News

Halcyon announced Halcyon Ransomware Detection and Recovery (RDR), a no-cost integrated service that is now included with every deployment of the Halcyon Anti-Ransomware Platform. Most 24/7 threat monitoring and response services are not included with software platform purchases and are instead only offered at a significant additional cost. Halcyon offers 24/7 ransomware protection from a team of experts who investigate and respond to every single alert triggered in the Halcyon platform at no additional cost. … More →

The post Halcyon RDR boosts ransomware protection for organizations appeared first on Help Net Security.

Summary

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring)—(“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January 2025.

Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.ex "

Autosummary: Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and the MS-ISAC.Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207— commonly referred to as the ProxyShell attack chain).The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, date of infection, date detected, initial attack vector, and host and network-based indicators.Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.Slight variation of github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity File name MD5 File Hash Cring.exe c5d712f82d5d37bb284acd4468ab3533 Ghost.exe 34b3009590ec2d361f07cac320671410 d9c019182d88290e5489cdf3b607f982 ElysiumO.exe 29e44e8994197bdb0c2be6fc5dfc15c2 c9e35b5c1dc8856da25965b385a26ec4 d1c5e7b8e937625891707f8b4b594314 Locker.exe ef6a213f59f3fbee2894bd6734bbaed2 iex.txt, pro.txt (IOX) ac58a214ce7deb3a578c10b97f93d9c3 x86.log (IOX) c3b8f6d102393b4542e9f951c9435255 0a5c4ad3ec240fbfd00bdc1d36bd54eb sp.txt (IOX) ff52fdf84448277b1bc121f592f753c5 main.txt (IOX) a2fd181f57548c215ac6891d000ec6b9 isx.txt (IOX) 625bd7275e1892eac50a22f8b4a6355d sock.txt (IOX) db38ef2e3d4d8cb785df48f458b35090 Ransom Email Addresses Table 3 is a subset of ransom email addresses that have been included in Ghost ransom notes. Validate Security Controls In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses. The FBI is interested in any information that can be shared, to include logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, and/or decryptor files.Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472). Impact and Encryption Ghost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share similar functionality.This includes running scans to discover other network connected devices, running commands to list, add, or alter administrator accounts, using PowerShell to download and execute remote programs, and running scripts not usually seen on a network. Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. "

CISA and FBI: Ghost ransomware breached orgs in 70 countries

Autosummary: "

Lee Enterprises newspaper disruptions caused by ransomware attack

Autosummary: "The incident impacted the Company"s operations, including distribution of products, billing, collections, and vendor payments. "

BlackLock ransomware onslaught: What to expect and how to fight it

Autosummary: BlackLock’s representative on RAMP forum, who goes by “$$$”, is highly active: they are making connections and building trust, engaging in chats in various forum sections, and are often reaching out to developers, initial access brokers, potential affiliates, and rival gangs. "

US charges two Russian men in connection with Phobos ransomware operation

Autosummary: "

RansomHub Becomes 2024’s Top Ransomware Group, Hitting 600+ Organizations Globally

Autosummary: "After gaining access into the environment and performing reconnaissance, these tunneling tools are strategically deployed on critical network devices, including ESXi hosts, Windows hosts, VPN appliances, and network attached storage (NAS) devices," Sygnia researchers said. "RansomHub has targeted over 600 organizations globally, spanning sectors such as healthcare, finance, government, and critical infrastructure, firmly establishing it as the most active ransomware group in 2024," Group-IB analysts said in an exhaustive report published this week. "

Sarcoma ransomware gang claims the theft of sensitive data from PCB maker Unimicron

Autosummary: "

RA World Ransomware Attack in South Asia Links to Chinese Espionage Toolset

Autosummary: The attacks took place between December 4, 2024, and January 23, 2025, Recorded Future"s Insikt Group said, adding the adversary, also tracked as Earth Estries, FamousSparrow, GhostEmperor, RedMike, and UNC2286, attempted to exploit more than 1,000 Cisco devices globally during the timeframe. "

Chinese espionage tools deployed in RA World ransomware attack

Autosummary: “During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks,” the researchers say, adding that "tools associated with China-based espionage groups are often shared resources" but "many aren’t publicly available and aren’t usually associated with cybercrime activity.” "

China-linked APTs’ tool employed in RA World Ransomware attack

Autosummary: China-linked APTs’ tool employed in RA World Ransomware attack Pierluigi Paganini February 13, 2025 February 13, 2025 A November 2024 RA World ransomware attack on an Asian software firm used a tool linked to China-linked threat actors. "

Sarcoma ransomware claims breach at giant PCB maker Unimicron

Autosummary: Unimicron added on Sarcoma"s list of victims Source: BleepingComputer Unimicron is a public company manufacturing rigid and flexible PCBs, high-density interconnection (HDI) boards, and integrated circuit (IC) carriers. "

8Base Ransomware Data Leak Sites Seized in International Law Enforcement Operation

Autosummary: "

Operation Phobos Aetor: Police dismantled 8Base ransomware gang

Autosummary: Police dismantled 8Base ransomware gang Pierluigi Paganini February 11, 2025 February 11, 2025 Authorities dismantled the 8Base ransomware gang, shutting down its dark web data leak and negotiation sites. The 8Base ransomware group has been active since March 2022, it focused on small and medium-size businesses in multiple industries, including finance, manufacturing, business services, and IT. "

8Base ransomware group leaders arrested, leak site seized

Autosummary: Still, 8Base group claimed several victims in December 2024, including the Croatian port operating company Luka Rijeka, Canadian company Mint Pharmaceuticals, and Japanese manufacturing company Iseki Agricultural Machinery. "

US indicts 8Base ransomware operators for Phobos encryption attacks

Autosummary: "

US sanctions LockBit ransomware’s bulletproof hosting provider

Autosummary: In 2022, a Russian hacker acquired IP addresses from Zservers, which were likely used with LockBit chat servers to coordinate ransomware activities, while, in 2023, Zservers provided infrastructure, including a Russian IP address, to a LockBit affiliate. "

Police arrests 4 Phobos ransomware suspects, seizes 8Base sites

Autosummary: The seizure message also indicates that "Operation Phobos Aetor" involved Thailand, Romania, Bavaria, Germany, Switzerland, Japan, USA, Europol, Czechia, Spain, France, Belgium, and the United Kingdom. "

Toll booth bandits continue to scam via SMS messages

Autosummary: For instance, Texas-based audience producer Gwen Howerton described on Bluesky how she had been duped by an unpaid toll scam after she had driven a rental car on the Dallas North Tollway - and, not being aware of the correct way to pay a toll, had believed the overdue payment demand she received to be genuine. "

Police arrests 2 Phobos ransomware suspects, seizes 8Base sites

Autosummary: The seizure message also indicates that "Operation Phobos Aetor" involved Thailand, Romania, Bavaria, Germany, Switzerland, Japan, USA, Europol, Czechia, Spain, France, Belgium, and the United Kingdom. The police operation, codenamed "Phobos Aetor," led to coordinated raids across four locations, where laptops, smartphones, and cryptocurrency wallets were seized for forensic analysis. "

Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware

Autosummary: "The attack involved the quick and deliberate execution of several post-compromise tactics, techniques and procedures (TTPs) including network and system discovery, administrator account creation, and the establishment of persistence mechanisms, which could have led to the deployment of ransomware," security researchers Ryan Slaney and Daniel Albrecht said. "

Smashing Security podcast #403: Coinbase crypto heists, QR codes, and ransomware in the classroom

Autosummary: Hosts: Graham Cluley: @grahamcluley.com @[email protected] Carole Theriault: @caroletheriault Guest: Geoff White Episode links: Sponsored by: Tailscale – Tailscale is perfect for work or personal projects, making networking simple. "

Top 3 Ransomware Threats Active in 2025

Autosummary: Ransom note demanding BitCoin left by Virlock During execution, ANY.RUN detects several malicious activities, revealing how Virlock operates: Behavior of Virlock ransomware analyzed by Interactive Sandbox A Virlock-specific mutex is identified, helping the malware ensure only one instance runs at a time to avoid interference. The ransom note includes .onion links that direct victims to the attackers" communication portal In the MITRE ATT&CK section, we get a clear breakdown of Lynx"s tactics and techniques, revealing how it operates: MITRE ATT&CK tactics and techniques used by Lynx ransomware Encrypting files to lock critical business data. LockBit: Teasing a Comeback in 2025 LockBit is one of the most notorious ransomware groups, known for its highly efficient encryption, double extortion tactics, and ability to evade traditional security measures. The Files Modification tab provides the changes of file system activity Shortly after, a ransom note appears, and the desktop wallpaper is replaced with an extortion message directing victims to a TOR site, where attackers demand payment. Latest Lynx attack: In mid-January 2025, Lynx targeted Lowe Engineers, a prominent civil engineering firm based in Atlanta, Georgia. "

Barclays customers continue to experience issues after major IT outage

Autosummary: "I"ve got my granddaughter here who"s 11 months old, also a one-year-old, two-year-old, 12-year-old, 13-year-old, 15-year-old all at home."Scott, 27, and his wife, who is four months pregnant, said they had sold their house on Friday morning, but the money for their new home had not gone through yet due to the problems at Barclays. "

