{"id":737462,"date":"2026-07-07T07:30:34","date_gmt":"2026-07-07T04:30:34","guid":{"rendered":"https:\/\/buradabiliyorum.com\/en\/the-first-ai-run-ransomware-attack-still-needed-a-human\/"},"modified":"2026-07-07T07:30:34","modified_gmt":"2026-07-07T04:30:34","slug":"the-first-ai-run-ransomware-attack-still-needed-a-human","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/the-first-ai-run-ransomware-attack-still-needed-a-human\/","title":{"rendered":"The &#8216;first&#8217; AI-run ransomware attack still needed a human"},"content":{"rendered":"<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">Last week, researchers at cloud security firm Sysdig said they\u2019d documented the first known case of \u201cagentic ransomware.\u201d It was an extortion operation, dubbed JadePuffer, in which an AI agent \u2014 not a human \u2014 handled the technical execution of a real-world cyberattack from start to finish. The agent broke into a vulnerable server, stole credentials, moved through the target\u2019s network, encrypted files, and even wrote its own ransom note, adapting to obstacles along the way like a human hacker would. Coverage of the funding described it as run \u201cwithout any human oversight,\u201d with \u201cno human at the keyboard.\u201d<\/p>\n<p class=\"wp-block-paragraph\">That\u2019s not quite the <em>full<\/em> picture. In an <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/cyberscoop.com\/sysdig-judepuffer-ai-agentic-ransomware-attack\/\">interview<\/a> on Monday with CyberScoop, Sysdig\u2019s Michael Clark, the company\u2019s senior director of threat research, clarified that a human was still very much involved \u2014 just not in the technical execution. \u201cA human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim,\u201d Clark said. The credentials used to break into the victim\u2019s database, he added, weren\u2019t harvested by the AI agent itself; someone obtained them separately, through a prior compromise, and handed them to the operation.<\/p>\n<p class=\"wp-block-paragraph\">None of this contradicts Sysdig\u2019s original claim, and the technical details of the attack remain notable on their own \u2014 wild, even. The agent got in through a known bug in <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.langflow.org\/\">Langflow<\/a>, a popular open-source tool for building LLM <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a>s, then moved on to a production MySQL server and exploited another known flaw to gain admin access. It encrypted over 1,300 configuration records and not only left behind a ransom note that it wrote itself but it left a Bitcoin address where the ransom could be sent. Sysdig hasn\u2019t disclosed who was targeted. <\/p>\n<p class=\"wp-block-paragraph\">The techniques were fairly ordinary apparently, what stood out was the speed and transparency involved. The agent fixed a failed login in 31 seconds, narrating its own reasoning in natural-language code comments the whole way.<\/p>\n<p class=\"wp-block-paragraph\">One detail that initially seemed to muddy the picture has since been clarified. Clark had told CyberScoop that Sysdig found \u201cmultiple models were used in the attack,\u201d citing harvested keys for OpenAI, Anthropic, DeepSeek, and Gemini \u2014 language that left open the question of whether several models actively powered different stages of the intrusion. Asked to clarify, Clark told TechCrunch that those keys were simply part of what the agent stole, not evidence of what was driving it. <\/p>\n<p class=\"wp-block-paragraph\">\u201cThe agent swept the Langflow host for anything valuable \u2014 provider API keys, cloud credentials, cryptocurrency wallets, and database configs \u2014 and those provider keys were part of the loot,\u201d he said via email. \u201cThey are indicative of what the attacker considered worth taking, but they do not tell us which model was making the decisions.\u201d<\/p>\n<p class=\"wp-block-paragraph\">On the model actually running JadePuffer, Clark said Sysdig \u201cwas not able to identify the specific model driving the agent\u201d and has no visibility into its system prompt or configuration.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft researcher Geoff McDonald\u2019s theory, <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7478661847231979520\/\">offered on LinkedIn<\/a> several days ago, is worth revisiting in that light. McDonald suspected an open-weight model with safety training s<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/trip-and-travel\/\" data-internallinksmanager029f6b8e52c=\"10\" title=\"Trip &amp; Travel\" target=\"_blank\" rel=\"noopener\">trip<\/a>ped out, rather than a frontier model, was behind the attack, based on his own red-teaming experience showing frontier labs\u2019 safety layers hold up well. Sysdig\u2019s own account doesn\u2019t confirm or rule that out.<\/p>\n<p class=\"wp-block-paragraph\">McDonald\u2019s post also warned that ransomware campaigns are now bounded primarily by attacker budget rather than human effort, raising the possibility of \u201cthousands or tens of thousands of simultaneous campaigns.\u201d That concern is a little harder to square with what Clark described Monday. (If a human still has to choose each victim, provision infrastructure, and obtain database credentials for every operation, that\u2019s a bit of a bottleneck, at least.) <\/p>\n<p class=\"wp-block-paragraph\">Either way, Clark told CyberScoop, while Sysdig hasn\u2019t seen the same operation hit other victims yet, given how cheap it is to run an agent, he expects that to change.<\/p>\n<\/div>\n<p><em>When you purchase through links in our articles, we may earn a small commission. This doesn\u2019t affect our editorial independence.<\/em><\/p>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMN63nwsw68G3Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more like this article, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/buradabiliyorum.com\/en\/category\/technology\/\" target=\"_blank\" >Technology<\/a><\/span> category.<\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/techcrunch.com\/2026\/07\/06\/the-first-ai-run-ransomware-attack-still-needed-a-human\/\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last week, researchers at cloud security firm Sysdig said they\u2019d documented the first known case of \u201cagentic ransomware.\u201d It was an extortion operation, dubbed JadePuffer, in which an AI agent \u2014 not a human \u2014 handled the technical execution of a real-world cyberattack from start to finish. The agent broke into a vulnerable server, stole&#8230;<\/p>\n","protected":false},"author":1,"featured_media":737463,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/07\/Ransomware-attack.png?resize=1200,686","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[77337,72287,163110],"class_list":["post-737462","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-ai","tag-security","tag-sysdig"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/737462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=737462"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/737462\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/737463"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=737462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=737462"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=737462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}