Sysdig has documented what it believes is the first known case of agentic ransomware, in which a large language model (LLM) autonomously executed a complete extortion campaign from initial access to database destruction, signaling a new stage in AI-driven cyber threats that could significantly lower the technical barriers for ransomware operations.
AI may be reshaping ransomware faster than many security teams anticipated. According to new research from Sysdig, the cybersecurity company has identified what it describes as the first documented case of an AI agent executing an end-to-end ransomware operation, a development that could fundamentally alter how cybercriminals launch extortion campaigns.
The attack, named JADEPUFFER by the Sysdig Threat Research Team (TRT), illustrates how a LLM can independently perform reconnaissance, harvest credentials, move laterally across systems, establish persistence, compromise production infrastructure and execute database extortion without continuous human intervention.
“JADEPUFFER is a warning sign. It is a marker of where extortion tradecraft is heading,” says Michael Clark, Director of Threat Research, Sysdig.
Unlike previous ransomware campaigns that relied on highly skilled operators or manually developed attack scripts, JADEPUFFER demonstrated an ability to reason through problems, adjust its actions after encountering errors, and complete a coordinated attack sequence autonomously. According to Sysdig, the significance lies less in the techniques employed than in the AI agent’s ability to orchestrate them as a complete operation.
Clark says the attack relied largely on known vulnerabilities and established offensive techniques rather than sophisticated exploits. However, by combining those techniques into an adaptive workflow, the AI agent substantially reduced the expertise traditionally required to conduct ransomware campaigns.
“The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero,” says Clark.
From Initial Access to Automated Extortion
According to Sysdig research, the operation began by exploiting CVE-2025-3248, a missing-authentication vulnerability affecting Langflow, an open-source framework used to develop LLM-powered applications and AI workflows.
After gaining access to an internet-facing Langflow instance, the agent immediately performed system reconnaissance while simultaneously searching for valuable credentials. The investigation found that it targeted API keys for AI providers, cloud credentials across multiple cloud platforms, cryptocurrency wallets, database credentials, and application configuration files. The compromised Langflow server then became a pivot point toward the attacker’s primary objective: a production database server running MySQL and Alibaba’s Nacos configuration platform.
Throughout the intrusion, Sysdig observed the AI agent carrying out tasks that traditionally require human decision-making. It scanned internal infrastructure, enumerated storage resources, extracted sensitive files, and installed persistence mechanisms while continuously adapting its behavior to changing conditions.
One example involved the enumeration of a MinIO object storage environment. After receiving an unexpected XML response instead of JSON, the agent immediately modified its parsing logic and continued the operation without interruption.
The most notable adaptive behavior appeared later in the attack when JADEPUFFER attempted to compromise the victim’s Nacos environment.
AI Demonstrates Autonomous Decision-Making
Sysdig says the AI agent repeatedly displayed what researchers describe as plan-act-observe-adjust behavior. After inserting a backdoor administrator account into the Nacos database, the login attempt failed. Rather than stopping or waiting for human guidance, the AI diagnosed the likely cause, rewrote its own code, deleted the faulty account and generated a corrected version before successfully authenticating.
The complete troubleshooting cycle took 31 seconds.
Researchers argue that this behavior represents one of the clearest indicators that the operation was driven by an autonomous AI agent rather than a human operator executing scripted commands. The payloads themselves also contained extensive natural-language explanations describing why each step was being performed, how targets were prioritized and what actions should follow. Sysdig notes that such internal reasoning resembles AI-generated code rather than conventional ransomware tooling.
Once administrative access had been established, JADEPUFFER encrypted 1,342 Nacos configuration items using MySQL encryption functions, deleted the original configuration tables and created a ransom table containing payment instructions, a Bitcoin address and a Proton Mail contact.
Sysdig says the encryption key was generated randomly, displayed temporarily and never stored or transmitted elsewhere, leaving victims unable to recover encrypted configurations even if a ransom were paid.
The agent subsequently escalated its destructive activity by dropping entire database schemas while documenting its own rationale inside the generated payloads. Overall, Sysdig analyzed more than 600 coordinated payloads executed throughout the campaign.
The company says four independent lines of evidence support its assessment that the attack was LLM-driven: self-narrating code, machine-speed error diagnosis and correction, demonstrated comprehension of natural-language context, and operational patterns that consistently reflected autonomous decision-making.
The findings suggest AI agents may soon automate many attack stages that previously depended on experienced ransomware operators.
“Ransomware [and destructive] attacks can now scale bounded primarily by attacker budget instead of being bounded by their human ability to operate campaigns themselves,” says Geoff McDonald, Principal Research Manager, Microsoft’s Defender for Endpoint team. There is now little stopping threat actors from operating thousands or tens of thousands of simultaneous campaigns.”
He adds that the industry may not yet be prepared for the pace at which these capabilities could evolve. “This is a transformative moment in cybersecurity that in my opinion the industry and world is not ready for, and I believe will have great negative outcomes as it accelerates over these next few months,” McDonald says.
For defenders, Sysdig argues that the emergence of agentic ransomware reinforces the importance of reducing exposed attack surfaces, patching internet-facing applications, securing AI infrastructure and limiting privileged credentials. The company also recommends runtime threat detection, stronger controls around AI orchestration platforms and preventing administrative services such as Nacos and database management interfaces from being directly accessible from the internet.