A ransomware attack forced New York Blood Center to reschedule appointments

Autosummary: A ransomware attack forced New York Blood Center to reschedule appointments Pierluigi Paganini February 01, 2025 February 01, 2025 The New York Blood Center faced a ransomware attack on Sunday, forcing the healthcare organization to reschedule appointments. "

Indian tech giant Tata Technologies hit by ransomware attack

Autosummary: It is one of India’s key tech developers and state project contractors, employs over 11,000 people, has an annual revenue of $600 million, and operates 18 locations in India, North America, Europe, and Asia-Pacific. "

Only 13% of organizations fully recover data after a ransomware attack

Autosummary: According to the research, 29% of IT budgets are allocated to staff and technologies meant to prevent, detect, contain, and resolve ransomware attacks, yet attacks are still successful. 40% are confident in the ability of employees to detect social engineering lures (up from 30% in 2021), however, insider negligence is the top challenge when responding to ransomware attacks. "

How Interlock Ransomware Infects Healthcare Organizations

Autosummary: Data sent by the RAT to attacker-controlled servers revealed by ANY.RUN Proactive Protection Against Ransomware in Healthcare The healthcare sector is a prime target for ransomware groups like Interlock, with attacks that jeopardize sensitive patient data, disrupt critical services, and put lives at risk. This tactic effectively bypasses the initial layer of user suspicion, but with early detection and analysis, SOC teams can quickly identify malicious domains, block access, and respond faster to emerging threats, reducing the potential impact on business operations. Inside ANY.RUN"s sandbox session, one of the updaters, upd_8816295.exe, is clearly identified within the process tree on the right-hand side, showing its malicious behavior and execution flow. "

ESXi ransomware attacks use SSH tunnels to avoid detection

Autosummary: “ (VMware observer daemon log) “ /var/log/shell.log (ESXi shell activity log) (ESXi shell activity log) /var/log/hostd.log (Host agent log) (Host agent log) /var/log/auth.log (authentication log) “ The report provided multiple examples of common activities and messages found in ESXi syslog files that might be associated to malicious activity. "

TRIPLESTRENGTH Hits Cloud for Cryptojacking, On-Premises Systems for Ransomware

Autosummary: "

Experts Find Shared Codebase Linking Morpheus and HellCat Ransomware Payloads

Autosummary: They are both configured to exclude the \Windows\System32 folder, as well as a hard-coded list of extensions from the encryption process, namely .dll, .sys, .exe, .drv, .com, and .cat, from the encryption process. "

Cybersecurity books on ransomware you shouldn’t miss

Autosummary: "

Two ransomware groups abuse Microsoft’s Office 365 platform to gain access to target organizations

Autosummary: Once access was established, the attacker used a web browser to download a malicious payload, which was split into parts, reassembled, and unpacked to deploy malware.Two ransomware groups abuse Microsoft’s Office 365 platform to gain access to target organizations Pierluigi Paganini January 22, 2025 January 22, 2025 Two ransomware groups exploiting Microsoft 365 services and default settings to target internal enterprise users. "

Medusa ransomware: what you need to know

Autosummary: The largest proportion of Medusa"s targets appear to be located in the United States, followed by the United Kingdom, Canada, Australia, France, and Italy. Image In addition to the dark web leak site, accessible via Tor, Medusa also publicises hacks and publishes stolen data on its public Telegram channel.It"s noticeable that organisations based in Belarus, Kazakhstan, Kyrgyzstan, Russia, and Tajikistan do not appear in the list of victims. "

Week in review: AWS S3 data encrypted without ransomware, data of 15k Fortinet firewalls leaked

Autosummary: Balancing usability and security in the fight against identity-based attacks In this Help Net Security interview, Adam Bateman, CEO of Push Security, talks about the rise in identity-based attacks, how they’re becoming more sophisticated each year, and how AI and ML are both fueling these threats and helping to defend against them.Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Attackers are encrypting AWS S3 data without using ransomware A ransomware gang dubbed Codefinger is encrypting data stored in target organizations’ AWS S3 buckets with AWS’s server-side encryption option with customer-provided keys (SSE-C), and asking for money to hand over the key they used. "

Python-Based Malware Powers RansomHub Ransomware to Exploit Network Flaws

Autosummary: As highlighted by Halcyon earlier this month, some of the other tools deployed prior to ransomware deployment include those responsible for - Disabling Endpoint Detection and Response (EDR) solutions using EDRSilencer and Backstab Stealing credentials using LaZagne Compromising email accounts by brute-forcing credentials using MailBruter Maintaining stealthy access and delivering additional payloads using Sirefef and Mediyes Ransomware campaigns have also been observed targeting Amazon S3 buckets by leveraging Amazon Web Services" Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt victim data. "

Clop Ransomware exploits Cleo File Transfer flaw: dozens of claims, disputed breaches

Autosummary: Clop Ransomware exploits Cleo File Transfer flaw: dozens of claims, disputed breaches Pierluigi Paganini January 16, 2025 January 16, 2025 The Clop ransomware gang claims dozens of victims from a Cleo file transfer vulnerability, though several companies dispute the breaches. "

Clop Ransomware exploits Cleo File Transfer flaw: dozens of claims, disputed breaches

Autosummary: Clop Ransomware exploits Cleo File Transfer flaw: dozens of claims, disputed breaches Pierluigi Paganini January 16, 2025 January 16, 2025 The Clop ransomware gang claims dozens of victims from a Cleo file transfer vulnerability, though several companies dispute the breaches. "

UK government proposes ransomware payment ban for public sector

Autosummary: "

Codefinger ransomware gang uses compromised AWS keys to encrypt S3 bucket

Autosummary: The Codefinger ransomware campaign targeting AWS SSE-C encryption is highly dangerous due to irreversible data loss without the attacker’s key, limited forensic evidence in AWS CloudTrail logs, and the potential to significantly disrupt critical data storage on Amazon S3 Organizations are recommended to protect themselves by hardening AWS environments: restrict SSE-C usage with IAM policies, monitor and audit AWS keys, enable detailed S3 logging, and collaborate with AWS support.Then they start the encryption by The threat actor looks for keys with permissions to write and read S3 objects (s3:GetObject and s3:PutObject requests), and then launches the encryption process by calling the x-amz-server-side-encryption-customer-algorithm header. "

Attackers are encrypting AWS S3 data without using ransomware

Autosummary: “The attacker initiates the encryption process by calling the x-amz-server-side-encryption-customer-algorithm header, utilizing an AES-256 encryption key they generate and store locally,” the Halcyon research team explained. "

OneBlood confirms personal data stolen in July ransomware attack

Autosummary: "

Inexperienced actors developed the FunkSec ransomware using AI tools

Autosummary: Inexperienced actors developed the FunkSec ransomware using AI tools Pierluigi Paganini January 13, 2025 January 13, 2025 FunkSec, a new ransomware group that attacked more than 80 victims in December 2024, was developed using AI tools. Once executed, FunkSec ransomware disables security features, including Windows Defender, logging, PowerShell restrictions, and shadow copy backups during execution. "

Preventing the next ransomware attack with help from AI

Autosummary: Next, it is important to understand WHO is affected and WHAT sort of data is involved, because this will dictate your next critical step, which is communication with the authorities, internally and with customers.Now, with triple extortion, attackers target not only the initial victim but also customers, partners, regulators and even shareholders.In this Help Net Security interview, Dr. Darren Williams, CEO at BlackFog, talks about how employee training plays a crucial role in preventing ransomware attacks. "

AI-Driven Ransomware FunkSec Targets 85 Victims Using Double Extortion Tactics

Autosummary: Some of the prominent actors associated with FunkSec are listed below - A suspected Algeria-based actor named Scorpion (aka DesertStorm) who has promoted the group on underground forums such as Breached Forum El_farado, who emerged as a main figure advertising FunkSec after DesertStorm"s ban from Breached Forum XTN, a likely associate who is involved in an as-yet-unknown "data-sorting" service Blako, who has been tagged by DesertStorm along with El_farado Bjorka, a known Indonesian hacktivist whose alias has been used to claim leaks attributed to FunkSec on DarkForums, either pointing to a loose affiliation or their attempts to impersonate FunkSec The possibility that the group may also be dabbling in hacktivist activity is evidenced by the presence of DDoS attack tools, as well as those related to remote desktop management (JQRAXY_HVNC) and password generation (funkgenerate). "

US charges operators of cryptomixers linked to ransomware gangs

Autosummary: "

BayMark Health Services sends breach notifications after ransomware attack

Autosummary: An investigation showed that the exposed files contained information that varied per patient but could have included the patient’s name and one or more of the following: Social Security number (SSN) Driver’s license number Date of birth The services received and the dates of service Insurance information Treating provider Treatment and/or diagnostic information While BayMark did not provide any information about the number of victims or the nature of the accident, it has been separately reported that the RansomHub ransomware group has BayMark listed on their leak site. "

Space Bears ransomware: what you need to know

Autosummary: Image Guarantees after the transaction: - Your publication will be deleted from this site - All downloaded information, confidential data, personal data, databases will be deleted from the servers - Tools to decrypt your system will be provided if necessary - We will give you information on how to avoid similar attacks in the futureThe gang, which is aligned to the Phobos ransomware-as-a-service group, steals sensitive data from organisations, encrypts victims" computer systems, and demands that a ransom be paid for a decryption key or the data will be published on the dark web. "

