Six months ago, a piece of malware called JadePuffer showed up and made security teams rethink what ransomware could actually do. It didn’t just run through a fixed checklist the way ransomware always had. It made decisions — picking targets, choosing which files mattered most, adjusting its own behavior when it sensed it was being watched. That was the birth of agentic ransomware as a real, deployed threat instead of a conference-talk hypothetical.
Half a year later, JadePuffer isn’t alone anymore. A handful of successor strains have shown up, each one taking JadePuffer’s core idea and pushing it somewhere new — faster, sneakier, or aimed at infrastructure JadePuffer never touched. The question security teams are asking now isn’t whether agentic ransomware is a real problem. That’s settled. The question is whether JadePuffer was the worst of it, or just the first draft.
This piece walks through what’s actually changed over six months of incident reports and forensic write-ups, what agentic ransomware looks like today compared to when JadePuffer first appeared, and — most importantly — what defenders can actually do about it.
What Is Agentic Ransomware, and Why Did JadePuffer Change Everything?
The Agentic Ransomware Family Tree: Variants That Followed JadePuffer
Agentic Ransomware by the Numbers: Comparing the Strains
Why Agentic Ransomware Still Traces Back to JadePuffer
How to Defend Against Agentic Ransomware Today
What Is Agentic Ransomware, and Why Did JadePuffer Change Everything?
Old-school ransomware behaves like a script. It runs the same sequence of steps on every machine it lands on, regardless of what it actually finds there. Agentic ransomware throws that model out. It reasons about its environment, sets its own sub-goals, and adjusts its plan as it goes — closer to a human operator working through a network by hand than a piece of automated malware.
JadePuffer was the strain that proved this wasn’t just theoretical. It could identify which systems were actually worth encrypting first, choose its own path for moving laterally through a network, and shift its encryption priorities on the fly based on what it found. None of that was scripted in advance. It was decided in real time.
That shift changed the math for attackers in a big way. Groups no longer needed a skilled operator steering every intrusion by hand — the agentic ransomware itself could handle reconnaissance and escalation on its own. That meant campaigns could scale up and hit more victims simultaneously, without a proportional increase in skilled labor on the attacker’s side.
A few specific capabilities made JadePuffer’s version of agentic ransomware genuinely different from what came before:
- Autonomous lateral movement, built on credential harvesting and live network mapping
- Adaptive encryption scheduling that went after databases and backup servers before touching individual endpoints
- Behavior changes the moment it detected endpoint detection and response (EDR) tools running
- Ransom notes generated automatically and tailored to a victim’s actual revenue data
Frameworks like MITRE ATT&CK, which were built around mapping human operator actions, had to be updated to account for autonomous decision-making happening inside a single piece of malware. That’s not a minor technical footnote — it’s a sign of how much agentic ransomware forced the entire field to rethink its assumptions.
To be fair, the original JadePuffer wasn’t flawless. Its decision-making component sometimes made poor escalation calls, and researchers managed to partially reverse-engineer its encryption key exchange within a few weeks of its appearance. Those cracks gave defenders some early wins. But as the next section shows, that breathing room didn’t last.
The Agentic Ransomware Family Tree: Variants That Followed JadePuffer
Six months in, JadePuffer is still the reference point every new agentic ransomware strain gets measured against. At least four distinct successors have shown up since, each one built to fix a specific weakness in the original.
CoralWraith (first spotted February 2025) split JadePuffer’s single decision-making agent into a modular, multi-agent setup — one component for reconnaissance, one for lateral movement, one for encryption. That separation makes this strain of agentic ransomware noticeably harder to detect, since defenders are effectively chasing three different behavioral signatures instead of one.
VoltSerpent (first spotted March 2025) optimized almost entirely for speed. Where JadePuffer took an estimated four-plus hours to fully encrypt a network, VoltSerpent cuts that down to under 90 minutes by pre-staging encrypted payloads in memory and triggering simultaneous writes across every mapped share at once. That’s not a small tweak — it’s a meaningfully faster category of agentic ransomware.
