'It’s a marker of where extortion tradecraft is heading': Cyber experts say they've identified the first case of ‘agentic ransomware’ – but there’s a catch
While the JadePuffer ransomware has alarm bells ringing, it still needed a human in the loop
A security firm has spotted what it claims is the first documented case of a ransomware operation run entirely by a large language model.
The Sysdig Threat Research Team said the operator, dubbed JadePuffer, is the first agentic threat actor, describing it as using a known flaw in AI app builder Langflow to gain access to credentials and other key data.
Thereafter, researchers noted it took over a production database and encrypted it for extortion purposes.
"JadePuffer is a warning sign," Michael Clark, Sysdig’s director of threat research, said in a blog post.
"It’s a marker of where extortion tradecraft is heading. An autonomous agent reasoned about its targets, harvested and reused credentials, moved laterally, established persistence, and destroyed a database, narrating its own intent the entire way."
Clark has clarified that though the attack operation was run by an AI, the attack was still organized by a human who set up the infrastructure, found the initial credentials to break in, and chose a victim. But the rest of the attack was managed by the LLM itself.
Alarming attack
Clark noted that JadePuffer's payloads were "self narrating", containing detailed notes that a human wouldn't bother to write but an LLM generates innately about why each step was taken, including prioritization of targets. That narration data could prove useful for security teams looking to defend against such attacks, Clark added.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
"The operation also adapted in real time, retrying failed steps within refined parameters," Clark added. "In one sequence, it went from a failed login to a working fix in 31 seconds."
That is perhaps the most alarming aspect of the incident, according to Roey Eliyahu, CEO and co-founder of Salt Security.
"A human attacker who fails an initial payload waits, reassesses, consults, and tries again on a different timeline," Eliyahu said. "An agent that fails a payload corrects and retries in under a minute. That compression of the attack cycle means the window between first detection signal and material damage is now measured in seconds, not hours."
The JadePuffer system even wrote a ransom note complete with Bitcoin address and Proton email contact, Clark noted, though the former appears to be a wallet address frequently used as an example in explainer text online.
That’s either a coincidence, said Clark, or a hallucination by the LLM due to the frequency of that address online, and therefore used in training data.
Clark also noted that the encryption key was generated and essentially random, so the victim would not be able to decrypt — even if they paid the ransom. The victim organization wasn't disclosed.
Warning about the future of security
While JadePuffer is just one incident, it shows that AI can help automate old vulnerabilities and that ransomware no longer requires skills to pull off an attack, according to Sally Vincent, senior threat research engineer at Exabeam.
"While the attack relied on known, older vulnerabilities rather than new exploits, it demonstrates how AI can automate and accelerate the exploitation of unpatched systems," Vincent said. "It also serves as a reminder that patching known vulnerabilities remains important, since AI can make exploiting them faster and more efficient."
While Clark stressed that none of the attack techniques were novel or sophisticated, JadePuffer is interesting because it was strung together into a complete ransomware operation by an AI model.
"The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero," he commented.
That means security professionals should expect to see more like this, as well as a higher volume of attacks, and should proactively protect "exposed application servers, unhardened configuration stores, and internet-facing database admin accounts," Clark added.
Salt Security's Eliyahu added: "The question every security team should be asking after this report is: what is holding credentials in our AI-adjacent infrastructure, and what can those credentials reach?"
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole the author of a book about the history of technology, The Long History of the Future.
-
Yorkshire Building Society touts customer service gains with AI agentsNews The firm said that agents Penelope, Sam, and Alf are helping improve customer service, while adhering to high levels of regulation
-
Arrow Electronics secures pan-EMEA distribution deal with ABBNews The agreement will bring ABB's uninterruptible power supply solutions to Arrow's channel partners across key European markets
-
Three quarters of firms have halted AI projects over safety and security concerns – and cyber pros think things will deteriorate as models like Claude Mythos improveNews AI has become a leading problem for enterprise security teams, they can't automate their way out of trouble
-
OpenAI expands 'Daybreak' cyber program: New tools, partnerships, and a cyber-focused GPT-5.5 aim to help 'patch the world'News The company has added new tools, signed up partners, and released its GPT-5.5-Cyber model more widely
-
IT teams are bullish on AI tools, but they’re worried security practices can’t keep paceNews Executives and IT teams are at odds over the risks associated with AI adoption
-
‘These sorts of post-compromise techniques used to be restricted to actors with the technical knowledge to carry them out’: Anthropic warns AI is helping lower the bar for up-and-coming hackersNews AI is making it harder to differentiate between high and low-skilled actors
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Google says AI is now being used to build zero-days – and we just narrowly avoided a 'mass exploitation event'News Google cyber researchers think they’ve found the first AI-generated zero-day exploit