Casio says data of 8,500 people exposed in October ransomware attack

Autosummary: The latest announcement from the company lists the following exposed data: Employees (6,456 individuals) : Name, employee number, email address, affiliation, gender, date of birth, family details, address, phone number, taxpayer ID numbers, and HQ system account information. "

French govt contractor Atos denies Space Bears ransomware attack claims

Autosummary: "

Service disruptions continue to blindside businesses

Autosummary: Nearly half in the US (48%), Australia (48%), and the UK (47%), along with a majority in Japan (53%) believe that limited access to real-time data tools will further hinder their organizations during an outage, if approaches to service disruption are not prioritized. "

A ransomware attack disrupted services at Pittsburgh Regional Transit

Autosummary: A ransomware attack disrupted services at Pittsburgh Regional Transit Pierluigi Paganini December 26, 2024 December 26, 2024 A ransomware attack on Pittsburgh Regional Transit (PRT) was the root cause of the agency’s service disruptions. "

Clop ransomware threatens 66 Cleo attack victims with data leak

Autosummary: Clop achieves another major breach The Cleo data theft attack represents another major success for Clop, who leveraged leveraging a zero-day vulnerability in Cleo LexiCom, VLTransfer, and Harmony products to steal data from the networks of breached companies. "

Clop ransomware is now extorting 66 Cleo data-theft victims

Autosummary: Clop achieves another major breach The Cleo data theft attack represents another major success for Clop, who leveraged leveraging a zero-day vulnerability in Cleo LexiCom, VLTransfer, and Harmony products to steal data from the networks of breached companies. "

How companies can fight ransomware impersonations

Autosummary: "

US charges suspected LockBit ransomware developer

Autosummary: The criminal complaint says that at the time of Panev’s arrest, Israeli law enforcement found on his computer: Administrator credentials for a dark web online repository, where source code for multiple versions of the LockBit builder were stored, along with source code for LockBit’s StealBit data exfiltration tool Access credentials for the LockBit control panel, an online dashboard maintained by LockBit developers for LockBit’s affiliates The complaint also alleges that Panev was in contact with Lockbit’s alleged primary administrator- Dimitry Yuryevich Khoroshev, aka LockBitSupp – and discussed work that needed to be done on the LockBit builder and control panel. "

US charged Dual Russian and Israeli National as LockBit Ransomware developer

Autosummary: “As alleged in the superseding complaint, at the time of Panev’s arrest in Israel in August, law enforcement discovered on Panev’s computer administrator credentials for an online repository that was hosted on the dark web and stored source code for multiple versions of the LockBit builder, which allowed LockBit’s affiliates to generate custom builds of the LockBit ransomware malware for particular victims. "

LockBit Developer Rostislav Panev Charged for Billions in Global Ransomware Damages

Autosummary: " With the latest arrest, a total of seven LockBit members – Mikhail Vasiliev, Ruslan Astamirov, Artur Sungatov, Ivan Gennadievich Kondratiev, Mikhail Pavlovich Matveev – have been charged in the U.S. Despite these operational setbacks, the LockBit operators appear to be plotting a comeback, with a new version LockBit 4.0 scheduled for release in February 2025. "Once a co-conspirator sold the data, Antonenko and others used Bitcoin as well as traditional bank and cash transactions to launder the proceeds in order to disguise their nature, location, source, ownership, and control," the DoJ noted in May 2020. "

Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware attacks

Autosummary: “The Department of Justice today announced a coordinated international law enforcement action to disrupt a sophisticated form of ransomware known as NetWalker.” reads the press release published by DoJ. “NetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. "

Romanian Netwalker ransomware affiliate sentenced to 20 years in prison

Autosummary: Affiliates of the NetWalker cybercrime gang have deployed this malware in attacks against hundreds of victims worldwide, including hospitals, law enforcement, emergency services, companies, municipalities, school districts, colleges, and universities. "

Ascension: Health data of 5.6 million stolen in ransomware attack

Autosummary: " Since the breach, Ascension"s investigation has revealed that some of the stolen files contained patients" and employees" names and information across one or more of the following categories (the specific type of exposed information varies from one individual to another): Medical information, such as medical record numbers, dates of service, types of lab tests, or procedure codes, Payment information encompassing credit card information or bank account numbers, Insurance information containing Medicaid/Medicare IDs, policy numbers, or insurance claims, Government identification information, including Social Security numbers, tax identification numbers, driver"s license numbers, or passport numbers, And other personal information, such as dates of birth or addresses. "

US charges Russian-Israeli as suspected LockBit ransomware coder

Autosummary: "As alleged in the superseding complaint, at the time of Panev"s arrest in Israel in August, law enforcement discovered on Panev"s computer administrator credentials for an online repository that was hosted on the dark web and stored source code for multiple versions of the LockBit builder, which allowed LockBit"s affiliates to generate custom builds of the LockBit ransomware malware for particular victims," reads the complaint. "

Krispy Kreme breach, data theft claimed by Play ransomware gang

Autosummary: Krispy Kreme entry on Play Ransomware leak site (BleepingComputer) Play ransomware claims, without proof, that they collected and stole files containing "private and personal confidential data, client documents, budget, payroll, accounting, contracts, taxes, IDs, finance information," and more. "

Rhode Island confirms data breach after Brain Cipher ransomware attack

Autosummary: "On December 13, 2024, the State was informed by its vendor, Deloitte, that there was a major security threat to the RIBridges system," reads the announcement published by the Rhode Island authorities on Saturday. "

Clop ransomware claims responsibility for Cleo data theft attacks

Autosummary: If the data is government services, institutions, medicine, then we will immediately delete this data without hesitation (let me remind you about the last time when it was with moveit - all government data, medicine, clinics, data of scientific research at the state level were deleted), we comply with our regulations. "

CISA confirms critical Cleo bug exploitation in ransomware attacks

Autosummary: While the cybersecurity agency didn"t provide any other information regarding the ransomware campaign targeting Cleo servers left vulnerable to CVE-2024-50623 exploits, these attacks are uncannily similar to previous Clop data theft attacks that exploited zero-days in MOVEit Transfer, GoAnywhere MFT, and Accellion FTA in recent years. "

Cleo patches zero-day exploited by ransomware gang

Autosummary: The post-exploitation framework: Deletes the first stage payload (downloader) Sends out status updates to the C2 server Allows operators to read and collect files or directories Allows operators to retrieve Cleo configuration files (for information about the installation) and issue execution commands Allows operators to perform basic read and write operations on the filesystem Rapid7 researchers have visually explained the attack flow thus: Attack flow (Source: Rapid7) After initial exploitation, they’ve also observed the attacker: Executing commands aimed at gathering user, group and system information from the impacted system and displaying domain trust relationships Executing an overpass-the-hash attack to create a valid Kerberos ticket and thus gain access to additional network resources within the impacted environment. "

Lynx ransomware behind Electrica energy supplier cyberattack

Autosummary: INC vs Lynx ransomware string comparison (BleepingComputer) Since it emerged as a ransomware-as-a-service (RaaS) operation in July 2023, INC Ransom has also breached many education, healthcare, government, and industrial entities, including Yamaha Motor Philippines, Scotland"s National Health Service (NHS), and the U.S. division of Xerox Business Solutions (XBS). "

SecureAuth protects sensitive information with biometric continuous identity assurance

Autosummary: According to SecureAuth CRO Tom Smith, these expanded capabilities strengthen SecureAuth’s competitiveness in sectors with high security needs, especially legal services, call centers and regulated industries like financial services, healthcare, defense contracting, and more. "

US sanctions Chinese firm for hacking firewalls in ransomware attacks

Autosummary: "Between April 22 and 25, 2020, Guan Tianfeng used this zero-day exploit to deploy malware to approximately 81,000 firewalls owned by thousands of businesses worldwide," a press release published today revealed. "

3AM ransomware: what you need to know

Autosummary: Not "backup" as in a "backup of your data" unfortunately but rather as a "backup plan". 3AM drops a ransom note on attacked systems, warning victims that their sensitive data has been stolen and proposing "a deal" to prevent it from being sold on the dark web.The latter of those not only saw social security numbers, driver’s licenses, payroll, health and other personal data of Hoboken workers and residents leaked, but also erotic short stories found on an employee"s computer. "

US sanctions Chinese cybersecurity company for firewall compromise, ransomware attacks

Autosummary: OFAC is designating Sichuan Silence and Guan pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757, for being responsible for or complicit in, or having engaged in, directly or indirectly cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector. "

Romanian energy supplier Electrica Group is facing a ransomware attack

Autosummary: The teams of specialists are working closely with the national cybersecurity authorities to manage and resolve the incident, aiming to address the situation as quickly as possible, identify the source of the attack, and limit its impact.” reads the note. Pierluigi Paganini December 10, 2024 December 10, 2024 Romanian energy supplier Electrica Group is investigating an ongoing ransomware attack impacting its operations. "

Romanian energy supplier Electrica hit by ransomware attack

Autosummary: "

Black Basta Ransomware Evolves with Email Bombing, QR Codes, and Social Engineering