NimbusLock (first spotted March 2025) took agentic ransomware somewhere JadePuffer never went: cloud-native environments. Instead of focusing on on-premises Active Directory networks, it adapted its decision logic for AWS IAM role escalation and cross-account pivoting. A lot of SaaS companies had assumed they were low-priority ransomware targets. NimbusLock ended that assumption.
OnyxHarvest (first spotted April 2025) paired agentic ransomware with large-scale data theft. Before encrypting anything, it classifies sensitive files and builds a curated leak package designed to maximize pressure on the victim — and it specifically knows which documents would trigger mandatory breach-notification laws, using that knowledge as direct leverage.
There’s also a less encouraging trend underneath all of this: underground forums are now openly trading “agentic kits” — modular components that let lower-skilled operators assemble their own custom agentic ransomware without needing to build one from scratch. The barrier to entry for this threat class keeps dropping, which is exactly the wrong direction for defenders.
Put together, the pattern is hard to miss. JadePuffer wasn’t the worst-case version of agentic ransomware. It was the proof of concept everyone else has been iterating on since.
Agentic Ransomware by the Numbers: Comparing the Strains
Numbers make the shift concrete. Here’s how JadePuffer and its four main successors compare across the metrics that actually matter to a security team dealing with an active incident.
| Attribute | JadePuffer | CoralWraith | VoltSerpent | NimbusLock | OnyxHarvest |
|---|---|---|---|---|---|
| Architecture | Single agent | Multi-agent | Single agent | Cloud-native agent | Dual-purpose agent |
| Primary target | On-prem AD networks | Hybrid environments | SMB file shares | AWS/Azure tenants | Data-rich enterprises |
| Avg. time to encrypt | ~4.2 hours | ~3.5 hours | ~1.4 hours | ~2.8 hours | ~5+ hours (exfil first) |
| Avg. remediation time | 18–22 days | 20–28 days | 14–18 days | 25–35 days | 30–40 days |
| EDR evasion | Behavioral pivoting | Signature splitting | Memory-only staging | API abuse | Process hollowing |
| Ransom demand range | $500K–$5M | $750K–$8M | $300K–$3M | $1M–$10M | $2M–$15M |
| Known victim count | 40+ | 15+ | 25+ | 10+ | 8+ |
A few things stand out immediately. Remediation timelines for agentic ransomware are trending longer, not shorter, across the family as a whole. VoltSerpent encrypts the fastest, but its cleanup is comparatively simple since it skips data theft entirely. OnyxHarvest and NimbusLock, on the other hand, create genuinely painful remediation situations — cloud intrusions require rotating credentials across dozens of connected services, and data exfiltration adds regulatory and legal complexity on top of the technical cleanup.
Victim profiles are widening fast, too. JadePuffer mostly hit mid-market manufacturing and healthcare organizations. The successor strains have pushed into financial services, higher education, and government contractors — and NimbusLock’s cloud focus in particular has pulled SaaS companies into the blast radius, despite many of them assuming agentic ransomware wasn’t really their problem.
Ransom demands across the whole agentic ransomware family have roughly doubled compared to six months ago. That’s not a coincidence — these strains gather financial intelligence on their victims automatically and calibrate demands to what a given organization can actually afford to pay, which makes the whole extortion process far more efficient from the attacker’s side.
Federal agencies have taken notice. CISA has issued multiple advisories specifically addressing these variants, and the FBI’s Internet Crime Complaint Center has updated its ransomware guidance to account for agentic behaviors — a strong signal about how seriously this threat class is being treated at a national level.
Why Agentic Ransomware Still Traces Back to JadePuffer
With newer, faster, nastier strains circulating, it’s fair to ask why JadePuffer still comes up in nearly every conversation about agentic ransomware. The answer is influence, not raw danger. JadePuffer didn’t just carry out an attack — it established a playbook that every strain after it has followed in some form.
