First AI-Run Ransomware Attack Wasn’t Fully Autonomous, Researchers Say
The first AI-run ransomware attack still relied on human involvement for victim selection, infrastructure setup, and the use of stolen credentials, highlighting both the promise and the limits of autonomous cyberattacks.
Last week, researchers at cloud security company Sysdig announced they had identified what they described as the first documented case of“"agentic ransomware.” The operation, known as JadePuffer, involved an AI agent carrying out the technical stages of a real-world ransomware attack from beginning to end. According to the researchers, the AI infiltrated a vulnerable server, obtained credentials, moved laterally across the victim’s network, encrypted files, and even generated its own ransom note while adapting to obstacles, much as a human attacker would. Early reports described the campaign as operating “without any human oversight” and suggested there was “no human at the keyboard.”
However, the complete story is more nuanced. Speaking with CyberScoop on Monday, Sysdig Senior Director of Threat Research Michael Clark explained that although the AI handled the technical execution of the intrusion, human operators still played a significant role in preparing the attack.
According to Clark, a person selected the victim, configured the supporting infrastructure, including the command-and-control and staging servers, and launched the operation before the AI agent took over. He also clarified that the credentials used to gain access to the target’s database were not collected by the AI itself. Instead, they had been acquired separately during an earlier compromise and then supplied to the operation by a human.
These additional details do not contradict Sysdig’s original findings, and the attack’s technical sophistication remains noteworthy. The AI agent initially gained access by exploiting a known vulnerability in Langflow, an open-source platform used for building large language model applications. It then pivoted to a production MySQL server, where it leveraged another known vulnerability to obtain administrative privileges.
After securing elevated access, the AI encrypted more than 1,300 configuration records. It also composed its own ransom note and generated a Bitcoin wallet address to which victims could send payment. Sysdig has not publicly identified the organisation targeted during the attack.
While the individual attack methods themselves were relatively conventional, what distinguished the operation was the speed with which the AI worked and the transparency of its decision-making process. According to Sysdig, when the AI encountered a failed login attempt, it corrected the issue within 31 seconds while documenting its reasoning through natural-language code comments throughout the process.
One aspect of the investigation that initially created confusion has also since been clarified. During his interview with CyberScoop, Clark mentioned that Sysdig had discovered API keys associated with OpenAI, Anthropic, DeepSeek, and Gemini during the intrusion. That statement prompted speculation that several AI models might have been actively participating in different stages of the attack.
Clark later explained that this was not the case.
In a follow-up email, he said the AI agent searched the compromised Langflow server for valuable assets, including provider API keys, cloud credentials, cryptocurrency wallets, and database configuration files. The keys belonging to OpenAI, Anthropic, DeepSeek, and Gemini were among the information stolen during that process.
“The agent swept the Langflow host for anything valuable — provider API keys, cloud credentials, cryptocurrency wallets, and database configs — and those provider keys were part of the loot,” Clark wrote. “They are indicative of what the attacker considered worth taking, but they do not tell us which model was making the decisions.”
Regarding the specific AI model behind JadePuffer, Clark said Sysdig was unable to determine exactly which model powered the agent. The company also has no visibility into the system prompt or configuration that guides its behaviour.
Those findings align with an earlier theory proposed by Microsoft researcher Geoff McDonald on LinkedIn. Based on his own experience conducting AI red-team testing, McDonald suggested the ransomware was more likely powered by an open-weight model with many of its safety restrictions removed rather than by one of the latest frontier AI systems, whose built-in safeguards have generally proven more resistant to misuse. Sysdig’s investigation neither confirms nor disproves that possibility.
McDonald also argued that AI agents could dramatically increase the scale of ransomware campaigns because future attacks may become constrained primarily by financial resources rather than by the availability of skilled human operators. In his view, attackers could eventually launch “thousands or tens of thousands of simultaneous campaigns.”
Clark’s latest comments, however, suggest that significant human involvement remains necessary. If operators must still identify suitable victims, obtain credentials, and establish supporting infrastructure for every attack, those manual steps continue to limit how quickly such campaigns can scale.
Even so, Clark told CyberScoop that although Sysdig has not yet observed JadePuffer being used against additional victims, he believes wider deployment is likely. Given the relatively low cost of running AI agents, he expects similar attacks to become increasingly common.
What's Your Reaction?
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
Wow
0