Final week, researchers at cloud safety agency Sysdig stated they’d documented the primary recognized case of “agentic ransomware.” It was an extortion operation, dubbed JadePuffer, wherein an AI agent — not a human — dealt with the technical execution of a real-world cyberattack from begin to end. The agent broke right into a weak server, stole credentials, moved by the goal’s community, encrypted recordsdata, and even wrote its personal ransom be aware, adapting to obstacles alongside the way in which like a human hacker would. Protection of the funding described it as run “with none human oversight,” with “no human on the keyboard.”
That’s not fairly the full image. In an interview on Monday with CyberScoop, Sysdig’s Michael Clark, the corporate’s senior director of risk analysis, clarified {that a} human was nonetheless very a lot concerned — simply not within the technical execution. “A human nonetheless arrange and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen knowledge and selected a sufferer,” Clark stated. The credentials used to interrupt into the sufferer’s database, he added, weren’t harvested by the AI agent itself; somebody obtained them individually, by a previous compromise, and handed them to the operation.
None of this contradicts Sysdig’s unique declare, and the technical particulars of the assault stay notable on their very own — wild, even. The agent acquired in by a recognized bug in Langflow, a preferred open-source software for constructing LLM apps, then moved on to a manufacturing MySQL server and exploited one other recognized flaw to achieve admin entry. It encrypted over 1,300 configuration information and never solely left behind a ransom be aware that it wrote itself but it surely left a Bitcoin handle the place the ransom may very well be despatched. Sysdig hasn’t disclosed who was focused.
The methods have been pretty abnormal apparently, what stood out was the pace and transparency concerned. The agent fastened a failed login in 31 seconds, narrating its personal reasoning in natural-language code feedback the entire method.
One element that originally appeared to muddy the image has since been clarified. Clark had informed CyberScoop that Sysdig discovered “a number of fashions have been used within the assault,” citing harvested keys for OpenAI, Anthropic, DeepSeek, and Gemini — language that left open the query of whether or not a number of fashions actively powered completely different phases of the intrusion. Requested to make clear, Clark informed TechCrunch that these keys have been merely a part of what the agent stole, not proof of what was driving it.
“The agent swept the Langflow host for something worthwhile — supplier API keys, cloud credentials, cryptocurrency wallets, and database configs — and people supplier keys have been a part of the loot,” he stated by way of e-mail. “They’re indicative of what the attacker thought-about value taking, however they don’t inform us which mannequin was making the selections.”
On the mannequin truly working JadePuffer, Clark stated Sysdig “was not in a position to establish the particular mannequin driving the agent” and has no visibility into its system immediate or configuration.
Microsoft researcher Geoff McDonald’s concept, offered on LinkedIn a number of days in the past, is value revisiting in that mild. McDonald suspected an open-weight mannequin with security coaching stripped out, slightly than a frontier mannequin, was behind the assault, based mostly on his personal red-teaming expertise exhibiting frontier labs’ security layers maintain up nicely. Sysdig’s personal account doesn’t affirm or rule that out.
McDonald’s publish additionally warned that ransomware campaigns at the moment are bounded primarily by attacker finances slightly than human effort, elevating the opportunity of “1000’s or tens of 1000’s of simultaneous campaigns.” That concern is a bit of tougher to sq. with what Clark described Monday. (If a human nonetheless has to decide on every sufferer, provision infrastructure, and procure database credentials for each operation, that’s a little bit of a bottleneck, not less than.)
Both method, Clark informed CyberScoop, whereas Sysdig hasn’t seen the identical operation hit different victims but, given how low-cost it’s to run an agent, he expects that to vary.
Once you buy by hyperlinks in our articles, we may earn a small commission. This doesn’t have an effect on our editorial independence.