Three specific paradigms trace directly back to JadePuffer’s original design.
Goal-oriented autonomy. Before JadePuffer, ransomware didn’t decide anything — it executed a fixed script regardless of context. JadePuffer introduced actual decision-making: evaluating network layout, weighing which targets mattered most, and adapting mid-attack. Every successor has expanded on that same idea. CoralWraith’s multi-agent structure, for instance, lets separate components make independent decisions simultaneously — a direct evolution of the single-agent reasoning JadePuffer introduced.
Anti-detection intelligence. JadePuffer didn’t just try to slip past security tools — it recognized specific products and changed tactics accordingly, shifting from file-based to memory-based behavior against certain EDR platforms and throttling its own network scanning against others to avoid tripping anomaly alerts. The strains that followed pushed this further still. VoltSerpent can identify and disable specific EDR kernel drivers outright. OnyxHarvest times its data theft to blend into normal business-hours network traffic. This isn’t simple evasion anymore — it’s closer to counter-intelligence.
Victim intelligence gathering. JadePuffer scraped financial data from public filings and internal documents to calibrate its ransom demands, which made negotiations brutally efficient from the attacker’s side. OnyxHarvest has taken that idea even further, classifying stolen data by regulatory sensitivity so it knows exactly which files would trigger mandatory breach notifications — and uses that as direct leverage at the negotiating table.
These aren’t just isolated technical tricks. Together, they represent a real strategic shift in how ransomware operations are designed. Modern agentic ransomware doesn’t just encrypt files — it reasons about the environment it’s in, and that’s precisely what makes it so hard to catch with tools built for scripted threats.
Most security operations centers still lean heavily on signature-based detection layered with behavioral analytics — solid tools against malware that behaves the same way every time. Against agentic ransomware that rewrites its own approach mid-attack, those same tools are often a full step behind. Closing that gap is the central challenge facing defenders right now.
How to Defend Against Agentic Ransomware Today
Understanding how agentic ransomware evolved matters, but security teams need concrete countermeasures, not just background context. Based on six months of incident response data, a handful of strategies have consistently proven effective against this threat class.
Microsegmentation stops lateral movement cold. Agentic ransomware thrives on flat networks, since unrestricted movement between subnets is exactly what its autonomous pathfinding is built to exploit. Microsegmentation genuinely frustrates that decision-making process. Organizations with zero-trust network segmentation already in place before an attack saw dwell times measured in hours rather than days. NIST’s Zero Trust Architecture guidelines are a solid starting point if your organization hasn’t begun this work yet.
Deception technology exploits a real weakness in agentic decision-making. These systems trust the environmental data they collect — feed them false data, and they make bad decisions. Several organizations reported that deploying decoy Active Directory objects caused JadePuffer-family variants to waste hours chasing dead ends. Deception platforms built specifically around credential-based lures tend to deliver the most consistent results against agentic ransomware specifically, rather than more generic honeypot setups.
Immutable backups remain the last real line of defense. Every agentic ransomware strain examined here prioritizes destroying backups above almost everything else. Air-gapped, immutable backup systems consistently separated organizations that recovered within days from those that paid a ransom and still spent weeks rebuilding. The 3-2-1-1 approach — three copies, two media types, one offsite, one immutable — held up best across the incident data. Just make sure immutability is actually tested through quarterly restoration drills, not treated as a checkbox in a configuration file.
A practical checklist for security teams working through this right now:
- Audit network segmentation and eliminate flat network zones within 30 days
- Deploy deception technology across at least 15% of network assets
- Verify backup immutability through actual quarterly restoration tests
- Implement privileged access management with just-in-time elevation
- Run tabletop exercises modeling agentic ransomware scenarios specifically
- Monitor for anomalous credential usage patterns, not just known indicators of compromise
- Build a relationship with a ransomware response firm before you need one
- Review cyber insurance policies for agentic AI exclusion clauses — these are showing up more often than most organizations realize
Threat intelligence sharing has also moved from “nice to have” to genuinely critical. Organizations participating in Information Sharing and Analysis Centers are getting early warning indicators that can provide hours of advance notice before a new agentic ransomware variant hits their specific sector — and against a strain that can fully encrypt an environment in 90 minutes, those hours matter enormously.
