728 x 90

The ‘first’ AI-executed ransomware attack still needed a human | TechCrunch

The ‘first’ AI-executed ransomware attack still needed a human | TechCrunch

Last week, researchers at cloud security firm Sysdig said they had documented the first known case of “agent ransomware.” It was an extortion operation, called JadePuffer, in which an AI agent (not a human) handled the technical execution of a real-world cyberattack from start to finish. The agent broke into a vulnerable server, stole credentials,

Last week, researchers at cloud security firm Sysdig said they had documented the first known case of “agent ransomware.” It was an extortion operation, called JadePuffer, in which an AI agent (not a human) handled the technical execution of a real-world cyberattack from start to finish. The agent broke into a vulnerable server, stole credentials, moved through the target’s network, encrypted files and even wrote his own ransom note, adapting to obstacles along the way as a human hacker would. Coverage of the financing described it as being executed “without any human supervision,” without “any human being at the keyboard.”

That’s not quite full image. In an interview Monday with CyberScoop, Sysdig’s Michael Clark, the company’s senior director of threat research, clarified that a human was still heavily involved, just not in the technical execution. “A human still set up and ran the operation and provisioned the infrastructure behind it, the command and control server, the staging server used for the stolen data, and chose a victim,” Clark said. The credentials used to access the victim’s database, he added, were not collected by the AI ​​agent itself; someone obtained them separately, through a prior commitment, and gave them to the operation.

None of this contradicts Sysdig’s original claim, and the technical details of the attack are still notable on their own, even far-fetched. The agent logged in via a known bug in Langflow, a popular open source tool for building LLM applications, then moved to a production MySQL server and exploited another known flaw to gain administrator access. He encrypted over 1,300 configuration records and not only left a ransom note that he wrote himself, but also left a Bitcoin address to which the ransom could be sent. Sysdig has not revealed who was targeted.

The techniques were apparently quite common, what stood out was the speed and transparency involved. The agent fixed a failed login in 31 seconds and narrated his own reasoning in natural language code comments throughout the process.

A detail that initially seemed to cloud the picture has now been clarified. Clark had told CyberScoop that Sysdig found that “multiple models were used in the attack,” citing keys collected for OpenAI, Anthropic, DeepSeek and Gemini, language that left open the question of whether multiple models actively drove different stages of the intrusion. When asked to clarify, Clark told TechCrunch that those keys were simply part of what the agent stole, not evidence of what drove him.

“The agent searched the Langflow host for anything valuable (vendor API keys, cloud credentials, cryptocurrency wallets, and database configurations) and those vendor keys were part of the loot,” he said via email. “They are indicative of what the attacker thought was worth taking, but they don’t tell us which model was making the decisions.”

As for the model actually running JadePuffer, Clark said Sysdig “was unable to identify the specific model driving the agent” and has no visibility into the prompt or system configuration.

From that perspective, it’s worth revisiting Microsoft researcher Geoff McDonald’s theory, offered on LinkedIn several days ago. McDonald suspected that an open weight model with no security training, rather than a frontier model, was behind the attack, based on his own experience on the red team that showed that frontier lab security layers are well maintained. Sysdig’s own account neither confirms nor rules it out.

McDonald’s post also warned that ransomware campaigns are now limited primarily by the attacker’s budget rather than human effort, raising the possibility of “thousands or tens of thousands of simultaneous campaigns.” That concern is a little harder to reconcile with what Clark described Monday. (If a human still has to choose each victim, provide infrastructure, and obtain database credentials for each operation, that’s at least a bottleneck.)

Either way, Clark told CyberScoop, while Sysdig has yet to see the same operation hit other victims, given how cheap it is to run an agent, he hopes that will change.

When you buy through links in our articles, we may earn a small commission. This does not affect our editorial independence.

For more tech updates, stay tuned to our blog.

Posts Carousel

Latest Posts

Top Authors

Most Commented

Featured Videos