Sysdig documents JadePuffer, the first end-to-end LLM-driven ransomware run
An agent chained a Langflow RCE to a Nacos MySQL server, encrypted 1,342 config rows, and wrote its own ransom note — but a human still picked the victim.
Sysdig’s Threat Research Team on Friday published what it calls the first documented case of end-to-end agentic ransomware, an operation it’s tracking as JadePuffer. The intrusion, which hit an unnamed victim in late June, ran through more than 600 distinct payloads written in natural language by the agent itself, and it landed on a live MySQL instance with an encrypted table and a note attached.
Initial access came through CVE-2025-3248, an unauthenticated RCE flaw in the open-source LLM framework Langflow. From there the agent dumped a local PostgreSQL database, enumerated MinIO buckets, harvested environment variables, and installed a cron job beaconing every 30 minutes. Lateral movement to an Alibaba Nacos configuration server used CVE-2021-29441, with JWTs forged against Nacos’s long-published default signing key. The destructive stage encrypted all 1,342 Nacos service configuration items using MySQL’s own AES_ENCRYPT() function, dropped the original config_info and history tables, and wrote a README_RANSOM table containing a Bitcoin address and a Proton Mail contact.
The autonomy is the story. Michael Clark, senior director of threat research at Sysdig, told CyberScoop that “the agent read a Nacos error, switched from subprocess calls to direct library imports and redeployed a working fix 31 seconds later.” That’s not a scripted branch. That’s a runtime debugging loop.
It’s also sloppy. Sysdig assesses the actual encryption as AES-128-ECB, not the “AES-256” the ransom note claims. The encryption key was never transmitted to the attacker, meaning victims couldn’t have paid to recover the data even if they’d wanted to. The Bitcoin address turns out to be a well-known example wallet from public documentation, which Sysdig reads as either an LLM hallucination or an operator who never looked. The agent held API keys for OpenAI, Anthropic, DeepSeek and Gemini; Sysdig couldn’t identify which model was in the driver’s seat.
What the agent didn’t do is telling. According to Clark, the human operator provisioned the C2 and staging infrastructure, chose the victim, and supplied MySQL root credentials lifted in a prior compromise. The autonomous ransomware attack, in other words, still needed a person to point it at someone and hand it the keys. The 2017 commodity-ransomware wave was defined by kits sold to unskilled affiliates. JadePuffer is the first serious datapoint that the next wave may be defined by agents sold, or rented, to operators who supply little more than a target list.
Sources
- https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion
- https://www.bleepingcomputer.com/news/security/jadepuffer-ransomware-used-ai-agent-to-automate-entire-attack/
- https://techcrunch.com/2026/07/06/the-first-ai-run-ransomware-attack-still-needed-a-human/
- https://cyberscoop.com/sysdig-judepuffer-ai-agentic-ransomware-attack/
- https://www.darkreading.com/cyberattacks-data-breaches/jadepuffer-first-complete-llm-driven-ransomware-attack