Pull to refresh
Logo
Daily Brief
Following
Why Ranks Sign Up
Researchers document first ransomware attack run entirely by an AI agent

Researchers document first ransomware attack run entirely by an AI agent

New Capabilities

Sysdig says an autonomous agent, dubbed JadePuffer, ran the full attack with no human directing it

Yesterday: Case reported as first fully autonomous AI ransomware attack

Overview

A ransomware attack ran start to finish with no human running the technical steps. Cloud-security firm Sysdig says an AI agent broke in, stole credentials, and encrypted data without a person directing each move — though Sysdig's Michael Clark clarified to TechCrunch that a human still set the objectives and collected payment.

The agent ran more than 600 distinct payloads, many annotated in plain language explaining its own reasoning. When a step failed, it diagnosed and fixed the bug in about 31 seconds, then continued.

Why it matters

Ransomware used to need a skilled operator. An AI agent that runs the full attack lowers the skill needed to extort a company.

Questions about this story

No questions yet — be the first to ask.

Key Indicators

1,342
Config items encrypted
The agent encrypted 1,342 database configuration items on a production server, then deleted the originals.
~31 sec
Time to self-repair
The gap between a failed admin login and the agent's working fix for its own broken code.
600+
Payloads executed
The operation ran more than 600 distinct payloads, many with plain-language comments explaining the agent's reasoning.
0
Human operators directing
Sysdig found no human steering the intrusion once the agent was running.

Voices

Curated perspectives — historical figures and your fellow readers.

Ever wondered what historical figures would say about today's headlines?

Sign up to generate historical perspectives on this story.

Play

Exploring all sides of a story is often best achieved with Play.

Log in to play. Track your picks, climb the leaderboards. Log in Sign Up
Predict 4 ways this could play out. Contrarian picks score more — points lock when the scenario resolves. Log in to play
Higher or Lower Two numbers from this story. Guess which is bigger. 5 rounds to set a streak. Log in to play
Timeline Five events from this story — drag them oldest to newest. Log in to play
Connections Sixteen names from the news. Find the four hidden groups of four. Log in to play

Organizations Involved

Timeline

March 2021 July 2026

7 events Latest: Yesterday
Tap a bar to jump to that date
  1. Case reported as first fully autonomous AI ransomware attack

    Latest Coverage

    Security outlets frame JadePuffer as the first ransomware attack carried out start to finish by an autonomous AI agent.

  2. TechCrunch questions the no-human framing

    Analysis

    TechCrunch reported that Sysdig's Michael Clark clarified a human was still involved — setting goals and collecting payment. The technical execution was fully automated, but the operator still had to initiate and direct the campaign at the strategic level.

  3. Sysdig publishes JadePuffer report

    Disclosure

    Sysdig details an attack it says an AI agent ran end to end, encrypting 1,342 config items on a production database.

  4. CISA and Five Eyes partners publish agentic-AI security guidance

    Policy

    CISA, NSA, and the cybersecurity agencies of Australia, Canada, New Zealand, and the UK jointly released "Careful Adoption of Agentic AI Services," the first Five Eyes guidance specifically addressing autonomous AI agents. It flags privilege escalation, behavioral misalignment, and accountability gaps as core risks.

  5. Anthropic reports AI-run espionage campaign

    Disclosure

    Anthropic says a state-linked group used its Claude model to automate most of an espionage campaign against about 30 targets.

  6. Langflow RCE flaw disclosed

    Vulnerability

    CVE-2025-3248 lets an unauthenticated attacker run code on exposed Langflow servers. This becomes JadePuffer's way in.

  7. Nacos auth-bypass flaw disclosed

    Vulnerability

    CVE-2021-29441, an authentication-bypass bug in Alibaba's Nacos config service, is made public. The agent later abuses it.

Historical Context

3 moments from history that rhyme with this story — and how they unfolded.

November 1988

The Morris Worm (1988)

A Cornell graduate student, Robert Morris, released a self-replicating program onto the early internet. It spread on its own, infecting thousands of machines and slowing much of the network. No human guided its movement once it was loose.

Then

Cleanup took days and cost an estimated hundreds of thousands to millions of dollars. The scare led to the first Computer Emergency Response Team.

Now

Morris became the first person convicted under the US Computer Fraud and Abuse Act. Self-spreading code became a permanent security concern.

Why this matters now

It was the first time code, not a person, drove an attack step by step. JadePuffer extends that idea from blind replication to an agent that reasons and adapts.

May 2017

WannaCry ransomware (2017)

Ransomware paired with a self-spreading exploit tore through networks in a single weekend. It hit more than 200,000 computers across 150 countries and forced parts of the UK's National Health Service to turn away patients.

Then

Hospitals canceled appointments and surgeries. A researcher stumbled on a kill switch that slowed the spread.

Now

It showed how fast automated ransomware could scale without human hands guiding each infection.

Why this matters now

WannaCry automated the spread. JadePuffer automates the thinking too, choosing targets and fixing its own errors as it goes.

June 2017

NotPetya (2017)

Malware disguised as ransomware swept through companies worldwide, starting in Ukraine. It demanded payment, but its encryption was built so that files could not be recovered even if victims paid. Damage ran into the billions.

Then

Shipping giant Maersk and others halted operations for days. Recovery meant rebuilding systems from scratch.

Now

It proved a ransom note can be a cover for pure destruction.

Why this matters now

JadePuffer never stored its encryption key, so paying would not restore the data. Like NotPetya, the demand may mask an attack that cannot be undone.

Sources

(8)