First AI-Powered Ransomware Uses Agents to Automate Attacks
JadePuffer demonstrates how agentic AI can execute nearly every stage of a ransomware operation, from reconnaissance to encryption, with minimal human involvement.
Security researchers have documented the first known case of ransomware powered by AI agents that can autonomously execute most stages of an attack chain, signaling a fundamental shift in how cybercrime operates.
Sysdig's Threat Research Team identified the operation, dubbed JadePuffer, which exploited an exposed Langflow instance to demonstrate how AI agents can handle reconnaissance, credential harvesting, lateral movement, database encryption, and ransom note generation with minimal human guidance. According to Sysdig's findings first reported last week, humans selected the target and provided initial credentials, but AI handled the complex technical execution that traditionally required skilled operators.
The attack exploited CVE-2025-3248, an authentication flaw in Langflow's code validation endpoint that allowed unauthenticated Python execution. Once inside, the AI agent moved through the system at machine speed—Sysdig noted the agent corrected a failed login and implemented a working fix in just 31 seconds, far faster than human operators typically work.
Why it matters
This development fundamentally changes the economics of ransomware. By automating the labor-intensive middle stages of attacks, AI agents lower the skill requirements, reduce costs, and accelerate execution timelines for cybercriminals. Security teams built to detect human-paced intrusions may miss attacks operating at machine tempo. More critically, the proliferation of locally-hosted open-weight models means attackers can operate without leaving traces in commercial AI provider logs, eliminating a key visibility point for threat intelligence.
The visibility problem
Sysdig could not identify which AI model powered JadePuffer. While the attack swept up API keys for OpenAI, Anthropic, DeepSeek, and Gemini, those were stolen credentials rather than evidence of which system ran the operation. This ambiguity highlights a growing challenge: locally-hosted models like DeepSeek and GLM enable attackers to operate without cloud provider oversight.
Cloud-based frontier models leave audit trails that providers can monitor for abuse. OpenAI and Anthropic have both reported detecting and blocking accounts used for malicious purposes. But when attackers run capable models on their own infrastructure, there's no provider account to suspend, no prompt history to review, and no centralized safety filter to bypass.
CISS noted in July 2026 that recent Chinese models have closed the capability gap with U.S. frontier systems, giving attackers more options and less dependence on monitored commercial APIs. Check Point Research reported in 2025 that criminals were already sharing jailbreak prompts for DeepSeek and using multiple models together to optimize malicious scripts.
AI infrastructure as attack surface
The JadePuffer case exposes a new vulnerability category: AI application servers themselves. Tools like Langflow sit near production systems, cloud credentials, and database access—making them high-value targets. The UK National Cyber Security Centre warned in January 2024 that AI would almost certainly increase both the volume and impact of cyber attacks by lowering barriers for novice criminals.
Anthropic has documented similar patterns. In August 2025, the company disrupted a cybercriminal using Claude to automate reconnaissance and network penetration in a data extortion operation that hit at least 17 organizations, with ransoms sometimes exceeding $500,000. A November 2025 Anthropic report described an AI-orchestrated espionage campaign where human operators selected targets but AI performed reconnaissance, exploit writing, and credential harvesting.
For enterprise security teams, the implications are immediate: detection rules calibrated for human behavior may miss machine-speed attacks, AI development tools exposed to the internet create new entry points, and the traditional assumption that skilled human operators leave detectable patterns no longer holds.
Sysdig's research was first reported by TechCrunch and detailed in the company's threat intelligence briefing.
This is an original analysis by the Omega editorial team. Source reporting: AI Watch.
Want systems like this working for your business?
Book a Call
