AI agent executes first complete ransomware attack.

AI agent executes first complete ransomware attack.

      Ransomware has traditionally required a skilled human operator at some point in the process. However, security company Sysdig claims this has changed. They have documented what they refer to as the first ransomware attack completely executed by an AI agent, without any human involvement.

      The researchers identified the attacker as JADEPUFFER, asserting that a large language model was responsible for conducting the entire operation. It infiltrated the system, stole credentials, moved deeper into the network, installed a backdoor, and subsequently encrypted and destroyed the production database of a company. Sysdig’s Threat Research Team provided a comprehensive analysis of the incident.

      JADEPUFFER exploited a year-old, previously patched vulnerability in Langflow, an open-source tool for creating AI applications, that allowed it to run code on the server. Many Langflow instances are still exposed online, and they often store API keys and cloud credentials for linked services, making them vulnerable initial targets.

      Once it gained access, the agent acted swiftly. It scanned the host for sensitive information such as AI provider keys, cloud logins, cryptocurrency wallets, and database passwords, even targeting a storage server still using its default factory password.

      The agent established a means for re-entry, communicating with the attacker's server every thirty minutes. It then targeted a separate database server, successfully logging in as root, although Sysdig could not determine the source of those root credentials.

      From there, it took control of the server’s configuration system by exploiting a 2021 vulnerability and a default signing key that had never been altered. It created its own admin account, encrypted 1,342 settings, erased the original data, and left a ransom note demanding payment in Bitcoin.

      In a cruel twist, the agent generated a random encryption key, displayed it on the screen once, and neither saved nor transmitted it. Consequently, there is no key to provide, meaning that even if the victim pays, nothing is returned.

      The agent continued its attack by deleting entire databases. It claimed in a comment within its own code that it had already copied the data elsewhere, but Sysdig could find no evidence of this.

      How do the researchers confirm that a machine was controlling the operation? The code itself revealed this. The payloads contained plain-English comments detailing each step, something a human hacker typically does not include but a model naturally produces.

      The agent also corrected its own errors with machine-like speed. According to Michael Clark, director of threat research at Sysdig, it managed to resolve a failed login and implement a correct, multi-step solution in just 31 seconds. Sysdig recorded over 600 distinct, deliberate actions.

      The individual steps taken were neither clever nor innovative. The main point is that a model coordinated them into a complete attack autonomously. "The skill ceiling for executing ransomware has reduced to whatever cost it takes to operate an agent,” Clark stated.

      Deploying that agent using stolen credentials makes the overall cost nearly negligible. This same automation logic is currently transforming various areas, from coding assistants to a surge of AI-generated malicious browser code and new banking trojan operations.

      There is a small silver lining. Because the agent articulates its purpose, defenders receive a signal that has never been available before. This has sparked a wave of startups dedicated to securing AI agents and efforts to turn AI against attackers, enabling detection when the actual user of an account does not match their claims.

      The solutions to these issues may sound familiar: patch the vulnerabilities, avoid exposing administrative systems, and keep cloud keys away from publicly accessible machines. Sysdig regards JADEPUFFER as a cautionary indicator rather than a full-blown crisis but anticipates an increase in such incidents as agent-based tools evolve.

Other articles

AI agent executes first complete ransomware attack.

Sysdig reported that it detected the first ransomware attack carried out entirely by an AI agent. The agent infiltrated the system, erased a database, and left a ransom that the victim is unable to pay.