A security firm has spotted what it claims is the first documented case of a ransomware operation run entirely by a large language model.
The Sysdig Threat Research Team said the operator, dubbed JadePuffer, is the first agentic threat actor, describing it as using a known flaw in AI app builder Langflow to gain access to credentials and other key data.
Thereafter, researchers noted it took over a production database and encrypted it for extortion purposes.
“JadePuffer is a warning sign,” Michael Clark, Sysdig’s director of threat research, said in a blog post.
“It’s a marker of where extortion tradecraft is heading. An autonomous agent reasoned about its targets, harvested and reused credentials, moved laterally, established persistence, and destroyed a database, narrating its own intent the entire way.”
Clark has clarified that though the attack operation was run by an AI, the attack was still organized by a human who set up the infrastructure, found the initial credentials to break in, and chose a victim. But the rest of the attack was managed by the LLM itself.
Alarming attack
Clark noted that JadePuffer’s payloads were “self narrating”, containing detailed notes that a human wouldn’t bother to write but an LLM generates innately about why each step was taken, including prioritization of targets. That narration data could prove useful for security teams looking to defend against such attacks, Clark added.
“The operation also adapted in real time, retrying failed steps within refined parameters,” Clark added. “In one sequence, it went from a failed login to a working fix in 31 seconds.”
That is perhaps the most alarming aspect of the incident, according to Roey Eliyahu, CEO and co-founder of Salt Security.
“A human attacker who fails an initial payload waits, reassesses, consults, and tries again on a different timeline,” Eliyahu said. “An agent that fails a payload corrects and retries in under a minute. That compression of the attack cycle means the window between first detection signal and material damage is now measured in seconds, not hours.”
The JadePuffer system even wrote a ransom note complete with Bitcoin address and Proton email contact, Clark noted, though the former appears to be a wallet address frequently used as an example in explainer text online.
That’s either a coincidence, said Clark, or a hallucination by the LLM due to the frequency of that address online, and therefore used in training data.
Clark also noted that the encryption key was generated and essentially random, so the victim would not be able to decrypt — even if they paid the ransom. The victim organization wasn’t disclosed.
Warning about the future of security
While JadePuffer is just one incident, it shows that AI can help automate old vulnerabilities and that ransomware no longer requires skills to pull off an attack, according to Sally Vincent, senior threat research engineer at Exabeam.
“While the attack relied on known, older vulnerabilities rather than new exploits, it demonstrates how AI can automate and accelerate the exploitation of unpatched systems,” Vincent said. “It also serves as a reminder that patching known vulnerabilities remains important, since AI can make exploiting them faster and more efficient.”
While Clark stressed that none of the attack techniques were novel or sophisticated, JadePuffer is interesting because it was strung together into a complete ransomware operation by an AI model.
“The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero,” he commented.
That means security professionals should expect to see more like this, as well as a higher volume of attacks, and should proactively protect “exposed application servers, unhardened configuration stores, and internet-facing database admin accounts,” Clark added.
Salt Security’s Eliyahu added: “The question every security team should be asking after this report is: what is holding credentials in our AI-adjacent infrastructure, and what can those credentials reach?”
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
