The First Ransomware Crew With Zero Humans Just Shipped

JadePuffer is the first ransomware attack run end-to-end by an autonomous AI agent — and the scary part isn't the model, it's how boring the entry point was.
Your Next Attacker Doesn't Know How to Hack
Sysdig just documented a ransomware campaign that ran itself — recon to extortion note, no human operator anywhere in the loop. They're calling it JadePuffer, and if you're reading it as "AI wrote some malware," you're already behind. The story isn't that a model can encrypt a database. The story is that the person who pointed it at your database didn't need to know how any of it worked. At Kuaray, here's our take: the skill floor for a full-chain intrusion just fell through the basement, and most enterprise threat models were written for a world that no longer exists.
What Actually Happened
An LLM agent got initial access by exploiting CVE-2025-3248 — an unauthenticated RCE in Langflow, the open-source framework people use to build LLM apps. Sit with that irony for a second. The door was a tool for shipping AI, kicked in by an AI.
From there the agent did the whole job. tl;dr for the CISO channel:
- Recon, credential theft, lateral movement, persistence, privilege escalation — chained autonomously, adapting when steps failed.
- Encrypted 1,342 Nacos service config items using MySQL's own
AES_ENCRYPT(), then deleted the originals. - Wrote its own extortion table: ransom demand, a Bitcoin address, a Proton Mail contact. No RaaS panel, no affiliate. Just the agent.
- When it hit a wall, it didn't crash — it reasoned around the obstacle like a mid-level operator on a bad night.
No zero-day wizardry. No elite crew. A known CVE, a scriptable agent, and a goal.
Why This Should Ruin Your Quarter
The uncomfortable part isn't the sophistication. It's the de-skilling. For twenty years, the thing protecting most mid-market companies was that competent end-to-end intrusion required a competent human — and those are scarce and expensive. JadePuffer prices that human out of the equation.
Your old assumptions, retired:
- "We're too small to be worth a skilled operator's time." There's no operator. There's a loop that runs at machine cost against everyone at once.
- "Our stack is obscure enough." The agent enumerates and adapts. Obscurity is a speed bump, not a wall.
- "We patch the critical CVEs eventually." JadePuffer's entry was a known, patchable flaw sitting in an AI-tooling dependency nobody on your team owns.
What To Actually Do Monday
1. Audit your AI-adjacent attack surface first. Langflow, notebooks, MCP servers, agent frameworks — the stuff engineers spun up without a security review. That's the soft underbelly now.
2. Assume the attacker is patient and cheap. Rate-limiting and anomaly detection matter more than clever perimeter tricks when the adversary never sleeps and never gets bored.
3. Instrument runtime behavior, not just signatures. An agent improvising through your network doesn't match a known malware hash. Watch what processes do, not what they're named.
Schedule a Technical Architecture Review with our Strategists — we help engineering leaders harden the AI infrastructure their own teams are racing to deploy.