Researchers discover first fully autonomous AI ransomware attack


Cloud security company Sysdig announced that it has documented the first ransomware operation carried out by a fully autonomous AI agent, without a human directing the attack.

Sysdig’s threat research team named the operator JADEPUFFER and described it as an “agent threat actor,” a large language model that, as first reported by Bleeping Computer, spies on targets, steals credentials, moves across networks, and destroys data without touching a keyboard.

How agents got in and adapted on the fly

JADEPUFFER initially gained entry through a vulnerability in Langflow, a free-to-use platform for developing artificial intelligence apps. Attackers used this vulnerability to obtain API keys, cloud credentials, and database access logs.

But what concerned experts most was how it dealt with failure. When an attempt to create an administrator account on the Nacos configuration server failed, the malware detected the problem and came up with a solution within 31 seconds.

In another case the agent adjusted again: when retrieving information from the storage mechanism, it received the information in XML format instead of the expected JSON format.

After successfully harvesting credentials on the Langflow host, JADEPUFFER went further, targeting a new production server hosting the Alibaba Nacos service and a MySQL database using the same authentication bypass.

Ultimately, JADEPUFFER encrypted and deleted all 1,342 items in the Nacos configuration before creating a ransom note table called README_RANSOM.


Despite the effectiveness of this attack, researchers have discovered several clues that indicate machines, rather than humans, are behind it. The malicious code contains many polite and detailed natural language comments explaining each step of its unique logic, a characteristic of LLM output rarely seen in human-written malware.

Sysdig further discovered that the encryption key used to lock the data was created and printed only once, and was never stored or sent anywhere, making it impossible for even the attackers themselves to decrypt and return the files if the ransom were paid.

Additionally, the Bitcoin address listed in the ransom note is a common placeholder often found in open source documentation, and was clearly a hallucination that rendered the entire payment meaningless.

Characterizing JADEPUFFER as a signal rather than a novelty, Sysdig argues that AI agents reduce the skill level required to execute the entire end-to-end attack chain.

This is because the flaws exploited by the AI agent were all already known. The researchers believe the more worrying aspect is that old and vulnerable software can be easily exploited through an AI agent.




