General 15.07.2026
AI Autopsy: JadePuffer Claims a First for AI-Driven Ransomware
The first autonomous ransomware campaign has arrived. Here’s why every CISO should be paying attention.
General 15.07.2026
The first autonomous ransomware campaign has arrived. Here’s why every CISO should be paying attention.
On July 7, the National Cyber Security Centre (NCSC) announced plans to build a “Cyber Shield”. Its mission: to use agentic AI to protect critical systems against offensive use of the same technology. The agency warned that threat actors will soon be able to conduct “fully autonomous attacks operating across the complete intrusion lifecycle”.
It’s a future brought one step closer with the discovery of JadePuffer: what experts are describing as the first end-to-end, agent-driven autonomous ransomware operation. It could have major implications for cyber-resilience strategies and response timelines.
Discovered by Sysdig and revealed by the company in a report in early July, JadePuffer is branded as an “agentic threat actor” (ATA) – that is, “an operator whose attack capability is delivered by an AI agent rather than a human-driven toolkit”. It achieved initial access by exploiting CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow, a popular open-source framework for building LLM-based apps.
The ATA then enumerated the host and dumped local data, including stored credentials, API keys, and user records, from Langflow’s Postgres database. It performed lateral discovery from there, enumerating a MinIO object store and establishing persistence on the Langflow host by installing a cron job on the server. This beaconed the attacker’s infrastructure every 30 minutes.
“The key was generated, used once, and never saved or transmitted anywhere” Crystal Morin
This preparatory work enabled the ATA to go after the intended target: a MySQL server running Alibaba Nacos (Naming and Configuration Service). It targeted the configuration service through multiple vectors simultaneously, including exploitation of an authentication-bypass bug (CVE-2021-29441). It checked for container escape methods and then deployed ransomware to encrypt all 1,342 Nacos service configuration items and delete the originals, before leaving a ransom demand.
Interestingly, the encryption used in the attack was built to be unrecoverable, Sysdig senior cybersecurity strategist, Crystal Morin, tells Assured Intelligence.
“This was done not by human design choice, but just incidentally by the LLM. The key was generated, used once, and never saved or transmitted anywhere,” she explains. “Paying the ransom gets you nothing back. That makes ransomware a business continuity problem and a completely different boardroom conversation.”
The agent also adapted at numerous points in the campaign, retrying failed steps within the parameters set for it. Sysdig claims that in one sequence “it went from a failed login to a working fix in 31 seconds”.
The CISOs Assured Intelligence spoke to agree that JadePuffer represents a troubling development on two fronts: that the speed at which attack surfaces are growing, and agentic threat actors are operating, is greater than that of corporate governance and security processes. That’s a mismatch that could give adversaries a significant advantage.
“For CISOs, the implication isn’t simply that attacks are becoming ‘AI-powered’. It’s that organisations may have significantly less time to detect, investigate, contain, and respond before attackers achieve their objectives,” argues Fenix24 CISO, Heath Renfrow.
“Every new AI service, exposed interface, plugin, model integration, or automation workflow expands the potential attack surface. Many organisations are still developing mature asset inventories and security controls for these environments, making it easier for attackers to identify overlooked internet-facing systems or misconfigurations.”
“Every new AI service, exposed interface, plugin, model integration, or automation workflow expands the potential attack surface” Heath Renfrow
That an AI system itself (Langflow) was the initial target for JadePuffer is no coincidence, as the potential blast radius is “enormous”, adds Sysdig’s Morin. “It held provider API keys for OpenAI, Anthropic, and DeepSeek, cloud credentials, cryptocurrency wallets, and database configs, all in one place,” she explains. “That is the new reality of the attack surface. AI infrastructure has quietly become one of the richest credential surfaces organisations own.”
All of which meant that JadePuffer didn’t need to create a novel exploit to cause significant damage,” adds Keeper Security CISO Shane Barney. It simply needed an environment where the growth of connected infrastructure has outpaced governance. “That is not an unusual condition to find in enterprise environments today,” he warns.
CISOs who have been playing “wait and see” with agentic threats up to now “should treat this as the moment the conversation shifts from preparation to response”, Barney adds.
“The immediate lesson is operational: audit what credentials exist in your environment, where they are stored and what they can access,” he advises. “Standing privileged access, secrets in application environments and internet-facing administrative accounts are the conditions that made this attack possible, and none of them requires sophisticated remediation to address.”
Cobalt CISO, Andrew Obadiaru, says the focus should be on redesigning response timelines. “An AI agent operating at machine speed can move from initial access to full destruction well inside the traditional detection window,” he tells Assured Intelligence. “In terms of practical actions, CISOs should audit their mean time to detect (MTTD) and (MTTR) against a compressed attack timeline, not the usual multi-hour dwell times of traditional ransomware.”
In light of JadePuffer, security teams should also work to reduce risk across the AI attack surface, Obadiaru adds. “CISOs need to bring AI application deployments, internal tools, LLM wrappers, agent frameworks under the same security governance as production systems,” he says. “This means applying the same standards for penetration testing, patching cadence, least-privilege access, and internet exposure reviews. Any internet-facing LLM application server should be treated as a high-value target today.”
“Every identity, human or non-human, needs defined access boundaries, time-limited permissions and continuous monitoring enforced” Shane Barney
Longer-term, the focus must be on extending zero trust governance to machine identities and AI tools, which could be targets for ATAs, Keeper Security’s Barney adds. “Every identity, human or non-human, needs defined access boundaries, time-limited permissions and continuous monitoring enforced as a foundational control rather than an afterthought,” he argues. “And because these threats operate at machine speed, detection has to as well. Automated, real-time visibility across every privileged session is the baseline modern security programs now require.”
Fenix24’s Renfrow agrees that identity security best practices can help to harden systems from ATAs, citing phishing-resistant MFA and least privilege as important. But he also urges CISOs to address other fundamentals, including rapidly patching internet-facing systems “reducing unnecessary external exposure”, and segmenting critical environments.
Other best practices should include continuous monitoring for unusual activity, and “ensuring recovery capabilities are regularly validated rather than assumed,” he adds.
In a world where end-to-end autonomous attacks are the norm, and adversaries expand these capabilities to cover the complete intrusion lifecycle, as the NCSC fears, resilience must be the priority, Renfrow argues. This means being able to maintain the core services of the minimum viable company (MVC) during a serious incident, while accelerating recovery as rapidly as possible.
“Ultimately, AI is unlikely to change what ransomware operators are trying to accomplish. It will change how efficiently they accomplish it,” concludes Fenxi24’s Renfrow. “The organisations that will be most resilient are those that can not only defend effectively but also demonstrate that they can recover under real-world conditions.”