AI-powered ransomware has officially arrived – and it's only the beginning
This new vector could bring the cost of a ransomware attack to nearly zero.

- Sysdig researchers reported the first fully autonomous AI ransomware attack, carried out by an agent called Jadepuffer.
- Jadepuffer exploited a critical Langflow flaw, found valuable data, reused credentials, and attacked a production database.
- Researchers said the attack matters because AI agents can adapt, fix errors, and reduce the cost of extortion.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Ransomware attacks no longer require a human for execution: for the first time, an AI agent carried out a ransomware attack independently, exploiting vulnerabilities and encrypting data fully on its own.
Researchers from Sysdig observed what they consider to be the first instance of a fully agentic ransomware attack.
The AI-powered attacker, dubbed Jadepuffer, gained access by exploiting CVE-2025-3248, a critical vulnerability that allows threat actors to execute arbitrary code on vulnerable internet-facing Langflow servers.
Once inside, it ran an adaptive campaign to locate the data and executed a database-extortion playbook against the victim's production database server.
Researchers noted that the most striking characteristic of Jadepuffer was its ability to adapt and reason through problems. In one example, it corrected its approach after a failed login attempt and successfully logged in 31 seconds later.
This “self-narrating” feature, as well as its ability to reason through failures and adapt in real time, led researchers to classify it as an agentic threat actor rather than AI simply executing a human-written script. Traditional automated attacks rely on pre-programmed scripts that would stop if an error occurred. However, Jadepuffer managed to adjust its commands and fix those errors.
“Jadepuffer is a warning sign. It’s a marker of where extortion tradecraft is heading. An autonomous agent reasoned about its targets, harvested and reused credentials, moved laterally, established persistence, and destroyed a database, narrating its own intent the entire way,” Sysdig’s Threat Research Team said in a blog post.
While the team noted that none of the techniques were novel or sophisticated, Jadepuffer managed to put them together into a complete ransomware operation against a known security flaw. This could bring the cost of an attack down from the cost of running an AI agent to nearly zero if the agent is running on stolen credentials obtained through LLMjacking.
Jadepuffer searched for many different kinds of secrets, such as LLM API keys, cloud credentials (with explicit coverage of Chinese providers like ALIBABA_, ALIYUN_, TENCENT_, HUAWEI_, although it also scanned for AWS, GCP, and Azure), crypto wallets, database credentials, and configuration files.
Notably, the encryption key was printed to stdout but never persisted or transmitted. This means that the victim would not be able to recover the encrypted configurations even if the ransom was paid.
The Bitcoin address in the ransom note is also a canonical example address from Bitcoin developer documentation, which raises two possible explanations: either the AI agent autonomously hallucinated it from its training data, or the operator configured the agent with a real wallet address that happens to coincide with the documentation example.
Companies and security teams are warned to prepare for an increase in such automated campaigns and treat existing and potential security flaws as real entry points for attackers. Organizations running Langflow should immediately patch and upgrade to version 1.3.0 or later and use runtime threat detection to detect malicious activity early.
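A defender-side check for two points in this article (the 1.3.0 upgrade floor and the kinds of secrets the agent searched for), added here as an illustration and not taken from Sysdig's report or from Langflow. It reports whether the installed Langflow is at least 1.3.0 and lists, by name only, environment variables that fall into the secret categories mentioned above. Reading the quoted provider strings as variable-name prefixes, and the AWS/GCP/Azure, API-key and database patterns, are assumptions.

```python
import os
import re

MIN_FIXED = (1, 3, 0)  # fixed Langflow release given in the article

# Name patterns only. The first row uses the strings quoted in the article,
# read here as variable-name prefixes (assumption); the rest are assumed
# common naming conventions, not taken from the report.
CATEGORIES = {
    "cloud (Chinese providers)": re.compile(r"^(ALIBABA_|ALIYUN_|TENCENT_|HUAWEI_)"),
    "cloud (AWS/GCP/Azure)": re.compile(r"^(AWS_|GOOGLE_|GCP_|AZURE_)"),
    "LLM API key": re.compile(r"_API_KEY$"),
    "database credential": re.compile(r"(^|_)(DATABASE_URL|DB_PASSWORD|PGPASSWORD)$"),
}


def is_patched(version):
    """True if `version` is 1.3.0 or later; a 1.3.0 pre-release counts as unpatched."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?(.*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(part or 0) for part in m.groups()[:3])
    prerelease = re.match(r"[.\-_]?(a|b|rc|dev)", m.group(4), re.IGNORECASE)
    if release == MIN_FIXED and prerelease:
        return False
    return release >= MIN_FIXED


def exposed_secret_names(env):
    """Return {category: sorted variable names}; values are never read."""
    found = {}
    for name in env:
        for category, pattern in CATEGORIES.items():
            if pattern.search(name.upper()):
                found.setdefault(category, []).append(name)
                break  # first matching category wins
    return {category: sorted(names) for category, names in found.items()}


if __name__ == "__main__":
    from importlib.metadata import PackageNotFoundError, version
    try:
        installed = version("langflow")
        state = "1.3.0 or later" if is_patched(installed) else "below 1.3.0, upgrade"
        print(f"langflow {installed}: {state}")
    except PackageNotFoundError:
        print("langflow is not installed in this Python environment")
    for category, names in exposed_secret_names(os.environ).items():
        print(f"{category}: {', '.join(names)}")
```

Run it inside the same container or virtual environment as the Langflow service, since that is the environment an attacker with code execution would inherit.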
The report follows Sysdig’s earlier research on an AI agent that executed a cyberattack exploiting a vulnerability in a publicly exposed Marimo notebook. The attackers were able to search the compromised system for credentials, including cloud access keys, database credentials, and other data that could potentially allow them to access other systems.