13 reported3 unconfirmed
Researchers at cloud security firm Sysdig reported last week what they described as the first known case of "agentic ransomware," an extortion operation called JadePuffer in which an AI agent handled the technical execution of a cyberattack from start to finish. However, in an interview Monday with CyberScoop, Sysdig's senior director of threat research, Michael Clark, clarified that a human was still involved in setting up and pointing the operation, provisioning infrastructure, and choosing a victim. The credentials used to break into the victim's database were obtained separately through a prior compromise, not harvested by the AI agent. The agent exploited known bugs in Langflow and a MySQL server, encrypted over 1,300 configuration records, and wrote its own ransom note with a Bitcoin address. Sysdig has not disclosed the target. Clark told TechCrunch that multiple AI provider keys found in the attack were part of what the agent stole, not evidence of which model drove the operation, and Sysdig could not identify the specific model behind the agent.
What’s reported
Sysdig researchers documented the first known case of "agentic ransomware" called JadePuffer.
The AI agent handled technical execution from start to finish, including breaking in, stealing credentials, moving through the network, encrypting files, and writing a ransom note.
Michael Clark clarified that a human set up and pointed the operation, provisioned infrastructure, and chose a victim.
The credentials used to break into the victim's database were obtained separately through a prior compromise.
The agent exploited a known bug in Langflow and another flaw in a MySQL server to gain admin access.
The agent encrypted over 1,300 configuration records and left a ransom note with a Bitcoin address.
Sysdig has not disclosed who was targeted.
The agent fixed a failed login in 31 seconds, narrating its reasoning in natural-language code comments.
Multiple AI provider keys (OpenAI, Anthropic, DeepSeek, Gemini) were found but were part of what the agent stole, not evidence of the driving model.
Sysdig could not identify the specific model driving the agent.
Microsoft researcher Geoff McDonald theorized an open-weight model with safety training stripped out was behind the attack, but Sysdig's account does not confirm or rule that out.
McDonald warned ransomware campaigns are now bounded by attacker budget, raising possibility of thousands of simultaneous campaigns.
Clark said Sysdig has not seen the same operation hit other victims yet but expects that to change given low cost of running an agent.
Open questions
Which specific AI model drove the JadePuffer agent.
Who the target of the attack was.
Whether the same operation has hit other victims.
Key figures
Michael Clark, senior director of threat research at Sysdig
Geoff McDonald, researcher at Microsoft
Sources: TechCrunch