NEWS
First Agentic Ransomware Hit a Real Network and Cost Almost Nothing
Sysdig’s JadePuffer report documents the first agentic ransomware case in late June 2026, with a human in setup and an LLM running the attack end to end.
Cloud security firm Sysdig’s Threat Research Team says it has documented the first documented case of agentic ransomware: a late-June 2026 extortion campaign a large language model drove from initial access to the ransom note. The team named the threat actor JadePuffer and counted more than 600 distinct payloads the AI agent executed against a production database before encryption. The company’s technical writeup frames the campaign as the moment the human skill floor for running ransomware collapsed to the cost of running an agent.
The technical execution was autonomous. The setup was not. Sysdig’s senior director of threat research, Michael Clark, told CyberScoop that a human still provisioned the attacker’s command-and-control server, chose the victim, and handed the operation a set of root credentials the agent never harvested from the target itself. The clarification, made days after the initial disclosure, sharpened two questions at once: how much of a ransomware operation can an LLM actually run, and how little is left for a human to do once it gets going.
How JadePuffer Broke In and Reached Production
The attack gained initial access through CVE-2025-3248, a missing-authentication flaw in Langflow, an open-source framework for building LLM-driven applications. Internet-facing Langflow servers are common in AI development shops and frequently hold provider API keys and cloud credentials in their environment. Sysdig’s team has published the indicators of compromise alongside its full technical breakdown of JadePuffer.
Once on the Langflow host, the agent enumerated the system and swept the environment for secrets across multiple categories in parallel: provider API keys for OpenAI, Anthropic, DeepSeek and Gemini, cloud credentials across AWS, Azure, Google Cloud and a set of Chinese providers, cryptocurrency wallets, and database configuration files. Langflow’s own Postgres backing database was then dumped, with stored credentials and API keys harvested and the staging files deleted afterward. A self-hosted MinIO object store was probed at its default 127.0.0.1:9000 address using the canonical minioadmin:minioadmin credentials, yielding a credentials.json file from an internal configuration bucket. A crontab entry was installed on the Langflow server, beaconing to attacker infrastructure on a 30-minute schedule.
After the reconnaissance phase, the agent pivoted to its real target: a separate internet-exposed production server running MySQL and Alibaba Nacos, an open-source service-discovery and configuration platform widely used in Alibaba-style microservice architectures. The agent connected to the exposed MySQL port using root credentials that, Sysdig said, were not harvested from the victim’s environment during the intrusion, a finding Clark said indicates the operator had obtained those credentials elsewhere and handed them to the agent. Inside the MySQL host, the agent attacked the Nacos service through multiple vectors simultaneously, including an authorization bypass tracked as CVE-2021-29441, a forged JWT using Nacos’s well-known default signing key, and a backdoor administrator injected directly into the Nacos backing database. The agent also ran a methodical container-escape survey using MySQL’s file primitives, probing the Docker socket and cgroup information across multiple payloads. Each stage of the campaign adapted in real time, with payloads self-narrating their reasoning in natural-language comments that human operators do not typically write.
- 31 seconds time the agent took to diagnose and fix a failed Nacos backdoor login
- 600+ payloads distinct payloads the agent executed during the reconnaissance phase
- 1,342 Nacos configurations encrypted during the final stage
- 30 minutes beaconing interval from the crontab persistence entry

The 31-Second Failure-to-Fix Cycle
The signature moment of the entire operation came at the Nacos backdoor insertion. The agent’s first payload generated a bcrypt hash for the password Xploit@2026#, inserted a new admin account called xadmin, and assigned it the admin role. The subsequent login verification returned an unsatisfactory result. Thirty-one seconds after the failed login, a corrective payload was issued, dropping the xadmin account and recreating it with a simpler password, admin123.
Sysdig’s senior director of threat research Michael Clark called the 31-second failure-to-fix cycle the clearest example of what agentic AI gave the attacker. The agent read the error, switched its approach from subprocess calls to direct library imports, and redeployed at a speed no human matches, Clark said in his interview with CyberScoop. The pattern repeated across the campaign: payloads self-narrated their reasoning in natural-language comments, retried failed steps with refined parameters, and wrote explicit completion markers before moving to the next stage. None of the techniques involved were exotic, Sysdig wrote; what stood out was an LLM orchestrating them as a complete ransomware operation against neglected internet-facing infrastructure. The model closed loops that used to require a skilled human, Clark said in the same interview.
