AI Agent Conducts First Fully Autonomous Ransomware Attack
Researchers have identified what they believe to be the first agentic ransomware attack. An autonomous large language model (LLM) agent conducted an entire attack without human involvement, including vulnerability exploitation, credential theft, lateral movement, and file encryption.
The attack was identified by researchers at the cloud security company Sysdig, who linked the attack to the JadePuffer ransomware operation. JadePuffer used a fully autonomous AI agent to conduct reconnaissance on the targeted company, exploit a vulnerability (CVE-2025-3248), steal credentials, move laterally within the victim’s network, establish persistence, escalate privileges, encrypt data, and drop a ransom note, adapting to failures on the fly without human intervention.
The vulnerability exploited for initial access was an unauthenticated remote code execution vulnerability in the Langflow open source framework. The researchers explained that this is an attractive entry point as Langflow servers are AI-adjacent, often hold provider API keys and cloud credentials, and are commonly stood up quickly without network controls. While a patch had been issued to fix the vulnerability on April 1, 2025, and the flaw was known to be actively exploited, the vulnerability had not been patched.
The AI agent was able to adjust its approach in a similar way to a human attacker. For instance, when an API request returned XML instead of JSON, the next payload adjusted its parsing logic accordingly, and when certain steps failed, the AI agent retried those steps using refined parameters. “In one sequence, it went from a failed login to a working fix in 31 seconds,” explained the researchers.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
“A few things stand out from a security architecture perspective. The entry point was not the AI system itself. It was a Langflow instance holding provider API keys and cloud credentials in its environment, which is a machine identity governance problem as AI-adjacent infrastructure was able to accumulate credentials that nobody actively monitored or rotated,” said Roey Eliyahu, CEO and Co-founder, Salt Security. “The Langflow server was not the target. It was the credential store that made the target accessible.
The AI agent gained access to a production MySQL server running Alibaba Nacos by exploiting a 2021 authentication bypass vulnerability, then encrypted all 1,342 Nacos service configuration items and deleted the originals. The AES encryption key was not transmitted to the attacker’s infrastructure, so even if the ransom was paid, recovery would not have been possible.
“The most striking aspect of JADEPUFFER was not the attack itself, but the AI agent’s behavior. During the attack, the agent performed reconnaissance, searched for credentials, moved between systems, and established persistence. It also adapted when an initial attempt to create an administrator account failed by generating a corrected payload and successfully retrying the task,” Sally Vincent, Senior Threat Research Engineer at Exabeam, told The HIPAA Journal. “While the attack relied on known, older vulnerabilities rather than new exploits, it demonstrates how AI can automate and accelerate the exploitation of unpatched systems. It also serves as a reminder that patching known vulnerabilities remains important, since AI can make exploiting them faster and more efficient.”
While the attack was fully automated, it did not involve the exploitation of any zero-day vulnerabilities or novel techniques; therefore, defending against automated attacks is no different from defending against hands-on- keyboard attacks, at least for now. That said, the speed of the attack is concerning. “The 31-second self-correction is the part that changes the threat model most fundamentally. A human attacker who fails an initial payload waits, reassesses, consults, and tries again on a different timeline. An agent that fails a payload corrects and retries in under a minute. That compression of the attack cycle means the window between first detection signal and material damage is now measured in seconds, not hours,” said Roey Eliyahu.
According to a recent statement from the Five Eyes cybersecurity agencies, advances in artificial intelligence have accelerated the speed, scale, and sophistication of cyber threats. The agencies warned that “frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years; it is months.” The Sysdig researchers say the age of agentic threat actors has arrived.
As recommended by the Five Eyes agencies, organizations should take steps now to combat threats by reducing their attack surface, accelerating patching processes, addressing legacy systems, reviewing and strengthening identity and access controls, and ensuring they develop and test incident response plans, which should be focused on fast containment and recovery.


