution on vulnerable Langflow systems. The National Vulnerability Database lists the flaw as affecting Langflow versions before 1.3.0 and gives it a CVSS 3.1 severity score of 9.8.
The flaw was not new. It was disclosed in April 2025, and the US Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities catalogue in May 2025, with federal agencies instructed to apply mitigations or discontinue use where fixes were not available.
Once inside the exposed Langflow system, the AI-driven campaign reportedly began gathering host information and searching for secrets. Sysdig said the agent looked for LLM provider API keys, cloud credentials, cryptocurrency wallet data, seed phrases, database credentials and configuration files. It also dumped Langflow’s backing Postgres database and scanned reachable internal services, including databases, object storage and service discovery endpoints.
What made the attack stand out was not the novelty of the techniques, but the way they were chained together. Sysdig said the agent repeatedly adjusted its behaviour when something failed. In one case, a request to a MinIO object store returned XML rather than the expected response, and the agent changed its parsing approach before trying again. In another, a failed login was corrected within 31 seconds through a multi-step fix, behaviour the researchers interpreted as evidence of automated reasoning rather than a static script.
The operation then moved to a separate production server running MySQL and Alibaba Nacos, a service discovery and configuration platform commonly used in microservice environments. Sysdig said the agent targeted Nacos through multiple routes, including a known authentication bypass family linked to CVE-2021-29441, token forgery using a default signing key, and direct database manipulation to create a rogue administrator account.
The ransomware phase focused on Nacos configuration data. Captured payloads showed the agent encrypting 1,342 configuration items, dropping the original configuration and history tables, and creating a ransom table with a Bitcoin address and contact details. Sysdig also noted that the ransom note claimed AES-256 encryption, while the use of MySQL’s AES_ENCRYPT function likely meant AES-128 in ECB mode unless the server had been reconfigured.
In a further complication for the victim, the encryption key appeared to have been generated and printed only once without being stored or transmitted. Sysdig said that would make recovery impossible even if a ransom were paid.
Researchers also found signs suggesting the operation had been generated or directed by an LLM. The malicious payloads contained unusually detailed natural language comments describing target priorities and the purpose of each step. The ransom note also used a Bitcoin address widely seen in example documentation, raising questions about whether the agent had drawn from training data rather than an operator-supplied payment wallet.
SecurityWeek reported that the case demonstrates how LLM agents can combine known exploitation methods with real-time reasoning to automate complex, multi-stage intrusions. The report also noted that the campaign relied on already known weaknesses rather than new vulnerabilities, reinforcing the risk posed by unpatched internet-facing systems.
For defenders, JADEPUFFER may be a warning of what comes next. If attackers can use AI agents to automate the repetitive work of scanning, exploiting, adapting and escalating, the technical barrier to running sophisticated campaigns could fall sharply. At the same time, AI-generated attacks may leave unusual fingerprints, including verbose code comments, self-narrating logic and rapid failure correction, which defenders can use to improve detection.
Sysdig’s recommendations are familiar but increasingly urgent: patch vulnerable Langflow systems, avoid exposing code execution endpoints to the internet, keep API keys and cloud credentials out of web-facing environments, harden Nacos deployments, restrict database administration access and monitor for unusual scheduled tasks or outbound connections.
The reported attack does not mean AI has invented a new class of cyber weapon. It does suggest that existing weaknesses can now be exploited faster, more consistently and with less human expertise. For organisations running cloud infrastructure, AI development tools or exposed application servers, the message is clear: old vulnerabilities are becoming easier to weaponise at machine speed.