Autosummary: The threat actor, which is also referred to as UNC4393, has since put to use various bespoke malware families to carry out its objectives - KNOTWRAP, a memory-only dropper written in C/C++ that can execute an additional payload in memory KNOTROCK, a .NET-based utility that"s used to execute the ransomware DAWNCRY, a memory-only dropper that decrypts an embedded resource into memory with a hard-coded key PORTYARD, a tunneler that establishes a connection to a hard-coded command-and-control (C2) server using a custom binary protocol over TCP COGSCAN, a .NET reconnaissance assembly used to gather a list of hosts available on the network "Black Basta"s evolution in malware dissemination shows a peculiar shift from a purely botnet-reliant approach to a hybrid model that integrates social engineering," RedSense"s Yelisey Bohuslavskiy said. "

Deloitte denied its systems were hacked by Brain Cipher ransomware group

Autosummary: Deloitte denied its systems were hacked by Brain Cipher ransomware group Pierluigi Paganini December 09, 2024 December 09, 2024 Deloitte has responded to claims by the Brain Cipher ransomware group, which alleges the theft of over 1 terabyte of the company’s data. "

Anna Jaques Hospital ransomware breach exposed data of 300K patients

Autosummary: "

8Base ransomware group hacked Croatia’s Port of Rijeka

Autosummary: "

Blue Yonder SaaS giant breached by Termite ransomware gang

Autosummary: Its list of over 3,000 customers includes other high-profile companies like Microsoft, Renault, Bayer, Tesco, Lenovo, DHL, 3M, Ace Hardware, Procter & Gamble, Carlsberg, Dole, Wallgreens, Western Digital, and 7-Eleven. "

Netography introduces AI-powered ransomware detection capabilities

Autosummary: The Fusion platform also reduces the workload of operations teams by automatically discovering new VPCs or VNet instances (or changes in the behavior in existing instances), applying policies, and monitoring the activity of those instances: Virtual Private Cloud (VPC) and Virtual Network (VNet) Auto-Detection and Auto-Onboarding – Fusion can now automatically detect, apply policies, and monitor newly discovered VPC and VNets, eliminating blind spots in security monitoring. "

Russian money-laundering network linked to drugs and ransomware disrupted, 84 arrests

Autosummary: Led by the National Crime Agency working with Border Force, Op Destabilise has exposed Russian kleptocrats, drug gangs, and cyber criminals - all of whom relied on the flow of dirty money," said Security Minister Dan Jarvis. "

UK disrupts Russian money laundering networks used by ransomware

Autosummary: As part of this Operation Destabilise, U.K. law enforcement has collaborated with many international partners, including the U.S. Department of the Treasury"s Office of Foreign Assets Control (OFAC), the FBI, the Drug Enforcement Agency, the French Direction Centrale de la Police Judiciaire, and Ireland"s national police and security service, An Garda Síochána (AGS). "

BT unit took servers offline after Black Basta ransomware breach

Autosummary: Some of its most notable victims include U.S. healthcare giant Ascension, U.K. tech outsourcing firm Capita, German defense contractor Rheinmetall, government contractor ABB, Hyundai"s European division, the Toronto Public Library, the American Dental Association, and Yellow Pages Canada. "

Black Basta ransomware gang hit BT Group

Autosummary: The group claimed to have stolen 500GB of data including Finacial data, Organisation data, Users data and personal documents, NDA’s, Confidential data, and more. "

No guarantees of payday for ransomware gang that claims to have hacked children’s hospital

Autosummary: Fortunately, Alder Hey Children"s Hospital says that it continues to operate as normal, and that patients" care has not been disrupted as a result of the suspected data breach, in what appears to be the latest in a string of ransomware attacks against NHS organisations. "

US government, energy sector contractor hit by ransomware

Autosummary: "

Energy industry contractor ENGlobal Corporation discloses a ransomware attack

Autosummary: Energy industry contractor ENGlobal Corporation discloses a ransomware attack Pierluigi Paganini December 03, 2024 December 03, 2024 ENGlobal Corporation disclosed a ransomware attack, discovered on November 25, disrupting operations, in a filing to the SEC. "

Vodka maker Stoli files for bankruptcy in US after ransomware attack

Autosummary: "

No company too small for Phobos ransomware gang, indictment reveals

Autosummary: Ptitsyn, who was extradited to the United States out of South Korea, now faces 13 counts, which include wire fraud, conspiracy to commit wire fraud, and conspiracy to commit computer fraud and abuse, along with four counts each of causing intentional damage to protected computers and extortion in relation to hacking. "

Radiant Logic provides continuous identity hygiene assessments via real-time streaming data

Autosummary: "

Wanted Russian Cybercriminal Linked to Hive and LockBit Ransomware Has Been Arrested

Autosummary: "

Notorious ransomware programmer Mikhail Pavlovich Matveev arrested in Russia

Autosummary: He has been tied to Lockbit, Conti, and BABUKhttps://t.co/t2VAJjhlJS — vx-underground (@vxunderground) November 29, 2024 “The Kaliningrad Interior Ministry and the prosecutor’s office reported that the case of a programmer accused of creating a malicious program has been sent to court; according to a RIA Novosti source, this is hacker Mikhail Matveyev, for whom the American FBI is offering a $10 million reward for help in capturing him.” reported RIA Novosti. "

Russia arrests cybercriminal Wazawaka for ties with ransomware gangs

Autosummary: In April 2021, the defendant and Babuk ransomware coconspirators allegedly deployed malicious payloads on the systems of the Metropolitan Police Department in Washington, D.C. In May 2022, Matveev and Hive ransomware gang members allegedly encrypted the systems of a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey. "

Bologna FC confirms data breach after RansomHub ransomware attack

Autosummary: Complete financial data of the club"s history Personal and confidential player data Transfer strategies for new and young players Confidential data of fans and employees Data on young athletes Medical records Information on structures and stadiums Commercial strategies and business plans Previously, the threat actors attempted to blackmail the Italian football team by listing examples of how leaked documents caused other teams to pay huge fines over various violations and used GDPR as leverage. "

Phishing-as-a-Service Rockstar 2FA continues to be prevalent

Autosummary: Phishing-as-a-Service Rockstar 2FA continues to be prevalent Pierluigi Paganini November 29, 2024 November 29, 2024 Phishing tool Rockstar 2FA targets Microsoft 365 credentials, it uses adversary-in-the-middle (AitM) attacks to bypass multi-factor authentication. "

VPN vulnerabilities, weak credentials fuel ransomware attacks

Autosummary: For example, following law enforcement’s takedown of LockBit in Q1, RansomHub, which emerged in February 2024, quickly filled the void, becoming one of the more prolific and dangerous cybercriminal groups. "

Mimic ransomware: what you need to know

Autosummary: Yes, some variants of Mimic can also exfiltrate data from a user"s computers before it is encrypted - the stolen data is typically used as an additional bargaining chip by the extortionists, who may threaten to release it online or sell it to other criminals. Well, a new variant of Mimic has recently been discovered called Elpaco, which has been used in attacks where malicious hackers accessed victims" systems via RDP after successfully brute-forcing their way in. "

Starbucks, grocery stores impacted by Blue Yonder ransomware attack

Autosummary: "

Software firm Blue Yonder providing services to US and UK stores, including Starbucks, hit by ransomware attack

Autosummary: Pierluigi Paganini November 26, 2024 November 26, 2024 Blue Yonder, a supply chain software provider, suffered a ransomware attack, impacting operations for clients like Starbucks and grocery stores. "

Blue Yonder ransomware attack disrupts grocery store supply chain

Autosummary: Among its 3,000 customers are high-profile organizations like DHL, Renault, Bayer, Morrisons, Nestle, 3M, Tesco, Starbucks, Ace Hardware, Procter & Gamble, Sainsbury, and 7-Eleven. "

Cybercriminals turn to pen testers to test ransomware efficiency

Autosummary: Out of the hundreds of AI applications that Cato CTRL monitors, 10 AI applications were tracked and used by organizations (Bodygram, Craiyon, Otter.ai, Writesonic, Poe, HIX.AI, Fireflies.ai, PeekYou, Character.AI, and Luma AI), revealing various security risks. "

Deep Instinct delivers malware and ransomware prevention for cloud data stored in S3 buckets

Autosummary: "

CISA says BianLian ransomware now focuses only on data theft

Autosummary: The advisory has also been updated with the ransomware gang"s new techniques, tactics, and procedures: Targets Windows and ESXi infrastructure, possibly the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for initial access. "

Ransomhub ransomware gang claims the hack of Mexican government Legal Affairs Office

Autosummary: Ransomhub ransomware gang claims the hack of Mexican government Legal Affairs Office Pierluigi Paganini November 21, 2024 November 21, 2024 Mexico is investigating a ransomware attack targeting its legal affairs office, as confirmed by the president amidst growing cybersecurity concerns. "

Five backup lessons learned from the UnitedHealth ransomware attack

Autosummary: Auditing should include: Multifactor authentication Immutability best practices CISA #StopRansomware guidelines Dual authorization for critical changes Restricted administrative access Logging best practices Account lockout settings Backup isolation NAS security guidelines Secure snapshots Encryption Adherence to NIST, ISO, NERC CIP, HIPAA and other standards And more… Implementing these strategies and leveraging a security posture management tool ensures that backup systems remain secure, reliable, and resilient against evolving cyber threats. Some ransomware groups – BlackCat, Akira, Lockbit, Phobos, and Crypto, for example – have been bypassing production systems altogether, and going straight for the backups. "

