Tuesday, 7 July 2026
Rīga TV

World and Latvian news in one place

TechnologyPublished: 7 July 2026 at 03:36

The first AI-run ransomware attack still needed a human

Cybersecurity researchers at Sysdig documented the first known case of agentic ransomware, where an AI agent autonomously executed the attack, but a human was still required to set up infrastructure and choose the victim.

Foto: TechCrunch

Last week, Sysdig researchers reported the first documented case of "agentic ransomware," dubbed JadePuffer, where an AI agent handled the technical execution of a real-world cyberattack from start to finish. The agent broke into a vulnerable server, stole credentials, moved through the target's network, encrypted files, and even wrote its own ransom note, adapting along the way.

However, in an interview with CyberScoop, Michael Clark, Sysdig's senior director of threat research, clarified that a human was still involved—just not in the technical execution. "A human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim," Clark said. The credentials used to break into the victim's database were obtained separately through a prior compromise, not by the AI agent itself.

The attack's technical details remain notable. The agent entered through a known bug in Langflow, a popular open-source tool for building LLM apps, then moved to a production MySQL server and exploited another flaw to gain admin access. It encrypted over 1,300 configuration records, left a self-written ransom note, and a Bitcoin address for payment. Sysdig has not disclosed the victim.

Speed was a key factor: the agent fixed a failed login in 31 seconds, narrating its reasoning in natural-language code comments.

Clark clarified that multiple API keys (OpenAI, Anthropic, DeepSeek, Gemini) were stolen but not necessarily used. "The agent swept the Langflow host for anything valuable—provider API keys, cloud credentials, cryptocurrency wallets, and database configs—and those provider keys were part of the loot," he said. Sysdig could not identify the specific model driving the agent. Microsoft researcher Geoff McDonald suspects an open-weight model with safety training stripped out, based on his red-teaming experience.

While Sysdig has not yet seen the same operation against other victims, Clark expects that to change given how cheap it is to run an agent.

Comments

0/1500

Comments are automatically moderated. No hate, threats, personal data or spam.

Loading comments…

More in this category