The First Ransomware Attack Run From Start To Finish By An AI Agent | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware


In one logged sequence, an intruder went from a failed login to a working fix in thirty-one seconds. No human types that fast, and in this case no human was typing. On July 1, the security firm Sysdig published an analysis of a campaign it calls JADEPUFFER, which it assesses as the first ransomware operation run end to end by an autonomous AI agent, with no person driving the keyboard.

The agent handled the whole intrusion itself. It broke into an internet-facing server through a known 2025 vulnerability, worked its way across the network, and encrypted 1,342 configuration items before deleting the originals and leaving a ransom note. It adapted as it went, retrying failed steps within refined parameters. The giveaway was in the code: the payloads carried natural-language comments explaining their own objectives, the self-documenting style characteristic of a large language model rather than a human writing malware.

The attack itself was ordinary. It used a year-old bug and techniques any competent intruder already knows. What was new is that a machine ran the entire thing on its own, which means the cost and the time it takes to run an attack just fell toward zero. When the price of doing something collapses, the volume of it explodes, and that is the real news in JADEPUFFER.

The New Economics Of AI-Powered Crime

This pattern is familiar to anyone who has followed how the firm reads the AI economy. When the cost of an action falls toward zero, you do not get less of it. You get vastly more of it, pushed into places it never reached before. The whole point of driving the price of AI tokens down is to get intelligence embedded into every product the way cheap semiconductors ended up inside everything, from cars to doorbells.

The same logic runs in reverse on the offense side. If an agent can plan, execute, and adapt an attack, a criminal needs fewer people and less expertise to launch one, which widens the field of who can. A human crew can run a handful of intrusions at a time, limited by how many skilled operators it can afford. An agent can run thousands in parallel, at machine speed, for the price of inference. That reaches well beyond large enterprises with security teams, pulling banks, hospitals, manufacturers, software vendors, and smaller businesses that were never worth a skilled attacker’s time into range. The threat is not a smarter hacker. It is an ordinary attack that now runs at nearly unlimited scale for almost nothing.

Why Human-Speed Defense Loses

Go back to the thirty-one seconds. A security operations center staffed by human analysts, working an alert queue one item at a time, was built for adversaries that move at human speed. It is a reasonable design against a person, who has to think, type, and rest. It is a losing design against a process that acts in seconds, runs in parallel, and never stops.

That is the structural problem JADEPUFFER exposes, well before it is a problem any single company has solved. The defensive model most enterprises still run assumes a human on the other side. Once the other side is an agent, the arithmetic stops working, because no team of analysts can triage faster than an adversary can act. What follows is an arms race in which both sides run on AI, and the only thing that operates at the speed and scale of an autonomous attacker is an autonomous defender.

What Investors Should Watch Next

This is where the story stops being about malware and starts being about which businesses the shift favors. Cybersecurity was already one of the sturdier lines in the enterprise budget, and it is not a discretionary one when the threat is getting more automated. In the Conference Board’s second-quarter CEO survey, nearly two-thirds of chief executives called cybersecurity a high-impact risk for their industry, up from the prior quarter. When the threat environment gets worse, buyers upgrade faster and spend with more urgency.

The sharper point is where inside that budget the money goes. An autonomous attacker rewards the defenders that already run autonomous defense, what the industry has started calling the agentic SOC, where software triages and responds to threats at the speed the threats now move. Our two favorites in security sit there. CrowdStrike’s Charlotte AI is designed to do exactly what a human analyst can no longer keep pace with: triage detections, investigate them, and respond with what the company calls bounded autonomy, acting on its own inside limits the security team sets. CrowdStrike reports Charlotte AI cutting manual investigation work by around 70 percent and reaching greater than 98 percent decision accuracy, and in the quarter it reported June 3 it added a record $255.8 million in net new annual recurring revenue, up 32 percent, taking ending ARR to $5.51 billion. Palo Alto Networks is building toward the same posture across its platform.

After the Vercel breach this spring, the lesson was that in enterprise AI, trust is the thing customers end up paying for. JADEPUFFER moves the axis one step further, from who you trust to how fast you can answer. The security budget is shifting away from paying skilled analysts to run the response and toward paying for a system that can run it at the speed of the attack.

The instinct with a story like this is to file it as a security scare and move on. The sharper read follows the structure. Cybersecurity spending stays sturdy because the threat keeps getting worse, and this particular shift tilts the advantage toward the narrow set of platforms built to fight at machine speed rather than every vendor with a security label. That is why the firm’s attention in the space stays on CrowdStrike and Palo Alto Networks.

Three things are worth watching from here. Whether other researchers document more autonomous campaigns in the coming months, which would confirm JADEPUFFER as a pattern rather than a novelty. Whether the shift toward agentic defense shows up in the numbers, in metrics like net new ARR and the adoption of autonomous tiers such as Charlotte AI. And whether the rest of the security industry can ship genuine machine-speed autonomy, or only reprice human-speed tools with an AI label on the box.

This is the first cyberattack a machine ran from start to finish on its own. It marks the point where security itself starts moving to machine speed, and the advantage shifts to the defenders that can operate there.

——————————————————–


Click Here For The Original Source.

.........................

National Cyber Security

FREE
VIEW