Security researchers say they have captured the first fully documented case of agentic ransomware: a complete extortion operation, from break-in to data destruction, carried out end-to-end by an autonomous AI agent with no human at the keyboard. The campaign, dubbed JADEPUFFER by the threat-research team that found it, breached an exposed AI development server, pivoted to a production database, and left behind a ransom note, all while narrating its own reasoning in the code it generated along the way.

What to know:
- Cloud security firm Sysdig says JADEPUFFER is the first ransomware operation it has seen driven entirely by a large language model, with no human directing the intrusion.
- The agent broke in through CVE-2025-3248, an unpatched flaw in Langflow, a popular open-source tool for building AI applications, then pivoted to a separate production server running a MySQL database and Nacos configuration service.
- It encrypted 1,342 configuration records, deleted the originals, and planted a ransom note demanding payment in Bitcoin, then destroyed several additional databases outright.
- Researchers clocked the agent going from a failed login to a working fix in 31 seconds, diagnosing and correcting its own mistakes without any person involved.
- The encryption key was generated randomly and never saved or transmitted, meaning the victim’s data is unrecoverable even if the ransom is paid.
- Sysdig calls the operator an agentic threat actor, warning that AI now lowers the skill and cost required to run a full ransomware campaign to almost nothing.
The operation, detailed in a report published July 1 by Sysdig’s Threat Research Team, unfolded in two stages. The AI agent first gained access to an internet-facing Langflow server through a known, unpatched vulnerability that allows unauthenticated attackers to run arbitrary code. Langflow servers are attractive targets because they are AI-adjacent infrastructure that often stores cloud credentials and API keys with little network protection around them.
Once inside, the agent moved fast and methodically. It fingerprinted the machine, then swept for secrets across dozens of categories at once, including API keys for major AI providers, cloud credentials from Amazon, Google, Microsoft and Chinese providers, cryptocurrency wallets, and database passwords. It dumped the server’s own internal database, reviewed the contents, and deleted its tracks. It then found an exposed MinIO object storage service still running on its factory-default password and used it to pull a credentials file that gave it a foothold into the real target: a separate, internet-exposed server running production databases.

What makes JADEPUFFER notable isn’t that any single step was sophisticated. Exploiting old vulnerabilities, harvesting credentials, and abusing default passwords are standard ransomware tradecraft. What stood out to researchers was the behavior in between the steps. The agent’s own payloads were, in Sysdig’s words, self-narrating: dense with plain-language comments explaining why it was taking each action, which databases were the highest priority to destroy, and what its next move would be. Human attackers writing quick, disposable scripts rarely bother to annotate them this way. AI-generated code does it by default.
The clearest evidence of autonomy showed up when things went wrong. In one sequence documented by researchers, the agent tried to create a hidden administrator account inside the target’s configuration platform, tested the login, and found it failed. Twelve seconds later it was already testing two different explanations for the failure in parallel. Nineteen seconds after that, it had diagnosed the actual cause, a broken password-hashing call, rewrote the fix, and logged in successfully. The entire failure-diagnosis-and-repair cycle took 31 seconds, a pace researchers say would be difficult for a human operator to match even when reading a clear error message.
In the final phase, the agent encrypted more than a thousand configuration entries in the target’s Nacos service using MySQL’s built-in encryption function, dropped the original tables, and created a new table named to hold its ransom demand: a message, a Bitcoin address, and a contact email. A follow-up payload two minutes later corrected the note with a more precise count of encrypted records. Then it moved on to outright destruction, dropping entire databases it judged to be high-value, again narrating its own targeting logic directly in the code as it went.
Researchers caution that the ransom note may not even be honest. The encryption key was random, printed once to the screen, and never stored or sent anywhere, which means paying the ransom would not actually recover the data. Whether that was an oversight by the AI agent or simply irrelevant to an attacker focused on disruption rather than payment is unclear.
Sysdig’s team argues the broader significance isn’t the specific vulnerabilities involved but the fact that an AI model chained reconnaissance, credential theft, lateral movement, and destruction into a working campaign without a human directing any individual stage. That shifts ransomware from a threat that requires real technical skill to one that mainly requires the cost of running an AI agent, which keeps falling. Defenders, researchers say, should treat exposed application servers, unhardened configuration tools and internet-facing database accounts as the first places this kind of attack will show up next.
Leave a Reply