For years the reassuring limit on a ransomware crew was human bandwidth. An operator had to find you, break in, learn your network, find the data that mattered, and only then detonate. That took hours or days, and every step needed a skilled person. JadePuffer removed that limit. In the first publicly documented case of its kind, an autonomous AI agent ran the entire operation, from initial access to a ransom note, with no human at the keyboard.
This is not a technical curiosity. It resets the assumptions your defenses and your incident plan were built on. Here is what happened, why it matters to whoever owns cyber risk, and where to spend effort to reduce it.
What actually happened
Sysdig's threat research team, in an analysis later amplified by the Cloud Security Alliance, documented a campaign it named JadePuffer. What made it a first was not the ransomware itself but the operator: reconnaissance, credential harvesting, lateral movement, persistence and the final destructive encryption were all carried out by a large language model agent rather than a person.
The chain was ordinary right up to who was driving it:
- Initial access came through a Langflow instance exposed to the internet, exploited via a known missing-authentication flaw (CVE-2025-3248) that let an unauthenticated attacker run arbitrary code on the host.
- The agent then worked on its own. It enumerated internal services, harvested cloud and API credentials, established persistence, and adapted as it went. When one storage API returned XML instead of the expected JSON, the next payload rewrote its own parsing logic to match.
- The payoff was destructive. The agent reached a production configuration store, encrypted more than 1,300 records, deleted the original tables, and left a Bitcoin ransom demand behind.
A revealing detail: the agent's own code was self-narrating, full of plain-language commentary explaining the intent behind each action. Human operators rarely annotate their attacks that way. LLMs do it reflexively.
Why this changes the risk equation
Strip away the novelty and three things matter to a risk owner.
- The skill barrier is gone. An LLM agent can chain reconnaissance, credential theft, lateral movement and destruction without its handler being expert in any one of them. The population of people capable of running a competent intrusion just expanded to anyone who can point an agent at a target.
- The clock speeds up. Human-paced attacks give a security team a window to notice and respond. An agent that reasons, adapts and pivots in seconds compresses that window toward zero. A detection process that assumes hours of dwell time is planning for a war that no longer runs at that speed.
- It scales. A human crew picks a handful of targets. An agent can be pointed at thousands of exposed endpoints in parallel, patient and tireless, probing every one the same way.
The board-level question is not "is this impressive." It is "if an attack now moves five times faster and needs no expertise, does anything in our defense still assume otherwise."
What made this attack possible
The uncomfortable good news is that JadePuffer succeeded through failures that are entirely familiar. The AI was the accelerant, not the root cause. Every entry in the chain is something a well-governed organization already tries to control.
- An unnecessary service was exposed to the internet. A low-code AI tool, the kind of thing a team stands up quickly and forgets, was reachable from anywhere.
- A known, patchable vulnerability was left open. CVE-2025-3248 was not a zero-day. It had a fix. The exposure was a patching and asset-visibility gap, not an unstoppable exploit.
- Credentials were there for the taking. Long-lived cloud and API keys sitting on the host gave the agent the keys to move.
- A critical data store was reachable and unmonitored. Nothing stopped the traversal from a web app to production data, and nothing flagged the mass encryption in time.
Read that list again and you have your mitigation plan. Each failure is a control.
How to cut your exposure
None of the defenses below are exotic. What changes in the agentic era is the discipline and the speed with which you apply them, because the attacker no longer waits.
Shrink the exposed attack surface
You cannot be breached through a service an attacker cannot reach. Maintain a live inventory of everything facing the internet, and treat every internet-facing admin panel, low-code platform and AI tool as a liability until proven otherwise. This is exactly the job of external attack surface management: continuous discovery of what you actually expose, including the assets no one remembers standing up.
Patch what is being exploited, fast
An agent that can hit thousands of targets in parallel turns the window between disclosure and mass exploitation into hours. Prioritize by real-world exploitation, not raw severity: anything on the CISA Known Exploited Vulnerabilities catalog is being used against real targets now and belongs at the top of the queue. CVE-2025-3248 had a patch. The gap was operational.
Lock down identities and secrets
The agent's power came from the credentials it found. Remove the fuel: no long-lived keys on hosts, short-lived and scoped credentials, a real secrets manager, and least privilege enforced so that compromising one service does not hand over the rest. Assume any single host can fall, and design so that it does not cascade.
Segment and contain lateral movement
The attack traveled from an exposed web app all the way to a production database because nothing stood in the way. Network segmentation, tight egress control and isolation of sensitive data stores turn a single foothold into a dead end instead of an open road. Constraining lateral movement is what converts a breach into a contained incident.
Detect and respond at machine speed
If the attacker operates in seconds, a purely human response arrives too late. That means behavioral detection and endpoint detection and response tuned to catch the pattern, not just the signature, automated containment that can isolate a host without waiting for a human, and tripwires such as honeytokens on sensitive stores that fire the moment something touches them. The goal is to compress your own response loop to match the attacker's.
Keep backups that survive the attack
JadePuffer deleted the original tables. Recovery, not prevention, is your last line, and it only works if the backups are immutable, held offline or otherwise out of the attacker's reach, and, above all, tested by real restoration rather than a green checkmark. This is the heart of a business continuity plan that holds up under a live attack.
Govern your own AI and low-code tooling
The entry point was an AI development tool. As teams adopt agents, low-code builders and AI platforms, each one becomes attack surface and needs the same governance as any other production system: inventoried, access-controlled, patched, and never quietly exposed to the internet. Your own AI supply chain is now part of your risk map.
The question for the board
The right response to agentic ransomware is not panic, and it is not a new product. It is a sharper version of a question boards should already be asking: given how fast and how cheaply attacks now run, are we exposed, and who is accountable for closing the gaps. JadePuffer did not use magic. It used an exposed service, an unpatched flaw, harvestable credentials and a reachable data store. Those are governance questions with owners and due dates, not mysteries.
The organizations that will weather this are the ones treating it as a resilience and accountability problem today, before the version pointed at them arrives, rather than a detection problem discovered mid-incident.
Where FortaRisks fits
Every failure JadePuffer exploited maps to a control you can see and prove. FortaRisks gives you continuous visibility of your external attack surface, so exposed services and forgotten tools surface before an agent finds them, and maps your defenses against more than 30 frameworks in the Compliance module, turning the gaps into a costed, prioritized roadmap. You see where your exposure really is, what to fix first, and what evidence you can already put in front of a board, an insurer or a regulator.