Cybersecurity

AI can now run ransomware attacks alone — as long as a human sets it up first

Adrian Kessler

The ransomware that just made security headlines wasn’t guided by a hacker watching a terminal. An AI agent handled every technical stage of the attack independently — mapping the target, stealing credentials, moving between systems, and encrypting over a thousand database records. What it could not do was set up its own payment infrastructure or send the ransom demand.

Cloud security firm Sysdig documented the intrusion, naming it JadePuffer. The agent gained access through CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow, an open-source framework used to build AI-powered applications. From that foothold, it swept the environment for API keys, cloud access tokens, and database credentials, then moved to a production MySQL server and encrypted 1,342 configuration items stored in Nacos — an enterprise service registry widely used in Chinese-origin infrastructure stacks.

The most striking detail is not the breadth of the attack but its self-correction. When an attempt to forge administrator credentials failed due to a path configuration error, the agent diagnosed the root cause, wrote a 15-step remediation script, and executed it in 31 seconds. That is too fast for a human operator to have diagnosed, scripted, and run a fix — the behavior points to genuine on-the-fly reasoning rather than scripted playbooks.

None of this means ransomware operations are about to run without people. The attack still required a human to configure the command-and-control server, register the ransom contact address on ProtonMail, and build the infrastructure before the agent was deployed. The encryption key JadePuffer generated was never stored or transmitted — meaning victims cannot recover their data even if they pay, a flaw that either reflects poor operational design or indifference to post-attack negotiation.

What JadePuffer actually documents is a cost reduction, not a handoff. Every stage that previously required specialized expertise — lateral movement, privilege escalation, database enumeration, real-time error correction — can now be delegated to an agent. Sysdig’s conclusion is direct: the skill floor for ransomware operations has dropped to whatever it costs to run a language model.

The attack targeted Langflow installations exposed to the internet. Roughly 7,000 vulnerable instances were reported at the time the Langflow CVE became public. Any organization running unpatched Langflow, Nacos, or similar open-source LLM infrastructure on internet-facing servers sits in the same window of exposure. This is not new advice; it is the same posture guidance that predates AI agents. The difference is that the operator probing for those exposed services now runs automatically.

The Langflow vulnerability was patched in April 2025. Sysdig published full indicators of compromise, including C2 IP addresses and the ransom contact address. CISA has draft guidance on agentic AI system constraints expected later this year — the question of where a deployed AI agent’s authority ends, and where accountability begins, has not yet produced policy.

Tags: , , , , ,

Discussion

There are 0 comments.