> Back to All Posts

JadePuffer Ransomware: The First Fully AI-Run Cyberattack

JadePuffer Ransomware

A ransomware attack usually needs a human behind the keyboard, at least at the critical moments. That assumption just broke. Security researchers at Sysdig have documented what appears to be the first ransomware operation carried out from start to finish by an autonomous AI agent, and they’ve named it JadePuffer ransomware.

No operator typed commands during the intrusion. An AI agent scanned for weaknesses, stole credentials, moved across systems, and encrypted data on its own. It even adjusted its approach mid-attack when things didn’t go as planned. This shift matters for anyone who cares about online security, because it changes who can launch a serious attack and how fast one can unfold.

How the JadePuffer Ransomware Attack Started

The agent gained entry through a flaw in Langflow, an open-source tool developers use to build applications powered by large language models. The vulnerability, tracked as CVE-2025-3248, allowed remote code execution without any authentication. A patch arrived in April 2025, but attackers kept exploiting unpatched servers, and CISA flagged active exploitation by May.

Once inside, the AI agent got to work immediately. It pulled data from Langflow’s PostgreSQL database, mapped out the host environment, and hunted through environment variables and configuration files for anything useful. It also enumerated a MinIO object storage bucket sitting on the network.

One detail stood out to researchers. When the agent queried an API and got a response in XML instead of the JSON format it expected, it didn’t stall or fail. It rewrote its own parsing logic on the fly and kept moving. That kind of adaptive troubleshooting used to require a person watching a screen.

Moving Deeper Into the Network

After establishing a foothold, the agent installed a cron job that pinged attacker infrastructure every 30 minutes, giving it a way back in if anything got disrupted. From there, it pivoted to a production MySQL server tied to Alibaba Nacos, a platform used for managing microservices.

The agent used root credentials of unclear origin to get in, then exploited a known Nacos authentication bypass, CVE-2021-29441, to create rogue administrator accounts. This gave it a stable, elevated position inside systems that had nothing to do with the original Langflow server. The lateral movement happened without any human reviewing the next step or approving the escalation.

Researchers pointed to one exchange where the agent hit a failed login attempt and had a working fix in place just 31 seconds later. Code comments left behind by the agent even included natural-language notes explaining its own reasoning, almost like a developer thinking out loud while debugging.

The Encryption and the Ransom Demand

The final stage targeted 1,342 configuration items stored in the Nacos service. The agent encrypted them using MySQL’s built-in AES_ENCRYPT() function, then deleted the original unencrypted copies. It replaced them with a ransom table containing a Bitcoin wallet address and a Proton Mail contact for negotiations.

The note claimed AES-256 encryption, but researchers who examined the attack believe the weaker AES-128-ECB mode was actually used. Oddly, the encryption key itself appears to have been generated randomly during the attack and was never sent back to the attacker’s infrastructure, a mistake that could complicate any actual decryption process even if a victim paid.

Another slip gave away the automated nature of the operation. The Bitcoin address in the ransom note turned out to be a widely circulated example address, the kind that shows up in tutorials and documentation rather than one tied to a real wallet. Researchers believe the AI model likely reproduced it from training data instead of generating a legitimate payment address.

What This Means Going Forward

Sysdig is calling this new category of threat an “agentic threat actor,” where AI systems don’t just assist an attacker but run the operation independently. This lowers the bar for launching damaging attacks, since an AI agent can execute techniques that once required real technical skill and hands-on attention.

The JadePuffer ransomware case also cuts both ways. Because AI-generated attacks tend to leave distinctive traces, like reused training data or oddly efficient decision patterns, defenders now have new signals to watch for. Security teams can build detection around behaviors that are unique to automated agents rather than human operators.

For everyday users and organizations alike, the basics still apply and matter more than ever. Exposed services with known vulnerabilities remain the easiest entry point, whether the attacker is a person or a machine. Keeping software patched, limiting internet-facing access to sensitive systems, and using tools like a VPN to reduce exposure on public or untrusted networks all reduce the odds of becoming a target in the first place.

Final Thoughts

The JadePuffer ransomware attack marks a turning point in how cybercrime gets carried out. An AI agent handled reconnaissance, credential theft, lateral movement, and encryption without a human guiding each step, and it adapted when things didn’t go according to plan.

This doesn’t mean every ransomware attack will look like this tomorrow, but it shows the technical ceiling has moved. Attackers no longer need deep expertise to run a multi-stage intrusion, because an AI agent can fill that gap. Staying protected means treating basic security hygiene, patching, access controls, and network protection, as non-negotiable rather than optional.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.