The ‘first’ AI-run ransomware attack still needed a human
An AI agent carried out the technical execution of a real-world ransomware attack for the first known time, but new details show a human still chose the victim, set up the infrastructure, and supplied stolen credentials — meaning it wasn't quite the fully autonomous cybercrime debut that last week's headlines suggested.
Last week, researchers at cloud security firm Sysdig said they’d documented the first known case of “agentic ransomware.” It was an extortion operation, dubbed JadePuffer, in which an AI agent — not a human — handled the technical execution of a real-world cyberattack from start to finish. The agent broke into a vulnerable server, stole credentials, moved through the target’s network, encrypted files, and even wrote its own ransom note, adapting to obstacles along the way like a human hacker would. Coverage of the funding described it as run “without any human oversight,” with “no human at the keyboard.”
That’s not quite the full picture. In an interview on Monday with CyberScoop, Sysdig’s Michael Clark, the company’s senior director of threat research, clarified that a human was still very much involved — just not in the technical execution. “A human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim,” Clark said. The credentials used to break into the victim’s database, he added, weren’t harvested by the AI agent itself; someone obtained them separately, through a prior compromise, and handed them to the operation.
None of this contradicts Sysdig’s original claim, and the technical details of the attack remain notable on their own — wild, even. The agent got in through a known bug in Langflow , a popular open-source tool for building LLM apps, then moved on to a production MySQL server and exploited another known flaw to gain admin access. It encrypted over 1,300 configuration records and not only left behind a ransom note that it wrote itself but it left a Bitcoin address where the ransom could be sent. Sysdig hasn’t disclosed who was targeted.
The techniques were fairly ordinary apparently, what stood out was the speed and transparency involved. The agent fixed a failed login in 31 seconds, narrating its own reasoning in natural-language code comments the whole way.
One detail that initially seemed to muddy the picture has since been clarified. Clark had told CyberScoop that Sysdig found “multiple models were used in the attack,” citing harvested keys for OpenAI, Anthropic, DeepSeek, and Gemini — language that left open the question of whether several models actively powered different stages of the intrusion. Asked to clarify, Clark told TechCrunch that those keys were simply part of what the agent stole, not evidence of what was driving it.
“The agent swept the Langflow host for anything valuable — provider API keys, cloud credentials, cryptocurrency wallets, and database configs — and those provider keys were part of the loot,” he said via email. “They are indicative of what the attacker considered worth taking, but they do not tell us which model was making the decisions.”
On the model actually running JadePuffer, Clark said Sysdig “was not able to identify the specific model driving the agent” and has no visibility into its system prompt or configuration.
Microsoft researcher Geoff McDonald’s theory, offered on LinkedIn several days ago, is worth revisiting in that light. McDonald suspected an open-weight model with safety training stripped out, rather than a frontier model, was behind the attack, based on his own red-teaming experience showing frontier labs’ safety layers hold up well. Sysdig’s own account doesn’t confirm or rule that out.
McDonald’s post also warned that ransomware campaigns are now bounded primarily by attacker budget rather than human effort, raising the possibility of “thousands or tens of thousands of simultaneous campaigns.” That concern is a little harder to square with what Clark described Monday. (If a human still has to choose each victim, provision infrastructure, and obtain database credentials for every operation, that’s a bit of a bottleneck, at least.)
Either way, Clark told CyberScoop, while Sysdig hasn’t seen the same operation hit other victims yet, given how cheap it is to run an agent, he expects that to change.
When you purchase through links in our articles, we may earn a small commission . This doesn’t affect our editorial independence.
Last chance to save up to $190 on TechCrunch Founder Summit. Join 1,000+ founders and VCs at all stages for real-world scaling insights and connections that move the needle. Savings end June 26, 11:59 p.m. PT .
Amazon will stop accepting new customers for Mechanical Turk Anthony Ha
Amazon will stop accepting new customers for Mechanical Turk
Amazon will stop accepting new customers for Mechanical Turk
5 desk gadgets that can make your workday better Aisha Malik
5 desk gadgets that can make your workday better
5 desk gadgets that can make your workday better
Chevy built an all-American EV truck — why is nobody buying it? Tim De Chant
Chevy built an all-American EV truck — why is nobody buying it?
