The ‘first’ AI-run ransomware attack still needed a human

Last week, researchers at cloud security firm Sysdig said they had documented the first known case of ‘agentic ransomware’. It was an extortion operation called JadePuffer, in which an AI agent – not a human – handled the technical execution of a real cyber attack from start to finish. The agent broke into a vulnerable server, stole credentials, moved through the target’s network, encrypted files, and even wrote his own ransom note, adapting to obstacles along the way as a human hacker would. Reporting on the funding described it as being done “without any human oversight,” with “no human at the keyboard.”
That’s not quite it full image. In one interview On Monday at CyberScoop, Sysdig’s Michael Clark, the company’s senior director of threat research, made it clear that a human was still intimately involved – just not in the technical execution. “A human still set up and ran the operation and set up the infrastructure behind it, the command-and-control server, the staging server that was used for the stolen data, and chose a victim,” Clark said. The credentials used to break into the victim’s database, he added, were not collected by the AI agent itself; someone acquired them separately, through a prior compromise, and turned them over to the operation.
None of this contradicts Sysdig’s original claim, and the technical details of the attack remain remarkable in themselves – wild, even. The agent got in via a known bug Longstreama popular open source tool for building LLM apps, then moved to a production MySQL server and exploited another known flaw to gain administrative access. It encrypted more than 1,300 configuration records and not only left a ransom note that it wrote itself, but also left a Bitcoin address where the ransom could be sent. Sysdig did not reveal who the target was.
The techniques were apparently quite common, but what stood out was the speed and transparency. The agent fixed a failed login in 31 seconds, narrating his own reasoning in natural language commentary the entire way.
One detail that initially seemed to cloud the picture has now been clarified. Clark had told CyberScoop that Sysdig discovered that “multiple models were used in the attack,” citing harvested keys for OpenAI, Anthropic, DeepSeek and Gemini – language that left open the question of whether different models were actively driving different stages of the intrusion. Asked for clarification, Clark told TechCrunch that those keys were simply part of what the officer stole, and not evidence of what caused it.
“The agent robbed the Langflow host looking for anything valuable – provider API keys, cloud data, cryptocurrency wallets, and database configurations – and those provider keys were part of the loot,” he said via email. “They indicate what the attacker thought was worth taking, but they don’t tell us which model made the decisions.”
Regarding the model running JadePuffer, Clark said Sysdig was “unable to identify the specific model driving the agent” and has no visibility into its system prompt or configuration.
Microsoft researcher Geoff McDonald’s theory, offered on LinkedIn few days ago, is worth revisiting in that light. McDonald suspected that an open-weight model with stripped-down security training, rather than a frontier model, was behind the attack, based on his own red-teaming experience showing that frontier labs’ security layers were holding up well. Sysdig’s own story does not confirm or rule that out.
McDonald’s post also warned that ransomware campaigns are now limited primarily by the attacker’s budget rather than human effort, raising the possibility of “thousands or tens of thousands of concurrent campaigns.” That concern is a little harder to square with what Clark described Monday. (If a human still has to choose each victim, provision the infrastructure, and obtain database credentials for each operation, that’s a bottleneck to say the least.)
Anyway, Clark told CyberScoop. While Sysdig has not yet seen the same operation affect other victims, given how cheap it is to run an agent, he expects that to change.
When you make a purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.




