Ransomware has always needed a skilled human somewhere in the loop. Security firm Sysdig says that just changed. It has documented what it calls the first ransomware attack run from start to finish by an AI agent, with no human at the keyboard.
The researchers named the attacker JADEPUFFER, and say a large language model handled the entire job. It broke in, stole credentials, moved deeper into the network, planted a backdoor, then encrypted and destroyed a company’s production database. Sysdig’s Threat Research Team laid out the case in a detailed write-up.
JADEPUFFER slipped in through an old, boring door. It exploited a year-old, already-patched flaw in Langflow, an open-source tool for building AI apps. The bug lets anyone who can reach the server run code on it.
Plenty of Langflow boxes still sit exposed online. They often hold the API keys and cloud credentials for the services they connect to. That makes them a soft first target.
A machine at the keyboard
Once inside, the agent worked fast. It swept the host for secrets: AI provider keys, cloud logins, crypto wallets, and database passwords. It even raided a storage server still using its factory-default password.
The agent set up a way back in, pinging the attacker’s server every half hour. Then it pivoted to the real prize, a separate database server, and logged in as root. Where those root credentials came from, Sysdig cannot say.
From there it seized the server’s configuration system, using a 2021 bug and a default signing key that no one had ever changed. It planted its own admin account. Then it encrypted 1,342 settings, wiped the originals, and left a ransom note demanding Bitcoin.
A ransom with no key
Here is the cruel twist. The agent generated a random encryption key, printed it to the screen once, and never saved or sent it. There is no key to hand over, so even if the victim pays, nothing comes back.
The agent then went further, deleting whole databases. It claimed, in a comment in its own code, that it had already copied the data elsewhere. Sysdig found no sign that it had.
How do the researchers know a machine was driving? The code itself gave it away. The payloads carried plain-English notes explaining each step, the running commentary a human hacker never bothers to write, but a model produces by default.
The agent also fixed its own mistakes at machine speed. In one case, director of threat research Michael Clark said, it went from a failed login to a correct, multi-step fix in 31 seconds. Sysdig counted more than 600 separate, purposeful actions.
The floor just dropped
None of the individual moves was clever or new. The point is that a model stitched them into a full attack on its own. “The skill floor for running ransomware has dropped to whatever it costs to run an agent,” Clark wrote.
Run that agent on stolen credentials, and the cost falls close to zero. It is the same automation logic now upending everything from the economics of coding assistants to a wave of AI-written malicious browser code and fresh banking-trojan campaigns.
There is a sliver of good news. Because the agent narrates its own intent, defenders get a signal they never had before. That is fuelling a market of startups racing to secure AI agents, plus a push to turn AI back on the attackers and spot when an account’s user is not who they claim.
The fixes here will sound familiar: patch the flaw, stop exposing admin systems, and keep cloud keys away from web-facing machines. Sysdig calls JADEPUFFER a warning sign, not a crisis. But it expects the volume to rise as agentic tools mature.
