top of page

The first AI-driven ransomware campaign: The power of technology and the true role of humans

The cybersecurity community recently witnessed a remarkable turning point as artificial intelligence (AI) executed a cyberattack entirely on its own. Dubbed JadePuffer, this campaign marks the first recorded instance where an "AI agent" (an AI system capable of operating independently) handled the entire technical lifecycle of a ransomware operation from end to end without direct human intervention.

However, looking closely at the details, experts have noted that the cyber underworld has not completely replaced humans in these operations just yet.

How the AI-driven hack unfolded?

According to a disclosure by cloud security firm Sysdig, the AI agent in the JadePuffer campaign demonstrated an adaptable and flexible capability on par with a real human hacker.

Upon gaining initial access to the system, the AI entity executed a sequence of actions entirely on its own: exfiltrating credentials, moving laterally deeper into the target's internal network, encrypting files for ransom, and even drafting the extortion letter to the victim. Initial reports described the attack as fully automated, with "no human presence behind the keyboard."

The true human role behind the scenes

While the AI handled the entire technical execution, this does not mean humans were completely left out of the loop. In an interview, Michael Clark, Senior Director of Threat Research at Sysdig, provided further clarity on the bigger picture.

In reality, humans still play a core role in setting up, guiding, and laying the groundwork for the campaign. They are responsible for building the underlying infrastructure, including command-and-control (C2) servers and staging servers used to store stolen data, and they are also the ones selecting the victims.

Notably, the key that allowed the AI to breach the initial database was not discovered by the AI itself. These credentials had been harvested by humans from a prior data breach and fed directly to the AI agent.

Attack timeline: Conventional techniques but extremely fast

Although the intrusion methods used in this campaign were relatively basic, what astonished experts was the AI's intimidating processing speed:

  • Infiltration method: The AI exploited a known security flaw in Langflow (a popular open-source tool used for building AI applications).

  • Privilege escalation: From that staging point, it moved to an active MySQL database server and exploited another vulnerability to gain full administrative (admin) privileges.

  • Impact: A total of over 1,300 configuration records were encrypted. The AI drafted a ransom note on its own, complete with a Bitcoin wallet address for payment collection. The specific identity of the victim remains confidential.

Remarkably, when encountering a failed login attempt during its progression, the AI agent took exactly 31 seconds to self-correct the error. Throughout the operation, it also continuously left natural language comments within the source code to explain its reasoning and actions.

The AI agent surprised researchers with its extreme speed and continuous natural language comments embedded within the source code
The AI agent surprised researchers with its extreme speed and continuous natural language comments embedded within the source code

The enigma of the underlying AI model

Initially, Sysdig's discovery of multiple API keys from major developers like OpenAI, Anthropic, DeepSeek, and Gemini in the system led to some misconceptions. Many wondered whether these models had collaborated to orchestrate the attack.

However, Sysdig clarified that these API keys were actually part of the "loot" that the AI scavenged and exfiltrated from the Langflow server. They reflect high-value assets targeted by the attacker rather than evidence of which model drove the assault. Currently, Sysdig has not been able to pinpoint the exact AI model family behind JadePuffer, nor have they gained access to its system prompts or configuration.

From an expert perspective, Geoff McDonald from Microsoft hypothesized that the culprit could be an "open-weight" model (an AI model type that users can freely modify) that was tampered with by hackers to remove its safety guardrails. Drawing on his red-teaming experience, he noted that the safety filters of advanced models from major providers currently perform exceptionally well against malicious behaviors. The Sysdig report neither confirmed nor denied this assessment.

The future of the threat and existing bottlenecks

The Microsoft expert also warned that once AI gets involved in ransomware campaigns, the limitation of attacks will no longer depend on human labor but rather on the adversary's budget. This opens up the risk of thousands, or even tens of thousands, of concurrent campaigns.

However, this concern is somewhat mitigated when compared with the reality described by Sysdig. As long as humans must still manually select victims, provision the network infrastructure, and harvest login credentials for each campaign, this remains a fixed "bottleneck" preventing attacks from spreading rampantly.

Nevertheless, given that operating an AI agent is extremely cost-effective, Sysdig's experts note that the trend of hackers utilizing this technology will undoubtedly rise in the future, even though they have not yet detected any other victims outside of the JadePuffer campaign.

The JadePuffer campaign provides clear evidence that AI has begun to be weaponized within the cybercrime landscape. While this technology can automate technical workflows at breakneck speeds, humans currently remain the puppet masters pulling the strings and preparing core prerequisites. This serves as a vital reminder for the cybersecurity industry to ready its defenses against next-generation, self-operating threats.

Comments


follow ipsip vietnam.png
40051abd5a76713af8f015988fc6780e-blue-phone-icon-with-a-wave-on-it.webp
whatsapp-mobile-software-icon-png-image_6315991.png
pngtree-minimal-calendar-icon-vector-png-image_21233134.png
IPSIP logo transparent.png

IPSIP VIETNAM ONE MEMBER LIMITED LIABILITY COMPANY (IPSIP VIETNAM OMLLC)

Tax code: 0313859600

🏢 SH05.01, B4 Street, Saritown Area, An Khanh Ward, Ho Chi Minh City, Vietnam

​☎  +84 918 397 489

  • Linkedin
  • Facebook
  • TikTok
  • Email liên hệ
png-clipart-iso-iec-27001-information-security-management-iso-iec-27002-international-orga
soc 2 type ii

Our Services

Sign up to receive in-depth cybersecurity documents and news from IPSIP Vietnam.

bottom of page