Researchers Discover First Documented Case of Agentic Ransomware

Researchers from the Sysdig Threat Research Team (TRT) believe they have discovered the first documented case of an extortion operation run end-to-end by a large language model (LLM). The researchers labelled the LLM operator JADEPUFFER and state it is considered an agentic threat actor (ATA).
According to the researchers, the ATA’s behavior was its “most striking characteristic.” Its payloads were self-narrating, involving target prioritization, natural language reasoning, and detailed annotations typical of LLM-generated code. Additionally, the operator adapted in real time, redoing failed attempts with new parameters. In one observed instance, the ATA took a failed login attempt to a working fix in 31 seconds.
Below, security experts share their thoughts on this research.
Security Leaders Weigh In
Ram Varadarajan, CEO at Acalvio:
JADEPUFFER’s 31-second failed-login-to-working-exploit correction is the real headline: the skill floor for ransomware has collapsed from “skilled human operator” to “whatever compute an agent costs to run,” so unpatched internet-facing infrastructure that once sat safely in the long tail of “we’ll get to it” is now the most attacked surface, not the least.
This is our new reality. When the adversary rewrites its own exploit code on the fly, static signatures can’t keep pace — only runtime behavioral detection, watching what a process does rather than what it matches, stands a chance of catching it.
Shane Barney, Chief Information Security Officer at Keeper Security:
Thirty-one seconds. That is how long it took JADEPUFFER to diagnose a failed login, identify the root cause, rewrite the fix and successfully re-authenticate, all without human intervention. The Sysdig Threat Research Team’s documentation of this operation is a concrete marker of where the threat landscape has moved, and the conclusion is less dramatic than the predictions and more dangerous than the headlines suggest. AI agents are no longer theoretical attack surfaces. They are now attack tools.
What makes this operation instructive is not the sophistication of the techniques involved but the conditions that made them possible. Every entry point JADEPUFFER exploited traces back to a failure of credential governance: secrets stored where they should not be, default credentials left unchanged and privileged accounts left open with no time-bound or scope-limited controls in place. Keeper Security research found that 72% of organizations cannot detect credential misuse in real time, with most identifying unauthorized privileged access within hours rather than minutes. An AI agent operating at machine speed can move from initial access to full destruction well inside that window.
The response has to match the threat. Privileged accounts need time-bound, scope-limited access controls rather than standing permissions. Secrets belong in a dedicated vault with automated rotation, not in environment variables on internet-facing servers. And real-time session visibility needs to be a baseline operational capability, because post-event log review is not a viable detection model when an attack can complete in minutes.
The threat has changed but the prescription has not. Know what identities exist in your environment, govern what they can access and ensure that access is continuously monitored. Those fundamentals have always mattered and in this environment they have become urgent.
Ben Ronallo, Principal Cybersecurity Engineer at Black Duck:
Companies need the visibility to patch, and then they need to just patch. The CVE associated with the Langflow compromise was published over a year ago and has been known as exploitable for an equally long time. As this attack shows, it’s not a matter of if a known vulnerability will be exploited, but rather when it will be exploited and what the impact of that exploit will be.
This sits alongside the recent Exploitarium disclosures, though the two are pulling on different threads. Exploitarium was about speed, AI finding brand new flaws faster than anyone could triage them. JADEPUFFER is about patience and volume, working through vulnerabilities that have been public and exploitable for over a year, but never made the prioritized list because there were better, newer CVEs to chase rather than a years-old Nacos bug on some forgotten server. New flaws get attention. Old ones just sit there until something decides they’re worth the trip. Again, it’s not a matter of if but when. AI is lowering the barrier to entry at the same time. Someone with no real technical background can now chain together recon, credential theft, and destruction that used to require an operator who actually understood each step.
When it comes to acting on this attack, first and foremost, if you know about exposed, vulnerable Langflow systems, activate your incident response procedures and immediately patch. While patching, pull the logs and check for the IOCs Sysdig identified, including scheduled tasks or cron entries beaconing outbound, that was JADEPUFFER’s persistence mechanism on the initial access host. Just as important, don’t stop at the Langflow host itself. It was the doorway here, not the target; trace what the compromised host could reach, not just what happened on it. If you identify any IOCs, determine whether credentials were compromised and take the necessary steps to contain the incident.
Heath Renfrow, Co-Founder and Chief Information Security Officer:
The Sysdig research is an important milestone, but I think it’s important to separate what’s genuinely new from what is simply an evolution of existing attacker tradecraft.
The headline shouldn’t be that AI has suddenly created a new form of ransomware. The real story is that AI is beginning to reduce the amount of human involvement required during an attack. Large language models can now assist with reasoning through failures, adapting commands, prioritizing targets, and modifying attack paths in real time. Those are tasks that historically required a skilled operator. As that capability matures, we should expect attacks to become faster, more consistent, and more scalable.
From our perspective responding to ransomware incidents around the world, attackers have been automating significant portions of their operations for years. We’ve already seen malware retry failed actions, adapt to environmental conditions, pivot laterally, and execute complex playbooks. What’s changing isn’t necessarily the objective — it’s the speed and autonomy with which those objectives can be achieved.
If an AI agent can compress what previously took an experienced operator several hours into a matter of minutes, defenders lose valuable time. That has implications across every phase of an incident, from detection and containment to recovery.
Organizations should resist focusing solely on whether an attacker is “AI-powered.” The outcome is ultimately the same: compromised identities, stolen credentials, encrypted or destroyed data, and business disruption. Security teams should continue prioritizing the fundamental-rapid patching of internet-facing systems, strong identity protections, least privilege, network segmentation, continuous monitoring, and restricting unnecessary external exposure.
Perhaps the biggest implication is for recoverability.
As attacks become increasingly autonomous, organizations should assume that some adversaries will achieve their objectives faster than defenders can react. The conversation therefore shifts from simply preventing compromise to ensuring the business can recover when prevention fails. Recovery can no longer be viewed as a backup problem — it must be treated as an operational capability that is continuously validated.
One aspect of this research that deserves additional scrutiny is the claim that this represents the “first documented case” of agentic ransomware. While the use of a large language model to guide attack decisions is certainly noteworthy, security researchers and incident responders have observed increasingly autonomous malware behaviors for many years. The distinction here is the decision-making engine rather than the existence of autonomous behavior itself.
Ultimately, AI is unlikely to fundamentally change the goals of ransomware operators. It will change their efficiency. The organizations that succeed won’t necessarily be those with the most security products — they’ll be the ones that can detect compromise quickly, maintain resilient identity and infrastructure, and demonstrably recover critical business operations under pressure.
As AI accelerates offensive operations, recoverability becomes just as important a competitive advantage as prevention. That’s where I believe security leaders should be focusing their investments over the next several years.
Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!





.webp?height=200&t=1727964771&width=200)



