World’s first agentic AI ransomware attack, and an unchartered territory

0
1
World’s first agentic AI ransomware attack, and an unchartered territory


The first ever documented fully autonomous agentic ransomware attack has happened, a few days ago. Cybersecurity researchers Sysdig have identified an artificial intelligence (AI) agent dubbed Jadepuffer, which autonomously exploited a vulnerable server, and executed a series of events which included gaining access to and stealing credentials, encrypt a necessary database and subsequently issued a bitcoin ransom demand.

Sysdig does not name the specific victim of the JadePuffer ransomware attack. (Sysdig)
Sysdig does not name the specific victim of the JadePuffer ransomware attack. (Sysdig)

Sysdig does not name the specific victim of the JadePuffer ransomware attack, and have classified this as an agentic threat actor (ATA), or an operator whose attack capability is delivered by an AI agent rather than a human-driven toolkit.

“The most striking characteristic, however, was the LLM’s behavior. JadePuffer’s own payloads were self-narrating. They contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don’t often write but LLM-generated code produces reflexively. The operation also adapted in real time, retrying failed steps within refined parameters,” explains Michael Clark, Director of Threat Research at Sysdig.

The JadePuffer ransomware attack represents a shift to autonomous “agentic” threats, utilizing AI to execute the entire attack process, from gaining entry to data destruction or keeping data hostage. It had long been feared at AI, particularly the evolutions of authentic AI, will be used by threat actors to exploit software vulnerabilities and poor infrastructure management.

Juraj Janosik, Vice President of AI at ESET, tells HT that this is a clear indicator that AI can automate more of the kill chain than encryption alone. Researchers note that the AI used by this ransomware fixed its own mistakes instantly. When it got a login attempt incorrect, it rewrote its own code and bypassed the problem in just 31 seconds.

“But this should not be viewed as AI becoming the attacker. There is no evidence that the AI agent chose the target, defined the scope, or initiated the operation on its own. The decision to attack, victim selection, and motivation still most likely sat with a human operator,” he points to a fine distinction.

In this case, the AI agent achieved machine-speed unauthorised access and irreversible data extortion, which serves to highlight a significant lowering of skill needed by attackers now, as well as increases efficiency. Cybersecurity threats can now emerge from tools that are much more capable, than ever before.

The AI encrypted 1,342 configuration files and demanded a Bitcoin ransom. Crucially, the ransomware agent generated a random lock key, printed it once to the screen, and permanently deleted it. The data is unrecoverable even if the victim pays.

“There are two interpretations of this. Either (a) the LLM autonomously hallucinated the address from training data, and the wallet belongs to a third party who sweeps unsolicited deposits, or (b) the operator configured their agent with a real, controlled wallet address that happens to coincide with the documentation example,” says Sysdig’s Clark.

“As AI makes exploitation and chaining of existing flaws faster and easier, leaving internet-facing systems unpatched dramatically increases the risk,” Janosik adds. Historically, launching a complex, multi-stage cyberattack required a team of highly skilled human operators. It is possible that this democratisation of cybercrime will likely trigger an exponential increase in the volume of attacks.

An alarming detail of the JadePuffer-like ransomware is that an AI agent can encrypt data it has accessed and also immediately discard the decryption keys, if the attack is programmed in such a way. If AI agents mounting cybersecurity attacks prioritise destruction over negotiation, it may mean more future agentic attacks may also result in permanent data loss for corporates.


LEAVE A REPLY

Please enter your comment!
Please enter your name here