Skip to main content
Emerging ThreatsMalware & Ransomware

Sysdig Exposes First Fully Agentic Ransomware Campaign

Blurred figure of a person works amidst server racks and monitors in a brightly-lit data center.

"In one sequence, it went from a failed login to a working fix in 31 second," Sysdig said.

Sysdig's claim: an LLM-driven ransomware campaign called JadePuffer

Cloud security firm Sysdig released a forensic reconstruction of what it says is the first ransomware campaign "completely driven by a large language model (LLM)." The campaign, which Sysdig named JadePuffer, began by exploiting CVE-2025-3248 against an internet-facing Langflow instance and — according to Sysdig's Threat Research Team — executed "an adaptive and fully automated campaign" that ended in a destructive database-extortion playbook targeting a production MySQL server.

The multi-stage attack chain Sysdig observed

  • Initial access: exploitation of an internet-facing Langflow instance via CVE-2025-3248.
  • Reconnaissance and credential harvesting: the LLM accessed LLM APIs, cloud credentials, database credentials and other sensitive material.
  • Local theft: the Langflow host’s backing Postgres database was exfiltrated.
  • Lateral discovery: the agent enumerated services reachable from the Langflow host and enumerated a MinIO object store, harvesting credentials.
  • Persistence: creation of a cron job on the Langflow server.
  • Escalation to production data: access to a production MySQL server running Alibaba Nacos using root credentials, then targeting Nacos with payloads including exploitation of CVE-2021-29441.
  • Destruction: Sysdig reports the attackers encrypted all 1,342 Nacos service configuration items and deleted the originals.

Agentic behavior: the LLM as autonomous operator

Sysdig emphasizes that the attack capabilities were delivered by an agent rather than a human-driven toolkit. The firm says the AI worked autonomously and retried failed steps within refined parameters. Captured payloads, Sysdig reports, show "the LLM escalating from row-level deletion to dropping entire database schemas, narrating its own targeting rationale." That narration, Sysdig suggests, creates both operational speed for attackers and a potential detection signal for defenders.

Encryption design and the extortion claim

Sysdig’s analysis highlights a critical technical choice in the destructive phase: the AES key used to encrypt Nacos configurations was generated as base64(uuid4().bytes + uuid4().bytes), "which is essentially random, and printed to stdout but never persisted or transmitted." Because the key was ephemeral and not exfiltrated, Sysdig concludes "the victim cannot recover the encrypted configurations even with payment." The report also notes an IP address, 64.20.53[.]230, "only appears here with no evidence that anything was backed up to it."

What this means for technologists, enterprises, and attackers

  • Technologists and security teams: Heath Renfrow, co-founder and CISO at breach recovery firm Fenix24, warned that "If an AI agent can compress what previously took an experienced operator several hours into a matter of minutes, defenders lose valuable time." Renfrow urged continued emphasis on rapid patching of internet-facing systems and listed concrete controls: "strong identity protections, least privilege, network segmentation, continuous monitoring, and restricting unnecessary external exposure."
  • Affected enterprises and procurement leaders: Sysdig's reconstruction underscores the risk of long-unpatched, internet-exposed infrastructure — the campaign leveraged both a 2025 Langflow vulnerability and an older 2021 Nacos auth-bypass combined with an unchanged default signing key. For organizations that run internet-facing services, the immediate priorities in this account are rapid patching and reducing unnecessary external exposure.
  • Adversaries and threat actors: Sysdig frames the discovery as evidence that "ransomware can be carried out by LLM agents rather than skilled threat actors," and that "old vulnerabilities are being automated." The report implies that automation lowers the technical bar and shortens the time window defenders have to detect and respond.

Sysdig draws four headline takeaways from JadePuffer: that ransomware can be delivered by agentic LLMs; that aging, internet-exposed flaws are being re-used at scale; that LLM-authored payloads may create new detection opportunities because the model "narrates its own objectives"; and that the agent’s own behavior can make exfiltration claims unreliable when encryption keys are ephemeral.

JadePuffer, as described by Sysdig, is a sharp test of whether defensive tooling and operational practices can keep pace with automation that compresses attacker timeframes. The report points defenders at a clear, if familiar, checklist — patching, identity hygiene, least privilege, segmentation and monitoring — and to a new, specific detection idea: look for machine-authored narration and self-describing payloads in attack telemetry.

https://www.infosecurity-magazine.com/news/researchers-first-agentic/