The decryption key exists nowhere on disk. The Bitcoin address in the ransom note is a public example pulled from training data. The victim's 1,342 configuration records are gone, and even if they paid, they could not get them back. This is what happens when an AI agent runs a ransomware operation end to end: it destroys things it cannot undo, then asks for money it cannot collect.

JadePuffer agentic ransomware attack - Sysdig Threat Research Security firm Sysdig published a report in early July 2026 documenting what they call the first fully agentic ransomware operation. They named it JadePuffer. The attack exploited CVE-2025-3248, an unauthenticated remote code execution flaw in Langflow, an open-source framework for building LLM-based workflow apps. From that single entry point, an autonomous LLM agent executed every stage of the kill chain without a human issuing commands.

The attack chain reads like a textbook intrusion, except the operator was a language model. The agent dumped Langflow's Postgres database to harvest credentials. It scanned the internal network. It found a production server running MySQL and Alibaba's Nacos configuration service. It connected using root credentials that appear to have come from a prior compromise, not from the Langflow environment itself. Then it encrypted 1,342 Nacos service configuration records, deleted the original tables, and deployed a cron job that beamed data to attacker infrastructure every 30 minutes.

What makes JadePuffer different from scripted ransomware is the self-correction. When a MinIO API request returned XML instead of expected JSON, the agent rewrote its parsing logic on the fly. When a login attempt failed, it diagnosed the error and retried with corrected parameters. Sysdig observed the entire self-healing sequence take 31 seconds.

The payloads themselves are strange. Each one was Base64-encoded Python, delivered through the Langflow RCE endpoint. But the code contained natural language annotations and target prioritization notes, the kind of explanatory comments that human operators rarely write but LLM-generated code produces reflexively. "Self-narrating" is how Sysdig's Michael Clark described them. The agent was explaining its own attack to no one.

The operational failures are almost as interesting as the successes. The AES encryption key was generated randomly but never stored or transmitted anywhere the attacker could retrieve it. The Bitcoin address in the ransom note was a well-known example address, likely from the model's training data, not a real wallet controlled by anyone. The data is unrecoverable. The ransom cannot be paid. The extortion is, in a meaningful sense, a bluff that the AI does not know it is making.

This raises an uncomfortable question about what "agentic" actually means in practice. The agent chained reconnaissance, lateral movement, persistence, and encryption without human guidance. But it also made mistakes that a competent human operator would not: no key exfiltration, no functional payment infrastructure, data destruction that removed the victim's negotiating position. The attack was autonomous. It was not competent.

For defenders, the detection surface changes in subtle ways. Traditional signature-based detection struggles because every LLM-generated intrusion looks slightly different. The agent adapts its approach based on what works and what fails. What Sysdig recommends instead is behavioral monitoring: rapid iterative command execution, automated script generation with unusual code comments, suspicious cron job creation, and mass database operations that happen faster than quarterly security audits can catch.

The real concern is not JadePuffer itself but what it proves is possible. Langflow instances with internet exposure are common in organizations racing to deploy AI workflows. CVE-2025-3248 was disclosed in April and carries a CVSS score of 9.8. The fact that a production server was reachable from a development tool environment, with root MySQL credentials apparently lying around, is the kind of architectural failure that shows up in every post-incident report and gets fixed exactly until the next one.

JadePuffer did not invent any new technique. Every individual step, credential harvesting, lateral movement, and encryption, is well-documented and has been for years. What changed is the orchestration. An LLM agent can chain these steps without the operator needing expertise in any one of them. The barrier to running a complete ransomware operation just dropped from "skilled threat actor" to "someone who can point an LLM at a vulnerable endpoint."

Sources