Agentic Ransomware Registers First Major Hit

In one sequence, the LLM went from a failed login to a working fix in 31 seconds.

Agentic Ai Parradee Kietsirikul
istock.com/ParradeeKietsirikul

Article Summary

In one sequence, the LLM went from a failed login to a working fix in 31 seconds.

In new research released this afternoon, the Sysdig Threat Research Team (TRT) has captured what they assess to be the first documented case of agentic ransomware: a complete extortion operation driven end-to-end by a large language model (LLM).

This operator, dubbed JADEPUFFER, gained initial access to an internet-facing Langflow instance through CVE-2025-3248 and ran an adaptive and fully automated campaign, ultimately pivoting to the intended target and running a destructive database-extortion playbook against the victim's production database server. 

JADEPUFFER is considered an agentic threat actor (ATA), or an operator whose attack capability is delivered by an AI agent rather than a human-driven toolkit. 

The most striking characteristic, however, was the LLM's behavior. JADEPUFFER's own payloads were self-narrating. They contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don’t often write but LLM-generated code produces reflexively. The operation also adapted in real time, retrying failed steps within refined parameters. In one sequence, it went from a failed login to a working fix in 31 seconds. 

JADEPUFFER’s operation unfolded across two distinct targets: the internet-facing Langflow instance that provided initial access, and a separate production database server, which was JADEPUFFER’s true objective. The machine compromised during initial access was used in the compromise of the final target. All payloads were delivered as Base64-encoded Python through the Langflow RCE endpoint.

JADEPUFFER is a warning sign. It’s a marker of where extortion tradecraft is heading. An autonomous agent reasoned about its targets, harvested and reused credentials, moved laterally, established persistence, and destroyed a database, narrating its own intent the entire way. 

None of the individual techniques were novel or sophisticated. What is notable, however, is that an AI model strung them together into a complete ransomware operation against neglected internet-facing infrastructure. 

The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero. Defenders should expect the volume and breadth of such campaigns to rise as agentic tooling matures, and they should treat exposed application servers, unhardened configuration stores, and internet-facing database admin accounts as the first surfaces that will be attacked.

Not surprisingly, the industry has a lot to say about this latest evolution in AI threats.

Shane Barney, CISO at Keeper Security

"Thirty-one seconds. That is how long it took JADEPUFFER to diagnose a failed login, identify the root cause, rewrite the fix and successfully re-authenticate, all without human intervention. The Sysdig Threat Research Team's documentation of this operation is a concrete marker of where the threat landscape has moved, and the conclusion is less dramatic than the predictions and more dangerous than the headlines suggest. 

"AI agents are no longer theoretical attack surfaces. They are now attack tools.

"What makes this operation instructive is not the sophistication of the techniques involved but the conditions that made them possible. Every entry point JADEPUFFER exploited traces back to a failure of credential governance: secrets stored where they should not be, default credentials left unchanged and privileged accounts left open with no time-bound or scope-limited controls in place. 

"Keeper Security research found that 72 percent of organizations cannot detect credential misuse in real time, with most identifying unauthorized privileged access within hours rather than minutes. An AI agent operating at machine speed can move from initial access to full destruction well inside that window.

"The response has to match the threat. Privileged accounts need time-bound, scope-limited access controls rather than standing permissions. Secrets belong in a dedicated vault with automated rotation, not in environment variables on internet-facing servers. And real-time session visibility needs to be a baseline operational capability, because post-event log review is not a viable detection model when an attack can complete in minutes. 

"The threat has changed but the prescription has not. Know what identities exist in your environment, govern what they can access and ensure that access is continuously monitored. Those fundamentals have always mattered and in this environment they have become urgent."

Ben Ronallo, Principal Cybersecurity Engineer at Black Duck

"Companies need the visibility to patch, and then they need to just patch. The CVE associated with the Langflow compromise was published over a year ago and has been known as exploitable for an equally long time. As this attack shows, it's not a matter of if a known vulnerability will be exploited, but rather when it will be exploited and what the impact of that exploit will be.

"This sits alongside the recent Exploitarium disclosures, though the two are pulling on different threads. Exploitarium was about speed, AI finding brand new flaws faster than anyone could triage them. 

"JADEPUFFER is about patience and volume, working through vulnerabilities that have been public and exploitable for over a year, but never made the prioritized list because there were better, newer CVEs to chase rather than a years-old Nacos bug on some forgotten server. 

"New flaws get attention. Old ones just sit there until something decides they're worth the trip. Again, it’s not a matter of if but when. AI is lowering the barrier to entry at the same time. Someone with no real technical background can now chain together recon, credential theft, and destruction that used to require an operator who actually understood each step.

"When it comes to acting on this attack, first and foremost, if you know about exposed, vulnerable Langflow systems, activate your incident response procedures and immediately patch. While patching, pull the logs and check for the IOCs Sysdig identified, including scheduled tasks or cron entries beaconing outbound, that was JADEPUFFER's persistence mechanism on the initial access host. 

"Just as important, don't stop at the Langflow host itself. It was the doorway here, not the target; trace what the compromised host could reach, not just what happened on it. If you identify any IOCs, determine whether credentials were compromised and take the necessary steps to contain the incident."

Heath Renfrow, Co-Founder and CISO at Fenix24

"The headline shouldn't be that AI has suddenly created a new form of ransomware. The real story is that AI is beginning to reduce the amount of human involvement required during an attack. 

"Large language models can now assist with reasoning through failures, adapting commands, prioritizing targets, and modifying attack paths in real time. Those are tasks that historically required a skilled operator. As that capability matures, we should expect attacks to become faster, more consistent, and more scalable.

"We've already seen malware retry failed actions, adapt to environmental conditions, pivot laterally, and execute complex playbooks. What's changing isn't necessarily the objective—it's the speed and autonomy with which those objectives can be achieved. If an AI agent can compress what previously took an experienced operator several hours into a matter of minutes, defenders lose valuable time. That has implications across every phase of an incident, from detection and containment to recovery.

"Organizations should resist focusing solely on whether an attacker is 'AI-powered.'  Security teams should continue prioritizing the fundamental-rapid patching of internet-facing systems, strong identity protections, least privilege, network segmentation, continuous monitoring, and restricting unnecessary external exposure.

"The conversation shifts from simply preventing compromise to ensuring the business can recover when prevention fails. Recovery can no longer be viewed as a backup problem—it must be treated as an operational capability that is continuously validated.

"Ultimately, AI is unlikely to fundamentally change the goals of ransomware operators. It will change their efficiency. The organizations that succeed won't necessarily be those with the most security products—they'll be the ones that can detect compromise quickly, maintain resilient identity and infrastructure, and demonstrably recover critical business operations under pressure."

More in Cybersecurity