The Ransomware Ran Itself
The Ransomware Didn't Need a Human. Neither Will the Next One
In July 2026, researchers at Sysdig documented something that should reset every security roadmap in the room: a ransomware attack run start to finish by an AI agent, with no operator at the keyboard. It found an exposed server, exploited a known bug, stole credentials, pivoted to a production database, encrypted over a thousand records, and wrote its own ransom note. The entire campaign moved at a pace no human crew could match, going from a failed login to a working exploit in 31 seconds.
Here's the part that should bother you more than the AI angle: nothing about the initial break-in was new. The vulnerability had a patch available for over a year. The system it lived on never should have been reachable from the public internet in the first place. This wasn't a failure of novel tradecraft, it was a failure of basics, just executed by something that doesn't get tired, distracted, or hesitant. Patch cadence and internet exposure are not "someday" items anymore. They are the whole game.
The defensive answer isn't panic, it's precision. Keep known vulnerabilities patched or genuinely compensated for, not just tracked in a spreadsheet. Get anything that doesn't need to be public off the public internet entirely. And update your behavioral analytics to catch what signature-based tools miss: the inhuman speed and self-correcting iteration that mark an agent instead of a person. I broke down the full incident, the technical evidence, and six concrete lessons in the carousel below. Swipe through, and tell me which of these controls is hardest to actually operationalize where you work.