Phobos ransomware administrator faces US cybercrime charges

Autosummary: Phobos ransomware suspect charged with 13 crimes Ptitsyn is charged in a 13-count indictment with wire fraud conspiracy, wire fraud, conspiracy to commit computer fraud and abuse, four counts of causing intentional damage to protected computers, and four counts of extortion in relation to hacking. "

New "Helldown" Ransomware Variant Expands Attacks to VMware and Linux Systems

Autosummary: Truesec, in an analysis published earlier this month, detailed Helldown attack chains that have been observed making use of internet-facing Zyxel firewalls to obtain initial access, followed by carrying out persistence, credential harvesting, network enumeration, defense evasion, and lateral movement activities to ultimately deploy the ransomware. Interlock is assessed to be a new group that sprang forth from Rhysida operators or developers, the company added, citing overlaps in tradecraft, tools, and ransomware behavior. "

Great Plains Regional Medical Center ransomware attack impacted 133,000 individuals

Autosummary: The exposed patient info varied by individual and may include name, demographic information, health insurance information, clinical treatment information, such as diagnosis and medication information, driver’s license number, and/or in some instances, Social Security number. "

Helldown ransomware exploits Zyxel VPN flaw to breach networks

Autosummary: Configuration files similarities Source: Sekoia As of November 7, 2024, the threat group listed 31 victims on its recently-renewed extortion portal, primarily small and medium-sized firms based in the United States and Europe. "

Russian Phobos ransomware operator faces cybercrime charges

Autosummary: According to the DoJ, the Phobos ransomware operation targeted over 1,000 public and private entities in the United States and worldwide, extorting more than $16 million in ransom payments “The Justice Department unsealed criminal charges today against Evgenii Ptitsyn, 42, a Russian national, for allegedly administering the sale, distribution, and operation of Phobos ransomware.” "

US charges Phobos ransomware admin after South Korea extradition

Autosummary: "Ptitsyn and his co-conspirators hacked not only large corporations but also schools, hospitals, nonprofits, and a federally recognized tribe, and they extorted more than $16 million in ransom payments," said Nicole M. Argentieri, the head of the Justice Department"s Criminal Division. "

5 BCDR Oversights That Leave You Exposed to Ransomware

Autosummary: According to IBM X-Force Threat Intelligence Index 2024, cyberattacks involving valid stolen or compromised credentials rose by over 70% year-over-year.[3] To better protect your SaaS data from ransomware, consider implementing these key recommendations: Implement third-party backup solutions that are purpose-built for SaaS environments.Regular application-level recovery tests help identify hidden issues like data corruption, configuration errors, or dependency failures, which can prevent applications from running smoothly post-recovery.Today, SaaS apps, such as Google Workspace, Microsoft 365 and Salesforce, hold large volumes of business-critical data. Insufficient recovery testing can result in prolonged downtime, failed recoveries, loss of critical data and operational disruption, impacting business continuity and escalating costs associated with restoring services.Whether your organization"s critical data is stored on on-premises data centers, in the cloud, within SaaS applications or on endpoints, Unitrends protects it all. "

ShrinkLocker ransomware: what you need to know

Autosummary: Which is great if your laptop is stolen by a thief... ...but not so good if ShrinkLocker is the one that"s chosen to scramble your data with Bitlocker, and not told you the password it used. "

Bitdefender released a decryptor for the ShrinkLocker ransomware

Autosummary: Bitdefender released a decryptor for the ShrinkLocker ransomware Pierluigi Paganini November 14, 2024 November 14, 2024 Bitdefender released a decryptor for the ShrinkLocker ransomware, which modifies BitLocker configurations to encrypt a system’s drives. Proactive monitoring of Windows event logs, specifically from the “Microsoft-Windows-BitLocker-API/Management” source, can help organizations detect early stages of BitLocker attacks, such as when attackers test encryption capabilities. "

New ShrinkLocker ransomware decryptor recovers BitLocker password

Autosummary: In a report today, Bitdefender highlights a ShrinkLocker attack against a healthcare organization where attackers encrypted Windows 10, Windows 11, and Windows Server devices across the network, including backups. "

Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims

Autosummary: "Even if the server is rebooted manually (e.g. by an unsuspecting administrator), the script does not have a mechanism to resume its execution after the reboot, meaning that the attack may be interrupted or prevented," Martin Zugec, technical solutions director at Bitdefender, said. "

New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks

Autosummary: "If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups," Kaspersky researcher Cristian Souza said. Last month, Secureworks, which is set to be acquired by Sophos early next year, revealed that the number of active ransomware groups has witnessed a 30% year-over-year increase, driven by the emergence of 31 new groups in the ecosystem. "

Zscaler Zero Trust Segmentation prevents lateral movement from ransomware attacks

Autosummary: Zscaler announced a Zero Trust Segmentation solution to provide a more secure, agile and cost-effective means to connect users, devices, and workloads across and within globally distributed branches, factories, campuses, data centers, and public clouds. "

Ymir ransomware, a new stealthy ransomware grow in the wild

Autosummary: Ymir ransomware, a new stealthy ransomware grow in the wild Pierluigi Paganini November 12, 2024 November 12, 2024 New Ymir ransomware was deployed in attacks shortly after systems were breached by RustyStealer malware, Kaspersky warns. "

How human ingenuity continues to outpace automated security tools

Autosummary: 30% now hack full-time, up from 24% in 2023, and 44% spend over 20 hours a week hacking, compared to 35% the previous year. "

Halliburton reports $35 million loss after ransomware attack

Autosummary: "

New Ymir ransomware partners with RustyStealer in attacks

Autosummary: Ymir is a novel Windows ransomware strain that operates entirely from memory, leveraging functions like "malloc," "memove," and "memcmp," to evade detection. "

Veeam Backup & Replication exploit reused in new Frag ransomware attack

Autosummary: Veeam Backup & Replication exploit reused in new Frag ransomware attack Pierluigi Paganini November 09, 2024 November 09, 2024 A critical flaw, tracked as CVE-2024-40711, in Veeam Backup & Replication (VBR) was also recently exploited to deploy Frag ransomware. In a recent attack, threat group STAC 5881 accessed networks via a compromised VPN appliance, exploited a VEEAM vulnerability, and then created accounts named “point” and “point2.” "

Critical Veeam RCE bug now used in Frag ransomware attacks

Autosummary: Frag ransom note (Sophos) ​"In a recent case MDR analysts once again observed the tactics associated with STAC 5881 – but this time observed the deployment of a previously-undocumented ransomware called "Frag,"" said Sean Gallagher, a principal threat researcher at Sophos X-Ops. "

Texas oilfield supplier Newpark Resources suffered a ransomware attack

Autosummary: "

GoZone ransomware accuses and threatens victims

Autosummary: "

Memorial Hospital and Manor suffered a ransomware attack

Autosummary: Read more: https://t.co/onRsd2ZfF2 pic.twitter.com/qenqRNZrrF — Comparitech (@Comparitech) November 5, 2024 The Embargo ransomware gang has been active since April 2024, it runs a ransomware-as-a-service model and has claimed eight attacks, including another two attacks on U.S. healthcare providers, NorthBay Healthcare and Weiser Memorial Hospital. "

City of Columbus: Data of 500,000 stolen in July ransomware attack

Autosummary: "The information involved in the Incident may have included your personal information, such as your first and last name, date of birth, address, bank account information, driver"s license(s), Social Security number, and other identifying information concerning you and/or your interactions with the City," the breach notification letters reveal. "

July 2024 ransomware attack on the City of Columbus impacted 500,000 people

Autosummary: “The information involved in the Incident may have included your personal information, such as your first and last name, date of birth, address, bank account information, driver’s license(s), Social Security number, and other identifying information concerning you and/or your interactions with the City.” "

Meet Interlock — The new ransomware targeting FreeBSD servers

Autosummary: interlock.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=c7f876806bf4d3ccafbf2252e77c2a7546c301e6, for FreeBSD 10.4, FreeBSD-style, not stripped However, even when testing the sample on a FreeBSD virtual machine, BleepingComputer was unable to get the sample to properly execute. "

LA housing authority confirms breach claimed by Cactus ransomware

Autosummary: Before encrypting devices on the breached network on December 31, 2022, the attackers had access to HACLA members" sensitive personal information, including (but not limited to) names, social security numbers, contact information, driver"s licenses, credit card and financial account numbers, as well as their health insurance and medical information. "

North Korean hackers pave the way for Play ransomware

Autosummary: "

North Korean govt hackers linked to Play ransomware attack

Autosummary: However, this led the threat actors to frequently rebrand under different names, like WastedLocker, Hades, Phoenix CryptoLocker, PayLoadBin, and Macaw, to evade sanctions. "

North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack

Autosummary: The activity, observed between May and September 2024, has been attributed to a threat actor tracked as Jumpy Pisces, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly. "

Massive PSAUX ransomware attack targets 22,000 CyberPanel instances

Autosummary: Error. "

