AI agent carries out full ransomware attack for first time, researchers say

Sysdig says the JadePuffer group used an autonomous AI agent to plan and execute an end-to-end ransomware campaign, adapting in real time, stealing credentials and encrypting data while exposing flaws in its financial understanding

Security researchers have identified what they say is the first documented case of a ransomware attack planned, managed and executed entirely by an autonomous AI agent, marking a potentially significant shift in the global cyber threat landscape.
The attack group, known as JadePuffer, used a large language model to manage every stage of the campaign, from initial intelligence gathering and credential theft to lateral movement inside the network, data encryption and the ransom demand, according to a report by cloud security company Sysdig.
וירוס Pufferfish הסכנה הגדולה החדשה בעולם הסייבר
וירוס Pufferfish הסכנה הגדולה החדשה בעולם הסייבר
Pufferfish virus, the new major threat in cyber warfare
(Photo: Google Gemini)
The most concerning capability demonstrated in the attack, according to the report, was the AI agent’s flexibility and ability to adapt in real time. Like a skilled human hacker, the autonomous system was able to identify failures in its own actions and correct them quickly.
In one documented case, the system encountered a login error, analyzed the problem, changed the code parameters and produced a working solution within 31 seconds.
The initial breach was carried out by exploiting a known vulnerability, CVE-2025-3248, in Langflow, a popular open-source framework used to build AI applications. After gaining access, the AI agent scanned databases, extracted passwords and encryption keys, and began moving through the organization’s network toward production servers running Alibaba Nacos.
At that stage, the agent encrypted 1,342 service configuration items, deleted the originals and left behind a text file containing a ransom demand in Bitcoin and a contact address.

‘This is only the beginning’

Despite the sophistication of the automation, researchers said the technology still appeared to be in its early stages.
The ransom note included a public Bitcoin wallet address often used as an example in online training materials, suggesting the model copied data from its training sources without understanding the financial context. The generated code also included detailed natural-language comments in which the agent appeared to “explain” to itself the logic of its next actions, a recognizable feature of language models.
The development reflects a technological leap beyond the offensive tools that have dominated the cyber threat market until now.
In recent years, AI-based attack tools such as WormGPT and FraudGPT, which surfaced on the dark web, were used mainly to generate sophisticated phishing content or write isolated pieces of code for human operators. The move to fully autonomous agents changes the equation, researchers warned, because it allows complex attacks to be carried out with far less technical skill from the human attacker and at a much faster pace than a human defender can match.
Historically, cyberattacks have evolved from simple script automation, including early internet viruses in the 1990s, to human-operated ransomware, in which hackers manually direct the intrusion after gaining initial access.
The technology behind the current case, known as agentic AI, is based on the ability of language models not only to generate text, but to use external tools, run code repeatedly and test results against predefined goals.

A call for a defensive shift

Security experts say the arrival of “agentic threat actors” requires a major change in how organizations think about cyber defense.
For now, defenders may still have an advantage in the agent’s unusually high level of activity. Its tendency to try multiple solutions in a short period, along with distinctive traces left in the code such as explanatory text comments, creates abnormal “noise” inside a network that advanced monitoring and defense systems may be able to detect and stop before encryption takes place.
Yuval Sinai, head of active defense at the Israel National Cyber Directorate, told ynet that the central lesson from the case is not that JadePuffer used revolutionary attack techniques.
“The key point is that JadePuffer does not present revolutionary attack techniques,” Sinai said. “The agent exploited known vulnerabilities, unsecured default configurations and systems that were not updated on time. The innovation is not in the attack methods themselves, but in the ability of an AI agent to autonomously connect all stages of the attack chain, make real-time decisions, recover from failures and adapt to the environment, similar to an experienced human operator.”
Sinai said the implication for organizations is that the attacker’s pace is moving to “machine speed.”
“If in the past minutes or even hours passed between the different stages of an attack, an AI agent can execute the entire attack chain continuously and automatically, significantly reducing the window for detection and response,” he said.
As a result, he said, organizations must move beyond signature-based detection and adopt what he called “defense at machine speed”: behavior-based defense, continuous monitoring of identities and permissions, hardening of AI environments, reduction of attack surfaces, careful management of secrets and faster vulnerability patching cycles.
For organizations that rely on air-gapped networks, Sinai said the case should also serve as a warning.
Physical isolation remains an important layer of defense, he said, but autonomous attack agents require organizations to prepare for a scenario in which, after an initial breach through a supply chain, removable media or an insider, an AI agent could operate independently inside the isolated network without continuous guidance from the attacker.
“This is another indication that the era of agentic threat actors is no longer a future scenario, but an emerging reality,” Sinai said.
Comments
The commenter agrees to the privacy policy of Ynet News and agrees not to submit comments that violate the terms of use, including incitement, libel and expressions that exceed the accepted norms of freedom of speech.
""