Sysdig documents first ransomware attack run entirely by an AI agent

Cloud security firm Sysdig has documented what its researchers assess to be the first ransomware operation driven entirely by an autonomous large language model agent, marking what cybersecurity experts say is an alarming new chapter in AI-enabled cybercrime.

The operator, which Sysdig’s Threat Research Team dubbed JADEPUFFER, broke into an internet-facing server, harvested credentials, moved laterally to a production database, encrypted data, and destroyed backups — all without a human at the keyboard. Sysdig published its findings on June 30, and the report has since drawn wide attention across the security community. securityaffairs.com bleepingcomputer.com sysdig.com

How the Attack Worked

JADEPUFFER exploited CVE-2025-3248, a critical missing-authentication flaw rated 9.8 on the CVSS scale in Langflow, an open-source framework for building AI applications. The vulnerability allows unauthenticated remote code execution, and Langflow servers often hold cloud credentials and API keys in their environments. hackread.com sysdig.com

Once inside, the LLM agent swept the host for secrets — including keys for OpenAI, Anthropic, and major cloud providers — then dumped Langflow’s backing database, scanned internal services, and looted a MinIO object store using default credentials. It then pivoted to a separate production server running MySQL and Alibaba’s Nacos configuration service, exploiting a 2021 authentication bypass and forging JWT tokens with Nacos’s well-known default signing key. sysdig.com securityaffairs.com

The agent encrypted all 1,342 Nacos configuration items using MySQL’s AES_ENCRYPT function, dropped the original tables, and left a ransom note demanding Bitcoin payment. The encryption key was generated randomly, printed once to stdout, and never saved — making recovery impossible even if the ransom were paid. letsdatascience.com sysdig.com

Evidence of Autonomy

Sysdig identified four lines of evidence supporting its assessment that an LLM, not a human, drove the operation. The payloads were saturated with natural-language commentary explaining targeting decisions. The agent corrected its own errors at machine speed — fixing a failed login attempt in 31 seconds with a 15-line diagnostic and corrective script. It also adapted in real time when encountering unexpected responses, such as switching from JSON to XML parsing mid-operation. cybernews.com sysdig.com

“The skill floor for running ransomware has dropped to whatever it costs to run an agent,” Sysdig wrote in its report, “and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero”. sysdig.com

Implications for Defenders

Security researchers emphasized that none of JADEPUFFER’s individual techniques were novel — the danger lies in an AI model stringing them together into a coherent attack chain against neglected infrastructure. Sysdig urged organizations to patch Langflow, harden Nacos deployments, remove credentials from web-reachable processes, and apply egress controls to prevent compromised hosts from beaconing to attacker infrastructure. bleepingcomputer.com thehackernews.com cybernews.com sysdig.com