AI Agent Executes 'First' End-To-End Ransomware Attack
- Reference: 0184274788
- News link: https://it.slashdot.org/story/26/07/02/1849243/ai-agent-executes-first-end-to-end-ransomware-attack
- Source link:
> JadePuffer's "self-narrating" payloads "contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don't often write but LLM-generated code produces reflexively," Clark added. "The operation also adapted in real time, retrying failed steps within refined parameters. In one sequence, it went from a failed login to a working fix in 31 seconds." After exploiting CVE-2025-3248, a missing authentication vulnerability in Langflow that allows remote, unauthenticated attackers to execute arbitrary Python on the host, the AI agent began scanning for and collecting secrets, including LLM provider API keys, cloud credentials "with explicit coverage of Chinese providers" including Alibaba, Aliyun, Tencent, and Huawei, while also scanning for AWS, Azure and Google Cloud Platform, cryptocurrency wallets, and database credentials.
>
> The AI also installed a crontab entry on the Langflow server to maintain persistence and call back to the attacker's infrastructure every 30 minutes. JadePuffer's intended target was a separate internet-exposed production server running a MySQL database and an Alibaba Nacos configuration service, we're told. Nacos is an open-source service-discovery and dynamic configuration platform developed by Alibaba and used in the cloud provider's microservices applications. The agent connected to the server's exposed MySQL port using root credentials, although Sysdig doesn't know how the attacker obtained them. These credentials weren't stolen from the victim's environment.
>
> JadePuffer then attacked Nacos via multiple vectors including an authorization bypass flaw (CVE-2021-29441) and forging a valid JSON web token (JWT) using Nacos's default signing key. Additionally, using its root database access, the LLM injected a backdoor administrator into the Nacos backing database. It ultimately encrypted all 1,342 Nacos service configuration items using MySQL's built-in AES encryption function, and created an extortion demand, ransom note, Bitcoin payment address, and a Proton Mail contact [...]. However, according to the threat hunters, the victim can't recover the encrypted data, even if they paid the ransom demand, because the agent escalated "from row-level deletion to dropping entire database schemas, narrating its own targeting rationale," without backing up any of the encrypted data.
[1] https://www.theregister.com/security/2026/07/02/smooth-ai-criminal-drives-first-end-to-end-agentic-ransomware-attack/5266073
[2] https://github.com/langflow-ai/langflow
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-3248
[4] https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion
Internet-facing "Langflow"? (Score:3)
If you actually find anyone doing that in the real world, you should point and laugh until they get angry.
Re: (Score:2)
Yeah, that's definitely the problem and you've definitely found the solution.
Whose agent (Score:2)
This thing was presumably running on someone's system. Hunt them down.
Re: (Score:3)
While I appreciate the sentiment, if that would work, we would not have a global silent ransomware catastrophe on our hands ...
Re: Whose agent (Score:4, Interesting)
Stop projecting. Well, maybe you are really this disconnected from actual reality. MAGA? Religious fuckup? Or even only run-of-the-mill self-important moron?
For some actual examples, there have been some spectacular IT attacks on US national security. Did they ever find the ones who did it (beyond mindless political cries of "China!" or "North Korea!")? No, they did not beyond a very small number of cases. And why did they not? Because it is actually exceptionally hard to do. So hard that even the NSA struggles and often fails.
Re: (Score:2)
And because if they are in China or North Korea, they are hard to reach. But I also feel like they are not really trying.
Re: (Score:2)
I am unsure whether they are really trying. One problem the US has is that if it started to really go after the attackers, with international help (only way it would work), it would have to go after a lot of its own government people as well. So they may want to not draw too much attention to their own activities. Or they are really trying and failing. Hard to say.
Finally a good use for this tech! (Score:2)
Or rather something it is good enough to actually do. Keep in mind that attacks, extortion, etc. all to not need reliability, they just need volume. If a rather large part of those attacked are left hanging, that is totally fine.
So did it fail in the last stage? (Score:2)
> However, according to the threat hunters, the victim can't recover the encrypted data, even if they paid the ransom demand, because the agent escalated "from row-level deletion to dropping entire database schemas, narrating its own targeting rationale," without backing up any of the encrypted data.
So the victim had no way to get their data back, right? What's the incentive to pay the random then, if the attacker had encrypted the data without backing it up and wouldn't be able to decrypt it?
Re:So did it fail in the last stage? (Score:5, Insightful)
You're not giving them money because they can decrypt your data. You're giving them money because they *say* they can decrypt your data. By the time you find out your data's gone, so is your money.
Re: (Score:2)
That only works once or twice, why would the next victim bother to even thinking about paying if it has been determined to not work?