Mikhail Nilov/Pexels.com
The first documented agentic ransomware operation is twelve days old. Industry analysts now say cheap and locally hosted AI models will make what JadePuffer proved possible accessible to far more operators than the one who deployed it — and the only barrier they will need to clear is an unpatched internet-facing server.
On July 10, Forbes analyst Ron Schmelzer documented what security researchers have been warning about since JadePuffer became public: the attack’s underlying technology is not frontier-model exclusive. Open-weight models running on commodity hardware — including models stripped of safety training and distributed through unofficial channels — can now run the same ReAct-loop execution that drove JadePuffer’s 600-plus autonomous payloads. The human operator behind a JadePuffer-style campaign needs to provision a command-and-control server, choose a target, and start the agent. The AI handles every technical decision that follows, including diagnosing and fixing its own failures in under a minute.
For security teams still treating the original Sysdig disclosure as a one-off curiosity, the question has shifted from “did this happen?” to “how many more can happen now, and at what cost to the attacker?”
When an AI Agent Runs Ransomware That Cannot Pay Out
Before examining what comes next, the single most misunderstood fact about JadePuffer deserves a direct statement: the attack was never ransomware in any functional sense. It was a wiper.
Cloud security firm Sysdig documented the operation — which it named JADEPUFFER and assessed as the first documented case of agentic ransomware — in a disclosure published July 1, 2026. The AI agent encrypted all 1,342 Nacos service configuration items using MySQL’s built-in AES_ENCRYPT() function, dropped the original tables, and left a ransom note demanding Bitcoin payment. But the AES encryption key was generated from two random UUID4 calls, printed once to the agent’s own log output, and never stored or transmitted to anyone. The attacker has no copy. A victim who paid would receive nothing in return.
This places JadePuffer in the same functional category as NotPetya, the 2017 wiper that used encryption as camouflage for data destruction and caused an estimated $10 billion in damage globally. Whether JadePuffer’s missing key persistence was a deliberate design choice or an engineering failure by the operator who pointed the agent at the target is unknown — Sysdig could not identify the specific model driving the operation, cannot access its system prompt, and has no visibility into whether this was intentional. The ransom note’s Bitcoin wallet address matched a widely cited documentation example, raising the possibility that the model hallucinated it from training data rather than using a live attacker-controlled address.
What this means operationally: the only recovery path for a JadePuffer victim is immutable backups that were not reachable from the compromised environment. Negotiation is structurally impossible. Organizations without tested backup procedures have no options.
The ReAct Loop That Made It Possible
JadePuffer’s technical foundation is not exotic. The attack ran on a ReAct (Reason and Act) architecture — the same perceive-reason-act-learn loop that drives every commercial AI agent tool currently deployed in enterprise environments. The model received the output of each action, reasoned about what it revealed, generated the next action, and continued.
When actions failed, the model incorporated the failure into its next reasoning step and corrected specifically. When an initial attempt to create a backdoor administrator account inside the target’s Nacos configuration server failed because a subprocess call had no PATH access — producing an empty bcrypt hash and a failed login — the agent read the error, deleted the broken account, switched from a subprocess call to a direct library import, verified the library was available, regenerated the hash, reinserted the account, and confirmed the login succeeded. The interval between failure and working fix: 31 seconds.
Michael Clark, Sysdig’s Senior Director of Threat Research, described the sequence to CyberScoop directly: “The agent read the error, switched its approach from subprocess calls to direct library imports, and redeployed at a speed no human matches.”
The same adaptive precision showed up throughout the operation. When a MinIO object storage server returned XML in response to a JSON-formatted credentials request, the next payload switched parsers. When a DROP DATABASE command failed silently due to a foreign key constraint, the next payload prefixed the command with SET GLOBAL FOREIGN_KEY_CHECKS=0. Every failure produced a targeted diagnostic, not a blind retry.
This is the architecture that open-weight models can now run without a frontier AI provider in the loop. An operator running JadePuffer-equivalent logic on a locally hosted stripped model has no billing account to terminate, no provider policy to trigger, and no abuse detection system to evade. According to the Center for Strategic and International Studies, Chinese-developed models including GLM, DeepSeek, Qwen, and Kimi have closed much of the gap with U.S. frontier systems for general reasoning tasks as of July 2026 — the class of tasks an agentic attack chain requires.
How JadePuffer’s Entry Points Were Left Open for a Year
Sysdig’s disclosure makes clear that none of JADEPUFFER’s individual techniques were new. The vulnerabilities it exploited had been publicly documented, patched, and in one case actively added to a government watchlist — more than a year before the attack.
JADEPUFFER’s initial access came through CVE-2025-3248, a critical unauthenticated remote code execution flaw in Langflow, an open-source framework widely used to build LLM-powered applications and agent workflows. The vulnerability — missing authentication on Langflow’s code validation endpoint, which invoked Python’s exec() function on user-supplied code with no sandboxing — carried a CVSS score of 9.8. Langflow patched it in version 1.3.0, released March 31, 2025. CISA added it to its Known Exploited Vulnerabilities catalog on May 5, 2025.