Fog and Akira ransomware attacks exploit SonicWall VPN flaw CVE-2024-40766

Autosummary: “An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash.” reads the SonicWall’s advisory. “An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash.” reads the advisory. "

Four REvil Ransomware members sentenced for hacking and money laundering

Autosummary: Vasinskyi (aka Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22) was arrested on October 8, 2021, while he was trying to enter Poland. "

Fog ransomware targets SonicWall VPNs to breach corporate networks

Autosummary: Akira, a far more established player in the ransomware space, has recently had Tor website access problems, as observed by BleepingComputer, but those are gradually returning online now. "

Four REvil Ransomware Members Sentenced in Rare Russian Cybercrime Convictions

Autosummary: "

Black Basta ransomware poses as IT support on Microsoft Teams to breach networks

Autosummary: The accounts are created under Entra ID tenants that are named to appear to be help desk, like: securityadminhelper.onmicrosoft[.]com supportserviceadmin.onmicrosoft[.]com supportadministrator.onmicrosoft[.]com cybersecurityadmin.onmicrosoft[.]com "These external users set their profiles to a "DisplayName" designed to make the targeted user think they were communicating with a help-desk account," explains the new ReliaQuest report. "

Russia sentences REvil ransomware members to over 4 years in prison

Autosummary: As reported by The Record, eight members were ultimately tried, with Artem Zayets, Alexey Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov sentenced today and four others put into a separate proceeding. "

New Qilin ransomware encryptor features stronger encryption, evasion

Autosummary: Veeam (backup and recovery) Windows Volume Shadow Copy Service (system backup and recovery) SQL database services (enterprise data management) Sophos (security and antivirus software) Acronis Agent (backup and recovery service) SAP (enterprise resource planning) Existing volume shadow copies are wiped to prevent easy system restoration, and Windows Event Logs are cleared to hinder forensic analysis. "

NotLockBit: ransomware discovery serves as wake-up call for Mac users

Autosummary: Although malware targeting Apple devices actually predates viruses written for PCs, and there have been some families of malware that have presented a significant threat for both operating systems (for instance, the Word macro viruses that hit computers hard from 1995 onwards), it is generally the case that you"re simply a lot less likely to encounter malware on your Mac than you are on your Windows PC. "

New Qilin.B Ransomware Variant Emerges with Improved Encryption and Evasion Tactics

Autosummary: "Out of the 99 healthcare organizations that admitted to paying the ransom and disclosed the ransom paid, the median payment was $1.5 million, and the average payment was $4.4 million," the tech giant said. "

Henry Schein discloses data breach a year after ransomware attack

Autosummary: "

Ransomware Gangs Use LockBit"s Fame to Intimidate Victims in Latest Attacks

Autosummary: Some of the vulnerabilities exploited by Akira affiliates are listed below - "Throughout 2024, Akira has targeted a significant number of victims, with a clear preference for organizations in the manufacturing and professional, scientific, and technical services sectors," Talos researchers James Nutland and Michael Szeliga said. "

Embargo ransomware: Rock’n’Rust

Autosummary: The loader achieves this using a combination of Windows command line tools bcdedit, sc, and reg to: set Safe Mode as the default boot mode, disable Windows Defender in Safe Mode, create a service, irnagentd , that executes the loader after the system is rebooted into Safe Mode, and , that executes the loader after the system is rebooted into Safe Mode, and restart the system. There are four stages that the attacker distinguishes in their log messages – they use a different prefix for logging errors in each of them: [dec] – payload decryption, – payload decryption, [exec] – ransomware execution, – ransomware execution, [execk] – MS4Killer execution, and – MS4Killer execution, and [kler] – MS4Killer run (this prefix is used when MS4Killer exits unexpectedly).Decryption and dropping of vulnerable driver probmon.sys Driver loading is consistent with s4killer: enabling the SeLoadDriverPrivilege necessary for loading and unloading device drivers, creating a service via CreateServiceW , creating additional registry keys, required for filter loading, in HKLM\SYSTEM\ControlSet001\services\<service_name> , and loading a minifilter driver into the system via FilterLoad .N/A Subject C KR Valid from 2011-06-08 06:01:39 Valid to 2014-06-07 08:32:23 Additional MDeployer file paths C:\Windows\Debug\b.cache C:\Windows\Debug\a.cache C:\Windows\Debug\fail.txt C:\Windows\Debug\stop.exe Commands used by MDeployer reg delete HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\Network\WinDefend /f C:\Windows\System32\cmd.exe /c takeown /R /A /F After that, it does a “Safe Mode cleanup” – it deletes the decrypted ransomware file pay.exe, creates the control flow file stop.exe to prevent double encryption, deletes the persistence service irnagentd, and reboots the system back into normal mode.{default} safeboot reg delete HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\Network\WinDefend /f C:\Windows\System32\cmd.exe /c ping localhost -n 5 > nul & del C:\Windows\Debug\dtest.dll shutdown -r -f -t 00 C:\Windows\praxisbackup.exe C:\Windows\Debug\pay.exe MITRE ATT&CK techniques This table was built using version 15 of the MITRE ATT&CK framework.Attributes of the exploited driver probmon.sys String decryption MS4Killer uses encryption to hide embedded strings in the binary from plain sight: specifically, it XORs log message strings, the RC4 key used to decrypt the embedded driver, and the list of process names to terminate. In this particular case, MS4Killer abuses an older, vulnerable minifilter driver: probmon.sys, version 3.0.0.4 (Figure 7), signed by an already revoked certificate from ITM System Co.,LTD.Decryption of log message after OpenProcessToken API call Loading probmon.sys As mentioned previously, the legitimate vulnerable driver is embedded as an RC4-encrypted blob (using the key FGFOUDa87c21Vg+cxrr71boU6EG+QC1mwViTciNaTUBuW4gQbcKboN9THK4K35sL), which is also XOR encrypted, in the MS4Killer binary.Figure 11 shows a code snippet, where, in that particular case, only process names ERAAgent.exe and ekrn.exe, which are from ESET products, are compared against the running processes. Execution In all of the observed cases, the persistence of the loader was achieved by a scheduled task, Perf_sys (Figure 5), created by an already elevated system user BITCH\Administrator.[reg-del] – modifying Windows registry, and , – modifying Windows registry, and [setsb] – using the bcdedit.exe command line tool to set Safe Mode on next restart. During cleanup, the loader terminates the MS4Killer process, deletes the decrypted payloads and the vulnerable driver dropped by MS4Killer, and creates the flow control file stop.exe.[sc delete] – creating or deleting the service irnagentd , , – creating or deleting the service , [reg] ,Next, it does the same for the ransomware payload, which is decrypted from a.cache , saved as pay.exe , and executed. "

The Internet Archive breach continues

Autosummary: A new development On Friday, October 18, IA’s founder Brewster Kahle said that the stored data of the Internet Archive is safe, and that “the Wayback Machine, Archive-It, scanning, and national library crawls have resumed, as well as email, blog, helpdesk, and social media communications.” "

Crypt Ghouls Targets Russian Firms with LockBit 3.0 and Babuk Ransomware Attacks

Autosummary: "

Tech giant Nidec confirms data breach following ransomware attack

Autosummary: The investigation also revealed that the attackers stole 50,694 files, including the following: Internal documents Letters from business partners Documents related to green procurement Labor safety and health policies (business and supply chain, etc.) "

Researchers Uncover Cicada3301 Ransomware Operations and Its Affiliate Program

Autosummary: "

BianLian ransomware claims attack on Boston Children"s Health Physicians

Autosummary: Full names Social Security numbers Addresses Dates of birth Driver"s license numbers Medical record numbers Health insurance information Billing information Treatment information (limited) BHCP clarifies that the cyberattack did not impact its electronic medical record systems, as they are hosted on a separate network. "

A glimmer of good news on the ransomware front, as encryption rates plummet

Autosummary: The 114-page Microsoft Digital Defense Report (MMDR) looks at multiple aspects of the cybersecurity landscape, including AI security, denial-of-service attacks, phishing, social engineering, and nation-state threats. "

Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware

Autosummary: " The disclosure comes as Palo Alto Networks Unit 42 detailed a successor to INC ransomware named Lynx that has been active since July 2024, targeting organizations in retail, real estate, architecture, financial, and environmental services sectors in the U.S. and U.K. The emergence of Lynx is said to have been spurred by the sale of INC ransomware"s source code on the criminal underground market as early as March 2024, prompting malware authors to repackage the locker and spawn new variants. "

Casio confirms customer data stolen in a ransomware attack

Autosummary: "Please refrain from spreading this information through social media, etc., as it could increase the damage caused by the leak of information on this case, violate the privacy of those affected, have serious effects on their lives and businesses, and encourage crime," says the updated Casio statement. "

Underground ransomware claims attack on Casio, leaks stolen data

Autosummary: The leaked data includes: Confidential documents (社外秘) Legal documents Personal data of employees Confidential NDA"s Employee payroll information Patents information Company financial documents "

Akira and Fog ransomware now exploit critical Veeam RCE flaw

Autosummary: Weeks later, in late March, Finnish cybersecurity and privacy company WithSecure spotted CVE-2023-27532 exploits deployed in attacks linked to the financially motivated FIN7 threat group, known for its links to the Conti, REvil, Maze, Egregor, and BlackBasta ransomware operations. "

