AI’s first solo ransomware heist is here.
Security researchers at Sysdig say they have documented the first known case of "agentic ransomware," an attack in which a large language model (LLM) handled every stage of a ransomware operation without direct human control.
The campaign, which Sysdig named JADEPUFFER, began by exploiting CVE-2025-3248, a remote code execution vulnerability in the open-source Langflow framework. From there, the AI agent conducted reconnaissance, searched for credentials, moved through the victim's network, established persistence, targeted production systems, encrypted data, and deployed a ransom note.
Unlike traditional ransomware, which typically relies on pre-written scripts or human operators, the researchers say the AI continuously adjusted its actions as conditions changed.
"The most striking characteristic, however, was the LLM's behavior," Sysdig wrote in its report. "JADEPUFFER's own payloads were self-narrating."
The AI adapted as it encountered obstacles
According to Sysdig's analysis, the agent behaved much like a skilled penetration tester. It searched for cloud credentials, AI provider API keys, cryptocurrency wallets, database passwords, and other sensitive information before pivoting from the compromised Langflow server to a production MySQL database running Alibaba's Nacos configuration platform.
When parts of the attack failed, the AI modified its approach almost immediately instead of simply retrying the same commands.
"In one sequence, it went from a failed login to a working fix in 31 seconds," Sysdig noted. The researchers observed similar behavior when the AI encountered unexpected data formats and authentication issues, rewriting its own code to continue the attack.
The ransom demand may never have been payable
The attack encrypted 1,342 Nacos configuration records before deleting the originals and leaving behind a ransom note demanding payment in Bitcoin.
However, Sysdig found a critical flaw in the ransomware itself. The encryption key was randomly generated, displayed once, and never saved or transmitted back to the attacker. That means the encrypted data could not be recovered, even if the victim paid the ransom.
The researchers also found no evidence to confirm the attacker's claim that stolen data had been backed up elsewhere before the databases were destroyed.
Why defenders should pay attention
Although the attack relied on previously known vulnerabilities rather than new exploits, researchers say its significance lies in the automation. Instead of requiring an experienced ransomware operator, an AI agent successfully combined reconnaissance, credential theft, privilege escalation, lateral movement, persistence, and destructive actions into a single workflow.
The attack also highlights the risks of leaving internet-facing systems unpatched. The initial compromise relied on a Langflow vulnerability that already had a fix available, while later stages exploited older weaknesses in Nacos and poorly secured administrative access.
JADEPUFFER suggests ransomware could become faster and more scalable as AI agents mature. Rather than inventing new hacking techniques, autonomous agents may simply automate existing ones, allowing attackers to launch more campaigns with less expertise.
For businesses, the findings reinforce the importance of basic security practices such as promptly applying patches, restricting internet exposure, limiting administrative privileges, protecting credentials, and monitoring systems for unusual behavior. Cybersecurity agencies have recently warned that AI is expected to accelerate both offensive and defensive cyber capabilities, making rapid detection and response increasingly important.
While Sysdig describes JADEPUFFER as the first documented fully autonomous ransomware campaign, its findings are based on a single observed incident. Similar AI-driven attacks will become more common as agentic tools continue to evolve, making long-standing security gaps an even more attractive target.
Read more: China's open-weight AI race is also reshaping cybersecurity. See how Z.ai's GLM-5.2 is testing the limits of AI-powered security tools.


