Artificial Intelligence

The First Fully Autonomous AI Ransomware Attack Is Here — And It Learned on the Fly

Published

on

An AI Agent Just Pulled Off a Full Ransomware Attack — No Human Needed

For years, security experts have warned that artificial intelligence would eventually move beyond writing malicious code and start orchestrating attacks on its own. That moment, it appears, has arrived.

Researchers at Sysdig, a cloud security firm, say they have documented what may be the first ransomware attack executed almost entirely by an autonomous AI agent ransomware operation. Dubbed JadePuffer, the campaign relied on a large language model (LLM) agent to carry out nearly every stage of the hack — from initial breach to data encryption — without continuous human direction.

The findings, if confirmed, mark a serious inflection point. AI is no longer just a tool for writing phishing emails or generating exploit code. It is now planning, adapting, and executing cyberattacks in real time.

How JadePuffer Broke In and Moved Through the Network

The attack chain began with a known vulnerability. According to Sysdig, JadePuffer exploited CVE-2025-3248, a remote code execution flaw in Langflow, an open-source framework used to build LLM-powered applications. The bug was patched in April 2025 and later added to CISA’s catalog of vulnerabilities known to be actively exploited.

Once inside the system, the AI agent didn’t just sit there. It performed a full reconnaissance sweep — collecting host information, hunting for credentials, digging up sensitive files, and extracting cloud secrets. It mapped storage resources before moving laterally through the victim’s infrastructure.

That behavior alone would be impressive for an automated tool. But what made researchers sit up was the adaptability.

The AI Adapted in Real Time — Like a Human Hacker

Most automated malware follows a rigid script. If a command fails, it crashes or loops. JadePuffer did something different.

Sysdig’s report describes a moment when the AI agent encountered an unexpected XML response while querying a MinIO object store. Instead of failing, it modified its parsing logic and retried the operation using a different approach. In another instance, a failed login attempt was automatically corrected within 31 seconds — no human intervention required.

That kind of dynamic problem-solving is what security teams typically associate with experienced human operators, not scripts.

The AI went on to establish persistence by creating scheduled cron jobs. It then pivoted to a production server running Alibaba Nacos, where it exploited CVE-2021-29441 to create rogue administrator accounts. From there, it encrypted 1,342 Nacos configuration records, deleted the original data, and replaced everything with a ransom note demanding payment in Bitcoin.

Clues That the Attack Was AI-Generated

Researchers found several telltale signs that an LLM had authored the attack code. The malicious scripts contained unusually detailed natural-language comments — the kind a human programmer might leave to explain their reasoning, but far more verbose than typical malware.

The ransom note itself raised eyebrows. It referenced a Bitcoin wallet commonly used as an example in documentation rather than a genuine payment address. Sysdig also believes the malware used AES-128 in ECB mode despite claiming AES-256 encryption — a rookie mistake that an AI might make when pulling code from training data.

These fingerprints could become important for defenders. If AI-generated attacks leave distinct behavioral patterns and coding quirks, security teams may be able to build new detection techniques around them.

What This Means for the Future of Cybersecurity

The JadePuffer operation didn’t invent new attack methods. It exploited known vulnerabilities and used existing techniques. But the ability to autonomously perform reconnaissance, privilege escalation, persistence, and ransomware deployment represents a notable escalation in offensive AI capabilities.

Sysdig says the incident demonstrates that agentic AI threats have effectively arrived. The technical expertise required to launch sophisticated cyberattacks just dropped significantly. In theory, someone with minimal hacking skills could now deploy an AI agent to do the heavy lifting.

For organizations, the takeaway is blunt: patch internet-facing systems and secure cloud credentials remain essential — even as the attackers themselves change. The same fundamentals that stop human hackers also stop AI agents, at least for now.

But the clock is ticking. As LLM agents get smarter and cheaper, the gap between amateur and professional cybercriminals is narrowing fast. The first fully autonomous ransomware attack is here. It won’t be the last.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version