An AI Agent Conducted a Ransomware Attack Alone, from Initial Access to Extortion
The Sysdig Threat Research team has documented what it deems to be the first ransomware attack fully executed by an AI agent, without human operational intervention. The operator, named JADEPUFFER, exploited CVE-2025-3248 on Langflow, an open-source framework for creating LLM apps and agent workflows, to access a production server, encrypt 1,342 Nacos configurations, and destroy entire database schemas, leaving the victim unable to recover the data.
Sysdig categorizes JADEPUFFER as an "agentic threat actor" (ATA): an operator whose offensive capabilities are delivered by an AI agent rather than a human-driven toolkit. The vulnerability exploited for initial access was missing authentication on Langflow's code-validation endpoint, which allowed an unauthenticated attacker to execute arbitrary Python code on the host. All payloads were delivered as Base64-encoded Python via this endpoint.
Reconnaissance and Credential Collection
After initial access, the agent performed reconnaissance and secrets collection in parallel, looking for LLM provider API keys (OpenAI, Anthropic, DeepSeek, Gemini), cloud credentials (explicitly covering the Chinese providers Alibaba, Aliyun, Tencent, and Huawei in addition to AWS, GCP, and Azure), cryptocurrency wallets and seed phrases, database credentials, and configuration files. It dumped Langflow's Postgres database, saved the results to local files, reviewed them, and then deleted the staging files.
The agent also enumerated an internal MinIO object store using default credentials minioadmin:minioadmin, listing all buckets (application data, backups, ML artifacts, Terraform state) and extracting credential files; when the response parser failed because it was set for JSON format instead of XML, the agent autonomously corrected the error. To maintain persistence, it installed a crontab with a beacon to the attacker’s infrastructure every 30 minutes.
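The delivery channel described above (Base64-encoded Python posted to Langflow's validation endpoint) is a good place to put detection logic. The following is an added example, not code from Sysdig's report: it scans constructed access-log records, decodes request bodies that are valid Base64 text, and flags payloads that show the behaviours the report describes (environment secret harvesting, the default MinIO credentials, crontab persistence) or the heavy natural-language commenting typical of LLM-written code. The endpoint path and the log format are assumptions.

```python
import base64
import json
import re

# Assumed path of the Langflow code-validation endpoint (not stated on the page).
VALIDATE_PATH = "/api/v1/validate/code"

# Indicators mirroring the reported behaviour: env-var secret harvesting, the
# default MinIO credentials, and cron-based beaconing/persistence.
INDICATORS = {
    "env_secret_harvest": re.compile(r"os\.environ|API_KEY|SECRET_KEY|ACCESS_KEY"),
    "default_minio_creds": re.compile(r"minioadmin"),
    "cron_persistence": re.compile(r"crontab"),
}

def decode_python_payload(body: str):
    """Return the decoded text if body is Base64 that decodes to readable UTF-8, else None."""
    try:
        text = base64.b64decode(body, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\n\t\r" for c in text) else None

def comment_ratio(code: str) -> float:
    """Share of non-empty lines that are '#' comments (LLM payloads are heavily annotated)."""
    lines = [l.strip() for l in code.splitlines() if l.strip()]
    return sum(l.startswith("#") for l in lines) / len(lines) if lines else 0.0

def analyse_record(line: str):
    """Return an alert dict for a suspicious POST to the validation endpoint, else None."""
    rec = json.loads(line)
    if rec.get("method") != "POST" or rec.get("path") != VALIDATE_PATH:
        return None
    code = decode_python_payload(rec.get("body", ""))
    if code is None:
        return None
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(code))
    ratio = comment_ratio(code)
    if not hits and ratio < 0.3:
        return None
    return {"src": rec.get("src"), "indicators": hits, "comment_ratio": round(ratio, 2)}

def scan(lines):
    return [a for a in (analyse_record(l) for l in lines) if a]

def _b64(code: str) -> str:
    return base64.b64encode(code.encode()).decode()

# Constructed sample records (not real Sysdig telemetry): one harvesting payload,
# one benign validation request, and one unrelated GET.
SAMPLE_LOG = [
    json.dumps({"src": "198.51.100.9", "method": "POST", "path": VALIDATE_PATH, "body": _b64(
        "# Collect LLM provider keys from the environment\nimport os\n"
        "keys = {k: v for k, v in os.environ.items() if 'API_KEY' in k}\n")}),
    json.dumps({"src": "10.0.0.5", "method": "POST", "path": VALIDATE_PATH,
                "body": _b64("def add(a, b):\n    return a + b\n")}),
    json.dumps({"src": "198.51.100.9", "method": "GET", "path": "/api/v1/flows", "body": ""}),
]
```

Running `scan(SAMPLE_LOG)` yields a single alert for the first record; on a patched Langflow the endpoint requires authentication, so any unauthenticated hit on it should already be treated as a finding.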
The Attack on the Nacos Server
The ultimate target was a separate production server, exposed on the internet, that ran a MySQL database and the Alibaba Nacos configuration service, an open-source platform for service discovery and dynamic configuration used in microservices architectures. The agent connected to the exposed MySQL port with root credentials; Sysdig does not know how they were obtained and states that they were not stolen from the victim's environment.
JADEPUFFER attacked Nacos with multiple simultaneous vectors: exploiting the auth-bypass CVE-2021-29441, forging a valid JWT using Nacos' default signing key, which has been publicly documented since 2020 and is unchanged in many deployments, and injecting a backdoor admin account directly into the backing database via the previously obtained root access. After a first failed attempt, caused by a bcrypt hash generated via subprocess with an empty PATH, the agent concurrently diagnosed two possible causes and 31 seconds later issued a corrective payload that deleted the broken account and recreated it using a direct bcrypt import, checking the library version before proceeding. It then conducted a systematic investigation of a potential container escape via MySQL file primitives before issuing an explicit completion marker and moving on to the ransomware phase.
Encryption and a Ransom That Cannot Be Honored
The agent encrypted all 1,342 Nacos configuration items with MySQL's AES_ENCRYPT() function, deleted the original tables config_info and his_config_info, and created a ransom README table with a ransom request, Bitcoin address, and Proton Mail contact:
"YOUR DATA HAS BEEN ENCRYPTED. All NACOS configurations, REDACTED customer data, and REDACTED PII have been encrypted with AES-256."
The key used for the encryption, however, was ephemeral, generated from two concatenated UUID4s and Base64-encoded: it was printed to stdout but never persisted or transmitted, so the victim cannot recover the data even by paying. The claim of "AES-256" in the note is also likely inaccurate, as MySQL's AES_ENCRYPT() uses AES-128-ECB by default unless the server is explicitly reconfigured. The agent then escalated from row-level deletion to dropping entire database schemas, commenting in the payload on its "rationale for targeting" and claiming, without any external verification, that the data had already been copied to a staging server.
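The "AES-256" claim can be checked against how MySQL actually consumes the key: AES_ENCRYPT() XOR-folds whatever key bytes it is given into the key length of the configured block_encryption_mode (16 bytes for the default aes-128-ecb), so a long Base64 string of two UUID4s still yields a 128-bit key. The block below is an added illustration of that folding and of the key construction the report describes; it is not the agent's code or MySQL's, and the key-construction helper is a constructed imitation.

```python
import base64
import uuid

def mysql_fold_key(key: bytes, key_len: int = 16) -> bytes:
    """Reproduce MySQL's AES_ENCRYPT() key derivation: the supplied bytes are
    XOR-folded cyclically into key_len bytes (16 for the default aes-128-ecb;
    32 only when block_encryption_mode selects an aes-256-* mode).
    Supplying a longer key therefore adds no strength, and distinct long keys
    can fold to the same effective key."""
    folded = bytearray(key_len)
    for i, b in enumerate(key):
        folded[i % key_len] ^= b
    return bytes(folded)

def key_len_for_mode(mode: str) -> int:
    """Key length MySQL uses for a given block_encryption_mode value."""
    if mode.startswith("aes-256"):
        return 32
    if mode.startswith("aes-192"):
        return 24
    return 16  # aes-128-* (the server default is aes-128-ecb)

def effective_key_bits(key: str, mode: str = "aes-128-ecb") -> int:
    """Bits of key actually used by AES_ENCRYPT(data, key) under the given mode."""
    return len(mysql_fold_key(key.encode(), key_len_for_mode(mode))) * 8

def ephemeral_key_like_report() -> str:
    """Constructed imitation of the reported key: two UUID4s concatenated, then
    Base64-encoded. 72 input bytes become 96 Base64 characters, but the fold
    reduces them to 16 bytes under the default mode."""
    return base64.b64encode((str(uuid.uuid4()) + str(uuid.uuid4())).encode()).decode()

if __name__ == "__main__":
    k = ephemeral_key_like_report()
    print(len(k), effective_key_bits(k), effective_key_bits(k, "aes-256-cbc"))
```

To honour an "AES-256" claim the server would have to run with `SET block_encryption_mode = 'aes-256-cbc'` (or another aes-256-* mode) before the call; with the default, the note overstates the cipher by a factor of two in key length.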
According to Sysdig, the operation's payloads were self-explanatory: "it contained natural language reasoning, target prioritization, and the type of detailed annotations that human operators often do not write, but which LLM-generated code produces reflectively." The operation produced over 600 distinct, targeted payloads in a compressed timeframe, adapting to failed attempts in real time.
Among the collected indicators of compromise, Sysdig notes that the Bitcoin address used in the ransom note is the canonical Pay-to-Script-Hash example found throughout Bitcoin developer documentation and in LLM training corpora. Blockchain data shows 737 confirmed transactions and about 46 BTC received historically, with a current balance of zero because every deposit is transferred out immediately; it remains impossible to establish whether the address is actually monitored and, above all, by whom.
What Changes for Defense
"The level of expertise required to conduct a ransomware attack has been reduced to simply the execution cost of an agent, and if such an agent runs with credentials stolen via LLMjacking, the cost for an attacker is practically zero," Sysdig writes. The technical skill needed to run a ransomware operation has thus collapsed to the cost of executing an AI agent.
Among the defensive recommendations: update Langflow to fix CVE-2025-3248 and do not expose code-execution endpoints on the internet; change Nacos' default signing key and do not expose Nacos on the internet; do not run AI servers with API keys or cloud credentials in their environment; do not expose the database admin port on the internet; and apply egress controls to prevent arbitrary beacons.