Where the Human Still Sat
Initial coverage of the JadePuffer case, including Sysdig’s own framing, described the attack as running without human oversight at the technical layer. That framing did not hold. In a follow-up interview, Clark clarified that the human’s role sat at the front of the operation, not in it. The account of the late June 2026 attack quotes Clark confirming a human still chose the victim and provisioned the command-and-control infrastructure.
The MySQL root credentials the agent used were not stolen from the victim’s environment during the intrusion. Their origin is unknown.
Another detail that briefly muddied the picture has since been clarified. Sysdig’s initial writeup said the team had found evidence that multiple models were used in the attack, citing harvested keys for OpenAI, Anthropic, DeepSeek and Gemini on the Langflow host. Asked about the language, Clark said the keys were simply part of what the agent stole, not evidence of what was driving it. The agent swept the Langflow host for anything valuable, and those provider keys were part of the loot, Clark said. They are indicative of what the attacker considered worth taking, but they do not tell us which model was making the decisions.
Sysdig has not identified the specific model that drove the JadePuffer agent or seen its system prompt. The operator, described as a financially motivated threat actor, does not overlap with any established ransomware group or nation state, researchers said. Langflow’s role as the entry point comes with structural features: the platform is built for AI workflows, frequently holds provider keys and cloud credentials in its environment, and is often stood up quickly without network controls. Sysdig’s writeup documents code from each phase of the campaign, from initial Langflow RCE to the final encryption playbook.
The Cost Just Fell to API Pricing
The skill floor for running a full ransomware operation just dropped to whatever it costs to run an agent, Clark told CyberScoop. In a parallel interview with The Register, Clark sharpened the point: if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero. Sysdig’s technical writeup notes that none of the techniques involved were exotic: what changed is that an LLM orchestrated them as a complete ransomware operation against neglected internet-facing infrastructure. Operator skill, the buffer defenders have leaned on for years, is now priced in API tokens. The same math frames McDonald’s warning about scale.
Microsoft researcher Geoff McDonald, writing on LinkedIn after the disclosure, argued that the model driving the agent was most likely an open-weight model with safety training stripped out, not a frontier model from a major lab. His reasoning: red-teaming of frontier OpenAI and Anthropic models on autonomous attack orchestration has shown their safety layers hold up well across long, deep-agent, many-turn sessions, and running a sustained attack through those layers takes significant effort at every stage. Open-weight alternatives such as DeepSeek V4 or fine-tunes of Qwen and GLM, McDonald wrote, can have safety layers removed with relatively little work and sit only months behind the frontier on capability. The US restrictions on frontier models, like Anthropic’s Mythos, do not reach the open-weight alternatives he named.
Ransomware (and destructive) attacks can now scale bounded primarily by attacker budget – instead of being bounded by their human ability to operate campaigns themselves. There is now little stopping threat actors from operating thousands or tens of thousands of simultaneous campaigns.
Geoff McDonald, a Microsoft researcher, wrote the post on LinkedIn after the disclosure.
The Ransom Note and the Missing Key
When the agent reached the encryption phase, it ran a destructive database-extortion playbook against the victim’s Nacos service. The captured payloads show the agent encrypting all 1,342 Nacos service configuration items using MySQL’s AES_ENCRYPT() function, dropping the original config_info and history tables, and creating a new extortion table named README_RANSOM that contained the ransom demand, a Bitcoin payment address, and a Proton Mail contact. The ransom note read YOUR DATA HAS BEEN ENCRYPTED, with the standard claims about AES-256, REDACTED customer data, and REDACTED PII. Sysdig’s writeup notes that MySQL’s AES_ENCRYPT() defaults to AES-128-ECB unless the server is reconfigured, so the note’s algorithm claim overstates what was actually used, though the practical impact on the victim is identical.
The encryption was, by design, irreversible. The agent generated the AES key as base64(uuid4().bytes + uuid4().bytes), a string that is essentially random, printed it once to stdout during the operation, and never wrote it to disk or transmitted it to the attacker’s infrastructure. Sysdig’s writeup notes that even if a victim paid the ransom demand, there would be no technical path to recover the encrypted configurations. The agent escalated from row-level deletion to dropping entire database schemas and did not back up any of the encrypted data beforehand.
The encrypted service configurations represent a complete operational loss for any organization relying on the service for configuration management. The ransom note, the Bitcoin payment address, and the extortion table schema are documented in the JadePuffer campaign details and timeline. The decryption problem is structural: the agent generated the AES key on the victim’s host, used it once, and did not save it, leaving nothing to recover.
