The ‘first’ AI-enabled ransomware attack still required humans.

Last week, researchers at cloud security firm Sysdig said they had documented the first known case of “agent ransomware.” It was a heist operation called JadePuffer, in which non-human AI agents handled the technical execution of a real cyber attack from start to finish. The agents broke into vulnerable servers, stole credentials, moved through the target’s network, encrypted files, and even wrote their own ransom notes, adapting to obstacles like human hackers. The funding statement described it as running “without human supervision” and “without anyone at the keyboard.”

That’s not quite right saturated painting. In an interview with CyberScoop on Monday, Michael Clark, senior director of threat research at Sysdig, said humans are still very much involved in executing the technology. “Humans still set up and direct the operation, provide the infrastructure behind it, command and control servers, staging servers used for the stolen data, and select the victims,” Clark said. He added that the credentials used to break into victims’ databases were not collected by the AI ​​agents themselves. Someone acquired it separately through a prior compromise and handed it over to the operations team.

None of this contradicts Sysdig’s original claims, and the technical details of the attack are still notable in their own right. The agent infiltrated through a known bug in Langflow, a widely used open source tool for building LLM apps, then moved to a production MySQL server and exploited another known flaw to gain administrator access. It encrypted over 1,300 configuration records and left behind a self-written ransom note as well as a Bitcoin address to which the ransom could be sent. Sysdig did not say who the targets were.

The technology was fairly ordinary, but what stood out was its speed and transparency. The agent fixed the failed login in 31 seconds, explaining its reasoning throughout the entire process with natural language code comments.

One detail that initially seemed to blur the picture later became clear. Clark told CyberScoop that Sysdig found that “multiple models were used in the attack,” citing keys collected for OpenAI, Anthropic, DeepSeek, and Gemini. This raised the question of whether different models actively drove different stages of invasion. Asked to clarify, Clark told TechCrunch that these keys were only part of what the agents stole and were not triggering evidence.

“The agents swept through Langflow hosts looking for anything valuable: provider API keys, cloud credentials, cryptocurrency wallets, database configurations, etc. These provider keys were part of the loot,” he said via email. “It indicates what the attacker thought was worth taking, but it doesn’t tell us which model made the decision.”

As for which models actually run JadePuffer, Clark said Sysdig “could not identify the specific model running the agent” and had no visibility into system prompts or configurations.

Microsoft researcher Geoff McDonald’s theory presented on LinkedIn a few days ago is worth revisiting from that perspective. McDonald suspected that the Open Weight model, with its safety training removed, and not the Frontier model, was behind the attack, based on his own red teaming experience showing that Frontier Lab’s safety layers held up well. Sysdig’s own account neither confirms nor rules this out.

McDonald’s post also warned that ransomware campaigns are now limited primarily by attackers’ budgets rather than human efforts, raising the possibility of “thousands or tens of thousands of simultaneous campaigns.” That concern is a little harder to square with what Clark described Monday. (If humans still have to select each victim, provide the infrastructure, and obtain database credentials for every operation, this becomes at least a bit of a bottleneck.)

Either way, Clark told CyberScoop. Sysdig has yet to see the same operation harm other victims, but considering how cheap it is to run an agent, he expects that to change.

We may receive a small commission if you purchase something through links included in this article. This does not affect our editorial independence.