‹ ARCHIVE NB-L068 · .log · 2026·07

An AI ran an entire ransomware attack from start to finish, on its own

An AI ran an entire ransomware attack from start to finish, on its own
NB-L068 .log

Sysdig's threat research team documented what it calls the first case of a ransomware attack, a program that breaks into systems, encrypts the data and demands a ransom, carried out end to end by an artificial-intelligence agent, with no human directing each step. They named it JadePuffer. The break-in, the credential harvesting, the pivot to the right server, the encryption and the ransom note, all of it was driven by the machine.

The name of the software is the least of it. The bar for launching an attack like this just collapsed. You no longer need to know how to hack, you need to get an agent running. And the way in was, with perfect irony, one of the very tools everyone now uses to build AI agents.

The door was the AI tool itself

The starting point was a Langflow instance exposed to the internet, an open-source platform for building AI applications and agents. The attacker got in through a known, already-patched flaw, CVE-2025-3248 (which lets a stranger run code on the server with no authentication at all). Inside, the agent did what a human intruder would, but in seconds, and swept up everything, access keys to AI services like OpenAI, Anthropic and DeepSeek, cloud credentials, cryptocurrency wallets and database passwords. It even found a file store still protected by the factory password, minioadmin:minioadmin, that no one had changed.

With the credentials in hand, it jumped to the real target, a production database server. It used another old flaw, CVE-2021-29441, and a signing key no one had changed, to forge an administrator pass and create a hidden account. Then it encrypted 1,342 system configurations, deleted the originals, and left a table with the ransom demand, a Bitcoin address and an email contact.

How we know it was a machine

The signs that no human was at the controls are in the code itself. The commands came annotated in plain language, explaining the reason for each step and ranking targets by payoff, the kind of comment a human operator never writes in a throwaway script, but that a language model produces by reflex. And it adapted in real time. In one sequence, it went from a failed login to a working fix in 31 seconds. When it asked for a reply in one format and got another, the next command already read it in the right one. When a delete command failed because of a database safeguard, the next one switched the safeguard off and tried again.

Not everything worked, and that is where the case gets unsettling. The Bitcoin address it demanded for the ransom is the example that appears in the currency's own technical documentation, probably a memory the model pasted without thinking, though Sysdig does not rule out a wallet the operator chose. And the key it used to encrypt the data was printed once and never saved, which means the victim recovers nothing, even if they pay. It was crude, but it worked, at machine speed.

This is the signature of a first version, and first versions improve. Sysdig puts it plainly: "The skill floor for running ransomware has dropped to whatever it costs to run an agent," and warns that these campaigns will grow as the tooling matures. In Portugal, the National Cybersecurity Centre (CNCS) has said the same in other words in its annual report, generative AI lowers the barrier to entry for cybercrime and helps automate its techniques. This case is the practical demonstration.

How to protect yourself

The measures that stop this are basic hygiene, still left undone:

  • Treat AI tools as attack surface. If you run a Langflow or anything like it, patch it and never expose it to the internet without authentication.
  • Do not leave access keys or cloud credentials sitting on machines that touch the web. They are what handed the agent the keys to the kingdom.
  • Kill the factory passwords. minioadmin:minioadmin and default signing keys are the first thing any agent tries.
  • Limit where a compromised machine can connect. If it cannot reach the outside, it cannot pull instructions or steal data.
  • Watch for its own tell. An agent narrates its goals in the code it runs, and that chatter is a rare chance to catch it.

For years, defenders had one thing going for them, attacking well took effort and talent. That edge is disappearing. When a full attack costs no more than renting a robot for a few hours, no target is too small to bother with.

Sources: Sysdig, Bleeping Computer, CNCS.

#StaySafe
🙏🖖

DOMAIN
BRI assistant

Quer saber sobre um projeto, um serviço ou uma notícia recente? Pergunte. Conheço todo o conteúdo deste site.