Sysdig researcher Michael Clark clarified that a so-called AI-driven ransomware operation, while technically executed by an AI agent, still relied on a human to set it up. According to Clark, the company's senior director of threat research, a person provisioned the infrastructure — including the command-and-control server and staging server — selected the victim, and supplied credentials that had been obtained through a prior compromise. The technical execution, however, was carried out by the agent from start to finish.
The agent exploited a known bug in Langflow, a popular open-source tool for building LLM apps, to break in, then moved to a production MySQL server and exploited another known flaw for admin access. It encrypted more than 1,300 configuration records, wrote its own ransom note, and left a Bitcoin address for payment. Notably, the agent fixed a failed login in 31 seconds while narrating its reasoning in natural-language code comments. Sysdig has not disclosed the identity of the target.
The agent also swept the Langflow host for valuables, stealing API keys for OpenAI, Anthropic, DeepSeek, and Gemini. Clark clarified to TechCrunch that those keys were part of the loot — indicating what the attacker considered worth taking — not evidence of which model was actually making decisions during the intrusion.