Ransomware Tracker (Entry #356): JADEPUFFER
JADEPUFFER is the name of the agentic threat actor (ATA) that exploited a vulnerability in an Internet-facing Langflow instance (CVE-2025-3248) and, without human intervention, gained persistence, enumerated a victim's systems, and deployed ransomware across the network. It was first reported on and documented by Sysdig in mid-2026, and most of what is known is from their research. Sysdig's report showed that the agent was able to perform multiple tasks simultaneously, exploit more documented vulnerabilities (CVE-2021-29441), and, when the threat actor failed at a task, pivot to alternative methods; ultimately, deploying ransomware. However, the agent didn't drop a ransom note in the traditional sense. Instead, it created an SQL table named "README_RANSOM" with an ID primary key, message (ransom note), Bitcoin address, and contact information within the table. Those relationship values are in the ransom note below and are derived from Sysdig's report. The agent claimed to use AES encryption to encrypt files, but the algorithm ensures that any encrypted data can never be recovered, effectively making this a wiper/pseudo-ransomware.
In conclusion, JADEPUFFER ushers in a new era of ransomware that isn't purely defined by the current Ransomware Tracker taxonomy. This has led to a new Ransomware Type: Agentic, a new Threat Actor Type: ATA (Agentic Threat Actor), and a ransom note deployment methodology not widely observed, if ever, before now. The ransom note file name is actually the SQL table name.
https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/jadepuffer