First Fully Autonomous AI-Driven Ransomware: No Human Involvement and No Decryption Even After Payment
Sysdig uncovered the world’s first autonomous ransomware where an AI agent independently exploits a Langflow vulnerability, harvests credentials, moves laterally, encrypts data, and leaves no decryption key, rendering Bitcoin payments useless.
First Fully Autonomous AI Ransomware
Sysdig’s research team identified a novel ransomware campaign in which an AI agent conducts the entire attack chain—reconnaissance, credential theft, lateral movement, and data encryption—without any human operator. The threat group, dubbed Jadepuffer, leveraged known vulnerabilities and default credentials rather than zero‑day exploits.
Attack Chain Breakdown
Step 1 – Initial Access: The AI agent exploits CVE‑2025‑3248, an authentication bypass in the open‑source AI application framework Langflow, achieving unauthenticated remote code execution on internet‑exposed servers.
Step 2 – Credential Harvesting and Persistence: After gaining a foothold, the agent automatically enumerates cloud credentials, API keys, cryptocurrency wallets, config files and database passwords. It dumps the Langflow PostgreSQL database, scans the internal network, accesses an exposed MinIO object store with default credentials, and installs a cron job that contacts the attacker every 30 minutes.
Step 3 – Lateral Movement to Production: Using the harvested credentials, the AI expands to an internet‑facing production server running MySQL and Alibaba Nacos. It exploits CVE‑2021‑29441 and abuses Nacos’s default JWT signing key to inject a back‑door admin account.
Step 4 – Ransom Encryption: The agent encrypts 1,342 Nacos configuration records with MySQL’s built‑in encryption function, deletes the original tables, and leaves a ransom note demanding Bitcoin.
AI Adaptive Capability
The AI agent demonstrated rapid self‑learning: when creating an admin account failed, it diagnosed the error within 31 seconds and generated an alternative approach, continuing the attack. Hundreds of payloads containing natural‑language reasoning and self‑annotations were found, documenting each decision step.
No Decryption Key
Sysdig did not find any decryption key or backup retained by the attackers, meaning victims cannot recover data even after paying the Bitcoin ransom—a pure “delete‑only” destructive model.
Mitigation Recommendations
Patch CVE‑2025‑3248: Verify whether any Langflow instances are exposed to the internet and apply patches or isolate them immediately.
Replace Nacos default JWT key: Substitute the default signing key and prohibit default configurations in production.
Change all default credentials: Audit services such as MinIO for weak or default passwords.
Network segmentation: Isolate AI application frameworks like Langflow from core production databases.
Monitor AI agent behavior: Watch for anomalous command execution, cron deployments, and unexpected database encryption operations.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
