Close Menu
  • Home
  • Articles
    • Attacks
      • BEC
      • Data Breach
      • DDoS
      • Evasion Attacks
      • Injection
      • Malware
      • MITM
      • Phishing
      • Ransomware
      • RCE
      • Social Engineering
      • Spoofing
      • Spyware
    • Business and Policy
      • BCP and DRP
      • GRC
      • Regulations
    • Data Protection
      • DLP
      • DRM
      • Encryption
      • IAM
    • Future, Trends and Insight
      • AI
      • Events & Community
      • Emerging Tech
      • Expert Panel
      • Interviews With Experts
      • Insights
      • Study & Research
    • Resources
      • Guides
      • Tools
      • Training & Education
    • Security
      • API
      • Apps
      • Cloud
      • Critical Infrastructure
      • Endpoint
      • Hardware
      • IoT
      • Mobile
      • Network
      • OT
      • Port Security
      • Security Architecture
      • Software Development
      • Supply Chain
      • Zero Trust
    • Threats and Vulnerabilities
      • Emerging Threats
      • Insider Threats
      • Risk Management
      • Threat Intelligence
      • Zero Day
  • News and Exclusives
    • Latest News
    • ISB Exclusive
    • Positive News
  • Who We Are
    • About Us
    • Information Security Buzz Expert Panel​
    • Write for Us
    • Media Pack
  • Contact Us
  • Newsletter
Facebook X (Twitter) LinkedIn
Facebook X (Twitter) LinkedIn
Information Security BuzzInformation Security Buzz
  • Home
  • Articles
    • Attacks
      • BEC
      • Data Breach
      • DDoS
      • Evasion Attacks
      • Injection
      • Malware
      • MITM
      • Phishing
      • Ransomware
      • RCE
      • Social Engineering
      • Spoofing
      • Spyware
    • Business and Policy
      • BCP and DRP
      • GRC
      • Regulations
    • Data Protection
      • DLP
      • DRM
      • Encryption
      • IAM
    • Future, Trends and Insight
      • AI
      • Events & Community
      • Emerging Tech
      • Expert Panel
      • Interviews With Experts
      • Insights
      • Study & Research
    • Resources
      • Guides
      • Tools
      • Training & Education
    • Security
      • API
      • Apps
      • Cloud
      • Critical Infrastructure
      • Endpoint
      • Hardware
      • IoT
      • Mobile
      • Network
      • OT
      • Port Security
      • Security Architecture
      • Software Development
      • Supply Chain
      • Zero Trust
    • Threats and Vulnerabilities
      • Emerging Threats
      • Insider Threats
      • Risk Management
      • Threat Intelligence
      • Zero Day
  • News and Exclusives
    • Latest News
    • ISB Exclusive
    • Positive News
  • Who We Are
    • About Us
    • Information Security Buzz Expert Panel​
    • Write for Us
    • Media Pack
  • Contact Us
  • Newsletter
Subscribe
Information Security BuzzInformation Security Buzz
Home - Ransomware - Sysdig uncovers first documented agentic ransomware operation
Ransomware Artificial Intelligence Attacks Latest News News & Analysis

Sysdig uncovers first documented agentic ransomware operation

Kirsten DoyleBy Kirsten DoyleJuly 10, 20265 Mins Read
Share LinkedIn Twitter Facebook Copy Link Email
Sysdig agentic ransomware
Share
Facebook Twitter LinkedIn Email Copy Link
Quick AI Summary
ChatGPTClaudeGeminiGrokPerplexityDeepSeekCopilot

Security researchers at Sysdig have documented what they believe is the first documented case of an AI agent running a ransomware operation from end to end.

Dubbed JADEPUFFER, the operation used a large language model (LLM) to automate an attack that began with the exploitation of an internet-facing Langflow instance and ended in destructive database extortion. 

Sysdig’s research describes an AI-driven campaign that adapted to failures, harvested credentials, searched for sensitive data, moved toward its intended target, and attacked a production database server.

The attackers initially exploited CVE-2025-3248, a missing-authentication vulnerability in Langflow’s code validation endpoint that allows unauthenticated remote code execution. Once inside, JADEPUFFER enumerated the compromised host and searched for LLM provider API keys, cloud credentials, cryptocurrency wallets, seed phrases, database credentials, and configuration files.

The operation then dumped Langflow’s PostgreSQL database, scanned internal systems, and targeted a separate production database server. According to Sysdig, the agent connected to an exposed MySQL port using root credentials before carrying out its database-extortion playbook.

Researchers said the LLM’s behaviour provided some of the clearest evidence of automation. Its payloads included natural-language reasoning and target prioritisation, while the agent also adjusted its approach when steps failed. In one case, it moved from a failed login attempt to a working fix in 31 seconds.

Sysdig stressed that the individual attack techniques were neither new nor especially sophisticated. The significance lies in the AI agent’s ability to combine them into a complete operation with little apparent need for human intervention.

The findings suggest that agentic AI could lower the technical barrier to running ransomware campaigns and allow attackers to operate at greater speed and scale. Sysdig expects these campaigns to grow as agentic tools mature, particularly against exposed application servers, poorly secured configuration stores, and internet-facing database administration accounts.

