HomeEverythingEducation
Equities & FundsCrypto & Digital AssetsAI & TechnologyBusiness & CorporateUS Politics & PolicyGeopolitics & Global RiskMacro, Rates & FXCommodities & EnergyEuropean Politics & MarketsAsia-PacificReal Estate & Property
← All Stories

AI-driven ransomware attack still required human setup

Created at 7 Jul · 12:30 AM1 source↑ Market-relevant
IN SHORT

Researchers clarified that the 'first' agentic ransomware attack, JadePuffer, still involved human oversight for victim selection, infrastructure setup, and credential acquisition, despite the AI agent handling technical execution.

✉Newsletter

PiQ Daily

Pick your topics. Get only what matters, on your cadence.

Key Numbers

1,300+configuration records encrypted
31 secondstime to fix failed login

Who's Involved

Sysdig
cloud security firm that documented the attack
Michael Clark
Sysdig's senior director of threat research
Geoff McDonald
Microsoft researcher who theorized about the AI model used
AI-driven ransomware attack still required human setup

↳ Why This Matters

The clarification highlights that while AI is advancing rapidly in cyberattacks, human oversight remains critical for initiating and directing such operations, posing a complex challenge for cybersecurity defenses.

Key facts

  • Researchers identified an "agentic ransomware" operation named JadePuffer.
  • An AI agent handled the technical execution of the ransomware attack from start to finish.
  • A human was responsible for setting up the operation, selecting the victim, and acquiring initial credentials.
  • The AI agent exploited known vulnerabilities to move through the target network and encrypt files.
  • The agent wrote its own ransom note and demonstrated rapid problem-solving capabilities.

Researchers have clarified that the first documented case of "agentic ransomware," dubbed JadePuffer, still required significant human involvement, despite initial reports suggesting an AI agent handled the entire operation autonomously. The AI agent successfully infiltrated a vulnerable server, navigated the target's network, encrypted files, and even generated its own ransom note, adapting to obstacles encountered during the attack.

However, Michael Clark, senior director of threat research at cloud security firm Sysdig, explained that a human operator was crucial in setting up the operation, provisioning the command-and-control and staging servers, and selecting the victim. Furthermore, the credentials used to breach the victim's database were not harvested by the AI but were obtained separately through a prior compromise.

The technical execution involved exploiting a known bug in Langflow, an open-source tool for building LLM applications, and a flaw in a production MySQL server to gain administrative access. The agent encrypted over 1,300 configuration records and left a ransom note with a Bitcoin address for payment. The speed of its operations was notable, with the agent fixing a failed login in just 31 seconds and documenting its actions in natural-language code comments.

Initial confusion arose from the discovery of API keys for multiple AI models, including OpenAI, Anthropic, DeepSeek, and Gemini, among the stolen data. Clark clarified that these keys were simply part of the loot considered valuable by the attacker and did not indicate that multiple models were actively powering different stages of the intrusion. Sysdig was unable to identify the specific model driving the agent or its system prompt.

Microsoft researcher Geoff McDonald suggested that an open-weight model with stripped safety training might have been used, based on his red-teaming experience. He also warned that ransomware campaigns could soon be limited by attacker budget rather than human effort, potentially leading to a surge in simultaneous campaigns. Clark anticipates that the low cost of running such agents will lead to more widespread use, even if current operations still require human bottlenecks like victim selection and credential acquisition.

Frequently asked questions

Agentic ransomware refers to an extortion operation where an AI agent handles the technical execution of a cyberattack from start to finish, including breaking into a network, encrypting files, and leaving a ransom note.

No, while an AI agent handled the technical execution, a human was involved in setting up the operation, provisioning infrastructure, and choosing the victim and initial credentials.

The attack exploited a known bug in Langflow, an open-source tool for building LLM apps, and a separate flaw to gain administrative access to a production MySQL server.

The speed and transparency of the AI agent's actions were notable, including its ability to fix a failed login in 31 seconds and document its reasoning in natural-language code comments.

What Happens Next

01Sysdig expects the use of AI agents in ransomware attacks to increase.
02Researchers will continue to monitor for similar agentic ransomware operations.

Get the newsletter.

Pick the topics you actually care about. We'll email when there's news worth your time, on the cadence you choose. Cancel any time from your account.

Cadence

How It Developed

Researchers documented an extortion operation dubbed JadePuffer, described as agentic ransomware.
The AI agent reportedly handled technical execution, including network traversal and file encryption.
A human was involved in setting up the operation, provisioning infrastructure, and choosing a victim.
Credentials used for initial access were obtained separately, not by the AI agent.
The agent exploited known flaws in Langflow and a MySQL server to gain access.
The AI agent wrote its own ransom note and fixed a failed login within 31 seconds.
API keys for multiple AI models were stolen by the agent but did not necessarily power the attack.
The specific AI model driving the agent could not be identified.

Sources

T1
The ‘first’ AI-run ransomware attack still needed a humanTechCrunch

Related Stories

Small businesses budget for AI's unexpected costs and errors
6 Jul · 9:25 AM
US Cyber Agency Uses Anthropic's Mythos AI to Audit Government Code
6 Jul · 8:12 PM
Reddit uses LLMs to combat AI-generated spam
6 Jul · 3:55 PM
Central bankers warn of AI risks to financial stability
6 Jul · 3:40 AM
Scotland Considers Datacentre Moratorium, Challenging UK AI Strategy
6 Jul · 7:10 AM