Jul 7, 2026 · 5:03 AM
Subscribe
Home Ai

An AI Agent Ran a Ransomware Attack Almost Entirely by Itself

Sysdig researchers say they've documented the first ransomware attack run almost entirely by an AI agent, which broke into a server, stole credentials, moved across a network, and encrypted a production database on its own. A human still chose the victim and supplied the initial stolen credentials, but the technical middle of the attack, the part that used to require real skill, ran itself.

Ron Patel
· 5 min read · 103 views
An AI Agent Ran a Ransomware Attack Almost Entirely by Itself

An AI agent broke into a network, stole credentials, encrypted a database, and wrote its own ransom note, with a human only picking the target and holding the keys to get in.

Sysdig's threat research team says it caught what looks like the first ransomware attack run almost entirely by a large language model. The operation, which Sysdig named JADEPUFFER, didn't just use AI to draft phishing emails or scan for open ports. It ran the whole attack chain: breaking into a server, moving through the network, stealing data, and demanding payment, adapting when things went wrong the way a human operator would.

The entry point was mundane. JADEPUFFER exploited CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow, an open-source framework developers use to build their own LLM applications. From there, the agent pivoted to a production MySQL server running Alibaba's Nacos configuration service, using root credentials whose origin Sysdig says it couldn't trace. It encrypted 1,342 Nacos service configuration items and deleted the originals, according to Sysdig's writeup of the incident.

What convinced researchers this wasn't a human at the keyboard was speed and volume. Sysdig counted more than 600 distinct, purposeful payloads executed in a compressed window, and the code was littered with natural-language commentary explaining why each step was being taken, the kind of running commentary a coding LLM produces by default and a human attacker almost never bothers to write. The clearest tell came when a login attempt failed. Sysdig says the gap between that failure and a working multi-step fix was 31 seconds.

That's a genuinely fast turnaround. Most human intrusion teams take hours, sometimes days, to diagnose a broken exploit chain and adjust.

Don't mistake this for a fully autonomous attack, though. TechCrunch's reporting on the Sysdig findings makes clear that a human still ran the parts of the operation that required judgment rather than execution. Someone chose the victim. Someone stood up the command and control server and the staging infrastructure used to hold stolen data. And the credentials that got the agent into the target's database in the first place weren't harvested by the AI at all, they came from a separate, prior compromise and were simply handed to the operation. The AI did the technical labor. The human did the planning.

Heath Renfrow, co-founder and CISO at the incident response firm Fenix24, told CyberScoop what that speed costs the people trying to stop it. "If an AI agent can compress what previously took an experienced operator several hours into a matter of minutes, defenders lose valuable time," he said. "That has implications across every phase of an incident, from detection and containment to recovery." The numbers back him up. Industry surveys cited alongside CyberScoop's reporting put the share of organizations that cannot detect credential misuse in real time at 72 percent, meaning most companies would only spot unauthorized privileged access hours after an agent like JADEPUFFER had already moved past it.

That's the real shift here, not that AI can hack, but that it can hack fast enough to outrun the people watching for it.

Sysdig's researchers frame the bigger risk as economic, not technical. The skill floor for running a ransomware operation has effectively dropped to whatever it costs to rent an AI agent, and if that agent is running on stolen compute through what security researchers call LLMjacking, the marginal cost to the attacker is close to zero. You no longer need someone who understands Nacos internals or MySQL privilege escalation. You need someone willing to point an agent at a target and wait.

For companies deploying their own AI agents internally, this cuts two ways. It's a warning about exposure: plenty of businesses have Langflow or similar frameworks sitting on internet-facing servers without realizing an agent can find and exploit a known CVE in minutes rather than the weeks a human attacker might need to notice it. And it's a warning about liability: if an AI agent, whether run by an attacker or a well-meaning internal team, can go from a single foothold to full lateral movement and encryption without a human approving each step, the security model built around watching for human behavior on a network starts to break down.

Sysdig isn't claiming JADEPUFFER proves AI agents can run entire criminal enterprises without a person anywhere in the loop. The victim selection, the infrastructure, the initial credentials, all of that still needed a human. What changed is everything downstream of that first decision. The technical middle of a ransomware attack, the part that used to require real expertise, can now run itself.

Also read: US Investors Can Finally Buy Into SK Hynix Ahead of Its Nasdaq DebutSyntiant files to go public just as Wall Street starts doubting the AI chip boomSamsung's Record Quarter Just Undercut the AI Spending Skeptics

TOPICS
Ron Patel covers cryptocurrency markets, blockchain developments, and digital asset news for Startup Fortune. With a background in financial journalism and over eight years tracking crypto markets through multiple cycles, Ron brings analytical perspective to Bitcoin, Ethereum, and emerging token ecosystems.
Related Articles
More posts →
Loading next article…
You're all caught up