MoneyGram: No evidence ransomware is behind recent cyberattack

Autosummary: "After working with leading external cybersecurity experts, including CrowdStrike, and coordinating with U.S. law enforcement, the majority of our systems are now operational, and we have resumed money transfer services," says an email obtained by BleepingComputer. "

Highline Public Schools confirms ransomware behind shutdown

Autosummary: "In response, a third-party cybersecurity forensic specialist was engaged, and an investigation was launched, which confirmed that the unauthorized activity was a form of ransomware," the school district said this week. "

LockBit Ransomware and Evil Corp Members Arrested and Sanctioned in Joint Global Effort

Autosummary: In conjunction, authorities outed a Russian national named Aleksandr Ryzhenkov (aka Beverley, Corbyn_Dallas, G, Guester, and Kotosel) as one of the high-ranking members of the Evil Corp cybercrime group, while simultaneously painting him as a LockBit affiliate. "

Tick tock.. Operation Cronos arrests more LockBit ransomware gang suspects

Autosummary: Australia, the UK, and the United States have additionally implemented sanctions against an individual that the NCA believes to be a highly active affiliate of LockBit (and who they also suspect of being strongly linked to another cybercrime group, Evil Corp.) 31-year-old Aleksandr Ryzhenkov, believed to reside in Russia, is wanted for his alleged involvement in a series of ransomware attacks and money laundering activities. "

Police arrested four new individuals linked to the LockBit ransomware operation

Autosummary: Police arrested four new individuals linked to the LockBit ransomware operation Pierluigi Paganini October 02, 2024 October 02, 2024 An international police operation led to the arrest of four individuals linked to the LockBit ransomware group, including a developer. "

4 new LockBit-related arrests, identities of suspected Evil Corp members, affiliates revealed

Autosummary: "

Halcyon offers ransomware protection for Linux environments

Autosummary: "

Use Windows event logs for ransomware investigations, JPCERT/CC advises

Autosummary: "

Evil Corp hit with new sanctions, BitPaymer ransomware charges

Autosummary: "Eduard Benderskiy (Benderskiy), a former Spetnaz officer of the Russian Federal Security Service (FSB), which is designated under numerous OFAC sanctions authorities, current Russian businessman, and the father-in-law of Evil Corp"s leader Maksim Viktorovich Yakubets (Maksim), has been a key enabler of Evil Corp"s relationship with the Russian state," alleges the U.S. Department of the Treasury announcement. The sanctioned individuals are Eduard Benderskiy (Maksim"s father-in-law), Viktor Grigoryevich Yakubets (Maksim"s father), Aleksandr Viktorovich Ryzhenkov, Sergey Viktorovich Ryzhenkov, Aleksey Yevgenevich Shchetinin, Beyat Enverovich Ramazanov, and Vadim Gennadievich Pogodin. "

Police arrest four suspects linked to LockBit ransomware gang

Autosummary: ​Additional LockBit arrests and charges LockBit emerged in September 2019 and has since claimed responsibility for and been linked to attacks against many high-profile companies and organizations worldwide, including Bank of America, Boeing, the Continental automotive giant, the Italian Internal Revenue Service, and the UK Royal Mail. "

UMC Health System diverted patients following a ransomware attack

Autosummary: UMC Health System diverted patients following a ransomware attack Pierluigi Paganini October 01, 2024 October 01, 2024 US healthcare provider UMC Health System had to divert patients due to a network outage caused by a ransomware attack.It’s unclear if threat actors had exfiltrated patients’ data during the attack Healthcare infrastructure in the US continues to be under attack, in July, the Lockbit ransomware gang breached the Fairfield Memorial Hospital in Illinois. "

Community Clinic of Maui discloses a data breach following May Lockbit ransomware attack

Autosummary: “The personal information that was potentially impacted included first and last names with one or more of the following identifiers: Social Security Number, Date Of Birth, Driver’s License Number / State Id Number, Passport Number, Financial Account Number, Routing Number, Bank Name, Credit / Debit Card Number, Card CVV Expiration Date, Pin/Security Code, Login Information, Medical Diagnosis, Clinical Information, Medical Treatment/Procedure Information, Treatment Type, Treatment Location, Treatment Cost Information, Doctor’s Name, Medical Record Number, Patient Account Number, Prescription Information and/ or Biometric Data. Mālama investigated the security breach with external cybersecurity professionals, and on August 7, 2024, the experts determined that personal data may ‘have been subject to unauthorized access and acquisition between May 4, 2024 and May 7, 2024.’ "

JPCERT shares Windows Event Log tips to detect ransomware attacks

Autosummary: Characteristic Bisamware ransomware logs Source: JPCERT/CC JPCERT/CC also notes that seemingly unrelated ransomware variants such as Shade, GandCrab, AKO, AvosLocker, BLACKBASTA, and Vice Society, leave behind very similar traces (event IDs: 13, 10016). "

Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks

Autosummary: Active since 2021, the threat actor has a history of targeting education entities with Sabbath (54bb47h) ransomware before evolving into a ransomware-as-a-service (RaaS) affiliate delivering various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware. "

Embargo ransomware escalates attacks to cloud environments

Autosummary: "Once the threat actor achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, the threat actor then deployed the Embargo ransomware across the organization" Microsoft "We observed that the threat actor did not always resort to ransomware distribution, and in some cases only maintained backdoor access to the network," Microsoft said. "

US sanctions crypto exchanges used by Russian ransomware gangs

Autosummary: "Cryptex is also associated with over $720 million in transactions to services frequently used by Russia-based ransomware actors and cybercriminals, including fraud shops, mixing services, exchanges lacking KYC programs, and OFAC-designated virtual currency exchange Garantex," the Treasury said. "

How cyber compliance helps minimize the risk of ransomware infections

Autosummary: The platform comes with features designed to simplify the entire compliance lifecycle, with tools to support selecting frameworks, creating custom frameworks based on risk analyses, collecting evidence from integrated platforms, identifying gaps, executing user access reviews, implementing new controls, generating reports and continuously monitoring compliance efforts. Cyber governance, risk, and compliance (GRC) platform Cypago provides a centralized approach to managing compliance by automating many of the repetitive and time-consuming tasks involved in tracking, reporting, and maintaining adherence to various standards. By following the standards and practices outlined in these frameworks, organizations can establish structured and industry-standard cybersecurity programs that are capable of minimizing vulnerabilities, adapting to evolving ransomware trends, and responding to security incidents. "

MFA bypass becomes a critical security issue as ransomware tactics advance

Autosummary: Insurance: 6.3x more likely to experience a ransomware attack Healthcare: 2.1x more likely to experience a ransomware attack CIOs, CISOs, and other IT security executives (91%) are almost twice as confident than their security practitioner counterparts (54%) in their organization’s ability to prevent a full-blown ransomware attack – outlining an alarming disconnect between key decision makers and front-line teams on their preparedness for this costly threat. Rise of infostealer malware and digital identity exposure Cybercriminals have pivoted to next-generation tactics, using information-stealing malware (or “infostealers”) to siphon digital identity data, authentication details, and session cookies from infected users and selling this information to ransomware operators – leaving virtually every respondent (99.8%) concerned about this trend. "

Discover Latest Ransomware Tactics and Zero Trust Strategies in This Expert Webinar

Autosummary: In this informative session, you will: Go Beyond the Headlines : Explore the details behind recent ransomware incidents and uncover how attackers infiltrate, encrypt, and extort their victims. "

Warnings after new Valencia ransomware group strikes businesses and leaks data

Autosummary: Image The alleged victims include the City of Pleasanton in California (where the attacker claims to have stolen 283GB of sensitive information), Malaysian pharmaceutical firm Duopharma Biotech (25.7GB), Indian paper manufacturer Satia (7.1GB), and Bangladeshi drugs maker Globe Pharmaceuticals (200MB). "

AutoCanada says ransomware attack "may" impact employee data

Autosummary: The data that has been exposed includes: Full name Address Date of birth Payroll information, including salaries and bonuses Social insurance number Bank account number used for direct deposits Scans of government-issued identification documents Any personal documents stored on a work computer or drives tied to a work computer Those impacted will receive a three-year free-of-charge identity theft protection and credit monitoring coverage through Equifax, with the enrollment deadline set to January 31, 2025. "

New Mallox ransomware Linux variant based on leaked Kryptina code

Autosummary: "

The Vanilla Tempest cybercrime gang used INC ransomware for the first time in attacks on the healthcare sector

Autosummary: "

Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector

Autosummary: "

Germany seizes 47 crypto exchanges used by ransomware gangs

Autosummary: "

Wherever There"s Ransomware, There"s Service Account Compromise. Are You Protected?

