logo-darklogo-darklogo-darklogo-dark
  • Tool Categories
    • 🎨Art & Creative Design505
    • 🏢Business Management644
    • 💻Coding & Development514
    • 👮Detection83
    • 🧠General Use728
    • 🏥Health & Wellness55
    • 📷Image & Photo Analysis100
    • 🖼️Image Generation & Editing618
    • 📐Interior & Architectural Design37
    • 🎓Learning & Education483
    • ⚖️Legal & Finance90
    • 🎭Lifestyle & Entertainment236
    • 📢Marketing & Advertising627
    • 🎧Music & Audio138
    • 👔Office & Workplace1,014
    • 🔬Research & Data Analysis373
    • 👥Social Media245
    • 🎥Video Generation & Editing426
    • 👧🏻Virtual Companion135
    • 🎤Voice Generation & Editing381
    • ✍️Writing & Editing808
    • All Categories
    • AI Use Cases
  • News
  • Events
    • Academic Conferences
    • Developer Conferences
    • Expos / Trade Shows
    • Industry Summits
    • Workshops / Training
    • All Events
    • Past Events
  • Saved Tools
  • Suggest a Tool
✕
Home › News › The first AI-run ransomware attack still had a human pulling the strings

The first AI-run ransomware attack still had a human pulling the strings

July 6, 2026
Dark high-tech control room with red holographic screens showing encrypted files and a ransom message from AI agent BlackLock.

#image_title

Last week, cloud security firm Sysdig published research on what it called the first known case of “agentic ransomware.” The operation, named JadePuffer, had an AI agent handle the technical side of a real cyberattack from start to finish. No human at the keyboard, many outlets reported. The agent broke into a server, stole credentials, moved through the network, encrypted files, and wrote its own ransom note. It even adapted when things went wrong, just like a human hacker would.

That framing was only partly right. According to TechCrunch, Sysdig’s senior director of threat research, Michael Clark, clarified in an interview with CyberScoop that a human was still very much part of the operation. Just not during the attack itself. “A human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim,” Clark said. The credentials used to break into the target’s database were also obtained separately by a person, through a prior compromise, and handed to the agent before it ever started.

None of that undermines Sysdig’s core finding. The technical details of this attack are still striking, and the implications for cybersecurity are real. But the distinction matters, because it changes the risk calculus considerably.

Here is what the agent actually did, once it was pointed at a target. It got in through a known vulnerability in Langflow, a popular open-source tool for building apps on top of large language models. From there it moved to a production MySQL server, exploited a second known flaw to gain admin access, and encrypted more than 1,300 configuration records. It then left behind a ransom note it wrote itself, complete with a Bitcoin address for payment. Sysdig has not named the victim.

What set this apart from a typical attack was speed. The agent fixed a failed login attempt in 31 seconds and narrated its own reasoning in natural-language code comments throughout. It also swept the compromised host for anything valuable, including:

  • API keys for OpenAI, Anthropic, DeepSeek, and Gemini
  • Cloud credentials
  • Cryptocurrency wallets
  • Database configuration files

That last point caused some confusion. Early coverage suggested multiple AI models may have powered different stages of the attack. Clark told TechCrunch that was a misreading. Those API keys were simply part of what the agent stole, not evidence of the models driving it. “They are indicative of what the attacker considered worth taking, but they do not tell us which model was making the decisions,” he said. Sysdig was not able to identify which model actually ran JadePuffer, and has no visibility into its system prompt or configuration.

Microsoft researcher Geoff McDonald offered a theory on LinkedIn shortly after the story broke. Based on his own red-teaming work, he suspected the attack was powered by an open-weight model with its safety training removed, rather than a frontier model from one of the major labs. His reasoning was that frontier models’ safety layers tend to hold up well under testing. Sysdig’s account neither confirms nor rules that out.

McDonald also raised a broader concern: that ransomware campaigns are now limited mainly by attacker budget, not human labor, opening the door to thousands of simultaneous campaigns running in parallel. That scenario is harder to picture given what Clark described. If a human still has to pick each victim, set up infrastructure, and supply database credentials for every operation, that is a meaningful bottleneck. At least for now.

Clark told CyberScoop that Sysdig has not yet seen JadePuffer hit other targets. But given how cheap it is to run an AI agent, he expects that to change. That is the part worth watching. The human involvement in this attack was real, but it was also minimal and mostly upfront. As agents get better and credential markets stay active, the gap between “AI-assisted” and “fully autonomous” keeps shrinking.

Share

Related news

Smartphone screen showing the Google search page in dark mode, with a blurred colorful Google logo in the background.

#image_title

July 6, 2026

Google is now using your uploaded images, audio and video to train its AI


Read more
Silhouette of a person holding a smartphone in front of a colorful 'Siri' logo on a bright background, suggesting voice assistant usage

#image_title

July 6, 2026

Apple lets you tweak Siri’s voice speed and emotion in iOS 27 beta 3


Read more
Reddit logo with RGB glitch effect in pink, yellow, and cyan on a light gray background.

#image_title

July 6, 2026

Reddit is using AI to fight the spam that AI helped create


Read more

Recent Posts

  • The first AI-run ransomware attack still had a human pulling the strings
  • Google is now using your uploaded images, audio and video to train its AI
  • Apple lets you tweak Siri’s voice speed and emotion in iOS 27 beta 3
  • Reddit is using AI to fight the spam that AI helped create
  • Apple iOS 27 code hints at AirPods Ultra with built-in cameras
Best AI Tools

Discover the best AI tools for any use case

Explore
  • Tool Categories
  • AI Use Cases
  • AI Events
  • AI News
  • Saved Tools
Company
  • About Us
  • Contact Us
  • Media & Partnerships
  • Suggest a Tool
Legal
  • Privacy Policy
  • Terms of Service
Copyright © 2026 Best AI Tools 415 Mission Street, 37th Floor, San Francisco, CA 94105