AI Agents Now Run Full Ransomware Operations With Minimal Human Help
JADEPUFFER campaign shows AI agents autonomously exploiting vulnerabilities, moving laterally, and encrypting databases. Ransomware attacks up 42% as LLMs compress attack timelines to seconds.
The ransomware industry has crossed a threshold that security researchers have been warning about for years: AI agents are now conducting complete attack chains with minimal human oversight. A campaign discovered this week by Sysdig demonstrates just how far autonomous operations have progressed.
The threat actor behind JADEPUFFER deployed an AI agent that exploited CVE-2025-3248, a missing-authentication flaw in Langflow, to gain initial access. What happened next illustrates why ransomware operations are becoming increasingly difficult to defend against—the agent handled reconnaissance, lateral movement, and encryption without waiting for human commands.
Machine-Speed Attack Execution
According to Sysdig's analysis, the JADEPUFFER agent demonstrated capabilities that would take human operators hours to replicate. Once inside, it systematically swept for API keys from OpenAI, Anthropic, DeepSeek, and Gemini, plus cloud credentials from AWS, Azure, and Chinese providers. It accessed a MinIO storage server using factory-default credentials and pivoted to a MySQL database.
The agent then exploited CVE-2021-29441, a Nacos authentication bypass, using unchanged default signing keys. All 1,342 Nacos configuration settings were encrypted, original tables dropped, and a ransom note left demanding Bitcoin.
Researchers identified over 600 purposeful attack payloads containing plain-English notes explaining each step—a signature characteristic of LLM operations. When authentication errors occurred, the agent fixed them in 31 seconds with multi-step corrections.
The Broader Shift to Autonomous Ransomware
JADEPUFFER isn't an isolated incident. CTI Labs reported a 42% increase in ransomware attacks during Q1 2026, attributing the surge to AI-powered Ransomware-as-a-Service platforms. The IBM X-Force Threat Index documented a 49% surge in active ransomware groups year-over-year.
These numbers reflect what happens when operational barriers collapse. Median access handoff times between initial access brokers and ransomware operators fell to 22 seconds in 2025, down from more than eight hours in 2022. When AI handles the heavy lifting, operations that once required specialized skills become accessible to anyone with a budget.
Over 250 new ransomware operators were documented in the last six months. Many use generative AI tools to craft personalized phishing campaigns 60% faster than before. We covered a similar AI-assisted ransomware toolkit last month that used Claude Opus to automate EDR evasion against Sophos, CrowdStrike, and Defender.
Ransomware 3.0: Code Generated at Runtime
Research published on arXiv describes what researchers call "Ransomware 3.0"—LLM-orchestrated malware that generates code dynamically rather than shipping pre-compiled binaries. The orchestrator contains only natural language instructions; malicious payloads are synthesized at runtime.
This approach creates a detection nightmare. Every execution yields different code, artifacts, and extortion notes. Traditional signature-based detection becomes structurally incapable of keeping pace with polymorphic variants that rewrite themselves continuously.
The proof-of-concept was tested across personal computers, enterprise servers, and industrial controllers using open-source language models. It successfully generated functional encryption routines, exfiltration scripts, and destructive payloads—all from prompts alone.
Real-World Attack Examples
The shift toward AI-assisted operations is already producing incidents:
- July 2025: A single actor conducted an extortion campaign against 17 organizations using Claude Code, instructing the AI to handle technical reconnaissance and draft localized ransom notes.
- December 2025: An individual breached the Mexican government using Claude Code and ChatGPT, targeting 10+ agencies and stealing 195 million taxpayer records.
- ISACA tracking: One Chinese-backed group used AI agents to handle 80–90% of each operation, with humans intervening at just 4–6 key decision points.
New malware families like PROMPTFLUX, PROMPTSTEAL, and PROMPTLOCK now incorporate LLMs directly. These tools aren't experimental—they're being deployed against production environments.
Triple Extortion and Automated Negotiations
The operational model is changing too. AI-powered chatbots now handle ransom negotiations autonomously, engaging victims in multiple languages around the clock. This mirrors the modular approach we've seen in frameworks like Avalon, which bundles every tool threat actors need from initial access through encryption.
Triple extortion has become standard: encryption, data theft, and a third pressure mechanism like DDoS attacks, regulatory complaints, or direct outreach to victims' customers and journalists.
What Defenders Should Do Now
The JADEPUFFER IOCs include command-and-control infrastructure at 45.131.66[.]106:4444 and a staging server at 64.20.53[.]230. The attackers used Bitcoin address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy and Proton Mail contact e78393397[@]proton[.]me.
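A retrospective sweep for the two network indicators above, as an added example that is not Sysdig's tooling or part of the original article. The flow-log layout and the sample lines are assumptions constructed for illustration; only the two defanged indicators come from the article.

```python
import ipaddress
import re

# IOCs exactly as published in the article (defanged form).
DEFANGED_IOCS = ["45.131.66[.]106:4444", "64.20.53[.]230"]


def refang(indicator):
    """Turn 'a.b.c[.]d' or 'a.b.c[.]d:port' into (ip_address, port or None)."""
    host, _, port = indicator.replace("[.]", ".").partition(":")
    return ipaddress.ip_address(host), int(port) if port else None


IOCS = dict(refang(i) for i in DEFANGED_IOCS)

# Assumed flow-log layout: "<timestamp> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")


def sweep(lines):
    """Return (timestamp, peer, ioc_ip, match) for every flow end that is an IOC."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        ts, src, sport, dst, dport = m.groups()
        for ip_text, port, peer in ((dst, dport, src), (src, sport, dst)):
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                continue  # hostname or malformed address on this end
            if ip in IOCS:
                match = "ip+port" if IOCS[ip] == int(port) else "ip-only"
                hits.append((ts, peer, str(ip), match))
    return hits


# Constructed sample flows (internal addresses and timestamps are made up).
SAMPLE_LOG = [
    "2026-01-01T10:00:01Z 10.0.4.17:51544 -> 45.131.66.106:4444",
    "2026-01-01T10:00:03Z 10.0.4.17:51560 -> 64.20.53.230:443",
    "2026-01-01T10:00:05Z 10.0.4.22:40000 -> 45.131.66.106:8080",
    "2026-01-01T10:00:09Z 10.0.4.22:40010 -> 203.0.113.10:443",
    "truncated line",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(*hit)
```

An "ip+port" hit matches the published command-and-control endpoint exactly; an "ip-only" hit shares the address but not the port and needs corroboration before escalation.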
Sysdig's recommendations:
- Patch Langflow immediately and never expose code-running endpoints to the internet
- Store API keys in dedicated secret managers, not AI environment variables
- Change Nacos default signing keys and restrict internet exposure
- Implement strict database root account access controls
- Deploy runtime behavioral monitoring—traditional signatures won't catch polymorphic variants
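To check the secret-manager recommendation against a running workload, the added example below (not from Sysdig or the original article) audits a process environment for the credential families the article says the agent swept for. The variable-name list is an assumption based on the providers' conventional names, and the sample environment is constructed.

```python
import re

# Conventional variable names for the credential families named in the article.
# This list is an assumption of the example; extend it for your own estate.
PROVIDERS = {
    "openai": r"OPENAI_API_KEY",
    "anthropic": r"ANTHROPIC_API_KEY",
    "deepseek": r"DEEPSEEK_API_KEY",
    "gemini": r"(GEMINI|GOOGLE)_API_KEY",
    "aws": r"AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)",
    "azure": r"AZURE_(CLIENT_SECRET|STORAGE_KEY|STORAGE_CONNECTION_STRING)",
}
GENERIC = re.compile(r".*(_API_KEY|_SECRET|_TOKEN|_PASSWORD)$")


def parse_environ(blob):
    """Parse the NUL-separated KEY=VALUE layout of /proc/<pid>/environ."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def audit(env):
    """Return (name, family, value length) per secret-like variable; values are never echoed."""
    findings = []
    for name, value in sorted(env.items()):
        if not value:
            continue  # declared but empty: nothing for injected code to read
        family = next((f for f, p in PROVIDERS.items() if re.fullmatch(p, name)), None)
        if family is None and GENERIC.fullmatch(name):
            family = "generic"
        if family:
            findings.append((name, family, len(value)))
    return findings


# Constructed sample: environment of a hypothetical AI workflow server process.
SAMPLE = (b"PATH=/usr/bin\0OPENAI_API_KEY=sk-constructed-example\0"
          b"AWS_SECRET_ACCESS_KEY=constructed/example/value\0"
          b"DB_PASSWORD=constructed\0ANTHROPIC_API_KEY=\0LANG=C.UTF-8\0")

if __name__ == "__main__":
    for name, family, length in audit(parse_environ(SAMPLE)):
        print(f"{name}: {family} credential in process environment ({length} chars)")
```

On Linux, the same functions can be fed the bytes of `/proc/<pid>/environ` for the workload's process; every finding is a credential that code running inside that process could read directly.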
The CISA #StopRansomware resources and NIST framework both recommend layered defenses, but the speed advantage now belongs to attackers. When an AI agent can identify, exploit, and encrypt in the time it takes a security analyst to triage an alert, response processes need fundamental rethinking.
For organizations still building their ransomware defense strategy, the lesson from JADEPUFFER is clear: assume attackers have access to the same AI tools you do, and plan accordingly.