ByteBulletin

[tooling] · · 2 min read

The First 'Agentic Ransomware' Attack Still Needed a Human at the Controls

Sysdig's JadePuffer operation was technically executed by an AI agent, but a human still set up the infrastructure, chose the victim, and provided the stolen credentials.

By ByteBulletin Editors · Editorial Team


Last week, cloud security firm Sysdig reported what it called the first known case of "agentic ransomware" — an extortion operation dubbed JadePuffer in which an AI agent handled the technical execution of a real-world cyberattack from start to finish, with no human at the keyboard. The agent broke into a vulnerable server, stole credentials, moved laterally, encrypted files, and even wrote its own ransom note. Coverage described the operation as run "without any human oversight."

That's not quite the full picture. In an interview with CyberScoop, Sysdig's Michael Clark clarified that a human was still very much involved — just not in the technical execution. "A human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim," Clark said. The credentials used to break into the victim's database were obtained separately, through a prior compromise, and handed to the operation.

None of this contradicts Sysdig's original claim, and the technical details remain notable. The agent got in through a known bug in Langflow, then moved to a production MySQL server and exploited another known flaw to gain admin access. It encrypted over 1,300 configuration records, left behind a ransom note it wrote itself, and included a Bitcoin address for payment. Sysdig hasn't disclosed the target.

The techniques were fairly ordinary; what stood out was speed and transparency. The agent fixed a failed login in 31 seconds, narrating its own reasoning in natural-language code comments.

One muddying detail: Clark initially told CyberScoop that "multiple models were used" in the attack, citing harvested keys for OpenAI, Anthropic, DeepSeek, and Gemini. He later clarified to TechCrunch that those keys were simply part of the loot. "The agent swept the Langflow host for anything valuable — provider API keys, cloud credentials, cryptocurrency wallets, and database configs — and those provider keys were part of the loot," he said via email. "They do not tell us which model was making the decisions." Sysdig could not identify the specific model driving the agent and has no visibility into its system prompt or configuration.

Microsoft researcher Geoff McDonald theorized on LinkedIn that the model was an open-weight model with safety training stripped out, rather than a frontier model, based on his red-teaming experience showing frontier labs' safety layers hold up well. Sysdig's account doesn't confirm or rule that out.

McDonald also warned that ransomware campaigns are now bounded primarily by attacker budget rather than human effort, raising the possibility of "thousands or tens of thousands of simultaneous campaigns." That concern is harder to square with Clark's description — if a human still has to choose each victim, provision infrastructure, and obtain database credentials for every operation, that's a bottleneck. Still, Clark told CyberScoop that while Sysdig hasn't seen the same operation hit other victims yet, given how cheap it is to run an agent, he expects that to change.

SHARE

← All stories