Autosummary: Silverfort"s service account protection: Automated discovery, profiling, and protection Silverfort enables identity and security teams to keep their service accounts secure in the following manner: Automated discovery Silverfort sees and analyzes every AD authentication. In this article, we explore what makes service accounts such a lucrative target, why they are beyond the scope of most security control, and how the new approach of unified identity security can prevent service accounts from compromise and abuse.Silverfort"s identity security platform is built on a proprietary technology that enables it to have continuous visibility, risk analysis, and active enforcement on any AD authentication, including, of course, the ones made by service accounts. "

Rapid7 launches Vector Command for continuous red teaming and security gap identification

Autosummary: "

Microsoft: Vanilla Tempest hackers hit healthcare with INC ransomware

Autosummary: "

Qilin ransomware attack on Synnovis impacted over 900,000 patients

Autosummary: “People with symptoms of sensitive medical conditions, including cancer and sexually transmitted infections, are among almost a million individuals who had their personal information published online following a ransomware attack that disrupted NHS hospitals in London earlier this year, according to an analysis shared with Recorded Future News.” reported Recorded Future News. "

Port of Seattle confirmed that Rhysida ransomware gang was behind the August attack

Autosummary: The Port confirmed that an unauthorized actor accessed and encrypted parts of their computer systems, disrupting key services like baggage handling, check-in kiosks, ticketing, Wi-Fi, and parking.The ransomware gang hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors. "

Port of Seattle hit by Rhysida ransomware in August attack

Autosummary: " The Port"s decision to take systems offline and the ransomware gang encrypting those that weren"t isolated in time caused outages impacting multiple services and systems, including baggage, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking. "

RansomHub ransomware gang relies on Kaspersky TDSKiller tool to disable EDR

Autosummary: RansomHub ransomware gang relies on Kaspersky TDSKiller tool to disable EDR Pierluigi Paganini September 11, 2024 September 11, 2024 Researchers observed the RansomHub ransomware group using the TDSSKiller tool to disable endpoint detection and response (EDR) systems. "

NoName ransomware gang deploying RansomHub malware in recent attacks

Autosummary: - ESET NoName has been using brute force to gain access to networks but the threat actor also exploits several vulnerabilities that are more likely to be present in SMB environments: • CVE-2017-0144 (aka EternalBlue), • CVE-2023-27532 (a vulnerability in a Veeam Backup & Replication component) • CVE-2021-42278 and CVE-2021-42287 (AD privilege escalation vulnerabilities) through noPac • CVE-2022-42475 (a vulnerability in FortiOS SSL-VPN) • CVE-2020-1472 (aka Zerologon) Before launching the encryptor, ScRansom kills a list of processes and services on the Windows host, including Windows Defender, the Volume Shadow Copy, SVCHost, RDPclip, LSASS, and processes associated with VMware tools. "

RansomHub ransomware abuses Kaspersky TDSSKiller to disable EDR software

Autosummary: EDR agents are more advanced solutions that operate, at least partially, at the kernel level, as they need to monitor and control low-level system activities such as file access, process creation, and network connections, all providing real-time protection against threats like ransomware. "

CosmicBeetle Deploys Custom ScRansom Ransomware, Partnering with RansomHub

Autosummary: " Targets of ScRansom attacks span manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, leisure, financial services, and regional government sectors. POORTRY, detected as far back as in 2021, is also referred to as BURNTCIGAR, and has been used by multiple ransomware gangs, including CUBA, BlackCat, Medusa, LockBit, and RansomHub over the years. "

Veeam Backup & Replication RCE flaw may soon be leveraged by ransomware gangs (CVE-2024-40711)

Autosummary: "

Wing Security SaaS Pulse: Continuous Security & Actionable Insights — For Free

Autosummary: Security teams instantly get a real-time security "health" score, prioritized risks, contextualized threat insights, and the organization"s app inventory—without setups or integrations.Users get instant clarity on App2App connectivity, third-party risk management (TPRM), Gen-AI, compliance, and more. "

Critical SonicWall SSLVPN bug exploited in ransomware attacks

Autosummary: Federal agencies ordered to patch by September 30 CISA followed suit on Monday, adding the critical access control flaw to its Known Exploited Vulnerabilities catalog, ordering federal agencies to secure vulnerable SonicWall firewalls on their networks within three weeks by September 30, as mandated by Binding Operational Directive (BOD) 22-01. "

83% of organizations experienced at least one ransomware attack in the last year

Autosummary: "

Planned Parenthood partly offline after ransomware attack

Autosummary: As laid out in a recent joint advisory by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS), RansomHub is a relatively new but very active Ransomware-as-a-Service group known to target healthcare organizations and other critical infrastructure sectors. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "

Cicada ransomware – what you need to know

Autosummary: While there"s no definitive proof, the similarities between Cicada and BlackCat, including the use of Rusy, evasion techniques, and timing, suggest a possible connection. According to a blog post by security researchers at Morphisec, at least 21 companies, predominantly in North America and the UK, have been hit by Cicada since June 18, 2024. "

How ransomware tactics are shifting, and what it means for your business

Autosummary: The tools we found to be commonly used by RaaS actors included PDQ Connect, Action1, AnyDesk, and TeamViewer for remote access, as well as rclone, rsync, Megaupload, and FileZilla for data exfiltration.In this Help Net Security interview, Tim West, Director of Threat Intelligence and Outreach at WithSecure, discusses Ransomware-as-a-Service (RaaS) with a focus on how these cybercriminal operations are adapting to increased competition, shifting structures, and a fragmented ecosystem.At the same time, from a defender’s perspective, the mistrust among cybercriminals is beneficial, as it likely makes them less effective, less efficient, and easier to defend against. Proprietary data and intellectual property (IP), including designs, blueprints, and trade secrets are critical to maintaining a competitive edge, and therefore lucrative assets for theft or sale. At the same time, traditional defences against ransomware encryption, such as backup strategies and network segmentation, remain important. "

New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems

Autosummary: "

RansomHub Ransomware Group Targets 210 Victims Across Critical Sectors

Autosummary: The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure. "

Lockbit gang claims the attack on the Toronto District School Board (TDSB)

Autosummary: LockBit also claims to have re-breached Bridgestone Americas and claims Albany Bank, PKF Australia, HP Hood… pic.twitter.com/KBU9CtXbIs — Dominic Alvieri (@AlvieriD) August 29, 2024 At the end of July, two foreign nationals, Ruslan Magomedovich Astamirov and Mikhail Vasiliev, pleaded guilty in Newark federal court for their roles in the LockBit ransomware operation. "

A new variant of Cicada ransomware targets VMware ESXi systems

Autosummary: Both are written in Rust Both use ChaCha20 for encryption Both use almost identical commands to shutdown VM and remove snapshots[1] Both use –ui command parameters to provide a graphic output on encryption Both use the same convention for naming files, but changing “RECOVER-“ransomware extension”-FILES.txt” to “RECOVER-“ransomware extension”-DATA.txt”[2] How the key parameter is used to decrypt the ransomware note The initial attack by the Cicada3301 group began with the use of stolen or brute-forced credentials to log in via ScreenConnect.A new variant of Cicada ransomware targets VMware ESXi systems Pierluigi Paganini September 02, 2024 September 02, 2024 A new ransomware-as-a-service (RaaS) operation called Cicada3301 has emerged in the threat landscape and already targeted tens of companies. "

Cicada3301 ransomware’s Linux encryptor targets VMware ESXi systems

Autosummary: It should be noted that BlackCat/ALPHV encryptors also used random seven-character extensions and a ransom note named "RECOVER-[extension]-FILES.txt." Cicada3301 ransom note Source: BleepingComputer The ransomware"s operators can set a sleep parameter to delay the encryptor"s execution, potentially to evade immediate detection. Cicada3301 ransomware operator seeking affiliates on RAMP forums Source: Truesec Like other ransomware operations, Cicada3301 conducts double-extortion tactics where they breach corporate networks, steal data, and then encrypt devices. "

Linux version of new Cicada ransomware targets VMware ESXi servers

Autosummary: It should be noted that BlackCat/ALPHV encryptors also used random seven-character extensions and a ransom note named "RECOVER-[extension]-FILES.txt." Cicada3301 ransom note Source: BleepingComputer The ransomware"s operators can set a sleep parameter to delay the encryptor"s execution, potentially to evade immediate detection. Cicada3301 ransomware operator seeking affiliates on RAMP forums Source: Truesec Like other ransomware operations, Cicada3301 conducts double-extortion tactics where they breach corporate networks, steal data, and then encrypt devices. "

Researcher sued for sharing data stolen by ransomware with media

Autosummary: On the same day, Rhysida ransomware claimed responsibility for the attack, alleging they stole 6.5 TB of databases, including employee credentials, server dumps, city video camera feeds, and other sensitive information. "

Why ransomware attackers target Active Directory

Autosummary: "

‘Big-game hunting’ – Ransomware gangs are focusing on more lucrative attacks

Autosummary: "

U.S. Agencies Warn of Iranian Hacking Group"s Ongoing Ransomware Attacks

Autosummary: " Initial access is accomplished by taking advantage of remote external services on internet-facing assets that are vulnerable to previously disclosed flaws (CVE-2019-19781, CVE-2022-1388, CVE-2023-3519, CVE-2024-3400, and CVE-2024-24919), followed by a series of steps to persist, escalate privileges, and set up remote access through tools like AnyDesk or the open-source Ligolo tunneling tool. Peach Sandstorm Delivers Tickler Malware in Long-Running Campaign The development comes as Microsoft said it observed Iranian state-sponsored threat actor Peach Sandstorm (aka APT33, Curious Serpens, Elfin, and Refined Kitten) deploying a new custom multi-stage backdoor referred to as Tickler in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the U.S. and U.A.E. between April and July 2024. "

#StopRansomware: RansomHub Ransomware