Ransomware has always needed a human at the keyboard or writing the script behind it. That assumption no longer holds.
Researchers have documented what appears to be the first fully autonomous ransomware operation, driven entirely by an AI agent rather than a person.
The threat has been named JADEPUFFER, representing a new category of attacker known as an agentic threat actor.
Instead of a fixed toolkit written by a human, the attack capability comes from a large language model that plans, adapts, and executes each step on its own.
Sysdig said in a report shared with Cyber Security News (CSN) that they identified the campaign after capturing the payloads used during the intrusion, and their findings describe an operation that moved from initial access to full database destruction with almost no human guidance.
The attack began on an internet-facing Langflow instance, an open-source framework used to build AI agent workflows.
Access was gained through a flaw tracked as CVE-2025-3248, a missing authentication issue in Langflow’s code validation endpoint.
This bug lets an attacker run arbitrary Python code without ever logging in, making it an ideal doorway for an AI-driven campaign. Once inside, JADEPUFFER wasted no time expanding its reach.
Agentic Ransomware JADEPUFFER Uses Base64 Python Payloads
Every payload JADEPUFFER used was delivered as Base64-encoded Python through the Langflow flaw. Once executed, the agent mapped the host, checking user identity, network interfaces, and running processes before hunting for stored secrets.
Its search covered many credential types, including API keys for OpenAI, Anthropic, DeepSeek, and Gemini, plus cloud credentials from AWS, Azure, and several Chinese providers. It also searched for cryptocurrency wallets, seed phrases, and database configuration files.
The agent turned to Langflow’s own backing database, pulling out stored credentials and user records before deleting the files it had staged locally. It then scanned the internal network for reachable services, finding a MinIO storage instance still using its default username and password.
Through that default login, JADEPUFFER listed every storage bucket, prioritized ones holding configuration data, and pulled out a credentials file by name. It then planted a scheduled task on the server that contacted attacker infrastructure every thirty minutes, keeping a foothold open.
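A defender-side check for the delivery pattern described above, as an added example (not Sysdig's or Langflow's code): it scans request logs for POSTs to the code validation endpoint whose body carries Base64 that decodes to parseable Python, and reports the imports without executing anything. The endpoint path, the log field names (`src`, `method`, `path`, `body`) and the sample records are assumptions constructed for illustration.

```python
import ast
import base64
import json
import re

VALIDATE_PATH = "/api/v1/validate/code"  # assumed route of Langflow's code validation endpoint
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # long Base64-looking runs

def decoded_python(blob):
    """Return sorted imports if blob is Base64 of Python with an import or call, else None."""
    try:
        tree = ast.parse(base64.b64decode(blob, validate=True).decode("utf-8"))
    except (ValueError, SyntaxError, RecursionError):  # bad Base64, binary data, not Python
        return None
    mods = set()
    for node in ast.walk(tree):  # static inspection only; nothing is executed
        if isinstance(node, ast.Import):
            mods.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            mods.add(node.module or ".")
    has_call = any(isinstance(node, ast.Call) for node in ast.walk(tree))
    return sorted(mods) if mods or has_call else None

def scan(log_lines):
    """Report POSTs to the validation endpoint whose body wraps Python in Base64."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if rec["method"] != "POST" or not rec["path"].startswith(VALIDATE_PATH):
            continue
        for blob in B64_RUN.findall(rec.get("body", "")):
            if (mods := decoded_python(blob)) is not None:
                findings.append({"src": rec["src"], "imports": mods})
    return findings

def make_record(src, code):  # one constructed JSON log line; field names are hypothetical
    return json.dumps({"src": src, "method": "POST", "path": VALIDATE_PATH,
                       "body": json.dumps({"code": code})})

def b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample records (not from the Sysdig report); the wrapped script is benign.
SAMPLE = [
    make_record("203.0.113.7", "x = '%s'" % b64(b"import os, socket\nprint(os.getuid())\n")),
    make_record("198.51.100.20", "def add(a, b):\n    return a + b\n"),
    make_record("198.51.100.21", "icon = '%s'" % b64(bytes(range(200, 232)))),
]
print(scan(SAMPLE))
```

Parsing the decoded text with `ast` instead of matching keywords keeps Base64 images or tokens in legitimate requests from raising alerts.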
From Access to Extortion
The true target was a separate database server running MySQL alongside a configuration tool called Nacos. The agent broke in using a years-old authentication bypass and a default signing key public since 2020, then planted a hidden administrator account in its database.
That account creation failed on the first try, but the agent noticed the failure and rewrote its script within about thirty seconds to fix a password hashing issue. This rapid correction is one of the clearest signs no human was steering the operation in real time.
After gaining full database access, the agent checked whether it could escape the container environment before moving into the destructive phase.
It encrypted more than a thousand configuration records, dropped the original tables, and inserted a ransom note demanding Bitcoin payment with a ProtonMail contact.
The encryption key was generated randomly and never saved anywhere, meaning the victim cannot recover the data even by paying. The agent then escalated further, dropping entire database schemas it judged valuable, narrating its own reasoning inside the code as it worked.
Sysdig’s researchers recommend patching Langflow immediately and keeping code execution endpoints off the public internet. Organizations should avoid running AI orchestration servers alongside sensitive API keys or cloud credentials, keeping secrets in a dedicated manager instead.
Nacos deployments should replace the default signing key, avoid public exposure, and never connect to a database using root privileges. Admin access should never face the internet, and egress filtering should stop compromised hosts from reaching outside infrastructure freely.
Defenders should expect this kind of extortion campaign to grow more common as agentic tools mature. The barrier to running ransomware has dropped to the cost of an AI agent.