First AI-run ransomware attack highlights emerging cyber threat landscape
Researchers at Sysdig say the first fully agentic ransomware attack shows AI can independently plan, adapt and execute cyberattacks, raising fresh concerns for enterprise cybersecurity
)
Researchers say an AI agent independently planned, executed and adapted this ransomware attack, with no human operator involved (Image: Magnific)
Listen to This Article
Somewhere inside a server, a piece of attack code tried to log in with a password it had just created, and failed. Twelve seconds later, it was testing two different theories for why. Nineteen seconds after that, it had rewritten its own broken code, fixed the bug, and logged in successfully. Total time from failure to fix: 31 seconds. No one was watching this happen, because no one was there. The "hacker" was an AI model, running entirely on its own.
The cybersecurity provider Sysdig’s Threat Research Team has documented what it calls the first fully agentic ransomware attack on record, an extortion campaign it has named “JADEPUFFER,” in which a large language model (LLM) planned, executed, and adapted an entire database-extortion operation with no human directing the keyboard. Researchers were not describing a red-team simulation. This was an attack observed in the wild and reconstructed from the payloads, the pieces of code the attacker's own agent wrote and ran, that it left behind.
How it got in
According to Sysdig, the attack began on a Langflow server. Langflow is a tool companies use to build AI-powered applications, and this particular server was exposed directly to the internet with a known security flaw left unpatched. That flaw let the attacker's AI agent run its own code on the machine without needing a password.
Also Read
Once inside, the agent moved fast. It looked around the server, then went hunting for anything valuable: API keys for AI services, cloud account logins, cryptocurrency wallets, database passwords. It found a separate storage system on the same network that was still using its factory-default login, essentially the equivalent of a company leaving a filing cabinet unlocked with the key labelled "key" taped to it, and used it to walk out with a live credentials file. Before moving on, it set up a way to quietly check back in with its handlers every 30 minutes, in case it got kicked out later.
The real target
The Langflow server was never the actual goal. It was just a launchpad. The credentials and access it yielded pointed the agent toward the real target: a separate company server running a database alongside an open-source configuration management tool called Nacos built by China’s Alibaba, which is used to manage settings for business software.
That Nacos installation had two old, well-known weaknesses. The agent exploited both at once, forged a valid login, and planted its own hidden administrator account straight into the database.
Its first login attempt with that new account failed. What happened next is the clearest evidence in the whole report that no human was involved. Within 12 seconds, the agent was already testing two different explanations for the failure at the same time. Within 31 seconds, it had correctly diagnosed the actual bug, rewritten its own code to fix it, and logged in successfully. No person reads an error message, figures out the real cause, and ships a fix that fast.
It then spent about eight minutes carefully checking whether it could break out of the database entirely and take over the underlying server itself, the digital equivalent of a burglar checking whether a window in the back room also opens onto the street. Satisfied, it moved to the final phase: it scrambled more than 1,300 configuration records using the database's own built-in encryption, deleted the originals, and dropped a ransom note into a new table demanding payment in Bitcoin. From there it escalated to outright destruction, wiping entire databases, with its own code casually noting which ones were worth destroying first because they held the most valuable data.
Why researchers are confident this was AI, not a human with a script
Sysdig gives four reasons for concluding an AI ran the whole show, not a person.
First, the code kept explaining itself. Every step came with a plain-English note on why it was being done, this file is the "largest" one, this database is worth destroying first. Human attackers writing quick, disposable scripts almost never bother with that kind of commentary. AI-written code does it by habit.
Second, and most tellingly, is how fast the agent fixed its own mistakes. That 31-second stretch from failed login to working fix is hard to explain any other way. A person would need to read the error, work out what actually went wrong, and rewrite the code, and doing all that in 31 seconds is close to physically impossible. This happened more than once across the operation.
Third, the agent seemed to genuinely understand information it came across, rather than just matching keywords the way older automated tools do. This showed up repeatedly, in sessions that were weeks apart.
Fourth, the sheer scale: over 600 separate, purposeful commands run in one compressed burst. That is more consistent with a system reasoning through a task on the fly than with a fixed script someone wrote in advance.
There is one detail Sysdig could not fully explain. The Bitcoin address in the ransom note is a well-known example address used in Bitcoin's own documentation, just to show what an address looks like. It is not supposed to be a real, active wallet. But it is one.
Records show roughly 46 BTC has passed through it over time. Sysdig cannot say whether the AI pulled this address from its training data by mistake, or whether it actually belongs to whoever built the attack. Either way, it hardly matters for the victim. The key used to lock the data was random and never saved anywhere, so even paying the ransom would not bring the files back.
JADEPUFFER is not a one-off
It fits a pattern that has been building for months. Anthropic disclosed in September 2025 what it called the first large-scale cyber espionage campaign conducted predominantly by AI agents, in which human operators stepped in only to set strategic direction while an estimated 80 to 90 per cent of the actual attack work, reconnaissance, vulnerability discovery, credential harvesting, lateral movement and data exfiltration, was carried out by the AI itself.
Separately, between December 2025 and February 2026, an attacker used commercial coding assistants to breach nine Mexican government agencies, including the country's federal tax authority and electoral institute, discovering and exploiting vulnerabilities at a rate no human team could realistically match. In that case, the operator simply told the AI model it was conducting authorised penetration testing for a legitimate security firm, a form of social engineering aimed at the model itself rather than at a person, and it worked.
The common thread is that none of the individual techniques in any of these campaigns were new. What has changed is that a model can now chain them together, adapt when a step fails, and keep going without a human in the loop slowing it down.
What this means for enterprises
The uncomfortable part of Sysdig's assessment is not that agentic attacks are sophisticated. It is that they are not. JADEPUFFER succeeded using a four-year-old authentication bypass and a set of default credentials that should have been rotated the day the servers went live. What used to require a competent human operator to sequence now requires only the ability to point an agent at a target and let it run. If that agent happens to be running on stolen compute through what security researchers call LLMjacking, using someone else's paid AI access without their knowledge, an attacker's marginal cost of running the whole operation approaches zero.
That has direct implications for how enterprises, many of which have spent the last two years standing up AI orchestration platforms in a hurry, need to think about security. Sysdig's recommendations are unglamorous but specific: patch AI-adjacent infrastructure aggressively and never expose code-execution endpoints to the internet, keep provider API keys and cloud credentials out of the reach of web-facing processes, rotate every default credential sitting on MinIO, Nacos or equivalent platforms, never expose database administrative interfaces to the internet, and add controls on outgoing network traffic so a compromised host cannot beacon out or reach external staging servers at will.
There is one genuine silver lining buried in the report. Because the agent narrates its own reasoning inside the code it writes, that narration is itself a detection signal that did not previously exist. A script that explains, in plain English, why it is about to delete a particular database is an anomaly worth alerting on. For now, that may be the thin edge separating defenders from attackers who have simply automated everything else.
More From This Section
Don't miss the most important news and views of the day. Get them on our Telegram channel
First Published: Jul 06 2026 | 2:38 PM IST
