AI Agent Executes First-Ever Fully Autonomous Ransomware Attack in History
By admin | Jul 07, 2026 | 3 min read
Last week, security researchers at cloud firm Sysdig reported what they described as the first documented instance of "agentic ransomware." The operation, named JadePuffer, involved an AI agent carrying out the technical aspects of a real-world cyberattack from beginning to end—without a human handling the keyboard. The agent gained entry to a vulnerable server, stole credentials, navigated through the target's network, encrypted files, and even composed its own ransom note, adapting to obstacles along the way much like a human hacker would. Initial coverage portrayed the attack as running "without any human oversight," with "no human at the keyboard."
However, that characterization isn't entirely accurate. In a Monday interview with CyberScoop, Michael Clark, Sysdig's senior director of threat research, clarified that a human remained deeply involved—just not in the technical execution. "A human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim," Clark explained. He added that the credentials used to break into the victim's database weren't harvested by the AI agent itself; someone obtained them separately through a prior compromise and handed them to the operation. None of this contradicts Sysdig's original claim, and the technical details of the attack remain notable on their own—even striking. The agent exploited a known bug in Langflow, a widely used open-source tool for building LLM applications, then moved to a production MySQL server and leveraged another known flaw to gain admin access. It encrypted over 1,300 configuration records and left behind a ransom note it wrote itself, along with a Bitcoin address for payment. Sysdig has not disclosed the target. The techniques were fairly standard, but what stood out was the speed and transparency. The agent fixed a failed login in 31 seconds, narrating its own reasoning in natural-language code comments throughout the process.
One detail that initially seemed confusing has since been clarified. Clark had told CyberScoop that Sysdig found "multiple models were used in the attack," citing harvested keys for OpenAI, Anthropic, DeepSeek, and Gemini—language that left open the question of whether several models actively powered different stages of the intrusion. "The agent swept the Langflow host for anything valuable—provider API keys, cloud credentials, cryptocurrency wallets, and database configs—and those provider keys were part of the loot," he said via email. "They are indicative of what the attacker considered worth taking, but they do not tell us which model was making the decisions."
Regarding the specific model running JadePuffer, Clark said Sysdig "was not able to identify the specific model driving the agent" and has no visibility into its system prompt or configuration. In light of this, Microsoft researcher Geoff McDonald's theory, shared on LinkedIn several days ago, is worth revisiting. McDonald suspected an open-weight model with safety training stripped out—rather than a frontier model—was behind the attack, based on his own red-teaming experience showing frontier labs' safety layers hold up well. Sysdig's account neither confirms nor rules that out. McDonald's post also warned that ransomware campaigns are now bounded primarily by attacker budget rather than human effort, raising the possibility of "thousands or tens of thousands of simultaneous campaigns." That concern is a bit harder to reconcile with what Clark described Monday. If a human still has to choose each victim, provision infrastructure, and obtain database credentials for every operation, that creates a significant bottleneck, at least for now.
Either way, Clark told CyberScoop that while Sysdig hasn't seen the same operation hit other victims yet, given how cheap it is to run an agent, he expects that to change.
Comments
Please log in to leave a comment.
No comments yet. Be the first to comment!