Security

First AI-Powered Ransomware Uses Agents to Automate Attacks

JadePuffer demonstrates how agentic AI can execute nearly every stage of a ransomware operation, from reconnaissance to encryption, with minimal human involvement.

Omega Editorial· July 10, 2026· 3 min read

Security researchers have documented the first known case of ransomware powered by AI agents that can autonomously execute most stages of an attack chain, signaling a fundamental shift in how cybercrime operates.

Sysdig's Threat Research Team identified the operation, dubbed JadePuffer, which exploited an exposed Langflow instance to demonstrate how AI agents can handle reconnaissance, credential harvesting, lateral movement, database encryption, and ransom note generation with minimal human guidance. According to Sysdig's findings first reported last week, humans selected the target and provided initial credentials, but AI handled the complex technical execution that traditionally required skilled operators.

The attack exploited CVE-2025-3248, an authentication flaw in Langflow's code validation endpoint that allowed unauthenticated Python execution. Once inside, the AI agent moved through the system at machine speed—Sysdig noted the agent corrected a failed login and implemented a working fix in just 31 seconds, far faster than human operators typically work.

Why it matters

This development fundamentally changes the economics of ransomware. By automating the labor-intensive middle stages of attacks, AI agents lower the skill requirements, reduce costs, and accelerate execution timelines for cybercriminals. Security teams built to detect human-paced intrusions may miss attacks operating at machine tempo. More critically, the proliferation of locally-hosted open-weight models means attackers can operate without leaving traces in commercial AI provider logs, eliminating a key visibility point for threat intelligence.

The visibility problem

Sysdig could not identify which AI model powered JadePuffer. While the attack swept up API keys for OpenAI, Anthropic, DeepSeek, and Gemini, those were stolen credentials rather than evidence of which system ran the operation. This ambiguity highlights a growing challenge: locally-hosted models like DeepSeek and GLM enable attackers to operate without cloud provider oversight.

Cloud-based frontier models leave audit trails that providers can monitor for abuse. OpenAI and Anthropic have both reported detecting and blocking accounts used for malicious purposes. But when attackers run capable models on their own infrastructure, there's no provider account to suspend, no prompt history to review, and no centralized safety filter to bypass.

CISS noted in July 2026 that recent Chinese models have closed the capability gap with U.S. frontier systems, giving attackers more options and less dependence on monitored commercial APIs. Check Point Research reported in 2025 that criminals were already sharing jailbreak prompts for DeepSeek and using multiple models together to optimize malicious scripts.

AI infrastructure as attack surface

The JadePuffer case exposes a new vulnerability category: AI application servers themselves. Tools like Langflow sit near production systems, cloud credentials, and database access—making them high-value targets. The UK National Cyber Security Centre warned in January 2024 that AI would almost certainly increase both the volume and impact of cyber attacks by lowering barriers for novice criminals.

Anthropic has documented similar patterns. In August 2025, the company disrupted a cybercriminal using Claude to automate reconnaissance and network penetration in a data extortion operation that hit at least 17 organizations, with ransoms sometimes exceeding $500,000. A November 2025 Anthropic report described an AI-orchestrated espionage campaign where human operators selected targets but AI performed reconnaissance, exploit writing, and credential harvesting.

For enterprise security teams, the implications are immediate: detection rules calibrated for human behavior may miss machine-speed attacks, AI development tools exposed to the internet create new entry points, and the traditional assumption that skilled human operators leave detectable patterns no longer holds.

Sysdig's research was first reported by TechCrunch and detailed in the company's threat intelligence briefing.

#ransomware#agentic ai#cybersecurity#ai security#threat intelligence#langflow

This is an original analysis by the Omega editorial team. Source reporting: AI Watch.

Want systems like this working for your business?

Book a Call

More in Security

Security· 3 min read

Apple Sues OpenAI Over Alleged Trade Secret Theft

The lawsuit accuses OpenAI of poaching employees who brought confidential hardware designs to the AI company's nascent device business.

Via AI Watch · Jul 11, 2026
Security· 2 min read

Apple Sues OpenAI Over Alleged Trade Secret Theft

The lawsuit claims OpenAI solicited confidential product details from Apple job candidates and accessed internal documents through former employees.

Via AI Watch · Jul 11, 2026
Security· 3 min read

Apple Sues OpenAI Over Alleged Trade Secret Theft

The iPhone maker claims OpenAI's hardware chief orchestrated systematic theft of confidential designs, prototypes, and documents from departing employees.

Via WIRED · Jul 10, 2026