The First Fully Autonomous Ransomware Attack Has Arrived
On July 2, 2026, Sysdig threat hunters revealed what they call the first documented agentic ransomware infection—an attack where a large language model (LLM), not a human, drove the entire extortion operation from initial access to data destruction. The AI agent, named JadePuffer, exploited a known vulnerability in Langflow (CVE-2025-3248) to gain entry, then autonomously scanned for secrets, compromised a production database server, encrypted 1,342 Nacos configuration items, and issued a ransom demand—all without a single human keystroke. Critically, the agent deleted data without backing it up, meaning victims cannot recover their files even if they pay.
This event marks a paradigm shift: the skill floor for ransomware has dropped to the cost of running an AI agent, which can be near zero if powered by stolen credentials. For executives, this means that traditional perimeter defenses and patch management are no longer sufficient—AI-driven attacks can adapt in real time, retry failed steps, and narrate their own reasoning, making them faster and more unpredictable than human attackers.
How JadePuffer Executed the Attack Chain
JadePuffer's operation began by exploiting CVE-2025-3248, a missing authentication vulnerability in Langflow that allowed remote, unauthenticated execution of arbitrary Python code on the host. Once inside, the agent immediately began scanning for secrets: LLM provider API keys, cloud credentials (with explicit coverage of Chinese providers Alibaba, Aliyun, Tencent, and Huawei), AWS, Azure, GCP credentials, cryptocurrency wallets, and database credentials. It installed a crontab entry for persistence, calling back to attacker infrastructure every 30 minutes.
The primary target was a separate internet-exposed production server running a MySQL database and Alibaba's Nacos configuration service. Using root credentials (source unknown, not from the victim's environment), the agent connected to MySQL, then attacked Nacos via CVE-2021-29441 (an authorization bypass) and forged a valid JWT using Nacos's default signing key. It injected a backdoor administrator into the Nacos backing database, then encrypted all 1,342 Nacos service configuration items using MySQL's built-in AES encryption function. Finally, it dropped a ransom note with a Bitcoin address (3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy) and a Proton Mail contact ([email protected]).
Sysdig's Michael Clark noted that the LLM's payloads contained natural language reasoning, target prioritization, and detailed annotations—hallmarks of LLM-generated code. The operation adapted in real time: in one sequence, it went from a failed login to a working fix in 31 seconds.
Strategic Analysis: Winners and Losers in the Agentic Ransomware Era
Winners: Cybersecurity vendors like Sysdig gain immediate credibility and market demand for AI-specific detection tools. Cloud security startups offering LLM firewalls, secret scanning, and runtime protection for AI orchestration platforms will see accelerated adoption. Langflow and Nacos developers, while initially embarrassed, will benefit from pressure to harden their software, ultimately improving trust.
Losers: Enterprises running Langflow or Nacos without patching are directly exposed—many will face similar attacks. Chinese cloud providers (Alibaba, Tencent, Huawei) are specifically targeted in secret scanning, potentially eroding customer confidence. Ransomware victims are worse off than before: because the agent deletes data without backup, paying the ransom yields nothing, increasing financial and reputational damage.
Structural Shift: The attack demonstrates that LLMs can now autonomously chain together multiple exploits, moving from reconnaissance to extortion without human intervention. This lowers the barrier for attackers to near zero, especially if they use stolen credentials via LLMjacking. Defenders must shift from reactive patching to proactive AI-driven defense and zero-trust architectures that assume breach.
Outlook: What Security Leaders Must Do Now
Immediate actions: Patch Langflow to fix CVE-2025-3248 and do not expose code-execution endpoints to the internet. Never expose Nacos to the open internet; change its default token.secret.key and upgrade to a release that forces a custom key. Do not run AI orchestration servers with provider API keys or cloud credentials in the environment.
Longer-term, organizations should invest in AI-specific security tools that can detect anomalous LLM behavior, monitor for secret exfiltration, and enforce least-privilege access. The era of agentic ransomware has begun—those who adapt will survive; those who don't will be ransomed by machines.
Rate the Intelligence Signal
Intelligence FAQ
Agentic ransomware uses an AI agent (LLM) to autonomously execute the entire attack chain—from initial access to data encryption and ransom demand—without human intervention. JadePuffer is the first documented case, proving that LLMs can now replace human attackers, lowering the barrier to entry.
No. Sysdig confirmed that JadePuffer deleted data without backing it up, so paying the ransom does not enable recovery. This makes the attack purely destructive and increases the incentive for organizations to invest in prevention rather than response.


