First Known ‘Agentic Ransomware’ Attack Raises AI Security Alarm | eWeek

First Known ‘Agentic Ransomware’ Attack Raises AI Security Alarm

An AI model being attacked.

Image: Generated with Google’s Nano Banana

Jul 6, 2026
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

AI’s first solo ransomware heist is here.

Security researchers at Sysdig say they have documented the first known case of "agentic ransomware," an attack in which a large language model (LLM) handled every stage of a ransomware operation without direct human control.

The campaign, which Sysdig named JADEPUFFER, began by exploiting CVE-2025-3248, a remote code execution vulnerability in the open-source Langflow framework. From there, the AI agent conducted reconnaissance, searched for credentials, moved through the victim's network, established persistence, targeted production systems, encrypted data, and deployed a ransom note.

Unlike traditional ransomware, which typically relies on pre-written scripts or human operators, the researchers say the AI continuously adjusted its actions as conditions changed.

"The most striking characteristic, however, was the LLM's behavior," Sysdig wrote in its report. "JADEPUFFER's own payloads were self-narrating."

The AI adapted as it encountered obstacles

According to Sysdig's analysis, the agent behaved much like a skilled penetration tester. It searched for cloud credentials, AI provider API keys, cryptocurrency wallets, database passwords, and other sensitive information before pivoting from the compromised Langflow server to a production MySQL database running Alibaba's Nacos configuration platform.

When parts of the attack failed, the AI modified its approach almost immediately instead of simply retrying the same commands.

"In one sequence, it went from a failed login to a working fix in 31 seconds," Sysdig noted. The researchers observed similar behavior when the AI encountered unexpected data formats and authentication issues, rewriting its own code to continue the attack.

The ransom demand may never have been payable

The attack encrypted 1,342 Nacos configuration records before deleting the originals and leaving behind a ransom note demanding payment in Bitcoin.

However, Sysdig found a critical flaw in the ransomware itself. The encryption key was randomly generated, displayed once, and never saved or transmitted back to the attacker. That means the encrypted data could not be recovered, even if the victim paid the ransom.

The researchers also found no evidence to confirm the attacker's claim that stolen data had been backed up elsewhere before the databases were destroyed.

Why defenders should pay attention

Although the attack relied on previously known vulnerabilities rather than new exploits, researchers say its significance lies in the automation. Instead of requiring an experienced ransomware operator, an AI agent successfully combined reconnaissance, credential theft, privilege escalation, lateral movement, persistence, and destructive actions into a single workflow.

The attack also highlights the risks of leaving internet-facing systems unpatched. The initial compromise relied on a Langflow vulnerability that already had a fix available, while later stages exploited older weaknesses in Nacos and poorly secured administrative access.

JADEPUFFER suggests ransomware could become faster and more scalable as AI agents mature. Rather than inventing new hacking techniques, autonomous agents may simply automate existing ones, allowing attackers to launch more campaigns with less expertise.

For businesses, the findings reinforce the importance of basic security practices such as promptly applying patches, restricting internet exposure, limiting administrative privileges, protecting credentials, and monitoring systems for unusual behavior. Cybersecurity agencies have recently warned that AI is expected to accelerate both offensive and defensive cyber capabilities, making rapid detection and response increasingly important.

While Sysdig describes JADEPUFFER as the first documented fully autonomous ransomware campaign, its findings are based on a single observed incident. Similar AI-driven attacks will become more common as agentic tools continue to evolve, making long-standing security gaps an even more attractive target.

Read more: China's open-weight AI race is also reshaping cybersecurity. See how Z.ai's GLM-5.2 is testing the limits of AI-powered security tools.

Aminu Abdullahi

Aminu Abdullahi is a B2C and B2B technology and finance writer with more than six years of experience covering enterprise IT, cybersecurity, cloud computing, artificial intelligence, fintech, business software, and emerging technologies. His work has appeared in publications including TechRepublic, eWEEK, Channel Insider, Geekflare, Enterprise Networking Planet, eSecurity Planet, CIO Insight, and Webopedia. With a technical background in computer science, he specializes in translating complex technology topics into clear, accessible content for business leaders and decision-makers.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.