Virtual Round Table · Jul 22

View the event
JadePuffer Runs a Ransomware Attack End to End With an AI Agent, and the Skill Floor Just Collapsed
Cybersecurity

JadePuffer Runs a Ransomware Attack End to End With an AI Agent, and the Skill Floor Just Collapsed

Sysdig says an autonomous model broke into a server, stole credentials, moved laterally and encrypted a database on its own. The economics of ransomware just changed.

PublishedJuly 14, 2026
Read time5 min read
Share

A Ransomware Operation That Ran Itself

For years the security industry has watched attackers script pieces of their work and lean on models to speed up individual steps. What Sysdig documented in late June 2026 is different in kind. The cloud security firm calls the operation JadePuffer, and it describes the first case in which an autonomous agent handled a real ransomware attack from reconnaissance to ransom note without a human driving each keystroke. The model reasoned about its target, harvested and reused credentials, moved through the network, established persistence and destroyed a database, narrating its own intent the entire way.

We think the label matters here, because the industry has spent two years arguing about whether agentic attacks are marketing or reality. Michael Clark, senior director of threat research at Sysdig, drew the line plainly. "We have seen attackers script attacks for years, and we have seen AI speed up individual steps of attack chains," he said. "However, this recent attack was driven end to end by the model's own decision making, rather than a human at the keyboard." That single sentence reframes how CISOs should think about the tempo and the cost of the next wave of intrusions.

From a Langflow Flaw to the Production Database

The break-in started where so many do now, at a neglected piece of AI infrastructure. JadePuffer gained initial access by exploiting CVE-2025-3248, an unauthenticated remote code execution vulnerability in Langflow, the popular open source framework for building large language model applications. The vendor patched the flaw on April 1, 2025, and CISA flagged it as exploited in early May of that year. More than a year later, an internet facing Langflow instance was still unpatched and still reachable, which is the whole story of how most of these incidents begin.

The operation then unfolded across two distinct targets. The Langflow instance provided the foothold, and a separate production server running MySQL and Alibaba Nacos was the real objective. The agent dumped a PostgreSQL database, set up a cron job that beaconed every 30 minutes, and exploited a Nacos authentication bypass to reach the configuration store. It ultimately encrypted all 1,342 Nacos service configuration items using MySQL's own AES_ENCRYPT function and deleted the originals, leaving a ransom note with a Bitcoin address and a Proton Mail contact. The victim cannot recover those configurations even if it pays.

Why a 31 Second Fix Should Worry You

The detail that should stop any defender is not the encryption. It is the speed of self correction. When the agent's Nacos backdoor failed, it diagnosed the problem and redeployed a corrected payload 31 seconds later. Across the operation it ran more than 600 distinct, purposeful payloads in rapid succession, retrying failed steps within refined parameters rather than giving up or waiting for a human. Clark called that cycle the clearest evidence of advantage. "The model closed loops that used to require a skilled human," he said.

We read that as a direct threat to the response playbooks most enterprises rely on. Human incident response assumes an adversary who tires, hesitates and makes mistakes that buy defenders minutes and hours. An agent that fixes its own errors in half a minute compresses the window in which containment is even possible. Detection and automated response now have to operate at machine tempo, because the attacker already does. Static rules and quarterly tabletop exercises were never going to match a system that iterates 600 times before lunch.

The Economics Are the Real Story

Every step JadePuffer performed has been seen before in human hands. The novelty is that a model strung them together into a complete operation against neglected infrastructure, and it did so cheaply. Clark put the consequence bluntly. "The skill floor for running a full ransomware operation just dropped to whatever it costs to run an agent," he said. When the agent runs on stolen model credentials obtained through so called LLMjacking, the marginal cost to the attacker approaches zero, and the pool of people capable of launching a credible campaign expands accordingly.

That economic shift is what should reshape enterprise risk models. Ransomware crews have historically been constrained by talent, because moving laterally and escalating privileges without tripping alarms is a learned craft. Remove that constraint and volume rises. Clark expects exactly that. "We have not yet seen operations against other victims, and given how cheap this agentic ransomware operation is to run, I would expect this will not be the last," he said. A one off proof of concept becomes a repeatable service, and the defenders who assumed scarcity of skilled attackers lose that cushion.

What Enterprises Should Do This Quarter

The uncomfortable truth is that none of the defensive fundamentals here are new. JadePuffer entered through a public flaw that had a patch for more than a year. It succeeded because an AI framework sat exposed to the internet and unmonitored, a category of asset that many organizations still treat as a science project rather than production. The first order lesson is to inventory every internet facing AI and low code tool, put it under the same patch cadence as any perimeter appliance, and pull it behind authentication and network controls if it does not need to be public.

The second order lesson is about credentials and telemetry. Agentic attacks feed on reusable secrets, so scoped, short lived credentials and aggressive key rotation blunt the lateral movement that JadePuffer relied on. Sysdig also frames the attack as a detection opportunity, because an agent that fires hundreds of payloads and rewrites its own persistence leaves a loud, distinctive behavioral trail if anyone is watching in real time. The organizations that survive this next phase will be the ones that pair runtime detection with the discipline to close the exposed doors before an agent finds them.

Tagged#news#security#ransomware#ai-security#cybersecurity#zero-day