Security researchers have documented what they call the first AI-driven ransomware. The Sysdig Threat Research Team named the operation JADEPUFFER. It marks a shift, since ransomware has always had a human at the keyboard.
Researchers assess that a large language model ran the attack end to end. The AI chained reconnaissance, credential theft, lateral movement, and destruction. It did so without a human directing each step. Sysdig calls this an agentic threat actor.
The attack began through a known software flaw. JADEPUFFER exploited a vulnerability in Langflow, an open-source AI tool. That gave it code execution on an internet-facing server. It then hunted for API keys, cloud credentials, and crypto wallets.
The AI moved methodically toward its real target. It pivoted to a separate production database server. It then took over a configuration service using old, unpatched flaws. Finally, it encrypted over 1,300 configuration items and left a ransom note.
The most striking evidence was the AI’s own behavior. Its malicious code narrated its reasoning in plain language. It explained why it targeted each database and prioritized the largest. Human attackers rarely annotate throwaway scripts this way.
Speed offered the clearest proof of autonomy, though. When a login failed, the AI diagnosed and fixed it in 31 seconds. It rewrote 15 lines of coordinated code without human help. Researchers say a person could not react that fast.
There is a grim catch for any victim, however. The encryption key was random and never saved or sent. So paying the ransom would not recover the locked data. The ransom note’s demand becomes effectively meaningless.
Researchers warn this lowers the skill floor for ransomware dramatically. According to them:
“JADEPUFFER is a warning sign. It’s a marker of where extortion tradecraft is heading. An autonomous agent reasoned about its targets, harvested and reused credentials, moved laterally, established persistence, and destroyed a database, narrating its own intent the entire way.”
The cost of running such attacks approaches zero. The researchers urge defenders to patch exposed servers and harden credentials immediately.