What changes is the economics of who gets attacked

Jim Sherlock, VP of AI and Cybersecurity R&D at ProCircular, says: “The headline is that an AI ran a ransomware attack, but the techniques here were all several years old and well understood. What actually changes is the economics of who gets attacked.”

He adds that when an AI agent can find an exposed asset, chain three old vulnerabilities, and weaponize it for pennies, the forgotten internet-facing systems that were never worth a human operator’s time suddenly are. 

“For enterprises and SMBs, that shrinks the grace period between ‘we have an exposure’ and ‘someone is exploiting it’ to almost nothing, which makes continuous visibility of your own attack surface the difference between a non-event and a breach.”

Frankly, it’s only the beginning

Josh Marpet, Senior Product Security Consultant at Finite State, says: “This is so totally expected. And frankly, it’s only the beginning. Wait till we see ransomware collecting bitcoin after the original attackers have already been arrested. What happens to ransomware when no one controls it? Will we have AI agents hunting it down?”

Marpet says the arms race is just beginning here. “It will get worse, and eventually, better. But it will take time to do so.”

Automating the full cyber kill chain

Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity at Suzu Labs, says: “JadePuffer automated the full cyber kill chain, from initial exploitation through lateral movement to ransomware deployment, without a human operator at any stage. Previous AI-assisted attacks handled individual phases. JadePuffer chained all of them using standard Python libraries, publicly known CVEs (a 2025 Langflow RCE for entry, a 2021 Nacos auth bypass for lateral movement), and default credentials that ship unchanged in production deployments.

“The agent adapted to failures across the operation in real time. It diagnosed a failed admin login in 31 seconds, identifying a broken bcrypt subprocess path, rewriting the hash generation inline, and rebuilding the account without any human input. Other failures got the same treatment: a foreign key constraint silently blocking DROP DATABASE was answered with disabled checks on the next payload, and an unexpected XML response from MinIO triggered an immediate parser switch,” he explains. 

“Reconnaissance is already done before the agent fires its first payload,” Krell continues. “Search engines like Shodan continuously scan and index every device and service with an open port on the public internet. Any attacker can query for exposed Langflow instances, Nacos servers, or databases with management ports facing the internet and get a target list in seconds. Pair that with an autonomous agent running on stolen API credentials, and every entry gets hit for close to nothing.”

He says RaaS commoditized the deployment side of ransomware years ago, but still required an operator who understood the target environment. “Agentic automation removes that last requirement. Expect full attack-chain kits on dark markets within a year, packaged for buyers with zero technical ability. The skill floor for ransomware just dropped to the cost of prompting a model.”

A foundational shift in adversarial capabilities

Noelle Murata, Chief Operating Officer at Xcape, comments: “The emergence of the JadePuffer agent marks a foundational shift in adversarial capabilities, moving cyber threats from scripted automation to autonomous, machine-speed execution. By leveraging a large language model to independently navigate the entire cyber kill chain, diagnose its own execution errors, and rewrite payloads in seconds, this operation renders conventional, human-dependent incident response models completely obsolete.”

She says while the agent relied entirely on unpatched legacy vulnerabilities and public tools to gain initial access, its ability to execute an end-to-end campaign without human intervention severely compresses the detection and containment window for defenders.

“The strategic takeaway for executive leadership is that basic security hygiene remains an effective barrier, but true systemic resilience now requires a shift from manual triage to real-time, behavior-based defense. CISOs must leverage this milestone to secure board-level mandates for automated, continuous-monitoring systems capable of isolating lateral movement instantly, shifting corporate defense from reactive patching to proactive architectural containment,” Murata ends.

Kirsten Doyle
Kirsten Doyle
Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.

  • Kirsten Doyle
    AI-assisted software engineering is creating a new delivery paradox
  • Kirsten Doyle
    Klue supply chain breach exposes Salesforce data at several security firms
  • Kirsten Doyle
    AI-Powered Attacks Become Top Concern for Security Professionals, New Filigran Survey Reveals
  • Kirsten Doyle
    ShinyHunters targets Oracle PeopleSoft customers through critical zero-day

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

Share. Facebook Twitter LinkedIn Email Copy Link

Related Posts

Foxconn confirms cyberattack following Nitrogen ransomware claims

May 14, 20263 Mins Read

Lazarus Group Turns to Medusa Ransomware in Escalating Global Extortion Campaign

February 26, 20263 Mins Read

The Cyberattack That Exposed the Fragility of Digital Heritage

February 11, 20268 Mins Read
ISB-Bora-Side-Bar

No se ha podido establecer conexión. Error 429

 
ISB-Bora-Side-Bar
Black ISB Logo

Information Security Buzz is an independent resource that provides the experts’ comments, analysis, and opinion on the latest Cybersecurity news and topics

X (Twitter) LinkedIn Facebook RSS

Working With Us

  • About Us
  • Advertise With Us
  • Contact Us

Write For Us

  • How To Contribute

The Pages

  • Privacy Policy
  • Cookie Policy
  • AI Policy
  • Terms & Conditions
  • Copyright Notice

Information Security Buzz and all its contents are copyright © 2014-2025. All rights reserved. All third-party trademarks are recognized.

Type above and press Enter to search. Press Esc to cancel.

Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}