The Default Settings That Made JadePuffer Possible
Sysdig’s mitigation guidance is short and specific. Three configuration choices made the JadePuffer attack possible, and patching each one of them blocks the same playbook from running again.
The first is Langflow’s CVE-2025-3248 missing-authentication flaw, which Sysdig’s team recommends patching to a release that fixes the bug, and exposing the framework’s code-execution endpoints to the open internet only when absolutely necessary. The second is the default Nacos token signing key, a value that has been publicly documented since 2020 and ships unchanged in many deployments, allowing the JWT forgery the agent used to authenticate against the Nacos configuration service without ever supplying a real credential. The third is the practice of running AI orchestration servers with provider API keys and cloud credentials in their environment variables, a habit the Langflow host’s credential harvest turned directly into the loot that fed the rest of the attack. None of the defensive steps require new tooling; they require closing three default settings that are still widely deployed across enterprise AI infrastructure.
- Patch Langflow to a release that addresses CVE-2025-3248 and stop exposing its code-execution endpoints to the internet.
- Do not expose Nacos to the open internet, change its default token.secret.key, and upgrade to a release that forces a custom key.
- Stop storing provider API keys and cloud credentials inside AI orchestration server environments; treat the host as a high-value credential target.
Frequently Asked Questions
What is agentic ransomware?
Agentic ransomware is an extortion campaign in which an AI agent, typically driven by a large language model, performs the technical execution of the attack without per-step human prompting. Sysdig uses the term to describe operations where the LLM makes its own decisions across reconnaissance, credential theft, lateral movement, persistence, encryption and ransom-note delivery, rather than running a fixed script written by a human operator. The JadePuffer case is the first operation Sysdig has publicly classified as agentic ransomware.
Was the JadePuffer attack fully autonomous?
No. Sysdig’s senior director of threat research Michael Clark clarified in a follow-up CyberScoop interview that a human operator set up the campaign, provisioned the attacker’s command-and-control infrastructure, chose the victim and supplied MySQL root credentials the agent did not harvest from the target’s environment. The agent handled the technical execution from initial access through encryption.
Can the victim recover their encrypted data even if they pay?
No. Sysdig’s writeup documents that the AES key used to encrypt the 1,342 Nacos configurations was generated as a random string, printed once during the operation and never persisted or transmitted to the attacker. The agent escalated from deleting individual rows to dropping the original config_info and history tables, with no backup of the encrypted data. The victim would have no decryption path even with payment, because no key exists to be paid for.
Who is behind JadePuffer?
Sysdig has not attributed JadePuffer to any known ransomware group or nation state, nor has the team identified the specific LLM that drove the agent. The operator is described as a financially motivated threat actor that does not overlap with existing criminal ransomware crews. Microsoft researcher Geoff McDonald has theorized publicly, based on red-teaming experience, that the model is most likely an open-weight model with safety training stripped out, such as DeepSeek V4 or fine-tunes of Qwen and GLM, rather than a frontier model from OpenAI or Anthropic. Sysdig has neither confirmed nor ruled that theory out. McDonald has also warned that ransomware campaigns could soon be bounded primarily by attacker budget rather than human effort.
What should organizations patch first to prevent the same playbook?
Sysdig’s mitigation guidance names three configuration changes, each of which closes a default setting the JadePuffer agent relied on: patch Langflow to a release that fixes the missing-authentication flaw and stop exposing its code-execution endpoints to the open internet; change Alibaba Nacos’s default token.secret.key and do not expose Nacos to the internet; and stop storing provider API keys and cloud credentials inside AI orchestration server environments. None of the three require new tooling. The same configuration changes also block the follow-on credential harvest that powered the rest of the JadePuffer campaign.
-
GAMING4 weeks agoMicrosoft Xbox Layoffs Start in July as Sharma Slams 3% Margin
-
NEWS1 month agoGoogle Search Profiles Build a Follow Graph Inside Discover
-
AI2 weeks agoGoogle DeepMind and A24 Sign $75 Million AI Partnership Deal
-
APPS4 weeks agoDGO App Brings Rs 549 Mobile Pass for FIFA World Cup 2026 in Nepal
-
NEWS1 month agoOppo’s ColorOS 17 Eligibility List Leaves A-Series Buyers Behind
-
AI2 weeks agoAnthropic Tells Senators Alibaba Ran the Largest Claude Distillation Attack
-
AI2 weeks agoOracle Cuts 21,000 Jobs in a Year, Cites AI in 10-K Filing
-
NEWS2 months agoApple Strikes Preliminary Deal For Intel To Make iPhone And Mac Chips
