First Documented Ransomware Attack Run Exclusively by Agentic AI Discovered
The Sysdig Threat Research Team has discovered what they believe to be the first ever ransomware attack carried out fully end-to-end by agentic AI.
Dubbed JADEPUFFER, the campaign targeted a flaw in Langflow, a popular open-source framework for creating LLM applications, that would allow attackers to run arbitrary Python on the host machine. Many instances of Langflow are exposed on the open internet and their credentials are often stored in their environment, making them an attractive entry point.
The most striking characteristic, however, was the LLM's behavior. JADEPUFFER's own payloads were self-narrating. They contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don’t often write but LLM-generated code produces reflexively. The operation also adapted in real time, retrying failed steps within refined parameters. In one sequence, it went from a failed login to a working fix in 31 seconds.
After compromising the Langflow instance, the AI moved on to the true target: separate production servers containing SQL databases. The AI would encrypt the MySQL database and generate a ransom note containing the demand, a Bitcoin payment address, and a Proton Mail account to contact.
Then, the AI would begin deleting data, escalating as it went and rationalizing its decisions the whole time.
The researchers note that the speed at which the LLM handled failures indicated automation, with the attacker able to assess the failures and remediate within seconds.
Further, the actions weren't merely those of an automated script; they required understanding and diagnosing the problem to create a specific solution on the fly.
The Bitcoin address the LLM gave was an example address commonly used in developer documentation, meaning it's possible it hallucinated the wrong address in its ransom note. It's also possible, however, that the attackers configured it with a real address that happens to be the same as the one used in documentation. The researchers say they have no way to know for sure.
Ransomware is no longer a craft for the highly skilled: An LLM agent can chain reconnaissance, credential theft, lateral movement, persistence, and destruction without the operator possessing deep expertise in any one step. Tradecraft that once implied a capable human now implies a capable model.
This attack sets a scary precedent; with the skill ceiling for ransomware attacks now so low, we could start seeing massive operations of LLMs scanning all over the internet for vulnerable machines to extort for profit, without a human having to do much at all.
In particular, it will be important to keep your software patched with the latest security updates, since these models rely on known vulnerabilities for now.