Chevy built an all-American EV truck — why is nobody buying it?
Mark Zuckerberg tells staff that AI agents haven’t progressed as quickly as he’d hoped Lucas Ropek
Mark Zuckerberg tells staff that AI agents haven’t progressed as quickly as he’d hoped
Mark Zuckerberg tells staff that AI agents haven’t progressed as quickly as he’d hoped
After $18B IPO, Bending Spoons founder says success comes from minimizing luck Anna Heim
After $18B IPO, Bending Spoons founder says success comes from minimizing luck
After $18B IPO, Bending Spoons founder says success comes from minimizing luck
The ‘Father of the Internet’ is finally retiring Tim Fernholz
The ‘Father of the Internet’ is finally retiring
The ‘Father of the Internet’ is finally retiring
OpenClaw is finally available on Android and iOS Lucas Ropek
OpenClaw is finally available on Android and iOS
OpenClaw is finally available on Android and iOS
Pontos-chave
- O ataque de ransomware destaca a necessidade de supervisão humana em operações cibernéticas, mesmo com o uso de IA.
- A crescente sofisticação das ameaças cibernéticas exige uma revisão das políticas de segurança e proteção de dados no Brasil.
- A educação em segurança cibernética deve ser uma prioridade para todas as empresas, não apenas para profissionais de TI.
Análise editorial
A recente revelação sobre o ataque de ransomware operado por uma IA, embora impressionante, destaca a complexidade e a necessidade de supervisão humana em operações cibernéticas. Para o setor de tecnologia brasileiro, isso serve como um alerta sobre a importância de proteger infraestruturas críticas e dados sensíveis, especialmente em um cenário onde a adoção de tecnologias de IA está crescendo rapidamente. As empresas devem estar cientes de que, mesmo com a automação, a vulnerabilidade a ataques cibernéticos permanece, e a necessidade de uma abordagem de segurança em camadas é mais relevante do que nunca.
Além disso, a utilização de IA em cibercrimes levanta questões éticas e legais que precisam ser discutidas no Brasil. O país ainda está desenvolvendo sua legislação sobre proteção de dados e crimes cibernéticos, e a crescente sofisticação das ameaças pode exigir uma revisão das políticas existentes. A colaboração entre o setor privado e o governo será crucial para criar um ambiente seguro que possa lidar com essas novas ameaças.
Observando o futuro, é importante que as empresas brasileiras não apenas implementem tecnologias de IA, mas também desenvolvam uma compreensão clara de como essas ferramentas podem ser utilizadas tanto para o bem quanto para o mal. A educação em segurança cibernética deve ser uma prioridade, não apenas para os profissionais de TI, mas para todos os colaboradores, a fim de cultivar uma cultura de segurança dentro das organizações. O que se destaca neste caso é a rapidez e a eficiência da IA, que podem ser um indicativo de que os ataques cibernéticos se tornarão mais frequentes e sofisticados, exigindo uma resposta ágil e bem estruturada.
Por fim, a participação de humanos na configuração inicial do ataque sublinha que, apesar dos avanços tecnológicos, a inteligência humana ainda é um fator determinante em operações cibernéticas. A interação entre humanos e máquinas continuará a ser um tema central na segurança cibernética, e as empresas devem estar preparadas para essa nova realidade.
O que esta cobertura entrega
- Atribuicao clara de fonte com link para a publicacao original.
- Enquadramento editorial sobre relevancia, impacto e proximos desdobramentos.
- Revisao de legibilidade, contexto e duplicacao antes da publicacao.
Fonte original:
TechCrunch AISobre este artigo
Este artigo foi curado e publicado pelo AIDaily como parte da nossa cobertura editorial sobre desenvolvimentos em inteligência artificial. O conteúdo é baseado na fonte original citada abaixo, enriquecido com contexto e análise editorial. Ferramentas automatizadas podem auxiliar tradução e estruturação inicial, mas a decisão de publicar, a revisão factual e o enquadramento de contexto seguem responsabilidade editorial.
Saiba mais sobre nosso processo editorial