AI Agent Runs an Entire Ransomware Attack Alone
Researchers at Sysdig say they've documented the first ransomware attack carried out end to end by an AI agent, no human at the keyboard. The agent broke into an exposed Langflow server through a year-old bug, stole cloud credentials, and encrypted a production database before leaving a ransom note. The entry point was a flaw that a patch already fixed months ago.
By SecureBusinessHub Editorial, International cybersecurity desk
More than 600 separate, purposeful commands ran during the attack. A human typed none of them.
Sysdig's Threat Research Team says it has documented the first ransomware attack run start to finish by an AI agent, with no operator steering any of it. They're calling the operator JADEPUFFER. A large language model handled the entire job: breaking into a server, stealing credentials, pivoting to a second target, then encrypting and wiping a production database.
An Old Bug Nobody Patched
The entry point was CVE-2025-3248, a missing-authentication flaw in Langflow, an open-source tool for building AI apps and agent workflows. The flaw lets anyone who can reach the server run their own code with no login required. The bug was fixed in Langflow 1.3.0 and added to CISA's Known Exploited Vulnerabilities catalog back in May 2025, but plenty of servers were never updated. Langflow instances are a tempting target because they often sit exposed to the internet holding API keys and cloud credentials for whatever they connect to.
Once inside, the agent mapped the machine and swept it for anything valuable: API keys for OpenAI, Anthropic, DeepSeek, and Gemini, cloud credentials for AWS, Google, Azure, and Chinese providers Alibaba and Tencent, plus crypto wallet keys and database logins. It found an object storage server still running its factory-default login, minioadmin and minioadmin, never changed since setup, and helped itself. Then it planted a scheduled task that pinged the attacker's server every 30 minutes, so it could get back in later.
From Foothold to Ransom Note
The agent pivoted to its real target: a separate, internet-facing server running a MySQL database and Nacos, a configuration and service directory common in microservice deployments, and logged into the database as root. Sysdig says it never found where those root credentials came from. From there, the agent took over Nacos using a four-year-old authentication bypass and a default signing key the tool has shipped unchanged since 2020, then planted its own admin account.
It encrypted all 1,342 Nacos configuration entries, dropped the original tables, and left a ransom note demanding Bitcoin with a Proton Mail contact. The note claims AES-256 encryption; Sysdig found the tool it actually used defaults to weaker AES-128. Either way, the encryption key was generated at random, printed to the screen once, and never saved or sent anywhere. There is no key to hand over, even for a victim willing to pay.
How Sysdig Knew It Wasn't Human
The clearest tell was the code itself. The attack payloads were full of plain-English notes explaining why each step was being taken, the kind of running commentary a human hacker never bothers to write but a model produces by default. The agent also fixed its own mistakes at machine speed. In one case, it went from a failed login attempt to a correct, multi-step fix in 31 seconds, diagnosing the exact cause instead of blindly retrying.
- If you run Langflow, confirm it's on version 1.3.0 or later, and that its code-execution endpoints are not reachable from the public internet
- Search for any MinIO instance still using the default minioadmin / minioadmin login
- Check whether your Nacos deployment still uses the default signing key it ships with (unchanged since 2020), and whether it connects to its database as anything other than a restricted service account
- Review outbound firewall rules for any server that shouldn't be phoning home every 30 minutes to an unfamiliar address
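A host-side sketch of three of the checks above, added here as an example and not taken from Sysdig's report or from any of the named projects: it flags cron entries that call a network client every 30 minutes, compares a Langflow version string against 1.3.0, and tests a MinIO environment for the default login. It assumes a Linux host where the scheduled task is a cron entry and MinIO is configured through its `MINIO_ROOT_USER` / `MINIO_ROOT_PASSWORD` variables (or the legacy `MINIO_ACCESS_KEY` / `MINIO_SECRET_KEY`); the function names, the sample crontab and its hostname are constructed.

```python
import re

# Assumed list of network clients a beaconing cron job might call; extend locally.
NET_TOOLS = re.compile(r"\b(curl|wget|nc|ncat)\b|/dev/tcp/")
FIXED_LANGFLOW = (1, 3, 0)    # release the article says fixed CVE-2025-3248
MINIO_DEFAULT = "minioadmin"  # factory-default user and password

# Constructed sample crontab; the hostname is a placeholder.
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "*/30 * * * * curl -s http://beacon.example.invalid/ping",
    "0 3 * * * /usr/local/bin/backup.sh",
    "15,45 * * * * /usr/sbin/logrotate /etc/logrotate.conf",
]

def every_30_min(minute_field):
    """True if a cron minute field fires twice an hour, 30 minutes apart."""
    if minute_field == "*/30":
        return True
    parts = minute_field.split(",")
    if len(parts) == 2 and all(p.isdigit() for p in parts):
        return abs(int(parts[0]) - int(parts[1])) == 30
    return False

def suspicious_cron(lines):
    """Return cron entries that run every 30 minutes and invoke a network client."""
    hits = []
    for line in lines:
        fields = line.strip().split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        if every_30_min(fields[0]) and NET_TOOLS.search(fields[5]):
            hits.append(line.strip())
    return hits

def langflow_vulnerable(version):
    """True if a version string such as '1.2.0' or 'v1.3' is older than 1.3.0."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums))) < FIXED_LANGFLOW

def minio_default_creds(env):
    """MinIO falls back to minioadmin/minioadmin when these variables are unset."""
    user = env.get("MINIO_ROOT_USER") or env.get("MINIO_ACCESS_KEY") or MINIO_DEFAULT
    pw = env.get("MINIO_ROOT_PASSWORD") or env.get("MINIO_SECRET_KEY") or MINIO_DEFAULT
    return user == MINIO_DEFAULT and pw == MINIO_DEFAULT

if __name__ == "__main__":
    print(suspicious_cron(SAMPLE_CRON))
    print(langflow_vulnerable("1.2.0"), minio_default_creds({}))
```

A cron hit is a lead for review, not a verdict: the 30-minute logrotate entry in the sample is skipped only because it calls no network client, and a legitimate health check that does would still be flagged.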
What This Means Going Forward
JADEPUFFER isn't the first sign that attacks are getting automated. Anthropic disrupted an extortion campaign in August 2025 that used its Claude Code tool against at least 17 organisations, with ransom demands topping $500,000, though a human still steered that one. In November 2025 the company disclosed what it called a largely autonomous cyberattack, a Chinese state-linked espionage operation that had Claude write exploits and steal data with little human involvement. Agents make it nearly free to spray an entire back catalogue of known bugs, which means neglected, unpatched servers get more exposed, not less.
"None of the individual moves in this attack were clever or new," Sysdig's researchers concluded. "What's new is that a model stitched them into a complete attack against a neglected server, on its own."