Nobody Was at the Keyboard
The ransomware industry just automated its most expensive employee. The attack was clumsy. The economics are not.
This month, July 2026, Sysdig’s Threat Research Team published findings from what it described as the first documented case of agentic ransomware. An autonomous AI agent had exploited a known security flaw in Langflow, an open-source tool used for building AI applications, and from there conducted a complete ransomware operation without a human operator directing it. It harvested passwords and access credentials from the systems it found, moved sideways to a production database server, installed mechanisms to maintain its access, encrypted more than 1,300 configuration records, and generated its own ransom note. The whole time, it was writing natural-language annotations inside its own code, explaining to itself why it was taking each step.
It did not develop new exploits, the operation, which Sysdig codenamed JadePuffer, exploited a vulnerability that had been publicly reported and patched more than 14 months earlier. The configuration management system it targeted was still running with a factory-default security key, a known weakness documented since 2020 that effectively left the front door unlocked. The file storage server it raided still had its original manufacturer login credentials. None of the individual weaknesses were new. What was new is that an AI model chained them into a complete attack against neglected infrastructure, on its own, adapting in real time when things went wrong.
The best evidence for autonomy was not what the agent did when things worked, it was what it did when they didn’t. At one point, the agent tried to create a backdoor administrator account on the target system. It failed because a software component it needed wasn’t installed in the location it expected. The agent diagnosed the problem, found an alternative approach, deleted the broken account, and reinserted a working one. The complete troubleshooting cycle took 31 seconds.
To understand why this matters, you need to understand what ransomware already looks like as a business. Ransomware-as-a-Service, or RaaS, is the dominant model. It operates as a criminal supply chain with clearly defined roles, much like any franchise operation. Developers build and maintain the ransomware software and the infrastructure around it: payment portals, leak sites for publishing stolen data, and negotiation channels. Specialist brokers compromise organisations and sell that access on criminal marketplaces. Affiliates, the criminal equivalent of contractors, carry out the actual attacks: breaking into each target environment, escalating their access to reach valuable systems, and deploying the ransomware. Some RaaS platforms even offer technical support and recruitment programmes for new affiliates. The structural parallel with legitimate software businesses is not a metaphor, it is the business model.
Chainalysis tracked approximately $820 million in ransomware payments in 2025, against a record 7,874 publicly claimed victims. The market for initial access is cheap and liquid: average prices for a foothold inside a corporate network have fallen below $500. In this model, the human operator is the expensive part. Access is cheap, tooling is cheap. But the person who navigates an unfamiliar network, makes judgment calls under pressure, and adapts when defences respond is the bottleneck. The human in the loop is where the cost lives and where the operation fails to scale.
JadePuffer just automated that role.
Every enterprise deploying AI agents right now is trying to make the same move. Not towards the same objective. But the same operational logic: replace a slow, expensive human process with a fast, cheap, adaptable agent that can read information, make decisions, adjust when something breaks, and complete multi-step workflows. That is what customer service automation does. That is what AI coding assistants do. Reduce labour costs, increase throughput, accept some quality variance in exchange for speed and scale.
I am not saying there is any moral equivalence here. A logistics company routing freight and a criminal group encrypting databases are pursuing entirely different ends. But they share the same method, and there is no version of this technology where one works and the other does not. JadePuffer’s 31-second troubleshooting cycle looks exactly like a corporate AI agent automatically retrying a failed process. The behaviour that makes a legitimate agent useful is the same behaviour that made this one effective.
Here is where the story gets complicated. JadePuffer completed the workflow. But it was, by any reasonable standard, a terrible extortion operation.
The encryption key, the piece of information the victim would need to recover their data, was randomly generated and never saved or sent back to the attacker. So, the victim’s data would be unrecoverable, regardless of whether they pay or not. Before destroying database records, the agent’s code commented that the data had been backed up to another server, but that claim is the agent’s own assertion, written into its self-narrating code. Sysdig found no independent evidence that any backup had happened.
And then there is the Bitcoin address. The ransom note directed payment to a wallet address that turns out to be the standard example used in Bitcoin’s own documentation and developer tutorials. It appears in virtually every beginner’s guide to Bitcoin addresses on the internet. Sysdig cannot determine whether the operator deliberately configured it or whether the AI hallucinated it because it had seen it so many times in its training data. The agent completed every step of the attack chain. It just did not understand the business objective it was supposed to serve.
The temptation at this point is to be reassured. After all, the attack was clumsy, so the threat must be overstated? That would be the wrong conclusion.
Competence is a temporary limitation. The 31-second troubleshooting cycle already shows the agent improving within a single operation: diagnosing failures, rewriting its own code, retrying. A system that can do that is not going to stay bad at the job for long. The next version will be better, and the trajectory matters more than any single example.
Plus, the economics do not require each individual attack to succeed. They require the marginal cost of launching attacks to approach zero. If the agent runs on stolen computing power, a practice Sysdig has documented as an industrialised black market in which attackers hijack other organisations’ AI infrastructure to run their tools for free, LLMJacking, then the cost to the attacker is functionally nothing. The threat model shifts from a skilled operator choosing a target to hundreds of autonomous agents probing every internet-facing server and every unpatched system, continuously. Not sophisticated extortion but mass disruption. Possibly with victims who cannot recover even if they want to pay.
But there is a new defensive opportunity in this, and it is a real one. AI-generated attack code narrates itself. JadePuffer’s code contained detailed natural-language annotations explaining which targets it considered most valuable and why. Human attackers do not do this. They do not annotate throwaway scripts with commentary about their reasoning. But AI code generation produces this by default. It cannot help itself. That self-narration gives defenders something no previous generation of automated attack has offered: the attacker’s own account of what it is trying to do and why, written into the evidence it leaves behind.
The problem is speed. If the agent can diagnose a failure, rewrite its code, and retry in 31 seconds, the window for defenders to respond may be too narrow for any process that relies on a human making the call. The detection opportunity is real. Whether anyone can act on it fast enough is a different question.
JadePuffer is not the crisis, it is the proof of concept. An autonomous agent assembled known techniques into a complete ransomware operation against neglected infrastructure, for approximately the cost of running a container. Whilst it did this badly, it will not do it badly for long.
The ransomware industry has been trying to scale for years. It professionalised its tooling, outsourced its access brokerage, built affiliate programmes, and offered customer support. The one thing it could not automate was the operator: the human who navigates the network, makes the calls, and adapts when the plan fails. That constraint just lifted.
Every other industry calls this digital transformation.
I write about AI, cybersecurity, and technology every Friday. Subscribe to get it in your inbox.
Sources
Sysdig TRT. ‘JADEPUFFER: Agentic ransomware for automated database extortion.’ 1 July 2026.
BleepingComputer. ‘JadePuffer ransomware used AI agent to automate entire attack.’ 4 July 2026.
The Register. ‘Smooth AI criminal drives first end-to-end agentic ransomware attack.’ 2 July 2026.
Chainalysis. 2026 Crypto Crime Report. Published February 2026 (full-year 2025 data).
Darkweb IQ (via Chainalysis). Average IAB access price decline to $439 by Q1 2026.
Sysdig TRT. ‘LLMjacking evolved: Attackers are using stolen AI compute to build offensive agentic tools.’ June 2026.
Bitcoin Wiki, Bitcoin Design Guide, CoinGecko. Confirm canonical P2SH example address.


