The 'initial' AI-operated ransomware assault still required a person.

The ‘initial’ AI-operated ransomware assault still required a person.

In the previous week, experts from the cloud security company Sysdig reported they had identified the initial documented instance of “agentic ransomware.” This extortion scheme, named JadePuffer, involved an AI agent — as opposed to a human — managing the entire technical execution of a cyberattack in the real world. The agent infiltrated a vulnerable server, acquired credentials, navigated through the target’s network, encrypted files, and even drafted its own ransom note, adjusting to hurdles much like a human hacker would. Coverage of the funding mentioned that it was conducted “without any human oversight,” asserting “no human at the keyboard.”

However, that’s not entirely the full story. During an interview on Monday with CyberScoop, Sysdig’s Michael Clark, the firm’s senior director of threat research, emphasized that a human was indeed involved — just not in the technical execution aspects. “A human still set up and directed the operation and provided the necessary infrastructure behind it, including the command-and-control server, the staging server for the stolen data, and selecting a victim,” Clark explained. The credentials utilized to access the victim’s database were not obtained by the AI agent directly; they were acquired separately by someone through a previous breach and provided to the operation.

None of this contradicts Sysdig’s initial assertion, with the technical specifics of the attack being remarkable in themselves — even astonishing. The agent gained access via a known vulnerability in Langflow, a widely used open-source tool for creating LLM applications, and subsequently targeted a production MySQL server, exploiting another recognized flaw to obtain admin privileges. It encrypted more than 1,300 configuration records and not only composed a ransom note itself but also included a Bitcoin address for payment. Sysdig has not disclosed the identity of the targeted entity.

The methods utilized seem rather typical, yet the rapidity and clarity exhibited were noteworthy. The agent resolved a failed login in just 31 seconds, detailing its reasoning through natural-language code comments throughout the process.

A detail that initially appeared to obfuscate the narrative has been clarified. Clark had informed CyberScoop that Sysdig found “multiple models were used in the attack,” referencing harvested keys from OpenAI, Anthropic, DeepSeek, and Gemini — phrasing that left the door open regarding whether various models were simultaneously involved at different stages of the breach. When prompted for clarification, Clark told TechCrunch that those keys were merely part of what the agent pilfered, not indicators of what was operating it.

“The agent scoured the Langflow host for anything of value — provider API keys, cloud credentials, cryptocurrency wallets, and database configurations — and those provider keys were part of the bounty,” he stated via email. “They reflect what the attacker deemed worthwhile to take, yet they do not convey which model was making the decisions.”

Regarding the model specifically powering JadePuffer, Clark noted Sysdig “was unable to determine the specific model operating the agent” and lacks insight into its system prompt or setup.

The theory from Microsoft researcher Geoff McDonald, shared on LinkedIn a few days prior, is worth reconsidering in this context. McDonald speculated that an open-weight model with safety training removed, rather than a cutting-edge model, was behind the attack, based on his own red-teaming experiences indicating that safety layers in frontier labs perform effectively. Sysdig’s account does not confirm nor deny this possibility.

McDonald’s post also cautioned that ransomware operations are increasingly limited by the attacker’s budget rather than human labor, suggesting the potential for “thousands or tens of thousands of simultaneous campaigns.” This concern is somewhat challenging to reconcile with what Clark outlined on Monday. (If a human must still select each victim, arrange infrastructure, and secure database credentials for every operation, that poses somewhat of a bottleneck.)

Regardless, Clark informed CyberScoop that while Sysdig has not observed the same operation target other victims so far, he anticipates changes soon due to the low cost of operating an agent.

Purchases made through the links in our articles may earn us a small commission. This does not influence our editorial independence.

Leave a Reply