First Agentic Ransomware Detected in Cyberspace

Contextual interpretation of the target environment in natural language, comments justifying every action, diagnosing and correcting errors at speeds unimaginable for humans… There’s no doubt we are looking at an agentic ransomware.

Sysdig drew this conclusion after analyzing a likely destructive attack. It initially claimed that an AI had piloted the operation end-to-end… before acknowledging that a human had nonetheless defined the initial parameters and provisioned the underlying infrastructure.

Secrets Everywhere… and Default Credentials

Initial access was gained through an Internet-exposed Langflow instance. The vector: a remote code execution (RCE) vulnerability (CVE-2025-3248) in the code validation endpoint. It allowed harvesting secrets at multiple levels. Notably by extracting Langflow’s database and accessing a configuration bucket on a MinIO store… configured with the port and the default credentials.

The real target was a production server hosting a Nacos (Naming and Configuration Service) instance, Alibaba’s open-source tool for service discovery and configuration.

The Nacos authentication mechanism has been bypassed many times before. In particular because the default JWT signing key is publicly documented and still present on many deployments.

A Root Access Point from an Unknown Source

The cyberattack discussed here exploited this vulnerability. It also leveraged root access to MySQL, via root credentials… whose origin Sysdig says it does not know. This access allowed injecting an admin backdoor into the Nacos database. And, ultimately, to encrypt all service configurations using MySQL’s AES_ENCRYPT() function. First at the row level, then at the level of entire schemas. The production environment was thus paralyzed.

The randomly generated AES key was never stored or exfiltrated. It appeared only once in the logs, and the agent, lacking long-term memory, lost it, making decryption impossible. This did not prevent the ransom note—from being dropped, with a Bitcoin address.

Behaviors Typically Associated with Agents

Several observations support the case for an automated operation. One relates to the enumeration phase. Receiving XML when JSON was requested, the agent adapted its parser before sending back the request.

The backdoor injection also exposed a behavior typically associated with agents. The process involved generating a bcrypt hash, injecting the account, and granting it the admin role. The first attempt failed (login test failure). In barely 30 seconds, a solution was found—without human intervention: recreate the account with a hash corresponding to a simpler password. In the interim, the logs were read to identify the root cause (a subprocess issue), a script was devised, and it was submitted.

The same pattern emerged in the database destruction. Due to a foreign-key constraint, the first DROP DATABASE failed. The second payload temporarily disabled foreign-key checks.

Sysdig identifies two more signs of agent-like activity. On the one hand, justifying almost every action with a comment, including the logic behind the encryption prioritization. On the other, the writing of a completion marker typical of agents that, having finished a task, signal they are ready to continue.

Another potential clue: the ability to leverage context presented by the target in natural language, which pattern matching alone might not have interpreted. This behavior appeared in sessions separated by weeks.

During the attack, the agent accessed API keys for OpenAI, Anthropic, Google, and DeepSeek.

The presence of secrets within the Langflow environment facilitated the operation. Likewise, the default authentication on Nacos, which could also connect as root to the database.

Dawn Liphardt

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.