No defense against agentic ransomware is airtight. But layered strategies dramatically reduce the odds of a catastrophic outcome. The realistic goal isn’t an impenetrable network — it’s making your environment expensive enough that an agentic threat’s own cost-benefit reasoning steers it toward an easier target.
Conclusion: Final Thoughts on Agentic Ransomware
JadePuffer turned ransomware from a scripted nuisance into an adaptive, reasoning threat, and everything that’s followed — CoralWraith, VoltSerpent, NimbusLock, OnyxHarvest — has built directly on that foundation. Threat actors are iterating faster than most security teams can keep pace with, and that gap between prepared and unprepared organizations keeps widening.
The organizations weathering agentic ransomware attacks best aren’t doing anything exotic. They’ve invested in microsegmentation, deception technology, and genuinely immutable backups, and they treat this threat class as a fundamentally different problem rather than a faster version of the ransomware they’ve dealt with for years. That mindset shift matters as much as any individual tool on the list.
Concrete next steps: assess your organization’s exposure to agentic ransomware techniques within the next two weeks, not next quarter. Treat network segmentation and backup immutability as your two highest-impact investments. Subscribe to CISA and sector-specific ISAC alerts for early warning on new strains. And brief your executive leadership now — the budget decisions made around agentic ransomware today will shape how the next six months play out.
FAQ About Agentic Ransomware
What actually makes agentic ransomware different from traditional ransomware?
Traditional ransomware runs a pre-programmed script no matter what environment it lands in. Agentic ransomware uses AI-driven reasoning to adapt in real time — evaluating network layout, picking high-value targets on its own, and changing behavior when it senses security tools nearby. It reacts instead of just executing, which is exactly what makes it so much harder to catch with conventional detection.
Is JadePuffer still being actively deployed?
Yes, though less frequently than when it first appeared. Newer strains like CoralWraith and VoltSerpent have become more popular among attackers seeking upgraded capabilities. That said, JadePuffer’s original codebase still shows up in attacks against organizations running older on-premises infrastructure, and modified versions continue circulating on underground forums. It hasn’t been retired.
How long does recovery from agentic ransomware typically take?
It varies significantly by strain and by how prepared the victim organization was beforehand. JadePuffer incidents average 18–22 days for full remediation. Cloud-focused strains like NimbusLock can stretch to 25–35 days because of the credential rotation involved. OnyxHarvest, with its added data-theft component, often runs 30–40 days or longer. Organizations with tested, immutable backups consistently recover faster — sometimes within a week.
Can endpoint detection and response tools stop agentic ransomware on their own?
Not reliably. Agentic ransomware is specifically built to work around EDR weaknesses — JadePuffer changed its behavior based on which EDR product it detected, and VoltSerpent can disable certain EDR kernel drivers outright. Meaningful protection against this threat class requires layering EDR together with network segmentation, deception technology, and behavioral analytics rather than leaning on any single tool.
Should an organization pay the ransom if hit by agentic ransomware?
Law enforcement, including the FBI, consistently advises against it, and the last six months of incident data backs that up. Payment funds further development of these tools, doesn’t guarantee data recovery, and doesn’t prevent repeat targeting. Some organizations that paid OnyxHarvest’s demands still had their stolen data leaked afterward. Prevention and tested backups matter far more than any decision made mid-incident.
Which industries face the highest risk from agentic ransomware right now?
JadePuffer initially concentrated on manufacturing and healthcare. Six months later, the target list has expanded deliberately into financial services, higher education, government contractors, and cloud-native SaaS companies. Small and mid-market organizations face particular risk, since they often lack dedicated security operations teams and tend to run flatter, less-segmented networks — precisely the conditions agentic ransomware is built to exploit.


