The First AI-Run Ransomware Attack — What JADEPUFFER Means for Your Patching Priorities

The First AI-Run Ransomware Attack — What JADEPUFFER Means for Your Patching Priorities

On July 1, 2026, the Sysdig Threat Research Team published its analysis of what it assesses to be the first documented case of agentic ransomware — a complete extortion operation driven from start to finish by a large language model, with no human at the keyboard. The team named the operator JADEPUFFER. The techniques it used were not new or clever. What is new is that a machine strung them together into a full attack against a neglected, internet-facing server, on its own.

For anyone responsible for security, the interesting question is not whether AI can now run an attack — it clearly can — but what that changes about where you spend your limited defensive effort. The short answer: it raises the value of two things you already knew mattered, exposure management and patching discipline, because attackers can now automate the boring parts at near-zero cost.

What actually happened

JADEPUFFER gained initial access through CVE-2025-3248, a missing-authentication flaw in Langflow — a popular open-source framework for building LLM applications and agent workflows. The flaw lets anyone who can reach the server run arbitrary Python on it, no login required. It was fixed in Langflow 1.3.0 and added to CISA's Known Exploited Vulnerabilities catalogue back in May 2025. In other words, this was an old, already-patched bug hitting a server that had never been updated.

Once inside, the agent worked fast and methodically. It enumerated the host, then swept it in parallel for secrets: API keys for AI providers, cloud credentials, crypto wallet keys, and database logins. It raided a MinIO object store still using its factory-default credentials (minioadmin:minioadmin), dumped Langflow's own backing database, and installed a scheduled task that beaconed to the attacker's server every 30 minutes. It then pivoted to its real target — a separate internet-facing server running MySQL and an Alibaba Nacos configuration service — took over Nacos using a 2021 authentication-bypass flaw and an unchanged default signing key, encrypted 1,342 configuration items, dropped the original tables, and left a ransom note.

There is a grim twist. The encryption key was generated at random, printed to the screen once, and never saved or transmitted. Even a victim who paid could not recover the data. The agent then deleted whole databases outright, leaving a comment in its own code claiming it had already exfiltrated the data — a claim Sysdig could not verify.

How they knew a model was driving

Sysdig's evidence is worth understanding, because it hints at how defenders will spot these attacks. The payloads were self-narrating: full of plain-English commentary explaining why each step was taken, the kind of running annotation a human operator never bothers to write but a model produces by default. The agent also diagnosed and fixed its own mistakes at machine speed — in one sequence it went from a failed login to a correct, multi-step fix in 31 seconds, correctly identifying the root cause rather than blindly retrying. Across the operation, Sysdig counted more than 600 distinct, purposeful payloads.

Why this shifts your patching priorities

The lesson is not "AI is coming for you." It is that the economics of exploitation have changed. Automating the spray of an entire back-catalogue of known vulnerabilities used to cost attacker time and skill. With an agent, it is nearly free — and if the agent runs on stolen AI compute, close to zero. That has three practical consequences.

First, the long tail of unpatched, internet-facing systems becomes more dangerous, not less. Neglected servers were always a risk; now they are a risk that a tireless machine will find and exploit faster than a human ever could. Prioritize by exposure: anything reachable from the internet running known-exploited software should jump to the top of your list, regardless of how "important" the box feels.

Second, known-exploited vulnerabilities deserve special weight. CVE-2025-3248 was on CISA's KEV list for over a year before this attack. If your patch prioritization still leans mainly on CVSS scores, add active-exploitation status as a first-class signal. A medium-severity flaw that is being exploited in the wild is more urgent than a critical one that is not.

Third, default credentials and exposed admin interfaces are part of your patch surface. JADEPUFFER never had to work hard for MinIO — the default login had never been changed. Nacos shipped an unchanged default signing key. A database administrative account sat exposed on the internet. Patching software is necessary but not sufficient; the same discipline has to cover configuration.

What to do this quarter

Start with visibility. You cannot prioritize what you cannot see, so build or refresh an inventory of internet-facing assets and the software versions they run. Cross-reference it against CISA's KEV catalogue and fix those first. Pull provider API keys and cloud credentials out of the environment of any web-reachable service and into a proper secrets manager. Change every default credential and default signing key you can find, and never expose a database's administrative account to the internet. Finally, apply egress controls so a compromised host cannot beacon out or reach an external staging server — that single measure would have disrupted JADEPUFFER's persistence.

Because attackers can now weaponize a fresh advisory in hours, Sysdig argues that watching for malicious behavior at runtime matters as much as racing to patch. Both are true: patch the known-exploited flaws you can, and assume something will slip through, so invest in detecting the behavior — unexpected database processes, new scheduled tasks making outbound calls, credential sweeps — that follows a breach.

If you want to know which of your internet-facing systems an agent like this would reach first, that is exactly what a penetration test is designed to surface — testing your exposure the way a real attacker would, before one does. And as AI-driven tooling matures, testing the security of your own AI and LLM applications, such as exposed Langflow-style endpoints, is becoming its own discipline through LLM and AI penetration testing.

JADEPUFFER is a warning sign, not a crisis. None of its moves was sophisticated. The organizations it will hurt are the ones that already knew they had exposed, unpatched systems and had not gotten to them yet. The window to get to them is closing faster than it used to.


This article is general information, not legal or professional security advice. Your specific exposure and obligations depend on your environment, sector and role.

Sources

  • Sysdig Threat Research Team, "JADEPUFFER: Agentic ransomware for automated database extortion" (July 1, 2026): sysdig.com
  • The Hacker News, "AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack" (July 2, 2026): thehackernews.com
  • BleepingComputer, "JadePuffer ransomware used AI agent to automate entire attack": bleepingcomputer.com
  • CISA Known Exploited Vulnerabilities Catalog, CVE-2025-3248 (Langflow): nvd.nist.gov

Back to blog