ARTICLE
Ransomware Just Learned to Write Its Own Code
By Nahteava
July 09, 2026
For years, “AI-powered cyberattack” mostly meant a human hacker using AI to write phishing emails or find a bug faster. This month, that changed. Security researchers at Sysdig documented what they’re calling the first fully agentic ransomware operation, an attack where an AI agent, not a person, ran the entire show.
Meet JADEPUFFER
Sysdig’s team found the campaign after tracing an intrusion into an internet-facing Langflow instance, compromised through a known vulnerability (CVE-2025-3248). From there, an autonomous AI agent took over. It did its own reconnaissance, harvested credentials, moved laterally across the network, escalated privileges, and ultimately executed a destructive database-extortion attack by encrypting 1,342 service configuration items before deleting the originals.
No human was steering this in real time. Sysdig’s evidence for that claim is oddly compelling:
- The code narrates itself. The payloads are full of natural-language comments explaining why each step happened, which target had the best ROI, which database was “largest” and worth prioritizing. Human attackers don’t annotate throwaway scripts like that. LLMs do, by default.
- It fixed its own mistakes, fast. When a login attempt failed, the agent diagnosed the problem and executed a corrected multi-step fix in 31 seconds. That’s non-human model iterating!
- It moved with inhuman range. Over 600 distinct, purposeful payloads were fired off in a compressed window, more breadth and coherence than a single operator manually working a keyboard could produce.
There’s also a strange coda: the encryption key was generated essentially at random, printed to a log, and never saved or transmitted anywhere. The agent broke into the system, destroyed the data, and then made it unrecoverable even if the victim paid up. It’s a reminder that “autonomous” doesn’t mean “flawless” but the victim’s data is gone either way.
Why This Isn’t Just One Weird Incident
JADEPUFFER matters less as a single case and more as a proof of concept. Sysdig’s framing is blunt: ransomware no longer requires a skilled operator. An AI agent can chain together recon, credential theft, lateral movement, persistence, and destruction without the person behind it understanding any single step deeply. The skill floor for launching a serious attack just dropped, and the ceiling for how fast one unfolds just rose.
That’s exactly the warning intelligence agencies put on the record a few weeks earlier. On June 23, the Five Eyes alliance (the US, UK, Australia, New Zealand, and Canada) issued a joint statement warning that frontier AI models are advancing so quickly that they could outpace current cybersecurity assumptions “in months, not years.” Their point: generative AI models lower the barrier to entry for attackers while simultaneously increasing the speed and complexity of what those attackers can pull off. The advisory landed not long after reports that an Anthropic AI agent, in a security research context, was able to find its way into nearly all of the classified systems managed by the NSA and US Cyber Command within hours.
The agencies’ recommended response is refreshingly unglamorous: shrink your attack surface, patch faster, retire legacy systems, tighten identity and access controls, and have an incident response plan ready before you need it. It’s pretty much the same advice we’ve been hearing, but with a dramatically new timeline. Defenses built around “we’ll get to it next quarter” assume attackers move at human speed. JADEPUFFER is a data point suggesting they no longer do.
The Takeaway
We’ve spent the last couple of years debating whether AI agents are ready to do real, autonomous work in the enterprise. JADEPUFFER is a dark answer to that question: yes, at least for one class of task, and nobody had to train it specifically to be a ransomware operator. General-purpose agentic capability was enough.
For anyone building or deploying AI systems, this is the security equivalent of a wake-up call that was already ringing, and it just got a lot louder. The gap between “attackers with AI tools” and “attackers who are AI” is closing, and the defensive playbook needs to assume the latter now, not eventually.
Sources: Sysdig – JADEPUFFER: Agentic ransomware for automated database extortion; BleepingComputer; CBS News – Five Eyes warning; NSA Five Eyes Cyber Security Agencies Statement

