AI Agent Conducts First Fully Autonomous Ransomware Attack
Researchers have identified what they believe to be the first agentic ransomware attack. An autonomous large language model (LLM) agent conducted an entire attack without human involvement, including vulnerability exploitation, credential theft, lateral movement and file encryption.
The attack was identified by researchers at the cloud security company Sysdig, who linked the attack to the JadePuffer ransomware operation. JadePuffer used a fully autonomous AI agent to conduct reconnaissance on the targeted company, exploit a vulnerability (CVE-2025-3248), steal credentials, move laterally within the victim’s network, establish persistence, escalate privileges, encrypt data, and drop a ransom note, adapting to failures on the fly without human intervention.
The vulnerability exploited for initial access was an unauthenticated remote code execution vulnerability in the Langflow open source framework. The researchers explained that this is an attractive entry point as Langflow servers are AI-adjacent, often hold provider API keys and cloud credentials, and are commonly stood up quickly without network controls. While a patch had been issued to fix the vulnerability on April 1, 2025, and the flaw was known to be actively exploited, the vulnerability had not been patched.
The AI agent was able to adjust its approach in a similar way to a human attacker. For instance, when an API request returned XML instead of JSON, the next payload adjusted its parsing logic accordingly, and when certain steps failed, the AI agent retried those steps using refined parameters. “In one sequence, it went from a failed login to a working fix in 31 seconds,” explained the researchers.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The AI agent gained access to a production MySQL server running Alibaba Nacos by exploiting a 2021 authentication bypass vulnerability, then encrypted all 1,342 Nacos service configuration items and deleted the originals. The AES encryption key was not transmitted to the attacker’s infrastructure, so even if the ransom was paid, recovery would not have been possible.
According to a recent statement from the Five Eyes cybersecurity agencies, advances in artificial intelligence have accelerated the speed, scale, and sophistication of cyber threats. The agencies warned that “frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years; it is months.” The Sysdig researchers say the age of agentic threat actors has arrived.
While the attack was fully automated, it did not involve the exploitation of any zero-day vulnerabilities or novel techniques, therefore defending against automated attacks is no different to defending against hands-on- keyboard attacks. As recommended by the Five Eyes agencies, organizations should take steps now to combat threats by reducing their attack surface, accelerating patching processes, addressing legacy systems, reviewing and strengthening identity and access controls, and ensuring they develop and test incident response plans, which should be focused on fast containment and recovery.


