Why the first AI-orchestrated ransomware attack is 'more terrifying than Mythos'
JadePuffer broke into a company, stole its data, and demanded a ransom using what researchers say was an AI-driven attack chain. Here's why security experts say it's the scary new normal.
Cybersecurity experts have warned for years that AI would eventually automate cyberattacks. This week, threat researchers at Sysdig found that this prediction is quickly becoming reality.
In a blog post, the researchers detailed what they say is the first documented case of AI agent-run ransomware: an end-to-end extortion campaign, dubbed JadePuffer, that Sysdig said was orchestrated by an LLM and had no human in the loop. In the incident, the AI agent exploited a vulnerable internet-facing server, searched for credentials, pivoted to a production database, adapted when commands failed, encrypted the victim's data and left a ransom demand—all while reasoning through each step of the attack.
Ransomware attacks — a type of malware that holds a victim’s sensitive data or device hostage until the victim pays a ransom — have long relied on automation. But human operators still typically decided how to navigate a victim’s network, which credentials to use, and what to do when something went wrong.
JadePuffer exploited familiar vulnerabilities
JadePuffer is a different milestone than Anthropic’s Mythos, which was unveiled in April and demonstrated that AI could autonomously discover thousands of previously unknown software vulnerabilities. Rather than finding new flaws, JadePuffer exploited familiar vulnerabilities that had already been publicly disclosed and patched, and chained them together in a coordinated attack.
Jamieson O’Reilly, an offensive security specialist and founder of Dvuln, said nothing about JadePuffer surprised him. “Whether we like it or not, this is the new normal arriving on schedule,” he said. “Half the industry filed this sort of thing under movie material. The other half knew it was a matter of when.”
The attack didn’t rely on sophisticated new exploits, he said. Instead, it combined several well-known techniques that defenders have understood for years. What was new, O’Reilly argued, was the orchestration. “A single model strung the entire chain together from initial access through credential theft, lateral movement, persistence, and finally destructive extortion, while writing running commentary on its own reasoning the entire way.”
More accessible to any attacker
That novelty, combined with the fact that the technology is becoming increasingly accessible, makes JadePuffer “more terrifying” than Mythos, said John Strand, owner of Black Hills Information Security.
Unlike frontier AI systems that require massive computing resources and are largely controlled by companies like Anthropic and OpenAI, he said, the kind of automation demonstrated by JadePuffer is increasingly within reach of far less sophisticated attackers.
“There’s a little box that you can buy from Nvidia,” he said, referring to the DGX Spark desktop AI system. “We can run this exact same type of thing that JadePuffer does on one of those little $6,000 boxes. It takes longer—it’s not going to be as fast as using Anthropic or OpenAI—but it does a very good job. It just sits there and grinds through these easy-to-find vulnerabilities and chains them together.”
Strand explained that this is why he isn’t fixated on AI discovering zero-day, or previously unknown, vulnerabilities. In real-world penetration tests, security firms rarely rely on zero-days to break into organizations. More often, they exploit misconfigurations, stolen credentials, and combinations of lower-severity vulnerabilities—which are exactly the type of attack scenarios JadePuffer seems to automate.
This could force organizations to rethink how they prioritize software vulnerabilities, because vulnerabilities that once seemed relatively low-risk could become much more dangerous with aI attackers.
”In the past, if there was an exploit that was out, you would patch as quickly as you could,” he said. “With this, it’s moving so much faster, and I just don’t think that organizations are ready for it.”
O’Reilly said none of this should come as a surprise. As companies like Anthropic and OpenAI increasingly deploy AI agents to automate software engineering tasks, he argued, it was only a matter of time before criminals applied the same technology to automate cyber intrusions.
“When companies like Anthropic and others openly describe wrapping agentic loops around whole engineering workflows and letting them write and ship code, the logical conclusion writes itself—that is, criminal groups will point the same machinery at intrusion instead of feature delivery.”
Basic security hygiene remains essential
For security teams, however, O’Reilly said the solutions remain largely “unglamorous.” Security hygiene—the routine, foundational cybersecurity practices that reduce the chances of being compromised—remains organizations’ biggest advantage.
“The entire operation rode on internet-exposed, neglected infrastructure and unchanged defaults,” he said.
Organizations should focus on four priorities, he said: eliminate basic security weaknesses before attackers can exploit them, better protect credentials and API keys, automate detection and response so AI-speed attacks don’t outrun defenders, and use AI itself to identify suspicious behavior.
Strand agreed that organizations should continue prioritizing security hygiene but said they should also invest in additional detection measures, including cyber deception technologies and monitoring outbound network traffic for signs that compromised systems are communicating with attackers.
But he added that he doubts JadePuffer will seem remarkable for long. "I think in a few years we aren't going to look at JadePuffer and be like, 'Well, this was novel,’ he said. “This is what normal is going to be moving forward."
In case you missed them:
AI needs a 'Stargate for Data,' a new viral essay argues. Here's what made my eyes bug out
Today’s frontier AI models—ChatGPT, Claude, Gemini—owe much of their success to the public internet. For years, AI companies feasted on billions of web pages collected through archives like Common Crawl and massive datasets such as The Pile.
What can the U.S. learn from China's open AI ecosystem?
Open-weight AI models — which allow developers to download, customize, and run the model on their own infrastructure — were back in the spotlight last week. Most recently, Palantir CEO Alex Karp said enterprise customers are increasingly concerned about giving AI companies access to their data and that some U.S. government customers
Top AI researchers argue U.S. leadership in open frontier AI has become a democratic and national security imperative
The debate over “open” AI has entered a new phase. For years, advocates have argued that openly available frontier AI models — whose underlying parameters ("weights") are released so researchers and developers can study, modify, and build on them —accelerated research, innovation, and competition. But at a gathering of many of the world’s leading AI researchers and engineers in San Francisco yesterday, the argument went further: maintaining U.S. leadership in frontier open-weight models is now a democratic and national security imperative.
The verification economy: Why AI is creating demand for proof
Over the past four years on the AI beat, I often find myself circling a theme that I spend months—sometimes years—trying to understand, and then suddenly it starts showing up everywhere.