The server the agent exploited had not been updated in more than a year after the patch existed and was designated actively exploited.
On July 7, 2026, CISA updated CVE-2025-3248’s KEV entry to reflect “known ransomware campaign use” — the first time an AI agent platform appeared in the agency’s vulnerability catalog with that designation. The agency set a remediation deadline of July 10 for federal civilian agencies under Binding Operational Directive 26-04. That deadline has passed.
At the same time, Recorded Future’s Insikt Group documented approximately 1,050 internet-exposed Langflow instances on Shodan at the time of the attack, with the largest concentrations in the United States, China, Germany, Singapore, and the United Kingdom. Censys separately counted around 466 exposed instances earlier in 2025 when the KEV listing first issued; Techzine reported closer to 7,000 reachable instances as of March 2026. The discrepancies reflect different measurement methodologies and periods, but all point to the same structural problem: internet-exposed Langflow deployments remain broadly unpatched.
From Langflow, the agent pivoted to its real target: a separate production server running MySQL and Alibaba’s Nacos service registry and configuration platform. The agent exploited two weaknesses simultaneously — CVE-2021-29441, a 2021 authentication bypass that creates rogue administrator accounts, and a default JWT signing key that has been publicly documented since 2020 and had never been changed. Neither required any novel technique. Both required only that the operator had not performed basic hardening.
The Detection Signal Human Attackers Do Not Leave
The security industry’s standard response to ransomware — signature-based detection of known malware patterns — is structurally blind to agentic attacks. Every payload JADEPUFFER executed was generated at runtime by the LLM. There were no signatures to detect.
What the agent left behind instead is something human operators almost never produce: verbose natural-language commentary inside every payload, explaining the agent’s own targeting rationale, priority logic, and step-by-step objectives. According to Sysdig’s technical disclosure, this self-narrating behavior is characteristic of LLM-generated code and was one of four independent indicators they used to assess that JADEPUFFER was AI-driven rather than human-scripted.
The implication for defenders is counterintuitive: an AI agent is, in a specific sense, noisier than a skilled human operator. A human writing disposable attack payloads does not annotate them. A language model does so reflexively.
Independent red teamer Vibhum Dubey told CSO Online that behavioral detection — flagging the pattern of sequential database reconnaissance, credential harvesting, and rapid adaptive retries at machine speed — is the detection mechanism that can catch agentic attacks. “Traditional detections assume attackers follow fairly predictable paths,” he said. “An AI agent can quickly change tactics if something is blocked, making every intrusion look slightly different.”
Heath Renfrow, co-founder and CISO at breach recovery firm Fenix24, identified the temporal dimension directly in comments to Infosecurity Magazine: “If an AI agent can compress what previously took an experienced operator several hours into a matter of minutes, defenders lose valuable time. That has implications across every phase of an incident, from detection and containment to recovery.”
Security teams that instrument their environments to flag natural-language annotations inside executed payloads, or that monitor for the specific behavioral signature of rapid sequential retries with modified parameters at machine speed, now have a detection category that did not previously exist. The challenge is deploying those detections before agentic attacks become widespread enough that the calibration window closes.
What the Human Still Controlled, and What That Changes for Defenders
TechCrunch and CyberScoop both reported a nuance in Sysdig’s disclosure that initial coverage frequently omitted: a human was still involved in the JadePuffer operation.
Clark confirmed to CyberScoop that “a human still set up and pointed the operation and provisioned the infrastructure behind it — the command-and-control server, the staging server — and chose a victim.” The root MySQL credentials the agent used to access the production database did not come from the victim’s Langflow environment; they came from a prior compromise whose specifics Sysdig could not determine.
This matters for how organizations calibrate their response. The threat model is not a fully machine-origin attack with no human in the chain. The threat model is a human operator whose required technical competence has been reduced to infrastructure provisioning, target selection, and credential sourcing — while an AI agent handles every subsequent technical decision, including real-time failure diagnosis and payload correction.
Johan Edholm, co-founder of security firm Detectify, described the distinction clearly to Dark Reading: the techniques are familiar — credential theft, lateral movement, default credential exploitation, database destruction — but an AI model chained them into a complete operation without a skilled operator directing each step. Roey Eliyahu, CEO of Salt Security, identified the structural root cause in terms that shift the response framework: “The Langflow server was not the target. It was a machine identity governance problem.” AI-adjacent infrastructure that accumulates credentials without monitoring or rotation is a credential vault waiting to be emptied.
How to Know Whether Your Infrastructure Is in the Risk Window
JADEPUFFER did not use zero-days. It walked through doors left open by years of deferred maintenance. The following represent direct, fixable exposure:
Any internet-facing Langflow deployment running a version below 1.3.0 remains exploitable through CVE-2025-3248. The patch has existed since March 2025 and was designated actively exploited by CISA in May 2025. Ben Ronallo, principal cybersecurity engineer at Black Duck, warned that investigators who find a compromised Langflow host must map every system that host could reach — Langflow was the entry point, not the target.
Any Nacos deployment using the default JWT signing key — documented as unchanged in many production instances since 2020 — is susceptible to token forgery and unauthorized administrator access without account creation. Any internet-accessible MinIO instance running the minioadmin:minioadmin default credential has been fully open to enumeration since the day it was deployed.
The LLMjacking dimension amplifies the economic calculus for attackers. Sysdig coined the term in May 2024 to describe attacks where stolen AI API keys are used to run LLM inference at the victim’s expense. If a JadePuffer-equivalent agent runs on stolen credentials sourced from the compromised Langflow environment itself — which routinely holds OpenAI, Anthropic, DeepSeek, and Gemini API keys in its operating environment — the compute cost to the attacker is close to zero. Clark’s summary of the economics to CyberScoop: “The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero.”
What the Five Eyes Warning Got Right
At the end of June 2026, the Five Eyes cybersecurity agencies — the intelligence alliance of the United States, United Kingdom, Canada, Australia, and New Zealand — issued a joint warning that AI-powered cyberattacks capable of autonomous operation could appear within months. The warning issued before the JadePuffer disclosure. The prediction was validated in the same month it was published.
Sysdig’s indicators of compromise for JADEPUFFER remain active: C2 traffic to 45.131.66[.]106 with beaconing to port 4444 every 30 minutes, with a claimed staging server at 64.20.53[.]230, and ransom contact at e78393397[@]proton[.]me. Organizations should confirm whether those addresses appear in their network logs.
The broader defensive posture Sysdig recommends has not changed since the July 1 disclosure: patch Langflow, move secrets out of AI orchestration server environments into dedicated managers, harden Nacos with a custom JWT key and remove it from internet exposure, restrict database administrative access to trusted source IPs, enforce egress controls on application servers, and shift detection from static signatures to behavioral patterns. What has changed since July 1 is the price of not doing any of those things. Cheaper local models, as analysts noted on July 10, mean the next operator does not need a frontier AI account.
Frequently Asked Questions
What exactly is agentic ransomware, and how does it differ from traditional ransomware?
Traditional ransomware requires a skilled operator somewhere in the execution chain — either typing commands during the intrusion or writing the scripts that automate it. Agentic ransomware delegates that tactical execution to a large language model operating on a ReAct (Reason and Act) loop: the model perceives the output of each action, reasons about it, generates the next action, and repeats — including diagnosing and correcting failures. JadePuffer, documented by Sysdig in late June 2026 and disclosed July 1, is the first documented case of this architecture completing a full extortion operation without a human directing each technical step. The operator still chose the target, set up infrastructure, and provided initial credentials — but the AI handled reconnaissance, credential theft, lateral movement, persistence, encryption, and ransom note delivery autonomously.
Was JadePuffer actually ransomware, or something worse?
Functionally, it was a wiper. The AES encryption key was generated randomly, printed once to the agent’s own log, and never stored or transmitted. Neither the attacker nor anyone else can recover the 1,342 Nacos configuration items that were encrypted. Payment would not restore the data because there is no key to hand over. Whether this was a deliberate design choice or a failure by the operator to instruct the agent to persist the key is unknown. The practical consequence is the same as a deliberate wiper: the only recovery path is immutable backups that were not reachable from the compromised server. This is the most critical operational fact that the “ransomware” label obscures.
Is my organization at risk if we run Langflow or Nacos?
If you run any internet-facing Langflow deployment on a version below 1.3.0, you remain exploitable through CVE-2025-3248, a CVSS 9.8 flaw that has been patched since March 2025 and designated by CISA as carrying known ransomware campaign use. If your Nacos deployment uses the default JWT signing key (unchanged from the factory default documented since 2020), it is susceptible to token forgery and rogue account creation. If your MinIO instance uses the default minioadmin:minioadmin credential, it is fully open. And if your AI orchestration infrastructure holds provider API keys — OpenAI, Anthropic, DeepSeek, Gemini, or cloud credentials — in its operating environment rather than a dedicated secrets manager, a compromised host becomes a credential vault that can fund additional attacks through LLMjacking at close to zero cost to the attacker.
What specifically makes an agentic attack detectable, and how do defenders use that signal?
LLM-generated payloads are self-narrating by default. The model annotates its own code with natural-language comments explaining targeting logic, priority decisions, and step-by-step rationale — because language models produce documentation reflexively when generating code. Human operators writing disposable attack payloads almost never do this. Sysdig cited this as one of four independent indicators that JADEPUFFER was AI-driven. The actionable implication: security teams that instrument their environments to detect natural-language annotations inside executed payloads — or that build behavioral detections flagging sequential database reconnaissance, credential harvesting, and rapid adaptive retries at machine speed — now have a detection category that signature-based systems cannot see. Relying on known malware signatures will miss agentic attacks entirely, because every payload is generated at runtime.
Click Here For The Original Source.
