Ransomware
June 3, 2025
Lyrix Ransomware Targets Windows Users with Advanced Evasion Techniques
Abstract
A new ransomware variant named Lyrix is targeting Windows systems with advanced evasion and encryption techniques. It poses a significant threat to both individuals and enterprises by encrypting critical files and demanding cryptocurrency ransoms. (GBHackers)
May 20, 2025
Ransomware strikes UK food distributor in latest retail blow
Abstract
Peter Green Chilled suffered a ransomware attack on May 14, 2025, severely impacting its operations and disrupting supply chains to major UK supermarkets including Asda, Tesco, Sainsbury's, Waitrose, and M&S. (The Register)
May 20, 2025
New Nitrogen Ransomware Targets Financial Firms in the US, UK and Canada
Abstract
Nitrogen ransomware, first publicly identified in September 2024, has emerged as a significant threat targeting organizations across the finance, construction, manufacturing, and technology sectors. (HackRead)
April 28, 2025
VerdaCrypt: The PowerShell Ransomware That Thinks It's a Philosophy Professor
Abstract
VerdaCrypt is a sophisticated PowerShell-based ransomware that blends technical stealth with psychological manipulation. Active since April 2025, it operates filelessly and delivers ransom notes filled with philosophical musings. (Brendan Smith)
April 25, 2025
ELENOR-corp Ransomware Targets Healthcare Sector
Abstract
A new variant of the Mimic ransomware, named ELENOR-corp (v7.5), has been identified in targeted attacks against the healthcare sector. It has been deployed in a series of attacks on healthcare organizations, leveraging aggressive techniques. (Infosecurity Magazine)
April 23, 2025
Ransomware groups test new business models to hit more victims, increase profits
Abstract
DragonForce and Anubis are attempting to entice hackers to come and work with them by adopting affiliate models that would increase the volume of incidents their services can be used in. (The Record)
April 21, 2025
FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE
Abstract
Researchers found that FOG ransomware is being distributed by cybercriminals trolling users by abusing the name of the Department of Government Efficiency (DOGE), or individuals connected to the government initiative. (Trend Micro)
April 17, 2025
Ghost Ransomware Targets Organizations Across 70+ Countries
Abstract
A new ransomware variant known as Ghost (also referred to as Cring) has emerged as a significant global threat. The FBI and CISA issued a joint advisory in February 2025 in response to the growing threat. (GBHackers)
April 10, 2025
Emulating the Misleading CatB Ransomware
Abstract
CatB ransomware, also known as CatB99 or Baxtoy, emerged in late 2022 and has gained attention for its use of DLL hijacking via MSDTC to execute its payload. It is suspected to be a rebrand of Pandora ransomware. (AttackIQ)
April 8, 2025
Everest Ransomware's Dark Web Leak Site Defaced, Now Offline
Abstract
The dark web leak site of the Everest ransomware gang was defaced over the weekend by an unknown attacker, and the operation has since taken the site offline. (Bleeping Computer)
March 27, 2025
RedCurl Threat Group Creates QWCrypt Ransomware to Target Hyper-V Virtual Machines
Abstract
While most ransomware operations focus on VMware ESXi servers, RedCurl's new QWCrypt ransomware specifically targets virtual machines hosted on Hyper-V. Bitdefender observed attacks involving phishing emails with ".IMG" attachments disguised as CVs. (Bleeping Computer)
March 24, 2025
Babuk2 Ransomware Attempts Extortion Based on False Claims
Abstract
Babuk2, aka Babuk-Bjorka, appears to be reusing data from earlier breaches to back up its extortion claims. Many of the victims listed in their announcements have already been targeted by other groups such as RansomHub, FunkSec, LockBit, and Babuk. (Halcyon)
March 24, 2025
VanHelsing, New RaaS in Town - Check Point Research
Abstract
In recent weeks, a new and rapidly expanding ransomware-as-a-service (RaaS) program called VanHelsingRaaS has been making waves in the cybercrime world, having infected three victims within just two weeks of its introduction. (Check Point)
March 22, 2025
Albabat Ransomware Evolves to Target Linux and macOS
Abstract
Trend Micro researchers said the Albabat ransomware version 2.0 not only targets Microsoft Windows but also gathers system and hardware information on Linux and macOS systems. (Infosecurity Magazine)
March 22, 2025
Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
Abstract
Researchers at Elastic Security Labs observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS) called HeartCrypt. (The Hacker News)
March 21, 2025
VSCode Extensions Found Downloading Early-Stage Ransomware
Abstract
The two malicious extensions, named "ahban.shiba" and "ahban.cychelloworld," were downloaded seven and eight times, respectively, before they were eventually removed from the store. (Bleeping Computer)
March 15, 2025
Black Basta Ransomware Gang Creates Tool to Automate VPN Brute-Force Attacks
Abstract
The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs to gain network access and scale ransomware attacks on vulnerable internet-exposed endpoints. (Bleeping Computer)
March 13, 2025
Elysium Ransomware: A New Variant of the Ghost Family Targeting Critical Infrastructure
Abstract
This group has been active since 2021, targeting organizations in critical infrastructure, healthcare, and government sectors. The attackers typically gain initial access by exploiting known vulnerabilities in outdated applications. (Security Online)
March 11, 2025
EByte Ransomware: A New Go-Based Threat with Advanced Encryption Techniques
Abstract
CYFIRMA has identified a new ransomware variant, EByte Ransomware, written in Go and actively targeting Windows systems. This malware leverages advanced cryptographic methods, combining ChaCha20 for encryption and ECIES for secure key transmission. (Security Online)
March 8, 2025
Medusa Ransomware Activity Continues to Increase
Abstract
Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024. (Security)
February 22, 2025
New XELERA Ransomware Campaign Spreading Through Malicious Documents
Abstract
Security researchers at Seqrite Labs APT-Team uncovered a sophisticated spear-phishing attack that delivers a Python-based ransomware via malicious documents disguised as job notifications. (Security Online)
February 10, 2025
The Anatomy of Abyss Locker Ransomware Attack
Abstract
The threat actors behind Abyss Locker consistently employ a TTP of deploying malware on critical network devices to tunnel their activity within the network. This includes targeting VPN appliances, network-attached storage (NAS) and ESXi servers. (Sygnia)
January 20, 2025
Black Basta Ransomware Exploits Microsoft Teams for Phishing Attacks
Abstract
The campaign begins with an email bombing strategy where victims' inboxes are flooded with benign spam emails, such as newsletter subscriptions. This tactic aims to distract users and mask the malicious intent. (Security Online)
January 17, 2025
RansomHub Affiliate Leverages Python-based Backdoor to Maintain Access and Deploy Encryptors
Abstract
In an incident response in Q4 2024, GuidePoint Security identified evidence of a threat actor utilizing a Python-based backdoor to maintain access to compromised endpoints. The threat actor later leveraged this access to deploy RansomHub encryptors. (GuidePoint)
January 13, 2025
HexaLocker Returns in New Improved Variant Propagated via Skuld Stealer
Abstract
HexaLocker V2 exhibits a major evolution in both functionality and complexity compared to its predecessor. According to Cyble Research and Intelligence Labs, the ransomware now combines advanced encryption techniques with data theft capabilities. (Security Online)
January 11, 2025
AI-Driven Ransomware FunkSec Targets 85 Victims Using Double Extortion Tactics
Abstract
Cybersecurity researchers have shed light on a nascent artificial intelligence (AI) assisted ransomware family called FunkSec that sprang forth in late 2024, and has claimed more than 85 victims to date. (The Hacker News)
January 10, 2025
Unmasking Play Ransomware: Tactics, Techniques, and Mitigation Strategies
Abstract
Play ransomware, also known as Balloonfly or PlayCrypt, has emerged as a significant cyber threat since its discovery in June 2022. Responsible for over 300 global attacks, this ransomware encrypts files and appends them with the ".PLAY" extension. (Security Online)
December 26, 2024
Clop Ransomware is Now Extorting 66 Cleo Data-Theft Victims
Abstract
The Cleo data theft attack represents another major success for Clop, which leveraged a zero-day vulnerability in Cleo LexiCom, VLTransfer, and Harmony products to steal data from the networks of breached companies. (Cyware)
December 17, 2024
Update: Clop Ransomware Claims Responsibility for Cleo Data Theft Attacks
Abstract
The Clop ransomware gang has confirmed to BleepingComputer that they are behind the recent Cleo data-theft attacks, utilizing zero-day exploits tracked as CVE-2024-50623 and CVE-2024-55956 to breach corporate networks and steal data. (Bleeping Computer)
December 7, 2024
Black Basta Ransomware Campaign Drops Zbot, DarkGate, & Custom Malware
Abstract
According to a detailed analysis by Rapid7, the threat actors have refined their techniques, introducing novel methods for gaining access and delivering malware, including Zbot, DarkGate, and custom-developed tools. (Rapid7)
December 4, 2024
Inside Akira Ransomware's Rust Experiment
Abstract
Check Point Research dissected Akira ransomware's Rust version, targeting ESXi servers, revealing how Rust's design, compiler optimizations, and library usage complicate reverse-engineering. (Check Point)
November 5, 2024
New Interlock Ransomware Found Targeting FreeBSD Servers
Abstract
A new ransomware group named Interlock has been attacking organizations worldwide by targeting FreeBSD servers with a unique encryptor. Launched in September 2024, Interlock has already hit six organizations, including Wayne County, Michigan. (Bleeping Computer)
October 28, 2024
Black Basta Ransomware Poses as IT Support on Microsoft Teams to Breach Networks
Abstract
In a recent campaign observed by Rapid7 and ReliaQuest, Black Basta flooded employees' inboxes with emails and then contacted them through Microsoft Teams, posing as corporate help desks to assist with spam issues. (Cyware)
October 22, 2024
Beast Ransomware: RaaS Platform Targets Windows, Linux, and VMware ESXi
Abstract
Cybereason recently analyzed the Beast Ransomware, a Ransomware-as-a-Service platform actively targeting organizations since 2022, evolving with new features for Windows, Linux, and VMware ESXi servers. (Cyware)
October 14, 2024
Lynx Ransomware: A Rebranding of INC Ransomware
Abstract
The malicious actors behind Lynx use tactics like double extortion, where they steal victims' data before encrypting it and threaten to leak or sell it if the ransom is not paid. (Palo Alto Networks)
October 12, 2024
Fog and Akira Ransomware Exploit Critical Veeam RCE Flaw After PoC Release
Abstract
Sophos X-Ops MDR and Incident Response warned of rising ransomware attacks exploiting Veeam Backup & Replication flaw CVE-2024-40711, allowing unauthorized account creation for ransomware deployments like Fog and Akira. (Security Online)
September 19, 2024
Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector
Abstract
Microsoft said Vanilla Tempest has been active since at least July 2022, with previous attacks targeting education, healthcare, IT, and manufacturing sectors using various ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida. (The Hacker News)
September 12, 2024
Inc Ransom Attack Analysis: Extortion Methodologies
Abstract
The attack lifecycle involved initial access gained through a firewall vulnerability, followed by enumeration of network shares and lateral movement using Impacket and pass-the-hash attacks. (ReliaQuest)
September 7, 2024
Fog Ransomware Now Targeting the Financial Sector
Abstract
Fog, a variant of the STOP/DJVU family, targets various sectors, exploiting VPN vulnerabilities to infiltrate network defenses. After infiltration, Fog ransomware disables protective measures, encrypts vital files, and demands ransom via the Tor network. (Adlumin)
September 7, 2024
CyberVolk Ransomware: A New and Evolving Threat to Global Cybersecurity
Abstract
CyberVolk, infamous for DDoS attacks and data breaches, has gained particular notoriety for its ransomware, detected in July 2024, due to its advanced features and capabilities. (Security Online)
September 5, 2024
RomCom Group's Underground Ransomware Exploits Microsoft Zero-Day Flaw
Abstract
A new ransomware variant named Underground, linked to the Russia-based RomCom group, encrypts files on victims' Windows machines and demands a ransom for decryption. It has been active since July 2023. (Security Online)
September 2, 2024
A New Variant of Cicada Ransomware Targets VMware ESXi Systems
Abstract
The group behind Cicada3301 has been recruiting affiliates on cybercrime forums since June. It is speculated that Cicada3301 could be related to the now-defunct ALPHV group, as both ransomware share similarities. (Security Affairs)
August 28, 2024
BlackByte Blends Known Tactics With New Encryptor Variant and Vulnerability Exploits to Support Ongoing Attacks
Abstract
The latest encryptor variant identified by researchers at Cisco Talos appends the file extension 'blackbytent_h' to encrypted files. This variant also includes the deployment of four vulnerable drivers, an increase from previous reports. (Talos Intelligence)
August 27, 2024
Lateral Movement: Clearest Sign of Unfolding Ransomware Attack
Abstract
Lateral movement is a key indicator of ransomware attacks, with 44% of attacks being spotted during this phase, as reported by Barracuda Networks. Additionally, file modifications and off-pattern behavior were also significant triggers for detection. (Help Net Security)
August 27, 2024
PythonAnywhere Cloud Platform Abused for Hosting Ransomware
Abstract
Researchers found that attackers are leveraging the PythonAnywhere cloud platform to host and distribute malicious files using Razr ransomware discreetly. The ransomware generates a unique machine ID, encryption key, and IV to begin operations. (HackRead)
August 7, 2024
Threat Actors Announce Doubleface Ransomware, Claim It Is Fully Undetectable
Abstract
Threat actors have introduced Doubleface ransomware, claiming it to be fully undetectable by major antivirus software. The ransomware utilizes a unique algorithm with AES-128 and RSA-4096 encryption, making decryption difficult without the right key. (Cybersecurity News)
July 20, 2024
New Play Ransomware Linux Variant Targets ESXi, Shows Ties With Prolific Puma
Abstract
The Play ransomware group has introduced a Linux variant that targets ESXi environments. This variant verifies its environment before executing and has been successful in evading security measures. (Trend Micro)
July 16, 2024
SEXi Ransomware Rebrands as 'APT Inc.,' Retains Prior Extortion Tactics
Abstract
The cybercrime group known as SEXi ransomware, now operating as APT Inc., has been targeting organizations since February. They use a leaked Babuk encryptor for VMware ESXi servers and LockBit 3 encryptor for Windows servers. (Cyware)
July 16, 2024
HardBit Ransomware Version 4.0 Supports New Obfuscation Techniques
Abstract
To ensure victims cannot recover encrypted files easily, the ransomware deletes Volume Shadow Copy Service (VSS) snapshots and makes adjustments to the boot configuration to prevent recovery prompts and errors upon restart. (Cyware)
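The shadow-copy deletion and boot-configuration tampering described above is the "inhibit system recovery" step that almost every ransomware family performs just before encryption, and it is one of the last reliable pre-encryption detection points. The following is an added example, not code from the HardBit report or from any vendor: a small rule set run over constructed process-creation events in an assumed "timestamp|host|user|command_line" format (standing in for Sysmon Event ID 1, Windows 4688 or an EDR feed), which flags hosts where several distinct recovery-inhibition techniques fire together.

```python
"""Detect ransomware 'inhibit system recovery' commands in process-creation telemetry.

Added example, not code from the HardBit report or any vendor. Input lines are a
constructed "timestamp|host|user|command_line" format, an assumption standing in
for whatever your pipeline emits (Sysmon Event ID 1, Windows 4688, EDR).
"""
import re

# Constructed sample events (not real telemetry). WS01 shows the HardBit-style
# sequence: shadow copies deleted, boot configuration changed to suppress
# recovery, backup catalog removed. SRV02 is a legitimate backup job.
SAMPLE_EVENTS = [
    '2024-07-16T10:01:02Z|WS01|corp\\jdoe|"C:\\Windows\\System32\\vssadmin.exe" list shadows',
    "2024-07-16T10:02:10Z|WS01|corp\\jdoe|vssadmin.exe delete shadows /all /quiet",
    "2024-07-16T10:02:11Z|WS01|corp\\jdoe|wmic shadowcopy delete",
    "2024-07-16T10:02:12Z|WS01|corp\\jdoe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2024-07-16T10:02:13Z|WS01|corp\\jdoe|bcdedit /set {default} recoveryenabled no",
    "2024-07-16T10:02:14Z|WS01|corp\\jdoe|wbadmin delete catalog -quiet",
    "2024-07-16T11:15:00Z|SRV02|corp\\backupsvc|wbadmin start backup -backupTarget:E: -include:C:",
]

# Rule name and a case-insensitive pattern over the command line. The patterns
# tolerate the ".exe" suffix and whitespace variations ransomware builders use.
RULES = [
    ("shadow_copy_delete_vssadmin", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_delete_wmic", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_copy_resize_vssadmin", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("boot_recovery_disabled", re.compile(r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_status_policy_ignore", re.compile(r"bcdedit(\.exe)?.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]


def parse_event(line):
    """Split one pipe-delimited event into its fields (the command line may contain '|')."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def detect(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for line in events:
        ev = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append({**ev, "rule": name})
    return findings


def hosts_with_recovery_inhibition(events, min_rules=2):
    """Hosts on which at least `min_rules` distinct recovery-inhibition rules fired.

    A lone `vssadmin delete shadows` can be an administrator freeing disk space;
    several distinct techniques on one host in quick succession is the ransomware
    pre-encryption pattern and is what should page someone.
    """
    by_host = {}
    for f in detect(events):
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {host: sorted(rules) for host, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['rule']}: {f['cmd']}")
    print(hosts_with_recovery_inhibition(SAMPLE_EVENTS))
```

The `list shadows` enumeration on WS01 deliberately does not match: it is the reconnaissance step and is also common in legitimate administration, so alerting on it alone would be noisy. Requiring two or more distinct rule hits per host is the practical threshold; tune `min_rules` down to 1 for servers where nobody should ever run these commands.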
July 10, 2024 – Phishing
Regional Transport Office Themed Phishing Campaign Targets Android Users In India
Abstract
Phishing messages impersonating the Regional Transport Office have been circulating since 2024, claiming traffic violations and prompting users to download a malicious APK named "VAHAN PARIVAHAN.apk". (Cyble)
As CISOs Grapple with the C-Suite, Job Satisfaction Takes a Hit
Abstract
Research shows that 75% of CISOs are considering a job change due to various challenges and pressures. CISOs often face accountability for cyber incidents and compliance failures, leading to discontent. (Cybersecurity Dive)
May 14, 2024
INC Ransomware Source Code Selling on Hacking Forums for $300,000
Abstract
The source code of the INC ransomware-as-a-service (RaaS) operation, which has targeted organizations like Xerox Business Solutions, Yamaha Motor Philippines, and Scotland's National Health Service (NHS), is being sold on hacking forums for $300,000. (Bleeping Computer)
May 2, 2024
LockBit, Black Basta, Play Dominate Ransomware in Q1 2024
Abstract
LockBit, Black Basta, and Play have been observed to be the most active ransomware groups in Q1 2024, with Black Basta experiencing a notable 41% increase in activity, according to a report by ReliaQuest. (Infosecurity Magazine)
April 23, 2024
Behavioral Patterns of Ransomware Groups are Changing
Abstract
The ransomware landscape has undergone significant changes in Q1 2024, with major shifts in the behavior of Ransomware-as-a-Service (RaaS) groups, according to GuidePoint Security's GRIT Q1 2024 Ransomware Report. (Help Net Security)
March 26, 2024
Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script
Abstract
Agenda ransomware group uses RMM tools, as well as Cobalt Strike, for deployment of the ransomware binary. It can also propagate via PsExec and Secure Shell, while also making use of different vulnerable SYS drivers for defense evasion.
March 14, 2024
The Effects of Law Enforcement Takedowns on the Ransomware Landscape
Abstract
Following the disruption of the Qakbot botnet in August 2023, ransomware affiliates have transitioned to exploiting vulnerabilities as the primary method of delivering malware. (Help Net Security)
March 12, 2024
New DoNex Ransomware Observed in the Wild Targeting Enterprises
Abstract
The DoNex ransomware strain is actively targeting companies in the United States and Europe, employing a double-extortion method to hold files and sensitive data hostage. (Cyware)
March 5, 2024
GhostLocker 2.0 Haunts Businesses Across Middle East, Africa, and Asia
Abstract
Cybercriminal groups GhostSec and Stormous have collaborated to unleash GhostLocker 2.0 ransomware in targeted attacks across the Middle East, Africa, and Asia, affecting organizations in various sectors. (Cyware)
March 5, 2024
Update: BlackCat Ransomware Turns off Servers Amid Claim They Stole $22 Million Ransom
Abstract
The shutdown may indicate an exit scam, with the affiliate claiming they still have critical data from Optum and other providers, while ALPHV/BlackCat has shut down its negotiation sites and messaging platform. (Cyware)
March 4, 2024
Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO
Abstract
The RA World ransomware employs multi-stage components to target healthcare organizations in the Latin American region, signifying a strategic and targeted approach to compromising systems within the target network. (Cyware)
March 1, 2024
Abyss Locker Ransomware Attacks Both Windows And Linux Users
Abstract
This ransomware steals and encrypts files, demanding a ransom both for decryption and for withholding the stolen data. It is based on the HelloKitty ransomware source code and has been observed in various regions. (Cyware)
February 29, 2024
LockBit Ransomware Returns to Attacks With New Encryptors, Servers
Abstract
LockBit has set up new data leak and negotiation sites, and is actively recruiting experienced pentesters to join their operation, indicating a potential increase in future attacks. (Cyware)
February 21, 2024
Knight Ransomware Source Code for Sale After Leak Site Shuts Down
Abstract
The alleged source code for the third iteration of the Knight ransomware is being offered for sale to a single buyer on a hacker forum, indicating a potential shift in the group's operations. (Cyware)
February 17, 2024
Alpha Ransomware Emerges From NetWalker Ashes
Abstract
The Alpha ransomware operation appears to be linked to the previously inactive NetWalker ransomware, suggesting a potential revival or acquisition of the original payload. (Cyware)
February 13, 2024
Ransomware Tactics Evolve, Become Scrappier
Abstract
Ransomware attacks surged in 2023, with the United States accounting for almost half of all attacks according to Malwarebytes, and cybercriminals evolving their tactics to target a higher volume of victims simultaneously. (Cyware)
February 12, 2024
Decryptor for Rhysida Ransomware is Available
Abstract
Files encrypted by Rhysida ransomware can be successfully decrypted, due to an implementation vulnerability discovered by Korean researchers and leveraged to create a decryptor. (Cyware)
January 29, 2024
Albabat, Kasseika, Kuiper: New Ransomware Gangs Rise with Rust and Golang
Abstract
Cybersecurity researchers have detected in the wild yet another variant of the Phobos ransomware family known as Faust. Fortinet FortiGuard Labs, which detailed the latest iteration of the ransomware, said it's being propagated by means of an infection that delivers a Microsoft Excel document (.XLAM) containing a VBA script. "The attackers utilized the Gitea service to store several files encoded in Base64, each carrying a malicious binary," security researcher Cara Lin said in a technical report published last week. "When these files are injected into a system's memory, they initiate a file encryption attack." Faust is the latest addition to several ransomware variants from the Phobos family, including Eking, Eight, Elbie, Devos, and 8Base. It's worth noting that Faust was previously documented by Cisco Talos in November 2023. The cybersecurity firm described the variant as active since 2022 and "does not target specific industries or re… (The Hacker News)
January 24, 2024
Kasseika Ransomware Using BYOVD Trick to Disarm Security Pre-Encryption
Abstract
The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups like Akira, AvosLocker, BlackByte, and RobbinHood. The tactic allows "threat actors to terminate antivirus processes and services for the deployment of ransomware," Trend Micro said in a Tuesday analysis. Kasseika, first discovered by the cybersecurity firm in mid-December 2023, exhibits overlaps with the now-defunct BlackMatter, which emerged in the aftermath of DarkSide's shutdown. There is evidence to suggest that the ransomware strain could be the handiwork of an experienced threat actor that acquired or purchased access to BlackMatter, given that the latter's source code has never publicly leaked post its demise in November 2021. Attack chains involving Kasseika commence with a phishing email for initial access, subsequently… (The Hacker News)
January 23, 2024
Threat Assessment of BianLian Ransomware
Abstract
The BianLian ransomware group has shifted from a double extortion scheme to a focus on extortion without encryption, posing a significant threat to organizations, particularly in the healthcare and manufacturing sectors in the US and Europe. (Cyware)
January 15, 2024
3 Ransomware Group Newcomers to Watch in 2024
Abstract
The ransomware industry surged in 2023 as it saw an alarming 55.5% increase in victims worldwide, reaching a staggering 4,368 cases. [Figure 1: Year over year victims per quarter] The rollercoaster ride from explosive growth in 2021 to a momentary dip in 2022 was just a teaser: 2023 roared back with the same fervor as 2021, propelling existing groups and ushering in a wave of formidable newcomers. [Figure 2: 2020-2023 ransomware victim count] LockBit 3.0 maintained its number one spot with 1047 victims achieved through the Boeing attack, the Royal Mail attack, and more. Alphv and Cl0p achieved far less success, with 445 and 384 victims attributed to them, respectively, in 2023. [Figure 3: Top 3 active ransomware groups in 2023] These 3 groups were heavy contributors to the boom in ransomware attacks in 2023, but they were not the sole groups responsible. Many attacks came from emerging ransomware gangs such as 8Base, Rhysida, 3AM, Malaslocker, BianLian, Play, Akira,… (The Hacker News)
January 12, 2024
Medusa Ransomware on the Rise: From Data Leaks to Multi-Extortion
Abstract
The threat actors associated with the Medusa ransomware have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims who are unwilling to agree to their demands. "As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion or download of all the data," Palo Alto Networks Unit 42 researchers Anthony Galiette and Doel Santos said in a report shared with The Hacker News. "All of these options have a price tag depending on the organization impacted by this group." Medusa (not to be confused with Medusa Locker) refers to a ransomware family that appeared in late 2022 before coming into prominence in 2023. It's known for opportunistically targeting a wide range of industries such as high technology, education, manufacturing, healthcare, and retail. As many as 74 organization… (The Hacker News)
January 10, 2024
Free Decryptor Released for Black Basta and Babuk's Tortilla Ransomware Victims
Abstract
A decryptor for the Tortilla variant of the Babuk ransomware has been released by Cisco Talos, allowing victims targeted by the malware to regain access to their files. The cybersecurity firm said the threat intelligence it shared with Dutch law enforcement authorities made it possible to arrest the threat actor behind the operations. The encryption key has also been shared with Avast, which had previously released a decryptor for Babuk ransomware after its source code was leaked in September 2021. The updated decryptor can be accessed here [EXE file]. "A single private key is used for all victims of the Tortilla threat actor," Avast noted. "This makes the update to the decryptor especially useful, as all victims of the campaign can use it to decrypt their files." The Tortilla campaign was first disclosed by Talos in November 2021, with the attacks leveraging ProxyShell flaws in Microsoft Exchange servers to drop the ransomware within victim environments. Tortilla… (The Hacker News)
January 9, 2024
New Decryptor for Babuk Tortilla Ransomware Variant Released
Abstract
Cisco Talos, in collaboration with Dutch Police and Avast, recovered a decryptor for the Babuk Tortilla ransomware variant, allowing users to quickly recover their encrypted files. (Cyware)
January 3, 2024
Ban on Ransomware Payments? The Alternative Isn't Working
Abstract
Ransomware attacks in the US reached record levels in 2023, targeting hospitals, schools, government organizations, and private-sector businesses, costing victims an average of $1.5 million to rectify. (Cyware)
January 2, 2024
Zeppelin2 Ransomware Builder for Sale on Dark Web
Abstract
A user on an underground forum is promoting the sale of Zeppelin2 ransomware, offering its source code and a cracked version of its builder tool. Zeppelin2 has been used since 2019, targeting various sectors including healthcare and technology. (Cyware)
December 20, 2023
Remote Encryption Attacks Surge: How One Vulnerable Device Can Spell Disaster
Abstract
Ransomware groups are increasingly switching to remote encryption in their attacks, marking a new escalation in tactics adopted by financially motivated actors to ensure the success of their campaigns. "Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network," Mark Loman, vice president of threat research at Sophos, said. "Attackers know this, so they hunt for that one 'weak spot' — and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders." Remote encryption (aka remote ransomware), as the name implies, occurs when a compromised endpoint is used to encrypt data on other devices on the same network. In October 2023, Microsoft revealed that around 60% of ransomware attacks now involve malicious remote encryption in an effort to minimize their footprint, with more than 80% of all compr… (The Hacker News)
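Because the encryptor in a remote-encryption attack never runs on the file server, endpoint controls on that server see nothing; the only evidence it has is the SMB activity of one client touching many files on many shares in a short time. The following is an added example, not Sophos or Microsoft code: a sliding-window detector over constructed file-server audit events in an assumed "timestamp|client_ip|share|operation|path|new_path" format (standing in for SMB access auditing, Windows 5145/4663 events or an EDR file-event stream), flagging the client and the extension its renames introduce.

```python
"""Flag a client that encrypts files on a share from a remote host.

Added example, not Sophos or Microsoft code. The telemetry format is an
assumption: one pipe-delimited line per file operation, as a file-server audit
log (SMB access audit, Windows 5145/4663, or an EDR file-event stream) might
emit: "timestamp|client_ip|share|operation|path|new_path".
"""
import ntpath
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_events():
    """Constructed telemetry (not real data): a benign client and a remote encryptor."""
    t0 = datetime(2023, 12, 20, 9, 0, 0)
    lines = []
    # Benign: 8 writes to one share spread over 16 minutes.
    for i in range(8):
        ts = (t0 + timedelta(minutes=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts}|10.0.5.40|\\\\FS01\\HR|WRITE|reviews\\r{i}.docx|")
    # Remote encryption: one host renames 30 files on three shares in 45 seconds,
    # appending a new extension, with nothing running on the file server itself.
    shares = ["\\\\FS01\\Finance", "\\\\FS01\\Legal", "\\\\FS01\\Engineering"]
    for i in range(30):
        ts = (t0 + timedelta(seconds=int(i * 1.5))).strftime(TS_FMT)
        path = f"docs\\file{i}.xlsx"
        lines.append(f"{ts}|10.0.5.23|{shares[i % 3]}|RENAME|{path}|{path}.locked")
    return lines


def parse_event(line):
    ts, client, share, op, path, new_path = line.split("|")
    return {"ts": datetime.strptime(ts, TS_FMT), "client": client, "share": share,
            "op": op, "path": path, "new_path": new_path}


def remote_encryption_candidates(events, window_seconds=60, min_files=20, min_shares=2):
    """Clients that touched >= min_files distinct files on >= min_shares shares
    within any window_seconds window, with the extensions their renames introduced.

    Counting distinct files across shares per source host is what separates a
    remote encryptor from a single user saving work into one share.
    """
    per_client = defaultdict(list)
    for ev in map(parse_event, events):
        if ev["op"] in ("WRITE", "RENAME"):
            per_client[ev["client"]].append(ev)

    alerts = {}
    for client, evs in per_client.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            files = {(e["share"], e["path"]) for e in window}
            shares = {e["share"] for e in window}
            if len(files) >= min_files and len(shares) >= min_shares:
                new_ext = Counter(ntpath.splitext(e["new_path"])[1]
                                  for e in window if e["op"] == "RENAME" and e["new_path"])
                alerts[client] = {
                    "files": len(files),
                    "shares": sorted(shares),
                    "new_extensions": new_ext.most_common(3),
                    "window_start": window[0]["ts"].strftime(TS_FMT),
                }
                break  # the first qualifying window is enough to raise the alert
    return alerts


if __name__ == "__main__":
    for client, info in remote_encryption_candidates(build_sample_events()).items():
        print(client, info)
```

The response this detection should drive is isolating the source IP (the "one underprotected device"), not the file server: blocking the server's SMB listener stops the encryption but also the business, while a per-client block at the switch or firewall stops only the attacker. The thresholds are deliberately conservative; backup agents and migration tooling can legitimately touch many files across shares, so exempt those service accounts or their hosts explicitly rather than raising `min_files` until the rule goes quiet.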
December 8, 2023
Ransomware-as-a-Service: The Growing Threat You Can't Ignore
Abstract
Ransomware attacks have become a significant and pervasive threat in the ever-evolving realm of cybersecurity. Among the various iterations of ransomware, one trend that has gained prominence is Ransomware-as-a-Service (RaaS). This alarming development has transformed the cybercrime landscape, enabling individuals with limited technical expertise to carry out devastating attacks. Traditional and double extortion ransomware attacks: Traditionally, ransomware refers to a type of malware that encrypts the victim's files, effectively blocking access to data and applications until a ransom is paid to the attacker. However, more contemporary attackers often employ an additional strategy. The bad actors create copies of the compromised data and leverage the threat of publishing sensitive information online unless their demands for ransom are met. This dual approach adds an extra layer of complexity and potential harm to the victims. A new model for ransomware: RaaS is the latest busin… (The Hacker News)
December 2, 2023
Expert Warns of Turtle macOS Ransomware
Abstract
While the Turtle ransomware may not pose a significant risk to macOS users currently, its existence highlights the ongoing efforts by ransomware authors to target Apple devices. (Cyware)
November 30, 2023
CACTUS Ransomware Exploits Qlik Sense Vulnerabilities in Targeted Attacks
Abstract
A CACTUS ransomware campaign has been observed exploiting recently disclosed security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain a foothold into targeted environments. "This campaign marks the first documented instance [...] where threat actors deploying CACTUS ransomware have exploited vulnerabilities in Qlik Sense for initial access," Arctic Wolf researchers Stefan Hostetler, Markus Neis, and Kyle Pagelow said. The cybersecurity company, which said it's responding to "several instances" of exploitation of the software, noted that the attacks are likely taking advantage of three flaws that have been disclosed over the past three months: CVE-2023-41265 (CVSS score: 9.9), an HTTP Request Tunneling vulnerability that allows a remote attacker to elevate their privilege and send requests that get executed by the backend server hosting the repository application; CVE-2023-41266 (CVSS score: 6.5), a path tr… (The Hacker News)
November 29, 2023
DJVU Ransomware’s Latest Variant ‘Xaro’ Disguised as Cracked Software Full Text
Abstract
A variant of a ransomware strain known as DJVU has been observed to be distributed in the form of cracked software. "While this attack pattern is not new, incidents involving a DJVU variant that appends the .xaro extension to affected files and demanding ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers," Cybereason security researcher Ralph Villanueva said. The new variant has been codenamed Xaro by the American cybersecurity firm. DJVU, in itself a variant of the STOP ransomware, typically arrives on the scene masquerading as legitimate services or applications. It's also delivered as a payload of SmokeLoader. A significant aspect of DJVU attacks is the deployment of additional malware, such as information stealers (e.g., RedLine Stealer and Vidar), making them more damaging in nature. In the latest attack chain documented by Cybereason, Xaro is propagated as an archive file from a dub... (The Hacker News)
November 22, 2023
LockBit Ransomware Exploiting Critical Citrix Bleed Vulnerability to Break In Full Text
Abstract
Multiple threat actors, including LockBit ransomware affiliates, are actively exploiting a recently disclosed critical security flaw in Citrix NetScaler application delivery control (ADC) and Gateway appliances to obtain initial access to target environments. The joint advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Australian Signals Directorate's Australian Cyber Security Center (ASD's ACSC). "Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances," the agencies said. "Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to... (The Hacker News)
November 21, 2023
Play Ransomware Goes Commercial - Now Offered as a Service to Cybercriminals Full Text
Abstract
The ransomware strain known as Play is now being offered to other threat actors "as a service," new evidence unearthed by Adlumin has revealed. "The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it," the cybersecurity company said in a report shared with The Hacker News. The findings are based on various Play ransomware attacks tracked by Adlumin spanning different sectors that incorporated almost identical tactics and in the same sequence. This includes the use of the public music folder (C:\...\public\music) to hide the malicious file, the same password to create high-privilege accounts in both attacks, and the same commands. Play, also called Balloonfly and PlayCrypt, first came to light in June 2022, leveraging security flaws in Microsoft Exchange Server – i.e.,... (The Hacker News)
November 21, 2023
8Base Group Found Deploying a New Phobos Ransomware Variant Full Text
Abstract
The 8Base ransomware attackers have incorporated a new variant of the Phobos ransomware and publicly available tools for financially motivated attacks. The variant used by the 8Base group includes features that can enable attackers to establish persistence on victims’ systems, perform speedy encryp... (Cyware)
November 18, 2023
8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader Full Text
Abstract
The threat actors behind the 8Base ransomware are leveraging a variant of the Phobos ransomware to conduct their financially motivated attacks. The findings come from Cisco Talos, which has recorded an increase in activity carried out by cybercriminals. "Most of the group's Phobos variants are distributed by SmokeLoader, a backdoor trojan," security researcher Guilherme Venere said in an exhaustive two-part analysis published Friday. "This commodity loader typically drops or downloads additional payloads when deployed. In 8Base campaigns, however, it has the ransomware component embedded in its encrypted payloads, which is then decrypted and loaded into the SmokeLoader process' memory." 8Base came into sharp focus in mid-2023, when a similar spike in activity was observed by the cybersecurity community. It's said to be active at least since March 2022. A previous analysis from VMware Carbon Black in June 2023 identified parallels between 8Base and RansomHou... (The Hacker News)
November 13, 2023
New Ransomware Group Emerges with Hive’s Source Code and Infrastructure Full Text
Abstract
The threat actors behind a new ransomware group called Hunters International have acquired the source code and infrastructure from the now-dismantled Hive operation to kick-start its own efforts in the threat landscape. "It appears that the leadership of the Hive group made the strategic decision to cease their operations and transfer their remaining assets to another group, Hunters International," Martin Zugec, technical solutions director at Bitdefender, said in a report published last week. Hive, once a prolific ransomware-as-a-service (RaaS) operation, was taken down as part of a coordinated law enforcement operation in January 2023. While it's common for ransomware actors to regroup, rebrand, or disband their activities following such seizures, what can also happen is that the core developers can pass on the source code and other infrastructure in their possession to another threat actor. Reports about Hunters International as a possible Hive rebrand sur... (The Hacker News)
November 08, 2023
Experts Expose Farnetwork’s Ransomware-as-a-Service Business Model Full Text
Abstract
Cybersecurity researchers have unmasked a prolific threat actor known as farnetwork, who has been linked to five different ransomware-as-a-service (RaaS) programs over the past four years in various capacities. Singapore-headquartered Group-IB, which attempted to infiltrate a private RaaS program that uses the Nokoyawa ransomware strain, said it underwent a "job interview" process with the threat actor, learning several valuable insights into their background and role within those RaaS programs. "Throughout the threat actor's cybercriminal career, which began in 2019, farnetwork has been involved in several connected ransomware projects, including JSWORM, Nefilim, Karma, and Nemty, as part of which they helped develop ransomware and manage the RaaS programs before launching their own RaaS program based on Nokoyawa ransomware," Nikolay Kichatov, threat intelligence analyst at Group-IB, said. The latest disclosure comes nearly six months after the cyber... (The Hacker News)
October 25, 2023
The Rise of S3 Ransomware: How to Identify and Combat It Full Text
Abstract
In today's digital landscape, around 60% of corporate data now resides in the cloud, with Amazon S3 standing as the backbone of data storage for many major corporations. Despite S3 being a secure service from a reputable provider, its pivotal role in handling vast amounts of sensitive data (customer personal information, financial data, intellectual property, etc.) provides a juicy target for threat actors. It remains susceptible to ransomware attacks, which are often initiated using leaked access keys that have accidentally been exposed by human error and have access to the organization's buckets. To effectively combat these evolving threats, it is vital to ensure that your organization has visibility into your S3 environment, that you are aware of how threat actors can compromise data for ransom and, most importantly, best practices for minimizing the risk of cyber criminals successfully executing such an attack.
Ensuring Visibility: CloudTrail and Server Access Logs
V... (The Hacker News)
September 28, 2023
Unraveling the CACTUS Ransomware Group’s Recent Exploits Full Text
Abstract
The CACTUS ransomware group employs unique encryption techniques, including hiding the decryption key within a file named ntuser.dat, to evade detection by anti-virus software. (Cyware)
September 27, 2023
ShadowSyndicate: New RaaS Connected to Multiple Ransomware Families Full Text
Abstract
Researchers have discovered the infrastructure linked to a threat group called ShadowSyndicate, believed to have launched attacks using seven distinct ransomware families in the last year. ShadowSyndicate has been identified as using a consistent SSH fingerprint across 85 servers. (Cyware)
September 13, 2023
Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family Full Text
Abstract
A new ransomware family called 3AM has emerged in the wild after it was detected in a single incident in which an unidentified affiliate deployed the strain following an unsuccessful attempt to deliver LockBit (attributed to Bitwise Spider or Syrphid) in the target network. "3AM is written in Rust and appears to be a completely new malware family," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. "The ransomware attempts to stop multiple services on the infected computer before it begins encrypting files. Once encryption is complete, it attempts to delete Volume Shadow (VSS) copies." 3AM gets its name from the fact that it's referenced in the ransom note. It also appends encrypted files with the extension .threeamtime. That said, it's currently not known if the malware authors have any connections with known e-crime groups. In the attack spotted by Symantec, the adversary is said to have managed to... (The Hacker News)
September 1, 2023 – Breach
Data Breach Could Affect More Than 100,000 in Pima County Full Text
Abstract
More than 100,000 Pima County residents could be affected by a nationwide data breach that affected the company that handled COVID-19 case investigations and contact tracing here, officials say. (Cyware)
September 1, 2023
Free Decryptor Available for ‘Key Group’ Ransomware Full Text
Abstract
Also known as keygroup777, Key Group is a Russian-speaking cybercrime actor known for selling personally identifiable information (PII) and access to compromised devices, as well as extorting victims for money. (Cyware)
August 26, 2023
LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants Full Text
Abstract
The leak of the LockBit 3.0 ransomware builder last year has led to threat actors abusing the tool to spawn new variants. Russian cybersecurity company Kaspersky said it detected a ransomware intrusion that deployed a version of LockBit but with a markedly different ransom demand procedure. "The attacker behind this incident decided to use a different ransom note with a headline related to a previously unknown group, called NATIONAL HAZARD AGENCY," security researchers Eduardo Ovalle and Francesco Figurelli said. The revamped ransom note directly specified the amount to be paid to obtain the decryption keys, and directed communications to a Tox service and email, unlike the LockBit group, which doesn't mention the amount and uses its own communication and negotiation platform. NATIONAL HAZARD AGENCY is far from the only cybercrime gang to use the leaked LockBit 3.0 builder. Some of the other threat actors known to leverage it include Bl00dy and Buhti. Kaspersk... (The Hacker News)
August 25, 2023
Ransomware With an Identity Crisis Targets Small Businesses, Individuals Full Text
Abstract
A key reason it was so tricky for researchers to identify TZW as a spinoff of Adhubllka is because of the small ransom demands the group typically makes. At such a level, victims often pay attackers and the attackers continue to fly under the radar. (Cyware)
August 23, 2023
Spacecolon Toolset Fuels Global Surge in Scarab Ransomware Attacks Full Text
Abstract
A malicious toolset dubbed Spacecolon is being deployed as part of an ongoing campaign to spread variants of the Scarab ransomware across victim organizations globally. "It probably finds its way into victim organizations by its operators compromising vulnerable web servers or via brute forcing RDP credentials," ESET security researcher Jakub Souček said in a detailed technical write-up published Tuesday. The Slovak cybersecurity firm, which dubbed the threat actor CosmicBeetle, said the origins of the Spacecolon date back to May 2020. The highest concentration of victims has been detected in France, Mexico, Poland, Slovakia, Spain, and Turkey. While the exact provenance of the adversary is unclear, several Spacecolon variants are said to contain Turkish strings, likely pointing to the involvement of a Turkish-speaking developer. There is no evidence currently linking it to any other known threat actor group. Some of the targets include a hospital and a tourist reso... (The Hacker News)
August 23, 2023
Report: Ransomware Attackers’ Dwell Time Shrinks Full Text
Abstract
Ransomware-wielding hackers are moving faster than ever to pull the trigger on malicious encryption - but they could be bumping up against the limits of how fast they can go, said security researchers from Sophos. (Cyware)
August 19, 2023
Cuba Ransomware Deploys New Tools to Target U.S. Critical Infrastructure Sector and IT Integrator in Latin America Full Text
Abstract
The group's toolkit includes custom and off-the-shelf parts, such as the BUGHATCH downloader and the Metasploit framework. The attacks often start with the compromise of valid credentials through a credentials reuse scheme or vulnerability exploits. (Cyware)
August 18, 2023
New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools Full Text
Abstract
Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's threat intelligence team said in a series of posts on X (formerly Twitter). "This BlackCat version also has the RemCom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment." RemCom, billed as an open-source alternative to PsExec, has been put to use by Chinese and Iranian nation-state threat actors like Dalbit and Chafer (aka Remix Kitten) to move across the victim environments in the past. Redmond said it started... (The Hacker News)
August 17, 2023
Play Ransomware Found Using Security MSPs and N-Day Exploits to Attack Full Text
Abstract
The Play ransomware group is targeting managed security service providers (MSSPs) to gain initial access and use up to a half-decade-old vulnerabilities in security appliances, warn security researchers with Adlumin. (Cyware)
August 15, 2023
Monti Ransomware gang launched a new Linux encryptor Full Text
Abstract
The Monti ransomware operators returned, after a two-month pause, with a new Linux variant of their encryptor. The variant was employed in attacks... (Security Affairs)
August 14, 2023
Monti Ransomware Unleashes New Encryptor for Linux Full Text
Abstract
The Monti ransomware group has reemerged after a two-month break, targeting legal and government institutions with a new Linux-based variant that shows significant differences from its previous versions. (Cyware)
August 9, 2023
The Ransomware Rollercoaster Continues as Criminals Advance Their Business Models Full Text
Abstract
Ransomware shows no signs of slowing, with ransomware activity ending 13 times higher than at the start of 2023 as a proportion of all malware detections, according to Fortinet. (Cyware)
August 08, 2023
New Yashma Ransomware Variant Targets Multiple English-Speaking Countries Full Text
Abstract
An unknown threat actor is using a variant of the Yashma ransomware to target various entities in English-speaking countries, Bulgaria, China, and Vietnam at least since June 4, 2023. Cisco Talos, in a new write-up, attributed the operation with moderate confidence to an adversary of likely Vietnamese origin. "The threat actor uses an uncommon technique to deliver the ransom note," security researcher Chetan Raghuprasad said. "Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file." Yashma, first described by the BlackBerry research and intelligence team in May 2022, is a rebranded version of another ransomware strain called Chaos. A month prior to its emergence, the Chaos ransomware builder was leaked in the wild. A notable aspect of the ransom note is its resemblance to the well-known WannaCry ransomware, possibly done so in an attempt to obs... (The Hacker News)
August 1, 2023
Spike in Ransomware Delivery via URLs, Reports Unit 42 Full Text
Abstract
Ransomware delivered through URLs has become the leading method for distributing ransomware, accounting for over 77% of cases in 2022 - found Unit 42. This is followed by emails at 12%. Researchers observed attackers using different URLs/hostnames to host or deliver different malware, including ran... (Cyware)
July 31, 2023
VMware ESXi Servers Face New Threat from Abyss Locker Full Text
Abstract
MalwareHunterTeam reported a new variant of the Abyss Locker ransomware designed to target Linux-based VMware ESXi servers. It employs SSH brute force attacks to gain unauthorized access to servers. The ransomware has claimed data theft ranging from 35GB to 700GB. Researchers also suspect a connect... (Cyware)
July 21, 2023
Mallox Ransomware Activity Surges by 174% Full Text
Abstract
Mallox ransomware activity surged by nearly 174% in 2023, using the new variant Xollam, employing the double extortion tactic to demand ransom from victims. The development is also being perceived as more affiliate groups coming together in this mission. Organizations must remain vigilant and adapt... (Cyware)
July 20, 2023
Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks Full Text
Abstract
Mallox ransomware activities in 2023 have witnessed a 174% increase when compared to the previous year, new findings from Palo Alto Networks Unit 42 reveal. "Mallox ransomware, like many other ransomware threat actors, follows the double extortion trend: stealing data before encrypting an organization's files, and then threatening to publish the stolen data on a leak site as leverage to convince victims to pay the ransom fee," security researchers Lior Rochberger and Shimi Cohen said in a new report shared with The Hacker News. Mallox is linked to a threat actor that's also linked to other ransomware strains, such as TargetCompany, Tohnichi, Fargo, and, most recently, Xollam. It first burst onto the scene in June 2021. Some of the prominent sectors targeted by Mallox are manufacturing, professional and legal services, and wholesale and retail. A notable aspect of the group is its pattern of exploiting poorly secured MS-SQL servers via dictionary attacks as... (The Hacker News)
July 11, 2023
Beware of Big Head Ransomware: Spreading Through Fake Windows Updates Full Text
Abstract
A developing piece of ransomware called Big Head is being distributed as part of a malvertising campaign that takes the form of bogus Microsoft Windows updates and Word installers. Big Head was first documented by Fortinet FortiGuard Labs last month, when it discovered multiple variants of the ransomware that are designed to encrypt files on victims' machines in exchange for a cryptocurrency payment. "One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update," Fortinet researchers said at the time. "One of the variants has a Microsoft Word icon and was likely distributed as counterfeit software." A majority of the Big Head samples have been submitted so far from the U.S., Spain, France, and Turkey. In a new analysis of the .NET-based ransomware, Trend Micro detailed its inner workings, calling out its ability to deploy three encrypted binaries: 1.exe to propag... (The Hacker News)
July 8, 2023
Tailing Big Head Ransomware’s Variants, Tactics, and Impact Full Text
Abstract
The Big Head ransomware displays a fake Windows update to deceive victims, communicates with the threat actor via a Telegram bot, and drops ransom notes with contact information. (Cyware)
July 07, 2023
BlackByte 2.0 Ransomware: Infiltrate, Encrypt, and Extort in Just 5 Days Full Text
Abstract
Ransomware attacks are a major problem for organizations everywhere, and the severity of this problem continues to intensify. Recently, Microsoft's Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes' terrifying velocity and damaging nature. The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They waste no time infiltrating systems, encrypting important data, and demanding a ransom to release it. This shortened timeline poses a significant challenge for organizations trying to protect themselves against these harmful operations. BlackByte ransomware is used in the final stage of the attack, using an 8-digit number key to encrypt the data. To carry out these attacks, hackers use a powerful combination of tools and techniques. The investigation revealed that they take advantage of unpatched Microsoft Exchange Servers—an... (The Hacker News)
July 6, 2023
RedEnergy: New Stealer-as-a-Ransomware Out in the Wild Full Text
Abstract
The recent detection of RedEnergy stealer-as-a-ransomware represents an advanced threat that combines stealthy data theft and encryption techniques to cause significant damage and seize control over its targets. (Cyware)
July 5, 2023
Ransomware Redefined: RedEnergy Stealer-as-a-Ransomware Full Text
Abstract
RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers while also incorporating different modules for carrying out ransomware activities. (Cyware)
July 05, 2023
RedEnergy Stealer-as-a-Ransomware Threat Targeting Energy and Telecom Sectors Full Text
Abstract
A sophisticated stealer-as-a-ransomware threat dubbed RedEnergy has been spotted in the wild targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through their LinkedIn pages. The malware "possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities," Zscaler researchers Shatak Jain and Gurkirat Singh said in a recent analysis. The goal, the researchers noted, is to couple data theft with encryption with the goal of inflicting maximum damage to the victims. The starting point for the multi-stage attack is a FakeUpdates (aka SocGholish) campaign that tricks users into downloading JavaScript-based malware under the guise of web browser updates. What makes it novel is the use of reputable LinkedIn pages to target victims, redirecting users clicking on the website URLs to a bogus landing page... (The Hacker News)
July 1, 2023
Avast released a free decryptor for the Windows version of the Akira ransomware Full Text
Abstract
Cybersecurity firm Avast released a free decryptor for the Windows version of the Akira ransomware that can allow victims to recover their data without paying the ransom... (Security Affairs)
June 29, 2023
Dark Power Ransomware on the Ascent – A Technical Insight into 2023’s Latest Ransomware Strain Full Text
Abstract
Dark Power is a highly advanced ransomware strain that uses advanced encryption techniques and targets various industries globally. It stops critical system services and processes, encrypts files, and drops a ransom note with payment instructions. (Cyware)
June 28, 2023
Linux version of Akira ransomware targets VMware ESXi servers Full Text
Abstract
The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide. (BleepingComputer)
June 28, 2023
8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses Full Text
Abstract
A ransomware threat called 8Base that has been operating under the radar for over a year has been attributed to a "massive spike in activity" in May and June 2023. "The group utilizes encryption paired with 'name-and-shame' techniques to compel their victims to pay their ransoms," VMware Carbon Black researchers Deborah Snyder and Fae Carlisle said in a report shared with The Hacker News. "8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries." 8Base, according to statistics gathered by Malwarebytes and NCC Group, has been linked to 67 attacks as of May 2023, with about 50% of the victims operating in the business services, manufacturing, and construction sectors. A majority of the targeted companies are located in the U.S. and Brazil. With very little known about the operators of the ransomware, its origins remain something of a cipher. What's evident is that it has been active sinc... (The Hacker News)
June 26, 2023
An Overview of the Different Versions of the Trigona Ransomware Full Text
Abstract
Trigona ransomware is a relatively new family that targets compromised MSSQL servers and has been detected mainly in the technology and healthcare industries in countries such as the US, India, and Israel. (Cyware)
June 21, 2023
May ransomware activity rises behind 8base, LockBit gangs Full Text
Abstract
LockBit was the most active group last month, but NCC Group researchers were surprised by 8base, which started listing victims from attacks that occurred beginning in April 2022. (Cyware)
June 12, 2023
New Entrants to Ransomware Unleash Frankenstein Malware Full Text
Abstract
In their haste to make money, some new players are picking over the discarded remnants of previous ransomware groups, cobbling together ransomware rather than going through the trouble of coding bespoke crypto-locking software. (Cyware)
June 06, 2023
Cyclops Ransomware Gang Offers Go-Based Info Stealer to Cybercriminals Full Text
Abstract
Threat actors associated with the Cyclops ransomware have been observed offering an information stealer malware that's designed to capture sensitive data from infected hosts. "The threat actor behind this [ransomware-as-a-service] promotes its offering on forums," Uptycs said in a new report. "There it requests a share of profits from those engaging in malicious activities using its malware." Cyclops ransomware is notable for targeting all major desktop operating systems, including Windows, macOS, and Linux. It's also designed to terminate any potential processes that could interfere with encryption. The macOS and Linux versions of Cyclops ransomware are written in Golang. The ransomware further employs a complex encryption scheme that's a mix of asymmetric and symmetric encryption. The Go-based stealer, for its part, is designed to target Windows and Linux systems, capturing details such as operating system information, computer name, number o... (The Hacker News)
June 4, 2023
New BlackSuit Ransomware Exhibit Striking Similarities With Royal Full Text
Abstract
Trend Micro examined and uncovered “an extremely high degree of similarity” between the recently surfaced BlackSuit group and the Royal ransomware group. They share approximately 98% similarity in functions, 99.5% similarity in code blocks, and 98.9% similarity in jump instructions, as witnessed on... (Cyware)
June 03, 2023
New Linux Ransomware Strain BlackSuit Shows Striking Similarities to Royal Full Text
Abstract
An analysis of the Linux variant of a new ransomware strain called BlackSuit has uncovered significant similarities with another ransomware family called Royal. Trend Micro, which examined an x64 VMware ESXi version targeting Linux machines, said it identified an "extremely high degree of similarity" between Royal and BlackSuit. "In fact, they're nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files," Trend Micro researchers noted. A comparison of the Windows artifacts has identified 93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps based on BinDiff. BlackSuit first came to light in early May 2023 when Palo Alto Networks Unit 42 drew attention to its ability to target both Windows and Linux hosts. In line with other ransomware groups, it runs a double extortion scheme that steals and encrypts sensitive data in a c... (The Hacker News)
June 3, 2023
New Linux Ransomware BlackSuit is similar to Royal ransomware Full Text
Abstract
Experts noticed that the new Linux ransomware BlackSuit has significant similarities with the Royal ransomware family. Royal ransomware is one of the most notable ransomware families of 2022; it made the headlines in early May 2023 with the attack... (Security Affairs)
June 01, 2023
Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics Full Text
Abstract
The threat actors behind BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth in an attempt to bypass security guardrails and achieve their goals. The new version, dubbed Sphynx and announced in February 2023, packs a "number of updated capabilities that strengthen the group's efforts to evade detection," IBM Security X-Force said in a new analysis. The "product" update was first highlighted by vx-underground in April 2023. Trend Micro, last month, detailed a Linux version of Sphynx that's "focused primarily on its encryption routine." BlackCat, also called ALPHV and Noberus, is the first Rust-language-based ransomware strain spotted in the wild. Active since November 2021, it has emerged as a formidable ransomware actor, victimizing more than 350 targets as of May 2023. The group, like other ransomware-as-a-service (RaaS) offerings, is known to operate a double extortion scheme, deploying c... (The Hacker News)
May 27, 2023
New Buhti ransomware operation uses rebranded LockBit and Babuk payloads Full Text
Abstract
The recently identified Buhti operation targets organizations worldwide with rebranded LockBit and Babuk ransomware variants. Researchers from Symantec discovered a new ransomware operation called Buhti (aka Blacktail) that is using LockBit and Babuk... (Security Affairs)
May 25, 2023
New Buhti Ransomware Operation Relies on Repurposed Payloads Full Text
Abstract
While the group doesn’t develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types. (Cyware)
May 23, 2023
BlackCat Ransomware affiliate uses signed kernel driver to evade detection Full Text
Abstract
Experts spotted the ALPHV/BlackCat ransomware group using signed malicious Windows kernel drivers to evade detection. Trend Micro researchers shared details about an ALPHV/BlackCat ransomware incident that took place in February 2023. A BlackCat affiliate... (Security Affairs)
May 22, 2023
Malicious Windows kernel drivers used in BlackCat ransomware attacks Full Text
Abstract
The ALPHV ransomware group (aka BlackCat) was observed employing signed malicious Windows kernel drivers to evade detection by security software during attacks. (BleepingComputer)
May 22, 2023
BlackCat Ransomware Deploys New Signed Kernel Driver Full Text
Abstract
Trend Micro researchers reported on an incident involving the BlackCat ransomware that took place in February 2023. The researchers highlighted a new capability, which involved the utilization of a signed kernel driver for evasion.Cyware
May 20, 2023
Newcomer MalasLocker Group Demands Ransom as Donation for Charity Full Text
Abstract
MalasLocker emerged as a new ransomware operation, since the end of March, targeting Zimbra servers. The group gains access to servers by exploiting vulnerabilities in Zimbra software. Instead of demanding a ransom payment, MalasLocker demands a donation to a charity to provide a decryptor and prev ... Read MoreCyware
May 17, 2023
MalasLocker ransomware targets Zimbra servers, demands charity donation Full Text
Abstract
A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking.BleepingComputer
May 16, 2023
Inside Qilin Ransomware: Affiliates Take Home 85% of Ransom Payouts Full Text
Abstract
Ransomware affiliates associated with the Qilin ransomware-as-a-service (RaaS) scheme earn anywhere between 80% to 85% of each ransom payment, according to new findings from Group-IB. The cybersecurity firm said it was able to infiltrate the group in March 2023, uncovering details about the affiliates' payment structure and the inner workings of the RaaS program following a private conversation with a Qilin recruiter who goes by the online alias Haise. "Many Qilin ransomware attacks are customized for each victim to maximize their impact," the Singapore-headquartered company said in an exhaustive report. "To do this, the threat actors can leverage such tactics as changing the filename extensions of encrypted files and terminating specific processes and services." Qilin, also known as Agenda, was first documented by Trend Micro in August 2022, starting off as a Go-based ransomware before switching to Rust in December 2022. The adoption of Rust is alsoThe Hacker News
May 15, 2023
Rise in Attacks Against ESXi: Babuk Source Code Inspires Nine Different Ransomware Strains
Abstract
SentinelLabs detected 10 ransomware families employing VMware ESXi lockers, derived from the leaked 2021 Babuk source code. These variants emerged between H2 2022 and H1 2023. The report also highlights similarities between Babuk's source code and the ESXi encrypters used by Conti and REvil, indica... (Cyware)
May 15, 2023
Introducing the DRM-Report Q1 2023: Unveiling the Current State of Ransomware
Abstract
DRM Dashboard Ransomware Monitor released the first quarterly report for the year 2023 about the activities of ransomware groups globally. DRM Dashboard Ransomware Monitor, an independent platform of cybersecurity monitoring, is pleased to release... (Security Affairs)
May 15, 2023
New ‘MichaelKors’ Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems
Abstract
A new ransomware-as-a-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems as of April 2023. The development points to cybercriminal actors increasingly setting their eyes on ESXi, cybersecurity firm CrowdStrike said in a report shared with The Hacker News. "This trend is especially noteworthy given the fact that ESXi, by design, does not support third-party agents or AV software," the company said. "In fact, VMware goes as far as to claim it's not required. This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries." The targeting of VMware ESXi hypervisors with ransomware to scale such campaigns is a technique known as hypervisor jackpotting. Over the years, the approach has been adopted by several ransomware groups, including Royal. What's more,... (The Hacker News)
May 15, 2023
Russia-Affiliated CheckMate Ransomware Quietly Targets Popular File-Sharing Protocol
Abstract
After gaining access to SMB shares, threat actors behind CheckMate ransomware encrypt all files and leave a ransom note demanding payment in exchange for the decryption key. (Cyware)
May 13, 2023
Russia-affiliated CheckMate ransomware quietly targets popular file-sharing protocol
Abstract
The CheckMate ransomware operators have been targeting the Server Message Block (SMB) communication protocol used for file sharing to compromise their victims’ networks. Unlike most ransom campaigns, CheckMate, discovered in 2022, has been quiet... (Security Affairs)
May 12, 2023
Leaked source code of Babuk ransomware used by 10 different ransomware families targeting VMware ESXi
Abstract
The leak of the source code of the Babuk ransomware allowed 9 ransomware gangs to create their own ransomware targeting VMware ESXi systems. SentinelLabs researchers have identified 10 ransomware families using VMware ESXi lockers based on the source... (Security Affairs)
May 9, 2023
New CACTUS ransomware appeared in the threat landscape
Abstract
Researchers warn of a new ransomware family called CACTUS that exploits known vulnerabilities in VPN appliances to gain initial access to victims' networks. Researchers from cybersecurity firm Kroll have analyzed a new ransomware family called... (Security Affairs)
May 9, 2023
New Ransomware Strain ‘CACTUS’ Exploits VPN Flaws to Infiltrate Networks
Abstract
Cybersecurity researchers have shed light on a new ransomware strain called CACTUS that has been found to leverage known flaws in VPN appliances to obtain initial access to targeted networks. "Once inside the network, CACTUS actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks," Kroll said in a report shared with The Hacker News. The ransomware has been observed targeting large commercial entities since March 2023, with attacks employing double extortion tactics to steal sensitive data prior to encryption. No data leak site has been identified to date. Following a successful exploitation of vulnerable VPN devices, an SSH backdoor is set up to maintain persistent access and a series of PowerShell commands are executed to conduct network scanning and identify a list of machines fo... (The Hacker News)
May 5, 2023
The Week in Ransomware - May 5th 2023 - Targeting the public sector
Abstract
This week's ransomware news has been dominated by a Royal ransomware attack on the City of Dallas that took down part of the IT infrastructure. (BleepingComputer)
April 29, 2023
Coercion in the Age of Ransomware: New Tactics for Extorting Payments
Abstract
A ransomware report by GuidePoint Security offers valuable information on the current ransomware threat scenario and highlights the coercion tactics utilized by significant ransomware groups, such as double extortion and DDoS attacks. In the education sector, there was a 17% rise in publicly disclosed... (Cyware)
April 29, 2023
RTM Group Launches its Linux Ransomware
Abstract
RTM Locker threat actors have launched a new version of the ransomware strain that can infect Linux, NAS, and ESXi hosts. Its code shares similarities with the Babuk ransomware's leaked source code, Uptycs experts revealed. The encryption function uses pthreads (aka POSIX threads) to speed up executi... (Cyware)
April 28, 2023
Rapture, a Ransomware Family With Similarities to Paradise
Abstract
In March and April 2023, Trend Micro researchers observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. (Cyware)
April 27, 2023
Researchers found the first Linux variant of the RTM locker
Abstract
RTM ransomware-as-a-service (RaaS) started offering locker ransomware that targets Linux, NAS, and ESXi systems. The Uptycs threat research team discovered the first ransomware binary attributed to the RTM ransomware-as-a-service (RaaS) provider... (Security Affairs)
April 27, 2023
Crooks use PaperCut exploits to deliver Cl0p and LockBit ransomware
Abstract
Microsoft revealed that recent attacks against PaperCut servers were aimed at distributing Cl0p and LockBit ransomware. Microsoft linked the recent attacks against PaperCut servers to a financially motivated threat actor tracked as Lace Tempest (formerly... (Security Affairs)
April 27, 2023
RTM Locker’s First Linux Ransomware Strain Targeting NAS and ESXi Hosts
Abstract
The threat actors behind RTM Locker have developed a ransomware strain that's capable of targeting Linux machines, marking the group's first foray into the open source operating system. "Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware's leaked source code," Uptycs said in a new report published Wednesday. "It uses a combination of ECDH on Curve25519 (asymmetric encryption) and Chacha20 (symmetric encryption) to encrypt files." RTM Locker was first documented by Trellix earlier this month, describing the adversary as a private ransomware-as-a-service (RaaS) provider. It has its roots in a cybercrime group called Read The Manual (RTM) that's known to be active since at least 2015. The group is notable for deliberately avoiding high-profile targets such as critical infrastructure, law enforcement, and hospitals so as to draw as little attention as possible. It also leverages affilia... (The Hacker News)
April 27, 2023
New coercive tactics used to extort ransomware payments
Abstract
The increase in reported ransomware victims across Q1 2023 reflects the continued prevalence of ransomware as a worldwide, industry-agnostic threat, according to GuidePoint Security. (Cyware)
April 24, 2023
Play Ransomware Group Adds Two New Tools to Harvest More Data
Abstract
The Play ransomware group has added two custom tools written in .NET to expand the effectiveness of its attacks. Named Grixba and Volume Shadow Copy Service (VSS), these tools enable attackers to keep track of users in compromised networks and gather information about security, backup, and remote a... (Cyware)
April 24, 2023
Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack
Abstract
Threat actors are employing a previously undocumented "defense evasion tool" dubbed AuKill that's designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack. "The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system," Sophos researcher Andreas Klopsch said in a report published last week. Incidents analyzed by the cybersecurity firm show the use of AuKill since the start of 2023 to deploy various ransomware strains such as Medusa Locker and LockBit. Six different versions of the malware have been identified to date. The oldest AuKill sample features a November 2022 compilation timestamp. The BYOVD technique relies on threat actors misusing a legitimate, but out-of-date and exploitable, driver signed by Microsoft (or usin... (The Hacker News)
April 20, 2023
LockBit Eyes macOS; Test Version of macOS Encryptor Revealed
Abstract
MalwareHunterTeam discovered a ZIP archive, belonging to the LockBit ransomware group, uploaded to VirusTotal containing previously unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC. Security analysts from BleepingComputer assert that the discovered builds could have been created for testin... (Cyware)
April 20, 2023
Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks
Abstract
Fortra, the company behind Cobalt Strike, shed light on a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT tool that has come under active exploitation by ransomware actors to steal sensitive data. The high-severity flaw, tracked as CVE-2023-0669 (CVSS score: 7.2), concerns a case of pre-authenticated command injection that could be abused to achieve code execution. The issue was patched by the company in version 7.1.2 of the software in February 2023, but not before it was weaponized as a zero-day since January 18. Fortra, which worked with Palo Alto Networks Unit 42, said it was made aware of suspicious activity associated with some of the file transfer instances on January 30, 2023. "The unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments," the company said. "For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their h... (The Hacker News)
April 20, 2023
Trigona Ransomware targets Microsoft SQL servers
Abstract
Threat actors are hacking poorly secured and Internet-exposed Microsoft SQL servers to deploy the Trigona ransomware. Threat actors are hacking into poorly secured and public-facing Microsoft SQL servers to deploy Trigona ransomware. Trigona is a malware... (Security Affairs)
April 19, 2023
Action1 RMM Abused by Threat Actors for Ransomware Attacks
Abstract
A rising trend has been identified among cybercriminals: they are using Action1 remote access software for reconnaissance activity and to run code with system privileges on network hosts. In fact, it was observed in at least three ransomware attacks by threat actor groups. (Cyware)
April 18, 2023
LockBit Ransomware Now Targeting Apple macOS Devices
Abstract
Threat actors behind the LockBit ransomware operation have developed new artifacts that can encrypt files on devices running Apple's macOS operating system. The development, which was reported by the MalwareHunterTeam over the weekend, appears to be the first time a big-game ransomware crew has created a macOS-based payload. Additional samples identified by vx-underground show that the macOS variant has been available since November 11, 2022, and has managed to evade detection by anti-malware engines until now. LockBit is a prolific cybercrime crew with ties to Russia that has been active since late 2019, with the threat actors releasing two major updates to the locker in 2021 and 2022. According to statistics released by Malwarebytes last week, LockBit emerged as the second most used ransomware in March 2023 after Cl0p, accounting for 93 successful attacks. An analysis of the new macOS version ("locker_Apple_M1_64") reveals that it's still a work in pr... (The Hacker News)
April 18, 2023
PowerShell Data Theft: Vice Society Ransomware’s Latest Weapon
Abstract
Researchers revealed that the Vice Society ransomware group is utilizing a specialized tool based on PowerShell to escape detection and automate the data extraction process. With the adoption of increasingly sophisticated tools, Vice Society has become a formidable threat to organizations globally... (Cyware)
April 17, 2023
Vice Society Ransomware Using Stealthy PowerShell Tool for Data Exfiltration
Abstract
Threat actors associated with the Vice Society ransomware gang have been observed using a bespoke PowerShell-based tool to fly under the radar and automate the process of exfiltrating data from compromised networks. "Threat actors (TAs) using built-in data exfiltration methods like [living off the land binaries and scripts] negate the need to bring in external tools that might be flagged by security software and/or human-based security detection mechanisms," Palo Alto Networks Unit 42 researcher Ryan Chapman said. "These methods can also hide within the general operating environment, providing subversion to the threat actor." Vice Society, tracked by Microsoft under the name DEV-0832, is an extortion-focused hacking group that emerged on the scene in May 2021. It's known to rely on ransomware binaries sold on the criminal underground to meet its goals. In December 2022, SentinelOne detailed the group's use of a ransomware variant, dubbed PolyVi... (The Hacker News)
April 16, 2023
Experts found the first LockBit encryptor that targets macOS systems
Abstract
Researchers warn that the LockBit ransomware gang has developed encryptors to target macOS devices. The LockBit group is the first ransomware gang of all time that has created encryptors to target macOS systems, MalwareHunterTeam warns. MalwareHunterTeam... (Security Affairs)
April 15, 2023
RTM Locker Enforces Strict Rules on Affiliates to Avoid Public Attention
Abstract
Trellix detected a new private RaaS group, named Read The Manual (RTM) Locker, that has been leveraging affiliates for ransom. Also, it flies under the radar by avoiding high-profile targets. Moreover, the self-destructive nature of RTM Locker and the wipeout of logs make it a tough game to cr... (Cyware)
April 5, 2023
Rorschach - New Ransomware with Highest-Ever Encryption Speed
Abstract
A new ransomware strain, named Rorschach, was unveiled by Check Point Research. The ransomware boasts an advanced level of customization and fast encryption, which sets it apart from other strains. Furthermore, an in-depth examination of Rorschach's source code indicates similarities with the Babuk... (Cyware)
April 4, 2023
Rorschach Ransomware Emerges: Experts Warn of Advanced Evasion Strategies
Abstract
Cybersecurity researchers have taken the wraps off a previously undocumented ransomware strain called Rorschach that's both sophisticated and fast. "What makes Rorschach stand out from other ransomware strains is its high level of customization and its technically unique features that have not been seen before in ransomware," Check Point Research said in a new report. "In fact, Rorschach is one of the fastest ransomware strains ever observed, in terms of the speed of its encryption." The cybersecurity firm said it observed the ransomware deployed against an unnamed U.S.-based company, adding it found no branding or overlaps that connect it to any previously known ransomware actors. However, further analysis of Rorschach's source code reveals similarities to Babuk ransomware, which suffered a leak in September 2021, and LockBit 2.0. On top of that, the ransom notes sent out to the victims appear to be inspired by that of Yanluowang and DarkSi... (The Hacker News)
April 4, 2023
Rorschach ransomware has the fastest file-encrypting routine to date
Abstract
A new ransomware strain named Rorschach ransomware supports the fastest file-encrypting routine observed to date. Check Point Research (CPR) and Check Point Incident Response Team (CPIRT) researchers detected a previously unknown ransomware strain... (Security Affairs)
April 1, 2023
New Cylance Ransomware Targets Linux and Windows, Warn Researchers
Abstract
Researchers at Palo Alto Networks Unit 42 discovered the new Cylance ransomware, which has already claimed several victims. Researchers noticed it early Friday morning, and further probing revealed that it is targeting Linux and Windows devices. (Cyware)
April 1, 2023
Ransomware Roundup – Dark Power and PayMe100USD Ransomware
Abstract
Dark Power is a relatively new ransomware written in the Nim programming language and launched in early February 2023. PayMe100USD is a new ransomware written in Python that was discovered in March 2023. (Cyware)
March 22, 2023
Trigona Evolves TTPs, Targets Orgs Worldwide
Abstract
Trigona ransomware, which surfaced in December 2022, targeted at least 15 organizations across different sectors in the U.S., Australia, Italy, France, New Zealand, and Germany. The malware is capable of getting initial access, performing reconnaissance, transferring malware via a remote monitoring... (Cyware)
March 20, 2023
Researchers Shed Light on CatB Ransomware’s Evasion Techniques
Abstract
The threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking to evade detection and launch the payload. CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities. It's worth noting that the use of Pandora has been attributed to Bronze Starlight (aka DEV-0401 or Emperor Dragonfly), a China-based threat actor that's known to employ short-lived ransomware families as a ruse to likely conceal its true objectives. One of the key defining characteristics of CatB is its reliance on DLL hijacking via a legitimate service called Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch the ransomware payload. "Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload," SentinelOne researc... (The Hacker News)
March 18, 2023
QBot Laying the Foundations for Black Basta Ransomware Activity
Abstract
The attacker’s actions had the whiff of a Black Basta affiliate, with Qbot activity widely reported as being a cornerstone of Black Basta intrusions. Black Basta is a splinter group that emerged after the “Conti” ransomware syndicate was quelled. (Cyware)
March 18, 2023
Kaspersky released a new decryptor for Conti-based ransomware
Abstract
Kaspersky released a new version of the decryptor for the Conti ransomware that is based on the previously leaked source code of the malware. Kaspersky has published a new version of a decryption tool for the Conti ransomware based on previously leaked... (Security Affairs)
March 18, 2023
Bee-Ware of Trigona, An Emerging Ransomware Strain
Abstract
By analyzing Trigona ransomware binaries and ransom notes from VirusTotal, as well as information from incident response, Unit 42 determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. (Cyware)
March 14, 2023
The Prolificacy of LockBit Ransomware
Abstract
Today, the LockBit ransomware is the most active and successful cybercrime organization in the world. Attributed to a Russian threat actor, LockBit has stepped out from the shadows of the Conti ransomware group, which was disbanded in early 2022. LockBit ransomware was first discovered in September 2019 and was previously known as ABCD ransomware because of the ".abcd virus" extension first observed. LockBit operates as a Ransomware-as-a-Service (RaaS) model. In short, this means that affiliates make a deposit to use the tool, then split the ransom payment with the LockBit group. It has been reported that some affiliates are receiving a share as high as 75%. LockBit's operators have posted advertisements for their affiliate program on Russian-language criminal forums stating they will not operate in Russia or any CIS countries, nor will they work with English-speaking developers unless a Russian-speaking "guarantor" vouches for them. Initial attack vectors of... (The Hacker News)
March 10, 2023
Nevada Ransomware: Yet Another Nokoyawa Variant
Abstract
Zscaler ThreatLabz has identified significant code similarities between Nevada and Nokoyawa ransomware, including debug strings, command-line arguments, and encryption algorithms. (Cyware)
March 9, 2023
IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks
Abstract
A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world. The intrusions entail the exploitation of a recently disclosed deserialization vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8), according to cybersecurity company SentinelOne. "This strategic shift is a significant move that aligns them with other ransomware groups that also target Linux systems," Alex Delamotte, senior threat researcher at SentinelOne, said in a report shared with The Hacker News. A majority of the attacks observed by SentinelOne have been directed against companies located in Turkey, Iran, Pakistan, and the U.A.E., countries that are not typically targeted by organized ransomware crews. IceFire was first detected in March 2022 by the MalwareHunterTeam, but it wasn't until August 2022 tha... (The Hacker News)
March 9, 2023
Recently discovered IceFire Ransomware now also targets Linux systems
Abstract
The recently discovered Windows ransomware IceFire now also targets Linux enterprise networks in multiple sectors. SentinelLabs researchers discovered new Linux versions of the recently discovered IceFire ransomware that was employed in attacks against... (Security Affairs)
March 6, 2023
LockBit Introduces New Method to Bypass MOTW Protection
Abstract
Researchers uncovered a new LockBit ransomware campaign last December and January using a novel technique involving the use of a .img container to bypass the Mark of the Web (MOTW) protection mechanism. LockBit remained one of the most active ransomware families in successful RaaS and extortion att... (Cyware)
March 1, 2023
Universal Decryptor for MortalKombat Ransomware Released
Abstract
A new decryptor for the MortalKombat ransomware is now available for download. Bitdefender has been monitoring the MortalKombat ransomware family since it first appeared online in January this year. (Cyware)
February 28, 2023
Bitdefender Releases Free Decryptor for MortalKombat Ransomware Strain
Abstract
Romanian cybersecurity company Bitdefender has released a free decryptor for a new ransomware strain known as MortalKombat. MortalKombat is a new ransomware strain that emerged in January 2023. It's based on commodity ransomware dubbed Xorist and has been observed in attacks targeting entities in the U.S., the Philippines, the U.K., and Turkey. Xorist, detected since 2010, is distributed as a ransomware builder, allowing cyber threat actors to create and customize their own version of the malware. This includes the ransom note, the file name of the ransom note, the list of file extensions targeted, the wallpaper to be used, and the extension to be used on encrypted files. MortalKombat notably was deployed in recent attacks mounted by an unnamed financially motivated threat actor as a part of a phishing campaign aimed at a wide range of organizations. "MortalKombat encrypts various files on the victim machine's filesystem, such as system, application, database,... (The Hacker News)
February 28, 2023
Bitdefender released a free decryptor for the MortalKombat Ransomware family
Abstract
Antivirus company Bitdefender has released a free decryptor for the recently discovered ransomware family MortalKombat. Good news for the victims of the recently discovered MortalKombat ransomware: the antivirus firm Bitdefender has released a... (Security Affairs)
February 28, 2023
New EX-22 Tool Empowers Hackers with Stealthy Ransomware Attacks on Enterprises
Abstract
A new post-exploitation framework called EXFILTRATOR-22 (aka EX-22) has emerged in the wild with the goal of deploying ransomware within enterprise networks while flying under the radar. "It comes with a wide range of capabilities, making post-exploitation a cakewalk for anyone purchasing the tool," CYFIRMA said in a new report. Some of the notable features include establishing a reverse shell with elevated privileges, uploading and downloading files, logging keystrokes, launching ransomware to encrypt files, and starting a live VNC (Virtual Network Computing) session for real-time access. It's also equipped to persist after system reboots, perform lateral movement via a worm, view running processes, generate cryptographic hashes of files, and extract authentication tokens. The cybersecurity firm assessed with moderate confidence that threat actors responsible for creating the malware are operating from North, East, or Southeast Asia and are likely former affiliat... (The Hacker News)
February 22, 2023
A Deep Dive into the Evolution of Ransomware Part 1
Abstract
Ransomware extortion tactics range from publishing data bit by bit, in an attempt to increase pressure on targets, to more aggressive measures, making these threats all the harder for organizations and individuals alike to protect against. (Cyware)
February 21, 2023
HardBit 2.0 Engages in Clever Ransom Negotiation Based on Cyber Insurance Coverage
Abstract
Seemingly improving upon their initial release, HardBit version 2.0 was introduced toward the end of November 2022, with samples seen throughout the end of 2022 and into 2023. (Cyware)
February 18, 2023
Analysis of New CatB Ransomware Variant
Abstract
CatB is a reasonably new entrant to the ransomware field, with samples only dating back to December 2022. The CatB threat actor does not offer a web portal (on TOR or otherwise) to name and shame victims. (Cyware)
February 16, 2023
New MortalKombat ransomware employed in financially motivated campaign
Abstract
Talos researchers observed a financially motivated threat actor using a new ransomware dubbed MortalKombat and a clipper malware named Laplas. Since December 2022, Cisco Talos researchers have been observing an unidentified financially motivated... (Security Affairs)
February 14, 2023
VMware ransomware was on the rise leading up to ESXiArgs spree, research finds
Abstract
Only two cyberattacks targeted ESXi with ransomware in 2020, but in 2021, Recorded Future identified more than 400 incidents. Last year the number ballooned, growing almost threefold to 1,118 in 2022, the research found. (Cyware)
February 11, 2023
New ESXiArgs Ransomware Variant Emerges After CISA Releases Decryptor Tool Full Text
Abstract
After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks , the threat actors have bounced back with an updated version that encrypts more data. The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB will have 50% of their data encrypted, making the recovery process more challenging. Another notable change is the removal of the Bitcoin address from the ransom note, with the attackers now urging victims to contact them on Tox to obtain the wallet information. The threat actors "realized that researchers were tracking their payments, and they may have even known before they released the ransomware that the encryption process in the original variant was relatively easy to circumvent," Censys said in a write-up. "In other words: they are watching." Statistics sharedThe Hacker News
February 11, 2023
Cl0p Goes Linux Ways, With Flaws and Frowns Full Text
Abstract
SentinelLabs claimed to have observed the first Linux variant of Cl0p ransomware. The ELF variant of the ransomware uses the same encryption method and similar process logic as it does for Windows. Given that some Windows-only capabilities are missing from this new Linux version, it appears to stil ... Read MoreCyware
February 9, 2023
A new variant of ESXiArgs ransomware makes recovery much harder Full Text
Abstract
Experts warn of new ESXiArgs ransomware attacks using an upgraded version that makes it harder to recover VMware ESXi virtual machines. Experts spotted a new variant of ESXiArgs ransomware targeting VMware ESXi servers, authors have improved the encryption...Security Affairs
February 7, 2023
New Linux variant of Clop Ransomware uses a flawed encryption algorithm Full Text
Abstract
A new Linux variant of the Clop ransomware has been observed in the wild, the good news is that its encryption algorithm is flawed. SentinelLabs researchers have observed the first Linux variant of the Clop ransomware. The researchers noticed that...Security Affairs
February 07, 2023
Linux Variant of Clop Ransomware Spotted, But Uses Faulty Encryption Algorithm Full Text
Abstract
The first-ever Linux variant of the Clop ransomware has been detected in the wild, but with a faulty encryption algorithm that has made it possible to reverse engineer the process. "The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom," SentinelOne researcher Antonis Terefos said in a report shared with The Hacker News. The cybersecurity firm, which has made available a decryptor, said it observed the ELF version on December 26, 2022, while also noting its similarities to the Windows flavor when it comes to using the same encryption method. The detected sample is said to be part of a larger attack targeting educational institutions in Colombia, including La Salle University, around the same time. The university was added to the criminal group's leak site in early January 2023, per FalconFeedsio. Known to have been active since 2019, the Clop (stylized as Cl0p) ransomware operation sufferedThe Hacker News
February 6, 2023
Italy, France and Singapore Warn of a Spike in ESXI Ransomware Full Text
Abstract
ESXi ransomware targeted thousands of VMware servers in a global-scale campaign, security experts and international CERTs warn. Thousands of computer servers have been targeted by a global ransomware hacking attack targeting VMware (VMW.N) ESXi servers....Security Affairs
February 6, 2023
Royal Ransomware adds support for encrypting Linux, VMware ESXi systems Full Text
Abstract
Royal Ransomware operators added support for encrypting Linux devices and targeting VMware ESXi virtual machines. The Royal Ransomware gang is the latest extortion group to add support for encrypting Linux devices and targeting VMware ESXi...Security Affairs
February 3, 2023
Nevada Ransomware: Another Feather in the RaaS Ecosystem Full Text
Abstract
A new ransomware family called Nevada Ransomware has emerged on underground forums. The actors behind this variant, as experts with Resecurity confirmed, have an affiliate platform first introduced in the RAMP underground community. The group recently distributed an updated locker—written in Rust— ... Read MoreCyware
February 1, 2023
Nevada Ransomware has Released Upgraded Locker Full Text
Abstract
The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups.Cyware
February 1, 2023
New LockBit Green Ransomware Variant Borrows Code From Conti Ransomware Full Text
Abstract
Lockbit ransomware operators have implemented a new version of their malware, dubbed LockBit Green, which was apparently designed to include cloud-based services among its targets.Cyware
February 1, 2023
New LockBit Green ransomware variant borrows code from Conti ransomware Full Text
Abstract
Lockbit ransomware operators have released a new version of their malware, LockBit Green, that also targets cloud-based services. Lockbit ransomware operators have implemented a new version of their malware, dubbed LockBit Green, which was designed...Security Affairs
February 1, 2023
Nevada Ransomware Has Released Upgraded Locker Full Text
Abstract
Researchers from Resecurity have identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. Resecurity, a California-based cybersecurity company protecting Fortune 500 firms globally, has identified...Security Affairs
January 23, 2023
New CrySIS/Dharma Ransomware Variants Budding like Mushrooms Full Text
Abstract
Following the leak of the source code of the CrySIS/Dharma ransomware family, cybercriminals worldwide continue to spin variants of it and deliver them via phishing attacks masked as genuine software. To gain access to the victim’s machine, CrySIS/Dharma operators abuse exposed RDP servers and also ... Read MoreCyware
January 20, 2023
Playing Whack-a-Mole with New CrySIS/Dharma Variants Full Text
Abstract
The CrySIS/Dharma ransomware family has been around for several years – dating back to at least 2016. At least one version of the ransomware had its source code leaked, allowing anyone to purchase and repurpose it for their own ends.Cyware
January 16, 2023
Avast researchers released a free BianLian ransomware decryptor for some variants of the malware Full Text
Abstract
Antivirus firm Avast released a free decryptor for the BianLian ransomware family that allows victims to recover locked files. Security firm Avast has released a free decryptor for the BianLian ransomware to allow victims of the malware to recover...Security Affairs
January 16, 2023
Cuba Ransomware Exploits Microsoft SSRF Vulnerability Full Text
Abstract
Sophos reported that the Cuba ransomware group used malicious hardware drivers certified by Microsoft’s Windows Hardware Developer Program in an attack that abuses the OWASSRF vulnerability.Cyware
January 11, 2023
Ransomware tracker: the latest figures [January 2023] Full Text
Abstract
The number of victims posted on ransomware extortion sites rose more than 20% in December to 241 organizations — the highest monthly count since April, according to data collected by Recorded Future.Cyware
January 9, 2023
Tactics of Four Ransomware Targeting macOS Full Text
Abstract
Microsoft has laid bare four ransomware families, namely KeRanger, FileCoder, MacRansom, and EvilQuest, that are targeting macOS systems worldwide. The initial vector for all these malware families is a user-assisted method, where the victim downloads and installs trojanized apps. The attackers rely on ... Read MoreCyware
January 06, 2023
Microsoft Reveals Tactics Used by 4 Ransomware Families Targeting macOS Full Text
Abstract
Microsoft has shed light on four different ransomware families – KeRanger, FileCoder, MacRansom, and EvilQuest – that are known to impact Apple macOS systems. "While these malware families are old, they exemplify the range of capabilities and malicious behavior possible on the platform," the tech giant's Security Threat Intelligence team said in a Thursday report. The initial vector for these ransomware families involves what the Windows maker calls "user-assisted methods," wherein the victim downloads and installs trojanized applications. Alternatively, it can also arrive as a second-stage payload that's dropped by an already existing malware on the infected host or as part of a supply chain attack. Irrespective of the modus operandi employed, the attacks proceed along similar lines, with the threat actors relying on legitimate operating system features and exploiting vulnerabilities to break into the systems and encrypt files of interest. This iThe Hacker News
January 6, 2023
Microsoft details techniques of Mac ransomware Full Text
Abstract
Microsoft warns of different ransomware families (KeRanger, FileCoder, MacRansom, and EvilQuest) targeting Apple macOS systems. Microsoft Security Threat Intelligence team warns of four different ransomware families (KeRanger, FileCoder, MacRansom,...Security Affairs
January 6, 2023
Bitdefender released a free decryptor for the MegaCortex ransomware Full Text
Abstract
Antivirus firm Bitdefender released a decryptor for the MegaCortex ransomware allowing its victims to restore their data for free. Antivirus firm Bitdefender released a decryptor for the MegaCortex ransomware, which can allow victims of the group...Security Affairs
January 3, 2023
Newly Found CatB Ransomware Uses DLL Hijacking to Evade Detection Full Text
Abstract
A newly identified CatB ransomware group has been found implementing several anti-VM and DLL hijacking techniques to evade detection. Before activating its anti-evasion techniques, the malware checks the number of processor cores, the hard drive size, and the physical memory of targeted machines. The ransomware is be ... Read MoreCyware
December 23, 2022
The Week in Ransomware - December 23rd 2022 - Targeting Microsoft Exchange Full Text
Abstract
Reports this week illustrate how threat actors consider Microsoft Exchange as a prime target for gaining initial access to corporate networks to steal data and deploy ransomware.BleepingComputer
December 22, 2022
Vice Society ransomware gang switches to new custom encryptor Full Text
Abstract
The Vice Society ransomware operation has switched to using a custom ransomware encryptor that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305.BleepingComputer
December 21, 2022
Play ransomware attacks use a new exploit to bypass ProxyNotShell mitigations on Exchange servers Full Text
Abstract
Play ransomware attacks target Exchange servers with a new exploit that bypasses Microsoft’s ProxyNotShell mitigations. Play ransomware operators target Exchange servers using a new exploit chain, dubbed OWASSRF by Crowdstrike, that bypasses Microsoft’s...Security Affairs
December 19, 2022
How Reveton Ransomware-as-a-Service Changed Cybersecurity Full Text
Abstract
In 2012, Reveton ransomware emerged. It’s considered to be the first Ransomware-as-a-Service (RaaS) operation ever. Since then, RaaS has enabled gangs with basic technical skills to launch attacks indiscriminately.Cyware
December 19, 2022
Experts spotted a variant of the Agenda Ransomware written in Rust Full Text
Abstract
Researchers spotted a new variant of the Agenda ransomware which is written in the cross-platform programming language Rust. Trend Micro researchers have spotted a new variant of the Agenda ransomware (aka Qilin) that is written in the Rust language....Security Affairs
December 16, 2022
Agenda Ransomware Uses Rust to Target More Vital Industries Full Text
Abstract
The new Rust-based variant of Agenda ransomware has also been seen using intermittent encryption, one of the emerging tactics that threat actors use today for faster encryption and detection evasion.Cyware
December 16, 2022
The Week in Ransomware - December 16th 2022 - Losing Trust Full Text
Abstract
Today's Week in Ransomware brings you the latest news and stories about the cyberattacks, new tactics, and reports related to ransomware operations.BleepingComputer
December 15, 2022
Royal Ransomware Puts Novel Spin on Encryption Tactics Full Text
Abstract
An emerging cybercriminal group linked with Conti has expanded its partial encryption strategy and demonstrates other evasive maneuvers, as it takes aim at healthcare and other sectors.Cyware
December 13, 2022
New Ransomware Families Lead Attacks Against Windows Systems Full Text
Abstract
According to Fortinet, three new (typical) ransomware families, named Aerst, ScareCrow, and Vohuk, are being increasingly used in attacks. The core target of the malware infection remains users in Germany and India. Experts have jotted down some similarities between ScareCrow and Conti, suggesting ... Read MoreCyware
December 12, 2022
Researchers Warn of New Aerst, ScareCrow, and Vohuk Ransomware Families Full Text
Abstract
Targeting Windows computers, these are typical ransomware families that encrypt victim files and demand a ransom payment in exchange for a decryption key. These new ransomware families have been used in an increasing number of attacks.Cyware
December 11, 2022
Clop ransomware uses TrueBot malware for access to networks Full Text
Abstract
Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence.BleepingComputer
December 09, 2022
The Week in Ransomware - December 9th 2022 - Wide Impact Full Text
Abstract
This week has been filled with research reports and news of significant attacks having a wide impact on many organizations.BleepingComputer
December 9, 2022
New Ransom Payment Schemes Target Executives, Telemedicine – Krebs on Security Full Text
Abstract
Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious.Cyware
December 8, 2022
Babuk Ransomware Variant in Major New Attack Full Text
Abstract
Attackers used a new Babuk strain to target a multibillion-dollar manufacturing company with more than 10,000 workstations and server devices. The attackers had network access for two weeks of full reconnaissance prior to launching their attack.Cyware
December 6, 2022
Ransomware Professionalization Grows as RaaS Takes Hold Full Text
Abstract
As ransomware's prevalence has grown over the past decade, leading ransomware groups such as Conti have added services and features as part of a growing trend toward professionalization.Cyware
December 02, 2022
The Week in Ransomware - December 2nd 2022 - Disrupting Health Care Full Text
Abstract
This week's big news was the Colombia health system being severely disrupted by a ransomware attack on Keralty, one of the country's largest healthcare providers.BleepingComputer
November 29, 2022
Trigona ransomware spotted in increasing attacks worldwide Full Text
Abstract
A previously unnamed ransomware has rebranded under the name 'Trigona,' launching a new Tor negotiation site where they accept Monero as ransom payments.BleepingComputer
November 29, 2022
Cryptonite and Punisher - An Analysis of New Ransomware Full Text
Abstract
The threat landscape is constantly evolving with new ransomware. FortiGuard Labs and Cyble spotted new Cryptonite and Punisher ransomware variants. The latter targeted users in Chile. Cryptonite is a free and open-source ransomware kit that can be downloaded by anyone willing to deploy it. Pu ... Read MoreCyware Alerts - Hacker News
November 29, 2022
How WannaCry Shapes Cybersecurity Today Full Text
Abstract
What set WannaCry apart, however, was its use of the SMB vulnerability to replicate itself across multiple network-connected devices. This exploit effort — known as EternalBlue — took WannaCry from mildly annoying to massively problematic.Security Intelligence
November 28, 2022
RansomBoggs Ransomware hit several Ukrainian entities, experts attribute it to Russia Full Text
Abstract
Several Ukrainian organizations were hit by Russia-based RansomBoggs Ransomware in the last week, ESET reports. Researchers from ESET observed multiple attacks involving a new family of ransomware, tracked as RansomBoggs ransomware, against Ukrainian...Security Affairs
November 26, 2022
Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organizations Full Text
Abstract
Ukraine has come under a fresh onslaught of ransomware attacks that mirror previous intrusions attributed to the Russia-based Sandworm nation-state group. Slovak cybersecurity company ESET, which dubbed the new ransomware strain RansomBoggs, said the attacks against several Ukrainian entities were first detected on November 21, 2022. "While the malware written in .NET is new, its deployment is similar to previous attacks attributed to Sandworm," the company said in a series of tweets Friday. The development comes as the Sandworm actor, tracked by Microsoft as Iridium, was implicated for a set of attacks aimed at transportation and logistics sectors in Ukraine and Poland with another ransomware strain called Prestige in October 2022. The RansomBoggs activity is said to employ a PowerShell script to distribute the ransomware, with the latter "almost identical" to the one used in the Industroyer2 malware attacks that came to light in April. According toThe Hacker News
November 24, 2022
Yanluowang Ransomware: The Hunter Becomes the Hunted Full Text
Abstract
Trellix researchers analyzed thousands of leaked internal messages related to the Yanluowang group and revealed the group's inner workings, victims, and possible collaboration with other Russian ransomware groups.Cyware Alerts - Hacker News
November 24, 2022
New RansomExx Ransomware Variant Rewritten in the Rust Programming Language Full Text
Abstract
The operators of the RansomExx ransomware have become the latest to develop a new variant fully rewritten in the Rust programming language, following other strains like BlackCat, Hive, and Luna. The latest version, dubbed RansomExx2 by the threat actor known as Hive0091 (aka DefrayX), is primarily designed to run on the Linux operating system, although it's expected that a Windows version will be released in the future. RansomExx, also known as Defray777 and Ransom X, is a ransomware family that's known to be active since 2018. It has since been linked to a number of attacks on government agencies, manufacturers, and other high-profile entities like Embraer and GIGABYTE. "Malware written in Rust often benefits from lower [antivirus] detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language," IBM Security X-Force researcher Charlotte Hammond said in a report published this week.The Hacker News
November 24, 2022
RansomExx Ransomware upgrades to Rust programming language Full Text
Abstract
RansomExx ransomware is the latest ransomware to have a version written entirely in the Rust programming language. The operators of the RansomExx ransomware (aka Defray777 and Ransom X) have developed a new variant of their malware,...Security Affairs
November 24, 2022
WannaRen Returns as Life Ransomware, Targets India Full Text
Abstract
Unlike its previous version, this new variant dubbed Life ransomware uses a batch file to download and execute WINWORD.exe to perform DLL side-loading and load the ransomware in memory.Trend Micro
November 23, 2022
RansomExx Ransomware Upgraded in Rust Full Text
Abstract
RansomExx is a ransomware that emerged first in 2018 under the name Defray. Since then, the malware has undergone multiple changes, with the latest updates being added in Rust language.Cyware Alerts - Hacker News
November 23, 2022
Donut Leaks Now Targets Victims With Its Own Custom Ransomware Tool Full Text
Abstract
BleepingComputer researchers have found new samples of an encryptor for Donut ransomware and confirmed that it is using its own customized ransomware in recent attacks.Cyware Alerts - Hacker News
November 23, 2022
RansomExx Upgrades to Rust Full Text
Abstract
RansomExx2 has been completely rewritten using Rust, but otherwise, its functionality is similar to its C++ predecessor. It requires a list of target directories to encrypt to be passed as command line parameters and then encrypts files with AES-256.Security Intelligence
November 21, 2022
Octocrypt, Alice, and AXLocker Ransomware, new threats in the wild Full Text
Abstract
Experts from Cyble Research and Intelligence Labs (CRIL) discovered three new ransomware families: AXLocker, Octocrypt, and Alice Ransomware. Threat intelligence firm Cyble announced the discovery of three new ransomware families named AXLocker, Octocrypt,...Security Affairs
November 20, 2022
New ransomware encrypts files, then steals your Discord account Full Text
Abstract
The new 'AXLocker' ransomware family is not only encrypting victims' files and demanding a ransom payment but also stealing the Discord accounts of infected users.BleepingComputer
November 18, 2022
The Week in Ransomware - November 18th 2022 - Rising Operations Full Text
Abstract
There have been some interesting developments in ransomware this week, with the arrest of a cybercrime ring leader and reports shedding light on two new, but up-and-coming, ransomware operations.BleepingComputer
November 18, 2022
Keeping Up With Ransomware Full Text
Abstract
The recent meeting of the International Counter Ransomware Initiative brought together representatives from over 30 countries and the private sector. It’s a good step in responding to different aspects of the ransomware threat, but the initiative seems to struggle to prevent future attacks.Lawfare
November 18, 2022
Hive Ransomware extorted over $100M in ransom payments from over 1,300 companies Full Text
Abstract
Hive ransomware operators have extorted over $100 million in ransom payments from over 1,300 companies worldwide as of November 2022. The threat actors behind the Hive ransomware-as-a-service (RaaS) have extorted $100 million in ransom payments from...Security Affairs
November 18, 2022
Researchers secretly helped decrypt Zeppelin ransomware for 2 years Full Text
Abstract
Security researchers found vulnerabilities in the encryption mechanism of the Zeppelin ransomware and exploited them to create a working decryptor they used since 2020 to help victim companies recover files without paying the attackers.BleepingComputer
November 17, 2022
Previously unidentified ARCrypter ransomware expands worldwide Full Text
Abstract
A previously unknown 'ARCrypter' ransomware that compromised key organizations in Latin America is now expanding its attacks worldwide.BleepingComputer
November 14, 2022
Russia Targets Ukraine With New Somnia Ransomware Full Text
Abstract
During an investigation into the recent series of attacks against organizations in Ukraine, the CERT-UA discovered a new ransomware variant called Somnia. The government has attributed the attacks to the group ‘From Russia with Love’ (FRwL), allegedly a Pro-Russian hacker group. The attackers appar ... Read MoreCyware Alerts - Hacker News
November 11, 2022
The Week in Ransomware - November 11th 2022 - LockBit feeling the heat Full Text
Abstract
This 'Week in Ransomware' covers the last two weeks of ransomware news, with new information on attacks, arrests, data wipers, and reports shared by cybersecurity firms and researchers.BleepingComputer
November 10, 2022
US Health Dept warns of Venus ransomware targeting healthcare orgs Full Text
Abstract
The U.S. Department of Health and Human Services (HHS) warned today that Venus ransomware attacks are also targeting the country's healthcare organizations.BleepingComputer
November 08, 2022
LockBit affiliate uses Amadey Bot malware to deploy ransomware Full Text
Abstract
A LockBit 3.0 ransomware affiliate is using phishing emails that install the Amadey Bot to take control of devices and encrypt them.BleepingComputer
November 07, 2022
Azov Ransomware is a wiper, destroying data 666 bytes at a time Full Text
Abstract
The Azov Ransomware continues to be heavily distributed worldwide, now proven to be a data wiper that intentionally destroys victims' data and infects other programs.BleepingComputer
November 1, 2022
Azov Ransomware - New Data Wiper Frames Security Researchers Full Text
Abstract
A new data wiper strain, dubbed Azov Ransomware, has debuted recently. It is being distributed through pirated software, key generators, and adware bundles. In the ongoing campaign, the wiper operators try to frame some renowned security groups and researchers. The wiper appears to have borrowed it ... Read MoreCyware Alerts - Hacker News
October 28, 2022
The Week in Ransomware - October 28th 2022 - Healthcare leaks Full Text
Abstract
This week, we learned of healthcare data leaks out of Australia, information about existing attacks, and reports on how ransomware gangs operate and partner with malware developers for initial access.BleepingComputer
October 27, 2022
Microsoft links Raspberry Robin worm to Clop ransomware attacks Full Text
Abstract
Microsoft says a threat group tracked as DEV-0950 used Clop ransomware to encrypt the network of a victim previously infected with the Raspberry Robin worm.BleepingComputer
October 27, 2022
Ransomware: Open Source to the Rescue Full Text
Abstract
Automobile, Energy, Media, Ransomware? When thinking about verticals, one may not instantly think of cyber-criminality. Yet, every move made by governments, clients, and private contractors screams toward normalizing those menaces as a new vertical. Ransomware has every trait of the classical economical vertical. A thriving ecosystem of insurers, negotiators, software providers, and managed service experts. This cybercrime branch looks at a loot stash that counts for trillions of dollars. The cybersecurity industry is too happy to provide services, software, and insurance to accommodate this new normal. Intense insurer lobbying in France led the finance ministry to give a positive opinion about reimbursing ransoms, against the very advice of its government's cybersecurity branch. The market is so big and juicy that no one can get in the way of "the development of the cyber insurance market." In the US, Colonial pipeline is seeking tax reductions from the loss incuThe Hacker News
October 25, 2022
Microsoft: Vice Society targets schools with multiple ransomware families Full Text
Abstract
A threat group known as Vice Society has been switching ransomware payloads in attacks targeting the education sector across the United States and worldwide.BleepingComputer
October 24, 2022
Cuba ransomware affiliate targets Ukrainian govt agencies Full Text
Abstract
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert about potential Cuba Ransomware attacks against critical networks in the country.BleepingComputer
October 22, 2022
LockBit Ransomware - The Most Active Global Threat Full Text
Abstract
LockBit, a RaaS, ranks among the top in the ransomware threat category as it has been causing significant damage through its attack campaigns. Lockbit 3.0 is its latest variant. LockBit has hit 1,157 victims on record (throughout its lifetime), which is way ahead of Conti (900), Hive (192), and Bla ... Read MoreCyware Alerts - Hacker News
October 22, 2022
TommyLeaks and SchoolBoys: Two sides of the same ransomware gang Full Text
Abstract
Two new extortion gangs named 'TommyLeaks' and 'SchoolBoys' are targeting companies worldwide. However, there is a catch — they are both the same ransomware gang.BleepingComputer
October 21, 2022
The Week in Ransomware - October 21st 2022 - Stop the Presses Full Text
Abstract
Cybersecurity researchers did not disappoint, with reports linking RansomCartel to REvil, on OldGremlin hackers targeting Russia with ransomware, a new data exfiltration tool used by BlackByte, a warning that ransomware actors are exploiting VMware vulnerabilities, and finally, our own report on the Venus Ransomware.BleepingComputer
October 21, 2022
BlackByte ransomware uses new data theft tool for double-extortion Full Text
Abstract
A BlackByte ransomware affiliate is using a new custom data stealing tool called 'ExByte' to steal data from compromised Windows devices quickly.BleepingComputer
October 20, 2022
OldGremlin Ransomware Targeted Over a Dozen Russian Entities in Multi-Million Scheme Full Text
Abstract
A Russian-speaking ransomware group dubbed OldGremlin has been attributed to 16 malicious campaigns aimed at entities operating in the transcontinental Eurasian nation over the course of two and a half years. "The group's victims include companies in sectors such as logistics, industry, insurance, retail, real estate, software development, and banking," Group-IB said in an exhaustive report shared with The Hacker News. "In 2020, the group even targeted an arms manufacturer." In what's a rarity in the ransomware landscape, OldGremlin (aka TinyScouts) is one of the very few financially motivated cybercrime gangs that primarily focuses on Russian companies. Other notable groups consist of Dharma, Crylock, and Thanos, contributing to an uptick in ransomware attacks targeting businesses in the country by over 200% in 2021. OldGremlin first came to light in September 2020 when the Singapore-headquartered cybersecurity company disclosed nine campaigns orchThe Hacker News
October 17, 2022
Magniber Ransomware Learns New Techniques, Targets Home Users Full Text
Abstract
A new Magniber campaign was found delivering fake Windows 10 and antivirus software updates to target home users, while staying undetected. Post-encryption the attackers demand a ransom of up to $2,500. In April 2022, Magniber was spotted spreading as a Windows 10 update through malicious websites. ... Read MoreCyware Alerts - Hacker News
October 17, 2022
Ukraine, Poland Orgs Targeted by New Prestige Ransomware Full Text
Abstract
Microsoft Threat Intelligence Center discovered a new ransomware attack campaign directed at the transportation and logistics entities in Ukraine and Poland. For now, researchers have attributed the infections to an unnamed cluster - DEV-0960. They are also clueless about the method of initial acce ... Read MoreCyware Alerts - Hacker News
October 17, 2022
New Prestige Ransomware Targeting Polish and Ukrainian Organizations Full Text
Abstract
A new ransomware campaign targeted the transportation and logistics sectors in Ukraine and Poland on October 11 with a previously unknown payload dubbed Prestige. "The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)," the Microsoft Threat Intelligence Center (MSTIC) said. The tech giant remarked the intrusions occurred within an hour of each other across all victims, attributing the infections to an unnamed cluster called DEV-0960. It did not disclose the scale of the attacks, but stated it's notifying all affected customers. The campaign is also believed to be distinct from other recent destructive attacks that have involved the use of HermeticWiper and CaddyWiper, the latter of which is launched by a malware loader called ArguePatch (aka AprilAxe). The method of initial access remains unknoThe Hacker News
October 16, 2022
Venus Ransomware targets publicly exposed Remote Desktop services Full Text
Abstract
Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices.BleepingComputer
October 16, 2022
Mysterious Prestige ransomware targets organizations in Ukraine and Poland Full Text
Abstract
Microsoft warns that new Prestige ransomware is targeting transportation and logistics organizations in Ukraine and Poland. Microsoft reported that new Prestige ransomware is being used in attacks aimed at transportation and logistics organizations...Security Affairs
October 14, 2022
The Week in Ransomware - October 14th 2022 - Bitcoin Trickery Full Text
Abstract
This week's news is action-packed, ranging from police tricking ransomware into releasing keys, to victims calling ransomware operations liars.BleepingComputer
October 14, 2022
Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland Full Text
Abstract
Microsoft says new Prestige ransomware is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks.BleepingComputer
October 14, 2022
Ransom Cartel Ransomware: A Possible Connection With REvil Full Text
Abstract
Ransom Cartel is ransomware as a service (RaaS) that surfaced in mid-December 2021. This ransomware performs double extortion attacks and exhibits several similarities and technical overlaps with REvil ransomware.Palo Alto Networks
October 13, 2022
Magniber ransomware now infects Windows users via JavaScript files Full Text
Abstract
A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates.BleepingComputer
October 12, 2022
LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware Full Text
Abstract
Lockbit ransomware affiliates are compromising Microsoft Exchange servers to deploy their ransomware, experts warn. South Korean cybersecurity firm AhnLab reported that Lockbit ransomware affiliates are distributing their malware via compromised Microsoft...Security Affairs
October 11, 2022
Microsoft Exchange servers hacked to deploy LockBit ransomware Full Text
Abstract
Microsoft is investigating reports of a new zero-day bug abused to hack Exchange servers which were later used to launch Lockbit ransomware attacks.BleepingComputer
October 8, 2022
BlackByte Ransomware abuses vulnerable driver to bypass security solutions Full Text
Abstract
The BlackByte ransomware operators are leveraging a flaw in a legitimate Windows driver to bypass security solutions. Researchers from Sophos warn that BlackByte ransomware operators are using a bring your own vulnerable driver (BYOVD) attack to bypass...Security Affairs
October 07, 2022
The Week in Ransomware - October 7th 2022 - A 20 year sentence Full Text
Abstract
It was a very quiet week regarding ransomware news, with the most significant news being the sentencing of a NetWalker affiliate to 20 years in prison.BleepingComputer
October 07, 2022
BlackByte Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions Full Text
Abstract
In yet another case of bring your own vulnerable driver (BYOVD) attack, the operators of the BlackByte ransomware are leveraging a flaw in a legitimate Windows driver to bypass security solutions. "The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection," Sophos threat researcher Andreas Klopsch said in a new technical write-up. BYOVD is an attack technique that involves threat actors abusing vulnerabilities in legitimate, signed drivers to achieve successful kernel-mode exploitation and seize control of compromised machines. Weaknesses in signed drivers have been increasingly co-opted by nation-state threat groups in recent years, including Slingshot, InvisiMole, APT28, and most recently, the Lazarus Group. BlackByte, believed to be an offshoot of the now-discontinued Conti group, is part of the big game cybercrime crews, which zeroes in on large, high-profile targets as part ofThe Hacker News
October 05, 2022
Avast releases free decryptor for MafiaWare666 ransomware variants Full Text
Abstract
Avast has released a decryptor for variants of the MafiaWare666 ransomware known as 'Jcrypt', 'RIP Lmao', and 'BrutusptCrypt,' allowing victims to recover their files for free.BleepingComputer
October 5, 2022
Conti Ransomware: The History Behind One of the World’s Most Aggressive RaaS Groups Full Text
Abstract
The Conti ransomware group has become one of the most notorious cybercrime collectives in the world, known for its aggressive tactics and large-scale attacks against a wide range of public and private organizations.Flashpoint
October 5, 2022
Avast releases a free decryptor for some Hades ransomware variants Full Text
Abstract
Avast released a free decryptor for variants of the Hades ransomware tracked as 'MafiaWare666', 'Jcrypt', 'RIP Lmao', and 'BrutusptCrypt'. Avast has released a decryptor for variants of the Hades ransomware known as 'MafiaWare666', 'Jcrypt', 'RIP...Security Affairs
October 05, 2022
BlackByte ransomware abuses legit driver to disable security products Full Text
Abstract
The BlackByte ransomware gang is using a new technique that researchers are calling "Bring Your Own Driver," which enables bypassing protections by disabling more than 1,000 drivers used by various security solutions.BleepingComputer
October 05, 2022
Avast releases free decryptor for Hades ransomware variants Full Text
Abstract
Avast has released a decryptor for variants of the Hades ransomware known as 'MafiaWare666', 'Jcrypt', 'RIP Lmao', and 'BrutusptCrypt,' allowing victims to recover their files for free.BleepingComputer
October 5, 2022
This is how half of ransomware attacks begin, and this is how you can stop them Full Text
Abstract
Over half of ransomware attacks now begin with criminals exploiting vulnerabilities in remote and internet-facing systems as hackers look to take advantage of unpatched cybersecurity issues.ZDNet
October 04, 2022
Cheerscrypt ransomware linked to a Chinese hacking group Full Text
Abstract
The Cheerscrypt ransomware has been linked to a Chinese hacking group named 'Emperor Dragonfly,' known to frequently switch between ransomware families to evade attribution.BleepingComputer
October 03, 2022
Researchers Link Cheerscrypt Linux-Based Ransomware to Chinese Hackers Full Text
Abstract
The recently discovered Linux-based ransomware strain known as Cheerscrypt has been attributed to a Chinese cyber espionage group known for operating short-lived ransomware schemes. Cybersecurity firm Sygnia attributed the attacks to a threat actor it tracks under the name Emperor Dragonfly, which is also known as Bronze Starlight (Secureworks) and DEV-0401 (Microsoft). "Emperor Dragonfly deployed open source tools that were written by Chinese developers for Chinese users," the company said in a report shared with The Hacker News. "This reinforces claims that the 'Emperor Dragonfly' ransomware operators are based in China." The use of Cheerscrypt is the latest addition to a long list of ransomware families previously deployed by the group in little over a year, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0. Secureworks, in its profile of the group, noted "it is plausible that Bronze Starlight deploys ransomware as a sThe Hacker News
September 30, 2022
The Week in Ransomware - September 30th 2022 - Emerging from the Shadows Full Text
Abstract
This week's news primarily revolves around LockBit, BlackMatter, and the rising enterprise-targeting Royal ransomware operation.BleepingComputer
September 30, 2022
Dissecting BlueSky Ransomware Payload Full Text
Abstract
BlueSky is a ransomware family first spotted in May 2022. The group behind it does not use the double-extortion model, and its targets include ordinary home users, since the ransomware has been found bundled inside cracks for programs and games.Yoroi
September 29, 2022
New Royal Ransomware emerges in multi-million dollar attacks Full Text
Abstract
A new ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million.BleepingComputer
September 28, 2022
Bl00dy ransomware gang started using leaked LockBit 3.0 builder in attacks Full Text
Abstract
The newly formed Bl00dy ransomware gang has started using the recently leaked LockBit ransomware builder in attacks in the wild. The Bl00dy ransomware gang is the first group that started using the recently leaked LockBit ransomware builder in attacks...Security Affairs
September 26, 2022
Data Corruption, A Potential New Trend in Ransomware Attacks Full Text
Abstract
The new data corruption tactic was identified in a new BlackCat ransomware attack and analyzed by the Cyderes Special Operations team and the Stairwell Threat Research team.Heimdal Security
September 25, 2022
Ransomware data theft tool may show a shift in extortion tactics Full Text
Abstract
Data exfiltration malware known as Exmatter and previously linked with the BlackMatter ransomware group is now being upgraded with data corruption functionality that may indicate a new tactic that ransomware affiliates might switch to in the future.BleepingComputer
September 23, 2022
The Week in Ransomware - September 23rd 2022 - LockBit leak Full Text
Abstract
This week we saw some embarrassment for the LockBit ransomware operation when their programmer leaked a ransomware builder for the LockBit 3.0 encryptor.BleepingComputer
September 22, 2022
BlackCat ransomware’s data exfiltration tool gets an upgrade Full Text
Abstract
The BlackCat ransomware (aka ALPHV) isn't showing any signs of slowing down, and the latest example of its evolution is a new version of the gang's data exfiltration tool used for double-extortion attacks.BleepingComputer
September 21, 2022
LockBit ransomware builder leaked online by “angry developer” Full Text
Abstract
The LockBit ransomware operation has suffered a breach, with an allegedly disgruntled developer leaking the builder for the gang's newest encryptor.BleepingComputer
September 20, 2022
Hive ransomware claims attack on New York Racing Association Full Text
Abstract
The Hive ransomware operation claimed responsibility for an attack on the New York Racing Association (NYRA), which previously disclosed that a cyber attack on June 30, 2022, impacted IT operations and website availability and compromised member data.BleepingComputer
September 19, 2022
Europol and Bitdefender Release Free Decryptor for LockerGoga Ransomware Full Text
Abstract
A decryptor for the LockerGoga ransomware has been made available by Romanian cybersecurity firm Bitdefender in collaboration with Europol, the No More Ransom project, and Zürich law enforcement authorities. Identified in January 2019, LockerGoga drew headlines for its attacks against the Norwegian aluminum giant Norsk Hydro. It's said to have infected more than 1,800 victims in 71 countries, causing an estimated $104 million in damages. The ransomware operation received a significant blow in October 2021 when 12 people in connection with the group, alongside MegaCortex and Dharma, were apprehended as part of an international law enforcement effort. The arrests, which took place in Ukraine and Switzerland, also saw the seizure of cash worth $52,000, five luxury vehicles, and a number of electronic devices. One of the accused is currently in pretrial detention in Zurich. The Zurich Cantonal Police further said it spent the past months examining the data storage devicesThe Hacker News
September 16, 2022
The Week in Ransomware - September 16th 2022 - Iranian Sanctions Full Text
Abstract
It has been a fairly quiet week on the ransomware front, with the biggest news being US sanctions on Iranians linked to ransomware attacks.BleepingComputer
September 15, 2022
Hive ransomware claims cyberattack on Bell Canada subsidiary Full Text
Abstract
The Hive ransomware gang claimed responsibility for an attack that hit the systems of Bell Canada subsidiary Bell Technical Solutions (BTS).BleepingComputer
September 14, 2022
Lorenz Ransomware Exploit Mitel VoIP Systems to Breach Business Networks Full Text
Abstract
The operators behind the Lorenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold into target environments for follow-on malicious activities. "Initial malicious activity originated from a Mitel appliance sitting on the network perimeter," researchers from cybersecurity firm Arctic Wolf said in a report published this week. "Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunneling tool to pivot into the environment." Lorenz, like many other ransomware groups, is known for double extortion by exfiltrating data prior to encrypting systems, with the actor targeting small and medium businesses (SMBs) located in the U.S., and to a lesser extent in China and Mexico, since at least February 2021. Calling it an "ever-evolvinThe Hacker News
September 14, 2022
Ransomware Attacks on Agriculture Potentially Timed to Critical Seasons Full Text
Abstract
The FBI has warned the Food and Agriculture (FA) sector that ransomware actors may be preparing to attack agricultural cooperatives during critical planting and harvest seasons.Security Intelligence
September 12, 2022
Lorenz ransomware breaches corporate network via phone systems Full Text
Abstract
The Lorenz ransomware gang now uses a critical vulnerability in Mitel MiVoice VoIP appliances to breach enterprises, using their phone systems for initial access to their corporate networks.BleepingComputer
September 09, 2022
The Week in Ransomware - September 9th 2022 - Schools under fire Full Text
Abstract
Ransomware gangs have been busy this week, launching attacks against NAS devices, one of the largest hotel groups, IHG, and LAUSD, the second largest school district in the USA.BleepingComputer
September 9, 2022
Ransomware Developers Turn to Intermittent Encryption to Evade Detection Full Text
Abstract
In contrast to full encryption, intermittent encryption helps to evade analysis by exhibiting a significantly lower intensity of file IO operations and much higher similarity between non-encrypted and encrypted versions of a given file.Sentinel One
September 08, 2022
Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group Full Text
Abstract
Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a "form of moonlighting" for personal gain. The tech giant, which is monitoring the activity cluster under the moniker DEV-0270 (aka Nemesis Kitten), said it's operated by a company that functions under the public aliases Secnerd and Lifeweb, citing infrastructure overlaps between the group and the two organizations. "DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities," Microsoft said. "DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices." The use of BitLocker and DiskCryptor by Iranian actorThe Hacker News
September 6, 2022
Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa Full Text
Abstract
Victims of this ransomware first surfaced in Bleeping Computer forums in June 2022. A month later, more details about Play ransomware were published on the “No-logs No breach” website.Trend Micro
September 06, 2022
QNAP Warns of New DeadBolt Ransomware Attacks Exploiting Photo Station Flaw Full Text
Abstract
QNAP has issued a new advisory urging users of its network-attached storage (NAS) devices to upgrade to the latest version of Photo Station following yet another wave of DeadBolt ransomware attacks in the wild exploiting a zero-day flaw in the software. The Taiwanese company said it detected the attacks on September 3 and that "the campaign appears to target QNAP NAS devices running Photo Station with internet exposure." The issue has been addressed in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later; QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later; QTS 4.3.6: Photo Station 5.7.18 and later; QTS 4.3.3: Photo Station 5.4.15 and later; QTS 4.2.6: Photo Station 5.2.14 and later. Details of the flaw have been kept under wraps for now, but the company is advising users to disable port forwarding on their routers, prevent NAS devices from being accessible on the Internet, upgrade NAS firmware, apply strong passwords for user accounts, and take regulaThe Hacker News
September 06, 2022
Second largest U.S. school district LAUSD hit by ransomware Full Text
Abstract
Los Angeles Unified (LAUSD), the second largest school district in the U.S., disclosed that a ransomware attack hit its Information Technology (IT) systems over the weekend.BleepingComputer
September 5, 2022
QNAP warns new Deadbolt ransomware attacks exploiting zero-day Full Text
Abstract
QNAP warns customers of ongoing DeadBolt ransomware attacks that are exploiting a zero-day vulnerability in Photo Station. QNAP warns customers of an ongoing wave of DeadBolt ransomware attacks, threat actors are exploiting a zero-day vulnerability...Security Affairs
September 2, 2022
Linux devices ‘increasingly’ under attack from hackers, warn security researchers Full Text
Abstract
There's been a big rise in ransomware attacks targeting Linux as cybercriminals look to expand their options and exploit an operating system that is often overlooked when businesses think about security.ZDNet
September 02, 2022
BlackCat ransomware claims attack on Italian energy agency Full Text
Abstract
The BlackCat/ALPHV ransomware gang claimed responsibility for an attack that hit the systems of Italy's energy agency Gestore dei Servizi Energetici SpA (GSE) over the weekend.BleepingComputer
September 2, 2022
Another Ransomware For Linux Likely In Development Full Text
Abstract
Uptycs researchers recently spotted a new Linux ransomware that appears to be under active development. The Uptycs Threat Research team recently observed an Executable and Linkable Format (ELF) ransomware which encrypts the files inside Linux systems...Security Affairs
September 2, 2022
Another Ransomware for Linux Likely in Development Full Text
Abstract
The Uptycs Threat Research team recently observed an Executable and Linkable Format (ELF) ransomware that encrypts the files inside Linux systems based on the given folder path.Security Affairs
September 01, 2022
Researchers Detail Emerging Cross-Platform BianLian Ransomware Attacks Full Text
Abstract
The operators of the emerging cross-platform BianLian ransomware have increased their command-and-control (C2) infrastructure this month, a development that alludes to an increase in the group's operational tempo. BianLian, written in the Go programming language, was first discovered in mid-July 2022 and has claimed 15 victim organizations as of September 1, cybersecurity firm [redacted] said in a report shared with The Hacker News. It's worth noting that the double extortion ransomware family has no connection to an Android banking trojan of the same name, which targets mobile banking and cryptocurrency apps to siphon sensitive information. Initial access to victim networks is achieved via successful exploitation of the ProxyShell Microsoft Exchange Server flaws, leveraging it to either drop a web shell or an ngrok payload for follow-on activities. "BianLian has also targeted SonicWall VPN devices for exploitation, another common target for ransomware groups,The Hacker News
August 29, 2022
New Golang-based ‘Agenda Ransomware’ Can Be Customized For Each Victim Full Text
Abstract
A new ransomware strain written in Golang dubbed "Agenda" has been spotted in the wild, targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa, and Thailand. "Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run," Trend Micro researchers said in an analysis last week. Qilin, the threat actor advertising the ransomware on the dark web, is said to provide affiliates with options to tailor the binary payloads for each victim, enabling the operators to decide the ransom note, encryption extension, as well as the list of processes and services to terminate before commencing the encryption process. Additionally, the ransomware incorporates techniques for detection evasion by taking advantage of the 'safe mode' feature of a device to proceed with its file encryption routine unnoticed, but not before changing the default user's password and enablThe Hacker News
August 28, 2022
LockBit ransomware gang gets aggressive with triple-extortion tactic Full Text
Abstract
LockBit ransomware gang announced that it is improving defenses against distributed denial-of-service (DDoS) attacks and working to take the operation to triple extortion level.BleepingComputer
August 28, 2022
New Agenda Ransomware appears in the threat landscape Full Text
Abstract
Trend Micro researchers warn of a new ransomware family called Agenda, which has been used in attacks on organizations in Asia and Africa. Trend Micro researchers recently discovered a new piece of targeted ransomware, tracked as Agenda, that...Security Affairs
August 26, 2022
The Week in Ransomware - August 26th 2022 - Fighting back Full Text
Abstract
We saw a bit of ransomware drama this week, mostly centered around LockBit, who saw their data leak sites taken down by a DDoS attack after they started leaking the allegedly stolen Entrust data.BleepingComputer
August 25, 2022
New Golang Ransomware Agenda Customizes Attacks Against Organizations in Asia and Africa Full Text
Abstract
Researchers revealed that the new ransomware in question targeted enterprises in Asia and Africa. Based on dark web posts by a user named “Qilin,” and through ransom notes, the ransomware is called “Agenda.”Trend Micro
August 24, 2022
New ‘BianLian’ Ransomware Variant on the Rise Full Text
Abstract
Attackers using BianLian typically demand unusually high ransoms, and they utilize a unique encryption style that divides the file content into chunks of 10 bytes to evade detection by antivirus products, the researchers said.Dark Reading
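The SentinelOne item above on intermittent encryption and the Dark Reading item just above on BianLian encrypting file content in 10-byte chunks both describe a ransomware choosing how much of a file to touch, and in what pattern, so that the encrypted file stays close to the original and the I/O it generates stays small. The block below is an added example, not code from SentinelOne, Redacted or any ransomware family: it simulates full versus alternate-block encryption of a constructed document and shows why a whole-file entropy check misses the partial case while a per-chunk entropy profile and a byte-similarity score do not. The block size, thresholds, sample text and key are assumptions made for the demo, and a SHA-256 keystream stands in for the real cipher.

```python
"""Per-chunk entropy profiling versus a whole-file entropy check for
partially (intermittently) encrypted files.

Added example; not code from SentinelOne, Redacted or any ransomware
family. BLOCK, the thresholds, SAMPLE and KEY are assumptions made for
the demonstration, and the SHA-256 keystream stands in for a real cipher.
"""
import hashlib
import math

BLOCK = 1024             # assumed encryption block size in bytes
NAIVE_THRESHOLD = 7.5    # assumed whole-file entropy cutoff used by a naive check
HIGH, LOW = 7.0, 6.0     # assumed per-chunk cutoffs: "looks encrypted" / "looks plain"

# Constructed sample document: repetitive, low-entropy text, exactly 16 blocks.
_LINE = b"Invoice line-item: widget, qty 12, unit price 4.50, total 54.00\n"
SAMPLE = (_LINE * 300)[:16 * BLOCK]
KEY = b"constructed-demo-key"   # demo value, not a real key


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes; a stand-in for a stream cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt(data: bytes, key: bytes, every: int = 1):
    """XOR block i with the keystream only when i % every == 0.

    every=1 is full encryption; every=2 encrypts alternate blocks, the
    intermittent pattern. Returns (ciphertext, blocks_rewritten) so the
    I/O saving is visible: only touched blocks have to be written back.
    XOR is its own inverse, so calling this again with the same arguments
    restores the original bytes.
    """
    ks = keystream(key, len(data))
    out = bytearray(data)
    written = 0
    for start in range(0, len(data), BLOCK):
        if (start // BLOCK) % every == 0:
            for j in range(start, min(start + BLOCK, len(data))):
                out[j] ^= ks[j]
            written += 1
    return bytes(out), written


def entropy(buf: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of byte positions that are identical in both buffers."""
    return sum(x == y for x, y in zip(a, b)) / max(len(a), 1)


def naive_flag(buf: bytes) -> bool:
    """Whole-file entropy check: catches full encryption, misses partial."""
    return entropy(buf) >= NAIVE_THRESHOLD


def chunk_profile(buf: bytes, chunk: int = BLOCK):
    """Entropy per chunk; a tail shorter than half a chunk is skipped because
    the estimate on so few bytes is biased low and would read as 'plain'."""
    profile = []
    for i in range(0, len(buf), chunk):
        piece = buf[i:i + chunk]
        if len(piece) >= chunk // 2:
            profile.append(entropy(piece))
    return profile


def classify(buf: bytes, chunk: int = BLOCK) -> str:
    """Return 'plain', 'fully-encrypted' or 'intermittent' from the profile."""
    profile = chunk_profile(buf, chunk)
    n_high = sum(e >= HIGH for e in profile)
    n_low = sum(e <= LOW for e in profile)
    if profile and n_high == len(profile):
        return "fully-encrypted"
    if n_high and n_low:
        return "intermittent"
    return "plain"


if __name__ == "__main__":
    full, w_full = encrypt(SAMPLE, KEY, every=1)
    part, w_part = encrypt(SAMPLE, KEY, every=2)
    for name, buf, written in (("full", full, w_full), ("alternate-blocks", part, w_part)):
        print(f"{name:17} blocks written={written:2d}  whole-file H={entropy(buf):.2f}"
              f"  naive={naive_flag(buf)!s:5}  profile={classify(buf)}"
              f"  similarity={similarity(SAMPLE, buf):.3f}")
```

The half-encrypted file lands near 7 bits per byte overall, the same range as compressed archives and images, so a whole-file threshold either misses it or floods the queue with false positives; the per-chunk profile separates the two cleanly and a byte-similarity score against a known-good copy quantifies how much survived. The profile only helps when the original is low-entropy: for already-compressed formats, compare against a backup or check the format header instead.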
August 19, 2022
The Week in Ransomware - August 19th 2022 - Evolving extortion tactics Full Text
Abstract
Bringing you the latest ransomware news, including new research, tactics, and cyberattacks. We also saw the return of the BlackByte ransomware operation, who has started to use new extortion tactics.BleepingComputer
August 18, 2022
BlackByte ransomware v2 is out with new extortion novelties Full Text
Abstract
A new version of the BlackByte ransomware appeared in the threat landscape, version 2.0 uses extortion techniques similar to LockBit ones. BlackByte ransomware Version 2.0 appeared in the threat landscape after a short break, the latest version has a new data...Security Affairs
August 16, 2022
Black Basta: New Ransomware Threat Aiming for the Big League Full Text
Abstract
The gang behind Black Basta has reached a high level of success in a short time through its double extortion techniques and is possibly an offshoot of Conti and REvil. It has claimed responsibility for compromising at least 50 organizations so far.CSO Online
August 13, 2022
Novel Ransomware Comes to the Sophisticated SOVA Android Banking Trojan Full Text
Abstract
The Android banking Trojan SOVA is back in the action and sporting new and updated capabilities with an additional version in development that contains a ransomware module.Dark Reading
August 12, 2022
The Week in Ransomware - August 12th 2022 - Attacking the defenders Full Text
Abstract
It was a very busy week for ransomware news and attacks, especially with the disclosure that Cisco was breached by a threat actor affiliated with the Yanluowang ransomware gang.BleepingComputer
August 12, 2022
BazarCall attacks have revolutionized ransomware operations Full Text
Abstract
The Conti ransomware gang is using BazarCall phishing attacks as an initial attack vector to access targeted networks. The BazarCall attack, aka callback phishing, is an attack vector that utilizes a targeted phishing methodology and was first used by the Ryuk...Security Affairs
August 11, 2022
BlueSky Ransomware Conducts Faster File Encryption via Multithreading Full Text
Abstract
BlueSky ransomware predominantly targets Windows hosts and utilizes multithreading to encrypt files faster. The multithreaded architecture of BlueSky bears code similarities with Conti v3, and the network search module is an exact replica of it.Palo Alto Networks
August 8, 2022
An Introduction to Industrial Spy Ransomware Group Full Text
Abstract
Researchers have dissected the inner workings of a relatively new ransomware threat known as Industrial Spy that started as a data extortion marketplace in April. It has reportedly studied Cuba ransomware briefly before creating its own ransomware.Cyware Alerts - Hacker News
August 7, 2022
GwisinLocker ransomware exclusively targets South Korea Full Text
Abstract
Researchers spotted a new family of ransomware, named GwisinLocker, that encrypts Windows and Linux ESXi servers. Researchers warn of a new ransomware called GwisinLocker which is able to encrypt Windows and Linux ESXi servers. The ransomware targets...Security Affairs
August 06, 2022
New GwisinLocker ransomware encrypts Windows and Linux ESXi servers Full Text
Abstract
A new ransomware family called 'GwisinLocker' targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines.BleepingComputer
August 05, 2022
The Week in Ransomware - August 5th 2022 - A look at cyber insurance Full Text
Abstract
For the most part, it has been a quiet week on the ransomware front, with a few new reports, product developments, and attacks revealed.BleepingComputer
August 3, 2022
SolidBit Ransomware Enters the RaaS Scene and Takes Aim at Gamers and Social Media Users Full Text
Abstract
The SolidBit ransomware group appears to be planning to expand its operations through these fraudulent apps and its recruitment of ransomware-as-a-service (RaaS) affiliates.Trend Micro
August 02, 2022
LockBit Ransomware Abuses Windows Defender to Deploy Cobalt Strike Payload Full Text
Abstract
A threat actor associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads. According to a report published by SentinelOne last week, the incident occurred after obtaining initial access via the Log4Shell vulnerability against an unpatched VMware Horizon Server. "Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike," researchers Julio Dantas, James Haughom, and Julien Reisdorffer said. LockBit 3.0 (aka LockBit Black), which comes with the tagline "Make Ransomware Great Again!," is the next iteration of the prolific LockBit RaaS family that emerged in June 2022 to iron out critical weaknesses discovered in its predecessor. It's notable for instiThe Hacker News
July 30, 2022
Reading the “ENISA THREAT LANDSCAPE FOR RANSOMWARE ATTACKS” report Full Text
Abstract
I'm proud to announce the release of the "ENISA THREAT LANDSCAPE FOR RANSOMWARE ATTACKS" report, Enjoy it! Ransomware has become one of the most dangerous threats for organizations worldwide. Cybercriminal organizations and ransomware gangs have...Security Affairs
July 29, 2022
LockBit ransomware abuses Windows Defender to load Cobalt Strike Full Text
Abstract
Security analysts have observed an affiliate of the LockBit 3.0 ransomware operation abusing a Windows Defender command line tool to decrypt and load Cobalt Strike beacons on the target systems.BleepingComputer
July 29, 2022
LockBit operator abuses Windows Defender to load Cobalt Strike Full Text
Abstract
Security analysts have observed an affiliate of the LockBit 3.0 ransomware operation abusing a Windows Defender command line tool to decrypt and load Cobalt Strike beacons on the target systems.BleepingComputer
July 27, 2022
The strange similarities between Lockbit 3.0 and Blackmatter ransomware Full Text
Abstract
Researchers found similarities between LockBit 3.0 ransomware and BlackMatter, which is a rebranded variant of the DarkSide ransomware. Cybersecurity researchers have found similarities between the latest version of the LockBit ransomware, LockBit...Security Affairs
July 26, 2022
Experts Find Similarities Between New LockBit 3.0 and BlackMatter Ransomware Full Text
Abstract
Cybersecurity researchers have reiterated similarities between the latest iteration of the LockBit ransomware and BlackMatter, a rebranded variant of the DarkSide ransomware strain that closed shop in November 2021. The new version of LockBit, called LockBit 3.0 aka LockBit Black, was released in June 2022, launching a brand new leak site and the first ransomware bug bounty program, alongside Zcash as a cryptocurrency payment option. Its encryption process involves appending the extension "HLJkNskOq" or "19MqZqZ0s" to each and every file and changing the icons of the locked files to that of the .ico file that's dropped by the LockBit sample to kick-start the infection. "The ransomware then drops its ransom note, which references 'Ilon Musk' and the European Union's General Data Protection Regulation (GDPR)," Trend Micro researchers said in a Monday report. "Lastly, it changes the wallpaper of the victim'sThe Hacker News
July 26, 2022
New Redeemer 2.0 Promoted on Hacker Forum Full Text
Abstract
A new strain of the free-to-use Redeemer ransomware builder is being promoted on hacker forums. The new version 2.0 is written in C++ and features support for Windows 11 and GUI tools, among others. The author has threatened that the project's source code will become public if they lose interest, m...Cyware Alerts - Hacker News
July 26, 2022
No More Ransom helps millions of ransomware victims in 6 years Full Text
Abstract
The No More Ransom project celebrates its sixth anniversary today after helping millions of ransomware victims recover their files for free.BleepingComputer
July 22, 2022
The Week in Ransomware - July 22nd 2022 - Attacks abound Full Text
Abstract
New ransomware operations continue to be launched this week, with the new Luna ransomware found to be targeting both Windows and VMware ESXi servers.BleepingComputer
July 21, 2022
LockBit Ransomware Puts Servers in the Crosshairs Full Text
Abstract
In one attack observed by Symantec, LockBit was seen identifying domain-related information, creating a Group Policy for lateral movement, and executing a command on all systems within the same domain to forcefully update group policy.Symantec
July 21, 2022
How Conti ransomware hacked and encrypted the Costa Rican government Full Text
Abstract
Details have emerged on how the Conti ransomware gang breached the Costa Rican government, showing the attack's precision and the speed of moving from initial access to the final stage of encrypting devices.BleepingComputer
July 21, 2022
New Redeemer ransomware version promoted on hacker forums Full Text
Abstract
A threat actor is promoting a new version of their free-to-use 'Redeemer' ransomware builder on hacker forums, offering unskilled threat actors an easy entry to the world of encryption-backed extortion attacks.BleepingComputer
July 20, 2022
New Luna ransomware targets Windows, Linux and ESXi systems Full Text
Abstract
Kaspersky researchers discovered a new ransomware family written in Rust, named Luna, that targets Windows, Linux, and ESXi systems. Researchers from Kaspersky Lab detailed a new ransomware family named Luna, which is written in Rust and is able to target...Security Affairs
July 20, 2022
New Rust-based Ransomware Family Targets Windows, Linux, and ESXi Systems Full Text
Abstract
Kaspersky security researchers have disclosed details of a brand-new ransomware family written in Rust, making it the third strain after BlackCat and Hive to use the programming language. Luna, as it's called, is "fairly simple" and can run on Windows, Linux, and ESXi systems, with the malware banking on a combination of Curve25519 and AES for encryption. "Both the Linux and ESXi samples are compiled using the same source code with some minor changes from the Windows version," the Russian firm noted in a report published today. Advertisements for Luna on darknet forums suggest that the ransomware is intended for use only by Russian-speaking affiliates. Its core developers are also believed to be of Russian origin owing to spelling mistakes in the ransom note hard-coded within the binary. "Luna confirms the trend for cross-platform ransomware," the researchers stated, adding how the platform agnostic nature of languages like Golang and RThe Hacker News
July 20, 2022
New Luna ransomware encrypts Windows, Linux, and ESXi systems Full Text
Abstract
A new ransomware family dubbed Luna can be used to encrypt devices running several operating systems, including Windows, Linux, and ESXi systems.BleepingComputer
July 17, 2022
North Korea-based Holy Ghost Ransomware Targets Victims Globally Full Text
Abstract
Microsoft attributed the Holy Ghost ransomware operation to North Korean hackers. Tracked as DEV-0530, the group has been targeting small businesses worldwide for over a year. For organizations to stay protected, experts recommend collaborative action, including sharing the indicators of compromise...Cyware Alerts - Hacker News
July 16, 2022
New Lilith Ransomware Family Joins the Double Extortion Threat Landscape Full Text
Abstract
Cyble uncovered a new C/C++ console-based ransomware operation by a group dubbed Lilith. It has posted proof of its first victim on its leak site. Before the encryption process starts, Lilith creates and drops ransom notes in all the folders one by one. The note gives three days to contact the attacker...Cyware Alerts - Hacker News
July 15, 2022
RedAlert, LILITH, and 0mega, 3 new ransomware in the wild Full Text
Abstract
Cyble researchers warn of three new ransomware operations named Lilith, RedAlert and 0mega targeting organizations worldwide. Researchers from threat intelligence firm Cyble warn of new ransomware gangs that surfaced recently, named Lilith, RedAlert,...Security Affairs
July 14, 2022
Researcher develops Hive ransomware decryption tool Full Text
Abstract
Despite being only a year old, Hive ransomware has grown into a prominent ransomware-as-a-service operation. The latest decryptor tackles Hive's newer, better-encrypted version.Tech Target
July 13, 2022
New Lilith ransomware emerges with extortion site, lists first victim Full Text
Abstract
A new ransomware operation has been launched under the name 'Lilith,' and it has already posted its first victim on a data leak site created to support double-extortion attacks.BleepingComputer
July 12, 2022
Recycled Ransomware are Faster Full Text
Abstract
Ransomware actors have started recycling code from publicly available sources. A new Nokoyawa campaign has been observed, in which the ransomware strain is improving itself by following this tactic.Cyware Alerts - Hacker News
July 12, 2022
New 0mega Ransomware Joins the Double Extortion Threat Landscape Full Text
Abstract
A new ransomware operation, dubbed 0mega, has been spotted targeting organizations across the world in double-extortion schemes. Active since May, the group has already breached several firms, including an electronics repair firm. Organizations are suggested to always protect their sensitive data w ... Read MoreCyware Alerts - Hacker News
July 11, 2022
BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2.5M in Demands Full Text
Abstract
The average time allocated for payment varies between 5 and 7 days, to give the victim some time to purchase BTC or XMR cryptocurrency. In case of difficulties, the victim may engage an “intermediary” for the further recovery process.Resecurity
July 11, 2022
BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2.5M in Demands Full Text
Abstract
BlackCat (aka ALPHV) Ransomware gang introduced an advanced search by stolen victims’ passwords and confidential documents. The notorious cybercriminal syndicate BlackCat competes with Conti and Lockbit 3.0. They introduced an advanced search by stolen...Security Affairs
July 11, 2022
Experts warn of the new 0mega ransomware operation Full Text
Abstract
BleepingComputer reported a new ransomware operation named 0mega that is targeting organizations worldwide. 0mega is a new ransomware operation that is targeting organizations worldwide using a double-extortion model, BleepingComputer reported. The...Security Affairs
July 9, 2022
RedAlert: A Ransomware that Targets Multiple OS Platforms Full Text
Abstract
New ransomware, dubbed RedAlert or N13V, encrypts both Linux and Windows VMware ESXi servers on corporate networks. Currently, the group has only one victim listed on its data leak site. Similar to other enterprise-targeting ransomware operations, RedAlert carries out double-extortion attacks, in w ... Read MoreCyware Alerts - Hacker News
July 9, 2022
Evolution of the LockBit Ransomware operation relies on new techniques Full Text
Abstract
Experts documented the evolution of the LockBit ransomware that leverages multiple techniques to infect targets and evade detection. The Cybereason Global Security Operations Center (GSOC) Team published the Cybereason Threat Analysis...Security Affairs
July 08, 2022
The Week in Ransomware - July 8th 2022 - One down, many to go Full Text
Abstract
While we continue to see new ransomware operations launch, we also received some good news this week, with another ransomware shutting down.BleepingComputer
July 08, 2022
New 0mega ransomware targets businesses in double-extortion attacks Full Text
Abstract
A new ransomware operation named '0mega' targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms.BleepingComputer
July 08, 2022
Researchers Detail Techniques LockBit Ransomware Using to Infect its Targets Full Text
Abstract
LockBit ransomware attacks are constantly evolving by making use of a wide range of techniques to infect targets while also taking steps to disable endpoint security solutions. "The affiliates that use LockBit's services conduct their attacks according to their preference and use different tools and techniques to achieve their goal," Cybereason security analysts Loïc Castel and Gal Romano said. "As the attack progresses further along the kill chain, the activities from different cases tend to converge to similar activities." LockBit, which operates on a ransomware-as-a-service (RaaS) model like most groups, was first observed in September 2019 and has since emerged as the most dominant ransomware strain this year, surpassing other well-known groups like Conti, Hive, and BlackCat. This involves the malware authors licensing access to affiliates, who execute the attacks in exchange for using their tools and infrastructure and earn as much as 80% of eaThe Hacker News
July 8, 2022
Emsisoft: Victims of AstraLocker and Yashma ransomware can recover their files for free Full Text
Abstract
Emsisoft has released a free decryption tool that allows victims of the AstraLocker and Yashma ransomware to recover their files without paying a ransom. Cybersecurity firm Emsisoft released a free decryptor tool that allows victims of the AstraLocker...Security Affairs
July 08, 2022
Free decryptor released for AstraLocker, Yashma ransomware victims Full Text
Abstract
New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom.BleepingComputer
July 8, 2022
ALPHV’s ransomware makes it easy to search data from targets who do not pay Full Text
Abstract
The group has also decided to use a new method to put even more pressure on its targets: Provide a search engine for their victims’ data leaks, as revealed in a new publication from Cyble.Tech Republic
July 8, 2022
New Checkmate ransomware targets QNAP NAS devices Full Text
Abstract
Taiwanese vendor QNAP warns of a new strain of ransomware, dubbed Checkmate, that is targeting its NAS devices. The Taiwanese vendor QNAP is warning of a new family of ransomware targeting its NAS devices using weak passwords. Threat actors are targeting...Security Affairs
July 6, 2022
New Hive ransomware variant is written in Rust and uses an improved encryption method Full Text
Abstract
Hive ransomware operators have improved their file-encrypting module by migrating to Rust language and adopting a more sophisticated encryption method. The operators of the Hive ransomware upgraded their malware by migrating the malware to the Rust...Security Affairs
July 06, 2022
Hive Ransomware Upgrades to Rust for More Sophisticated Encryption Method Full Text
Abstract
The operators of the Hive ransomware-as-a-service (RaaS) scheme have overhauled their file-encrypting software to fully migrate to Rust and adopt a more sophisticated encryption method. "With its latest variant carrying several major upgrades, Hive also proves it's one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," Microsoft Threat Intelligence Center (MSTIC) said in a report on Tuesday. Hive, which was first observed in June 2021, has emerged as one of the most prolific RaaS groups, accounting for 17 attacks in the month of May 2022 alone, alongside Black Basta and Conti. The shift from GoLang to Rust makes Hive the second ransomware strain after BlackCat to be written in the programming language, enabling the malware to gain additional benefits such as memory safety and deeper control over low-level resources as well as make use of a wide range of cryptographic libraries. What it also affords isThe Hacker News
July 05, 2022
New RedAlert Ransomware targets Windows, Linux VMware ESXi servers Full Text
Abstract
A new ransomware operation called RedAlert, or N13V, encrypts both Windows and Linux VMware ESXi servers in attacks on corporate networks.BleepingComputer
July 5, 2022
AstraLocker Shuts Down Operations, May Switch to Cryptojacking Full Text
Abstract
AstraLocker ransomware is shutting down its operations and has released decryptors. The threat actor plans on moving to cryptojacking from extortion schemes. However, some of the speculations are that the group feared some action by global law enforcement. Emsisoft is planning to soon roll out a un ... Read MoreCyware Alerts - Hacker News
July 04, 2022
AstraLocker ransomware shuts down and releases decryptors Full Text
Abstract
The threat actor behind the lesser-known AstraLocker ransomware told BleepingComputer they're shutting down the operation and plan to switch to cryptojacking.BleepingComputer
July 2, 2022
AstraLocker 2.0 ransomware isn’t going to give you your files back Full Text
Abstract
Reversing Labs reports that the latest version of AstraLocker ransomware is engaged in a so-called “smash and grab” ransomware operation that is all about maxing out profits in the fastest time.Malwarebytes Labs
July 01, 2022
The Week in Ransomware - July 1st 2022 - Bug Bounties Full Text
Abstract
It has been relatively busy this week with new ransomware attacks unveiled, a bug bounty program introduced, and new tactics used by the threat actors to distribute their encryptors.BleepingComputer
July 1, 2022
Black Basta Emerges From the Dead - Warn Experts Full Text
Abstract
Before deploying the ransomware, operators infiltrate and move laterally across the entire network, performing a full-fledged RansomOps attack. Similar to other groups, Black Basta employs the double extortion tactic.Cyware Alerts - Hacker News
July 1, 2022
Bumblebee Buzzes to Forefront of Ransomware Ecosystem Full Text
Abstract
Bumblebee has been linked to ransomware operations by Conti, Quantum, and Mountlocker, which signifies that the malware is now at the forefront of the ransomware ecosystem.Cyware Alerts - Hacker News
June 30, 2022
Korean cybersecurity agency released a free decryptor for Hive ransomware Full Text
Abstract
Good news for the victims of the Hive ransomware: Korean security researchers have released a free decryptor for some versions. Good news for the victims of the Hive ransomware: the South Korean cybersecurity agency KISA has released a free decryptor...Security Affairs
June 30, 2022
AstraLocker 2.0 infects users directly from Word attachments Full Text
Abstract
A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments.BleepingComputer
June 29, 2022
With LockBit 3.0 Launch, Hackers Announce Bug Bounty Program Full Text
Abstract
The LockBit RaaS launched LockBit 3.0, the first-ever ransomware bug bounty program for security experts to submit bug reports and get rewarded with up to $1 million. Various bug bounty categories include website bugs (such as XSS vulnerabilities, and MySQL injections), Locker bugs (bugs in the ran ... Read MoreCyware Alerts - Hacker News
June 29, 2022
AstraLocker 2.0 pushes ransomware direct from Office docs Full Text
Abstract
ReversingLabs recently discovered a new version of the AstraLocker ransomware (AstraLocker 2.0) that was being distributed directly from Microsoft Office files used as bait in phishing attacks.ReversingLabs
June 28, 2022
LockBit 3.0 introduces important novelties, including a bug bounty program Full Text
Abstract
The LockBit ransomware operators released LockBit 3.0 with important novelties, including a bug bounty program and Zcash payments. The Lockbit ransomware operation has released LockBit 3.0, which has important novelties such as a bug bounty program,...Security Affairs
June 27, 2022
Cybersecurity Experts Warn of Emerging Threat of “Black Basta” Ransomware Full Text
Abstract
The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the U.S., Canada, the U.K., Australia, and New Zealand within two months of its emergence in the wild, making it a prominent threat in a short window. "Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers, and more," Cybereason said in a report. Similar to other ransomware operations, Black Basta is known to employ the tried-and-tested tactic of double extortion to plunder sensitive information from the targets and threaten to publish the stolen data unless a digital payment is made. A new entrant in the already crowded ransomware landscape, intrusions involving the threat have leveraged QBot (aka Qakbot) as a conduit to maintain persistence on the compromised hosts and harvest credentials, before moving laterThe Hacker News
June 27, 2022
LockBit 3.0 introduces the first ransomware bug bounty program Full Text
Abstract
The LockBit ransomware operation has released 'LockBit 3.0,' introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options.BleepingComputer
June 24, 2022
The Week in Ransomware - June 24th 2022 - Splinter Cells Full Text
Abstract
The Conti ransomware gang has finally ended their charade and turned off their Tor data leak and negotiation sites, effectively shutting down the operation.BleepingComputer
June 24, 2022
Mitel zero-day used by hackers in suspected ransomware attack Full Text
Abstract
Hackers used a zero-day exploit on Linux-based Mitel MiVoice VoIP appliances for initial access in what is believed to be the beginning of a ransomware attack.BleepingComputer
June 24, 2022
Conti ransomware finally shuts down data leak, negotiation sites Full Text
Abstract
The Conti ransomware operation has finally shut down its last public-facing infrastructure, consisting of two Tor servers used to leak data and negotiate with victims, closing the final chapter of the notorious cybercrime brand.BleepingComputer
June 21, 2022
After Deadbolt, eCh0raix Ransomware Targets QNAP NAS Devices Full Text
Abstract
Taiwanese vendor QNAP has been hit by another ransomware attack, the latest one coming from eCh0raix. So far, only a few dozen eCh0raix samples have been submitted. To prevent this, QNAP has urged customers to update their devices' QTS or QuTS hero operating systems to the lat ... Read MoreCyware Alerts - Hacker News
June 19, 2022
Ransomware Attacks on Microsoft Cloud’s Versioning Feature are Likely Full Text
Abstract
Researchers say ransomware actors can exploit a functionality flaw in Microsoft Office 365 suite to encrypt files stored on SharePoint and OneDrive Online. The attack uses the versioning (or autosave) feature for the files edited on OneDrive or SharePoint as it creates cloud backups of older file v ... Read MoreCyware Alerts - Hacker News
June 17, 2022
The Week in Ransomware - June 17th 2022 - Have I Been Ransomed? Full Text
Abstract
Ransomware operations are constantly evolving their tactics to pressure victims to pay. For example, this week, we saw a new extortion tactic come into play with the creation of dedicated websites to extort victims with searchable data.BleepingComputer
June 16, 2022
Microsoft Office 365 feature can help cloud ransomware attacks Full Text
Abstract
Security researchers are warning that threat actors could hijack Office 365 accounts to encrypt for a ransom the files stored in SharePoint and OneDrive services that companies use for cloud-based collaboration, document management and storage.BleepingComputer
June 13, 2022
HelloXD Ransomware Installing Backdoor on Targeted Windows and Linux Systems Full Text
Abstract
Windows and Linux systems are being targeted by a ransomware variant called HelloXD, with the infections also involving the deployment of a backdoor to facilitate persistent remote access to infected hosts. "Unlike other ransomware groups, this ransomware family doesn't have an active leak site; instead it prefers to direct the impacted victim to negotiations through Tox chat and onion-based messenger instances," Daniel Bunce and Doel Santos, security researchers from Palo Alto Networks Unit 42, said in a new write-up. HelloXD surfaced in the wild on November 30, 2021, and is based on leaked code from Babuk, which was published on a Russian-language cybercrime forum in September 2021. The ransomware family is no exception to the norm in that the operators follow the tried-and-tested approach of double extortion to demand cryptocurrency payments by exfiltrating a victim's sensitive data in addition to encrypting it and threatening to publicize the informThe Hacker News
June 12, 2022
Hello XD ransomware now drops a backdoor while encrypting Full Text
Abstract
Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.BleepingComputer
June 11, 2022
Exposing HelloXD Ransomware and x4k Full Text
Abstract
Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.Palo Alto Networks
June 10, 2022
The Week in Ransomware - June 10th 2022 - Targeting Linux Full Text
Abstract
It has been relatively quiet this week with many companies and researchers at the RSA conference. However, we still had some interesting ransomware reports released this week.BleepingComputer
June 10, 2022
Experts spotted a new variant of the Cuba Ransomware with optimized infection techniques Full Text
Abstract
The Cuba ransomware operators are back and employed a new version of its malware in recent attacks. Cuba ransomware has been active since at least January 2020. Its operators have a data leak site, where they post exfiltrated data from their victims...Security Affairs
June 09, 2022
Roblox Game Pass store used to sell ransomware decryptor Full Text
Abstract
A new ransomware is taking the unusual approach of selling its decryptor on the Roblox gaming platform using the service's in-game Robux currency.BleepingComputer
June 09, 2022
Bizarre ransomware sells decryptor on Roblox Game Pass store Full Text
Abstract
A new ransomware is taking the unusual approach of selling its decryptor on the Roblox gaming platform using the service's in-game Robux currency.BleepingComputer
June 08, 2022
Cuba ransomware returns to extorting victims with updated encryptor Full Text
Abstract
The Cuba ransomware operation has returned to regular operations with a new version of its malware found used in recent attacks.BleepingComputer
June 8, 2022
Black Basta ransomware now supports encrypting VMware ESXi servers Full Text
Abstract
Black Basta ransomware gang implemented a new feature to encrypt VMware ESXi virtual machines (VMs) running on Linux servers. The Black Basta ransomware gang now supports encryption of VMware ESXi virtual machines (VMs) running on Linux servers. Researchers...Security Affairs
June 7, 2022
Evil Corp gang starts using LockBit Ransomware to evade sanctions Full Text
Abstract
Mandiant researchers associate multiple LockBit ransomware attacks with the notorious Evil Corp Cybercrime Group. Mandiant researchers have investigated multiple LOCKBIT ransomware attacks that have been attributed to the financially motivated threat...Security Affairs
June 7, 2022
Deadbolt Ransomware Adopts Multi-Tiered Extortion Scheme Full Text
Abstract
Not only QNAP but Asustor—another NAS device vendor—underwent DeadBolt attacks in February. The next month, the attackers again shifted to targeting QNAP devices and the number of infections reached 1,146.Cyware Alerts - Hacker News
June 07, 2022
Linux version of Black Basta ransomware targets VMware ESXi servers Full Text
Abstract
Black Basta is the latest ransomware gang to add support for encrypting VMware ESXi virtual machines running on enterprise Linux servers.BleepingComputer
June 7, 2022
YourCyanide: Latest CMD-Based Ransomware with Advanced Capabilities Full Text
Abstract
With multiple obfuscation layers, the ransomware leverages custom environment variables, as well as the Enable Delayed Expansion function, to evade detection.Cyware Alerts - Hacker News
June 03, 2022
The Week in Ransomware - June 3rd 2022 - Evading sanctions Full Text
Abstract
Ransomware gangs continue to evolve their operations as victims refuse to pay ransoms due to sanctions or other reasons.BleepingComputer
June 02, 2022
Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks Full Text
Abstract
As ransomware infections have evolved from purely encrypting data to schemes such as double and triple extortion, a new attack vector is likely to set the stage for future campaigns. Called Ransomware for IoT or R4IoT by Forescout, it's a "novel, proof-of-concept ransomware that exploits an IoT device to gain access and move laterally in an IT [information technology] network and impact the OT [operational technology] network." This potential pivot is based on the rapid growth in the number of IoT devices as well as the convergence of IT and OT networks in organizations. The ultimate goal of R4IoT is to leverage exposed and vulnerable IoT devices such as IP cameras to gain an initial foothold, followed by deploying ransomware in the IT network and taking advantage of poor operational security practices to hold mission-critical processes hostage. "By compromising IoT, IT, and OT assets, R4IoT goes beyond the usual encryption and data exfiltration to cause physThe Hacker News
June 02, 2022
Conti ransomware targeted Intel firmware for stealthy attacks Full Text
Abstract
Researchers analyzing the leaked chats of the notorious Conti ransomware operation have discovered that teams inside the Russian cybercrime group were actively developing firmware hacks.BleepingComputer
May 28, 2022
Cheerscrypt Ransomware Targets VMware ESXi Servers Full Text
Abstract
The widescale use of VMware ESXi in enterprises has now attracted a new Cheerscrypt ransomware threat that is targeting poorly secured ESXi servers. According to the ransom notes, the attackers give their victims three days to access the provided Tor site to negotiate the ransom payment for a worki ... Read MoreCyware Alerts - Hacker News
May 27, 2022
BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state Full Text
Abstract
Austrian federal state Carinthia has been hit by the BlackCat ransomware gang, also known as ALPHV, who demanded a $5 million to unlock the encrypted computer systems.BleepingComputer
May 26, 2022
New Chaos and Nokoyawa Ransomware Variants Found Full Text
Abstract
Security analysts spotted two new ransomware variants for Nokoyawa and Chaos ransomware, in two separate reports. Chaos' variant named Yashma includes two new improvements: the ability to stop execution on the basis of a victim's location and stop different running processes linked with antivirus a ... Read MoreCyware Alerts - Hacker News
May 25, 2022
New ‘Cheers’ Linux ransomware targets VMware ESXi servers Full Text
Abstract
A new ransomware named 'Cheers' has appeared in the cybercrime space and has started its operations by targeting vulnerable VMware ESXi servers.BleepingComputer
May 25, 2022
New Linux-Based Ransomware ‘Cheerscrypt’ Targets VMware ESXi Servers Full Text
Abstract
In the past, ESXi servers were also attacked by other known ransomware families such as LockBit, Hive, and RansomEXX as an efficient way to infect many computers with ransomware.Trend Micro
May 25, 2022
Link Found Connecting Chaos, Onyx and Yashma Ransomware Full Text
Abstract
A slip-up by a malware author has allowed researchers to taxonomize three ransomware variations going by different names.Threatpost
May 24, 2022
New Chaos Ransomware Builder Variant “Yashma” Discovered in the Wild Full Text
Abstract
Cybersecurity researchers have disclosed details of the latest version of the Chaos ransomware line, dubbed Yashma. "Though Chaos ransomware builder has only been in the wild for a year, Yashma claims to be the sixth version (v6.0) of this malware," BlackBerry research and intelligence team said in a report shared with The Hacker News. Chaos is a customizable ransomware builder that emerged in underground forums on June 9, 2021, by falsely marketing itself as the .NET version of Ryuk despite sharing no such overlaps with the notorious counterpart. The fact that it's offered for sale also means that any malicious actor can purchase the builder and develop their own ransomware strains, turning it into a potent threat. It has since undergone five successive iterations aimed at improving its functionalities: version 2.0 on June 17, version 3.0 on July 5, version 4.0 on August 5, and version 5.0 in early 2022. While the first three variants of Chaos functioned more lThe Hacker News
May 20, 2022
The Week in Ransomware - May 20th 2022 - Another one bites the dust Full Text
Abstract
Ransomware attacks continue to slow down, likely due to the invasion of Ukraine, instability in the region, and subsequent worldwide sanctions against Russia.BleepingComputer
May 18, 2022
Chaos Ransomware Variant Sides with Russia Full Text
Abstract
Such actions have created tension internally within the threat actor groups as it has caused dissension, and externally, as organizations fear being targeted due to the political nature of the war.Fortinet
May 16, 2022
US links Thanos and Jigsaw ransomware to 55-year-old doctor Full Text
Abstract
The US Department of Justice today said that Moises Luis Zagala Gonzalez (Zagala), a 55-year-old cardiologist with French and Venezuelan citizenship residing in Ciudad Bolivar, Venezuela, created and rented Jigsaw and Thanos ransomware to cybercriminals.BleepingComputer
May 13, 2022
The Week in Ransomware - May 13th 2022 - A National Emergency Full Text
Abstract
While ransomware attacks have slowed during Russia's invasion of Ukraine and the subsequent sanctions, the malware threat continues to affect organizations worldwide.BleepingComputer
May 9, 2022
DarkAngels: A Rebranded Version of Babuk? Full Text
Abstract
Researchers have identified DarkAngels, a new ransomware that bears an uncanny resemblance to the Babuk ransomware. It excludes file extensions such as .exe, .dll, and .babyk from encryption. Organizations are recommended to use reliable anti-malware and internet security solutions.Cyware Alerts - Hacker News
May 07, 2022
US offers $15 million reward for info on Conti ransomware gang Full Text
Abstract
The US Department of State is offering up to $15 million for information that helps identify and locate leadership and co-conspirators of the infamous Conti ransomware gang.BleepingComputer
May 06, 2022
The Week in Ransomware - May 6th 2022 - An evolving landscape Full Text
Abstract
Ransomware operations continue to evolve, with new groups appearing and others quietly shutting down their operations or rebranding as new groups.BleepingComputer
May 4, 2022
An expert shows how to stop popular ransomware samples via DLL hijacking Full Text
Abstract
A security researcher discovered that samples of Conti, REvil, and LockBit ransomware were vulnerable to DLL hijacking. The security researcher John Page (aka hyp3rlinx) discovered that malware from multiple ransomware operations, including Conti, REvil,...Security Affairs
May 03, 2022
New ransomware strains linked to North Korean govt hackers Full Text
Abstract
Several ransomware strains have been linked to APT38, a North Korean-sponsored hacking group known for its focus on targeting and stealing funds from financial institutions worldwide.BleepingComputer
May 3, 2022
Black Basta and Onyx Leading the New Waves of Ransomware Attacks Full Text
Abstract
Two new ransomware strains have been doing the rounds. The first, tracked as Black Basta, has infiltrated at least a dozen companies in a matter of weeks. Another one, dubbed Onyx, has also managed to hit six organizations. The latter destroys large files instead of locking them, hence preventing d ... Read MoreCyware Alerts - Hacker News
May 02, 2022
AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection Full Text
Abstract
Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. "This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys)," Trend Micro researchers, Christopher Ordonez and Alvin Nieto, said in a Monday analysis. "In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using Nmap NSE script." AvosLocker, one of the newer ransomware families to fill the vacuum left by REvil, has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities. A ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortionThe Hacker News
May 2, 2022
New Black Basta Ransomware Possibly Linked to Conti Group Full Text
Abstract
A new ransomware operation named Black Basta has targeted at least a dozen companies and some researchers believe there may be a connection to the notorious Conti ransomware group.Security Week
May 2, 2022
AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell Full Text
Abstract
While previous AvosLocker infections employ similar routines, this is the first sample researchers observed from the US with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys).Trend Micro
April 30, 2022
Fake Windows 10 updates infect you with Magniber ransomware Full Text
Abstract
Fake Windows 10 updates on crack sites are being used to distribute the Magniber ransomware in a massive campaign that started earlier this month.BleepingComputer
April 29, 2022
The Week in Ransomware - April 29th 2022 - New operations emerge Full Text
Abstract
This week we have discovered numerous new ransomware operations that have begun operating, with one appearing to be a rebrand of previous operations.BleepingComputer
April 29, 2022
Expanding the Conti Ransomware IoCs Using WHOIS and IP Clues Full Text
Abstract
A majority of the domain IoCs of Conti ransomware share the same lexical features in that they don’t seem to be English words and follow a succession of consonant-vowel patterns.CircleID
April 28, 2022
Quantum Ransomware Stuns Researchers with Blazing Fast Attack Speed Full Text
Abstract
According to the DFIR Report, Quantum ransomware has upped its encryption game as it now encrypts systems within a few hours of penetration within a network. Rapid attacks are concerning as they offer less time for analysts to defend their systems.Cyware Alerts - Hacker News
April 28, 2022
Detecting Ransomware’s Stealthy Boot Configuration Edits Full Text
Abstract
The hypothesis used by researchers is that threat actors don’t necessarily have to use bcdedit to modify bootloader configurations but could implement code that directly modifies the Windows registry keys that determine those configurations.Binary Defense
April 27, 2022
Beware: Onyx ransomware destroys files instead of encrypting them Full Text
Abstract
A new Onyx ransomware operation is destroying large files instead of encrypting them, preventing those files from being decrypted even if a ransom is paid.BleepingComputer
April 27, 2022
PSA: Onyx ransomware destroys large files instead of encrypting them Full Text
Abstract
A new Onyx ransomware operation is destroying large files instead of encrypting them, preventing those files from being decrypted even if a ransom is paid.BleepingComputer
April 26, 2022
Researchers Share New Insights on Nokoyawa Ransomware Full Text
Abstract
Researchers from SentinelLabs claimed that Nokoyawa is clearly a variant of Nemty (Karma) ransomware. Previously, Trend Micro had highlighted similarities in the attack chain between Nokoyawa and Hive ransomware.
Cyware Alerts - Hacker News
April 26, 2022
BlackByte Ransomware - Wilder And Scarier Than Ever Full Text
Abstract
Researchers released a report on BlackByte ransomware describing new variants written in Go and DotNET, with one variant written with a mix of Go and C languages. The ransomware actors were observed making changes to the registry in an attempt to escalate privileges. Organizations are suggested to ...
Cyware Alerts - Hacker News
April 26, 2022
Inside a ransomware incident: How a single mistake left a door open for attackers Full Text
Abstract
The BlackCat ransomware attack against the undisclosed organization took place in March 2022 and has been detailed by cybersecurity researchers at Forescout who investigated the incident.
ZDNet
April 25, 2022
Quantum ransomware seen deployed in rapid network attacks Full Text
Abstract
The Quantum ransomware, a strain first discovered in August 2021, was seen carrying out speedy attacks that escalate quickly, leaving defenders little time to react.
BleepingComputer
April 21, 2022
New Incident Report Reveals How Hive Ransomware Targets Organizations Full Text
Abstract
A recent Hive ransomware attack carried out by an affiliate involved the exploitation of "ProxyShell" vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer's network. "The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise," Varonis security researcher, Nadav Ovadia, said in a post-mortem analysis of the incident. Hive, which was first observed in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold into their victims' networks. ProxyShell — tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 — involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker
The Hacker News
April 20, 2022
Night Sky Ransomware’s Ride From Dusk Till Dawn Full Text
Abstract
A recent report by Vedere Labs provides several details about Night Sky, whose samples were first spotted in January during a short campaign that targeted two victims from Bangladesh and Japan.
Cyware Alerts - Hacker News
April 19, 2022
Kaspersky releases a free decryptor for Yanluowang ransomware Full Text
Abstract
Kaspersky discovered a flaw in the encryption process of the Yanluowang ransomware that allows victims to recover their files for free. Researchers from Kaspersky discovered a vulnerability in the encryption process of the Yanluowang ransomware that...
Security Affairs
April 19, 2022
Night Sky: A Short-Lived Threat from a Long-Lived Threat Actor Full Text
Abstract
Night Sky was discovered to be a fork of a ransomware family called Rook, which was itself derived from the leaked source code of Babuk and deployed by the same threat actor that used LockFile and AtomSilo, which share the same decryption tool.
Forescout
April 19, 2022
Conti Ransomware’s Toll on the Healthcare Industry – Krebs on Security Full Text
Abstract
According to recently revealed information, Conti has launched more than 200 attacks against hospitals and other healthcare facilities since first surfacing in 2018 under its earlier name, “Ryuk.”
Krebs on Security
April 18, 2022
Free decryptor released for Yanluowang ransomware victims Full Text
Abstract
Kaspersky today revealed it found a vulnerability in Yanluowang ransomware's encryption algorithm, which makes it possible to recover files it encrypts.
BleepingComputer
April 15, 2022
The Week in Ransomware - April 15th 2022 - Encrypting Russia Full Text
Abstract
While countries worldwide have been the frequent target of ransomware attacks, Russia and CIS countries have been avoided by threat actors. The tables have turned with the NB65 hacking group modifying the leaked Conti ransomware to use in attacks on Russian entities.
BleepingComputer
April 15, 2022
Analysis of the SunnyDay ransomware Full Text
Abstract
Segurança-Informatica published an analysis of a recent sample of SunnyDay ransomware. As a result of the work, some similarities between other ransomware samples such as Ever101, Medusa Locker, Curator, and Payment45 were found.
Security Affairs
April 15, 2022
Analysis of the SunnyDay ransomware Full Text
Abstract
The analysis of a recent sample of SunnyDay ransomware revealed some similarities with other ransomware, such as Ever101, Medusa Locker, Curator, and Payment45. Segurança-Informatica published an analysis of a recent sample of SunnyDay ransomware. As a result...
Security Affairs
April 10, 2022
NB65 group targets Russia with a modified version of Conti’s ransomware Full Text
Abstract
The NB65 hacking group created its ransomware based on the leaked source code of the Conti ransomware and targets Russia. According to BleepingComputer, the NB65 hacking group is targeting Russian organizations with ransomware that they have developed using...
Security Affairs
April 08, 2022
Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity Full Text
Abstract
Cybersecurity researchers have uncovered further links between BlackCat (aka AlphaV) and BlackMatter ransomware families, the former of which emerged as a replacement following international scrutiny last year. "At least some members of the new BlackCat group have links to the BlackMatter group, because they modified and reused a custom exfiltration tool [...] and which has only been observed in BlackMatter activity," Kaspersky researchers said in a new analysis. The tool, dubbed Fendr, has not only been upgraded to include more file types but also used by the gang extensively to steal data from corporate networks in December 2021 and January 2022 prior to encryption, in a popular tactic called double extortion. The findings come less than a month after Cisco Talos researchers identified overlaps in the tactics, techniques, and procedures (TTPs) between BlackCat and BlackMatter, describing the new ransomware variant as a case of "vertical business expansion.
The Hacker News
April 5, 2022
IPfuscation is Hive’s New Technique to Evade Detection Full Text
Abstract
Hive ransomware gang is using a new IPfuscation tactic to hide its payload wherein they hide 64-bit Windows executables in the form of an array of ASCII IPv4 addresses. Additionally, the researchers spotted additional IPfuscation variants using IPv6 instead of IPv4 addresses, UUIDs, and MAC addres ...
Cyware Alerts - Hacker News
April 2, 2022
Hive Ransomware Evolves to Add Many New Features Full Text
Abstract
Hive is a relatively new ransomware outfit that made its appearance in late June 2021. It gained notoriety through over 350 attacks on organizations across several sectors.
Cyware Alerts - Hacker News
April 2, 2022
Scammers are Exploiting Ukraine Donations Full Text
Abstract
Scammers are exploiting the current events in Ukraine especially after the official Ukrainian Twitter account tweeted Bitcoin and Ethereum wallet addresses for donations.
McAfee
April 01, 2022
The Week in Ransomware - April 1st 2022 - ‘I can fight with a keyboard’ Full Text
Abstract
While ransomware is still conducting attacks and all companies must stay alert, ransomware news has been relatively slow this week. However, there were still some interesting stories that we outline below.
BleepingComputer
April 1, 2022
Hive Ransomware Ported to Rust, Encryptor Updated Full Text
Abstract
Hive ransomware actors ported their Linux encryptor to the Rust programming language to target VMware ESXi servers. Additionally, they have added new features to make it difficult for security researchers to snoop on victims’ ransom negotiations, which they appear to have copied from BlackCat. Organizatio ...
Cyware Alerts - Hacker News
March 31, 2022
SunCrypt Ransomware Now Comes With Upgraded Features Full Text
Abstract
SunCrypt—a RaaS that came to prominence in mid-2020—was one of the first threat actors to implement triple extortion in its campaigns. It is a small RaaS, operating with a close circle of affiliates.
Cyware Alerts - Hacker News
March 31, 2022
New Python-based Ransomware Targeting JupyterLab Web Notebooks Full Text
Abstract
Researchers have disclosed what they say is the first-ever Python-based ransomware strain specifically designed to target exposed Jupyter notebooks, a web-based interactive computing platform that allows editing and running programs via a browser. "The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack," Assaf Morag, a data analyst at Aqua Security, said in a report. The new ransomware sample, which the cloud security firm detected after it was trapped in one of its honeypot servers, is said to have been executed after the unnamed adversary gained access to the server and downloaded the necessary tools required to carry out the encryption process by opening a terminal. Aqua Security characterized the attack as "simple and straightforward," unlike other traditional ransomware-as-a-service (RaaS) schemes, add
The Hacker News
March 30, 2022
Hive ransomware uses new ‘IPfuscation’ trick to hide payload Full Text
Abstract
Threat analysts have discovered a new obfuscation technique used by the Hive ransomware gang, involving IPv4 addresses and a series of conversions that eventually lead to downloading Cobalt Strike beacons.
BleepingComputer
March 29, 2022
Lockbit Beats Conti and Ryuk in Encryption Speed Test Full Text
Abstract
A new study by Splunk has found that modern-day ransomware, such as LockBit, is capable of encrypting around 25,000 files in just one minute. The time window is so small that before an organization realizes the effect, the ransomware would have done its job.
Cyware Alerts - Hacker News
March 28, 2022
Hive ransomware ports its encryptor to Rust programming language Full Text
Abstract
The Hive ransomware gang ported its encryptor to the Rust programming language and implemented new features. The Hive ransomware operation has developed a Rust version of their encryptor and added new features to prevent the curious from snooping on the victim's...
Security Affairs
March 28, 2022
SunCrypt ransomware is still alive and kicking in 2022 Full Text
Abstract
SunCrypt, a ransomware-as-a-service (RaaS) operation that reached prominence in mid-2020, is reportedly still active, even if barely, as its operators continue to work on giving its strain new capabilities.
BleepingComputer
March 27, 2022
Hive ransomware ports its Linux VMware ESXi encryptor to Rust Full Text
Abstract
The Hive ransomware operation has converted its VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victims' ransom negotiations.
BleepingComputer
March 26, 2022
Conti Ransomware Attacks Persist With an Updated Version Despite Leaks Full Text
Abstract
The most recent Conti ransomware update introduced a number of new features and changes to the ransomware code. Some of these modifications include new command-line arguments.
Security Boulevard
March 26, 2022
Ransomware infections follow precursor malware Full Text
Abstract
A ransomware infection is usually preceded by what Lumu founder and CEO Ricardo Villadiego calls "precursor malware," essentially reconnaissance malicious code that has been around for a while.
The Register
March 23, 2022
DeadBolt Ransomware Resurfaces to Hit QNAP Again Full Text
Abstract
A new steady stream of attacks against network-attached storage devices from the Taiwan-based vendor is similar to a wave that occurred in January.
Threatpost
March 23, 2022
Ten notorious ransomware strains put to the encryption speed test Full Text
Abstract
Researchers have conducted a technical experiment, testing ten ransomware variants to determine how fast they encrypt files and evaluate how feasible it would be to timely respond to their attacks.
BleepingComputer
March 22, 2022
Another Source Code Leak for Conti Ransomware Full Text
Abstract
New source code for the Russia-based Conti ransomware operation has been leaked on Twitter—as revenge for the ongoing war—by the Ukrainian researcher named Conti Leaks. The source code leak is a Visual Studio solution that can be decompiled easily, thus allowing anyone to compile the code and the ...
Cyware Alerts - Hacker News
March 20, 2022
Newer Conti ransomware source code leaked out of revenge Full Text
Abstract
A Ukrainian security researcher has leaked newer malware source code from the Conti ransomware operation in revenge for the cybercriminals siding with Russia on the invasion of Ukraine.
BleepingComputer
March 19, 2022
Emsisoft releases free decryptor for the victims of the Diavol ransomware Full Text
Abstract
Cybersecurity firm Emsisoft released a free decryptor that allows the victims of the Diavol ransomware to recover their files without paying a ransom. Cybersecurity firm Emsisoft has released a free decryption tool to help Diavol ransomware victims...
Security Affairs
March 18, 2022
The Week in Ransomware - March 18th 2022 - Targeting the auto industry Full Text
Abstract
This week, the automotive industry has been under attack, with numerous companies exhibiting signs of breaches or ransomware activity.
BleepingComputer
March 18, 2022
Free decryptor released for TrickBot gang’s Diavol ransomware Full Text
Abstract
Cybersecurity firm Emsisoft has released a free decryption tool to help Diavol ransomware victims recover their files without paying a ransom.
BleepingComputer
March 18, 2022
These four types of ransomware make up nearly three-quarters of reported incidents Full Text
Abstract
Ransomware causes problems no matter what brand it is, but some forms are noticeably more prolific than others, with four strains of the malware accounting for a combined total of almost 70% of all attacks.
ZDNet
March 17, 2022
Around 34 Ransomware Variants Detected In Q4 2021 Full Text
Abstract
The ransomware landscape witnessed 34 different variants in approximately 722 distinct attacks, with LockBit 2.0, Conti, and PYSA occupying the top three places. In comparison to Q3 2021 data, the attacks on the manufacturing sector have declined while consumer and industrial products rose by ...
Cyware Alerts - Hacker News
March 15, 2022
Nearly 34 Ransomware Variants Observed in Hundreds of Cyberattacks in Q4 2021 Full Text
Abstract
As many as 722 ransomware attacks were observed during the fourth quarter of 2021, with LockBit 2.0, Conti, PYSA, Hive, and Grief emerging as the most prevalent strains, according to new research published by Intel 471. The attacks mark an increase of 110 and 129 attacks from the third and second quarters of 2021, respectively. In all, 34 different ransomware variants were detected during the three-month period between October and December 2021. "The most prevalent ransomware strain in the fourth quarter of 2021 was LockBit 2.0, which was responsible for 29.7% of all reported incidents, followed by Conti at 19%, PYSA at 10.5%, and Hive at 10.1%," the researchers said in a report shared with The Hacker News. Some of the most impacted sectors during the quarterly period were consumer and industrial products; manufacturing; professional services and consulting; real estate; life sciences and health care; technology, media and telecommunications; energy, resources and agric
The Hacker News
March 04, 2022
The Week in Ransomware - March 4th 2022 - The Conti Leaks Full Text
Abstract
This week's biggest story is the massive data leak from the Conti ransomware operation, including over 160,000 internal messages between members and source code for the ransomware and TrickBot operation.
BleepingComputer
March 3, 2022
Avast released a free decryptor for the HermeticRansom that hit Ukraine Full Text
Abstract
Avast released a decryptor for the HermeticRansom ransomware used in recent targeted attacks against Ukrainian entities. Avast has released a free decryptor for the HermeticRansom ransomware employed in targeted attacks against Ukrainian systems since...
Security Affairs
March 03, 2022
Free decryptor released for HermeticRansom victims in Ukraine Full Text
Abstract
Avast Threat Labs has released a decryptor for the HermeticRansom ransomware strain used predominately in targeted attacks against Ukrainian systems in the past ten days.
BleepingComputer
March 01, 2022
Conti Ransomware source code leaked by Ukrainian researcher Full Text
Abstract
A Ukrainian researcher continues to deal devastating blows to the Conti ransomware operation, leaking further internal conversations, as well as the source for their ransomware, administrative panels, and more.
BleepingComputer
February 28, 2022
DeadBolt Ransomware Eyeing ASUSTOR Devices Full Text
Abstract
Deadbolt ransomware hackers crippled the networks of ASUSTOR NAS drive users and attempted to extort 0.03 BTC for the release of a decryption key. Multiple reports indicate that the AS6102T, AS6602T, AS5304T, AS5304T, and AS-6210T-4K models are unaffected. Meanwhile, ASUSTOR is planning to release ...
Cyware Alerts - Hacker News
February 27, 2022
Researchers Find Similarities Between Dridex Trojan and Entropy Ransomware Full Text
Abstract
A pair of recent cyberattacks targeting a North American media organization and a regional government entity had deployed the Dridex trojan on targeted systems before launching the Entropy ransomware.
Cyware Alerts - Hacker News
February 24, 2022
Warning — Deadbolt Ransomware Targeting ASUSTOR NAS Devices Full Text
Abstract
ASUSTOR network-attached storage (NAS) devices have become the latest victim of Deadbolt ransomware, less than a month after similar attacks singled out QNAP NAS appliances. In response to the infections, the company has released firmware updates (ADM 4.0.4.RQO2) to "fix related security issues." The company is also urging users to take the following actions to keep data secure: change your password and use a strong password; change the default HTTP and HTTPS ports (the defaults are 8000 and 8001 respectively); change the web server ports (the defaults are 80 and 443); turn off Terminal/SSH and SFTP services and any other services you do not use; and make regular backups and ensure backups are up to date. The attacks primarily affect internet-exposed ASUSTOR NAS models running ADM operating systems including, but not limited to, AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, and AS1104T. Much like the intrusions targeting QNAP NAS devices, the threat actors claim t
The Hacker News
February 23, 2022
Sophos linked Entropy ransomware to Dridex malware. Are both linked to Evil Corp? Full Text
Abstract
The code of the recently-emerged Entropy ransomware has similarities with the one of the infamous Dridex malware. The recently-emerged Entropy ransomware has code similarities with the popular Dridex malware. Experts from Sophos analyzed the code...
Security Affairs
February 23, 2022
Ransomware extortion doesn’t stop after paying the ransom Full Text
Abstract
A global survey that looked into the experience of ransomware victims highlights the lack of trustworthiness of ransomware actors, as in most cases of paying the ransom, the extortion simply continues.
BleepingComputer
February 23, 2022
Entropy ransomware linked to Evil Corp’s Dridex malware Full Text
Abstract
Analysis of the recently-emerged Entropy ransomware reveals code-level similarities with the general purpose Dridex malware that started as a banking trojan.
BleepingComputer
February 23, 2022
LockBit, Conti most active ransomware targeting industrial sector Full Text
Abstract
Ransomware attacks extended into the industrial sector last year to such a degree that this type of incident became the number one threat in the industrial sector.
BleepingComputer
February 21, 2022
A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files Full Text
Abstract
Researchers discovered a flaw in the encryption algorithm used by Hive ransomware that allowed them to decrypt data. Researchers discovered a flaw in the encryption algorithm used by Hive ransomware that allowed them to decrypt data without knowing...
Security Affairs
February 19, 2022
Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm Full Text
Abstract
Researchers have detailed what they call the "first successful attempt" at decrypting data infected with Hive ransomware without relying on the private key used to lock access to the content. "We were able to recover the master key for generating the file encryption key without the attacker's private key, by using a cryptographic vulnerability identified through analysis," a group of academics from South Korea's Kookmin University said in a new paper analyzing its encryption process. Hive, like other cybercriminal groups, operates a ransomware-as-a-service that uses different mechanisms to compromise business networks, exfiltrate data, and encrypt data on the networks, and attempts to collect a ransom in exchange for access to the decryption software. It was first observed in June 2021, when it struck a company called Altus Group. Hive leverages a variety of initial compromise methods, including vulnerable RDP servers, compromised VPN credentials,
The Hacker News
February 18, 2022
Master Decryption Keys Released for Multiple Ransomware Full Text
Abstract
The master decryption keys for Maze, Egregor, and Sekhmet ransomware victims were released, as claimed, by one of the developers of the three ransomware. The poster on the forum said that this was a planned leak and did not have any relation to law enforcement operations. Though, experts suspect th ...
Cyware Alerts - Hacker News
February 11, 2022
The Week in Ransomware - February 11th 2022 - Maze, Egregor decryptors Full Text
Abstract
We saw the Maze ransomware developers reemerge briefly this week as they shared the master decryption keys for the Egregor, Maze, and Sekhmet ransomware operations.
BleepingComputer
February 10, 2022
Decryptor Keys Published for Maze, Egregor, Sekhmet Ransomwares Full Text
Abstract
The Maze gang are purportedly never going back to ransomware and have destroyed all of their ransomware source code, said somebody claiming to be the developer.
Threatpost
February 9, 2022
Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online Full Text
Abstract
The master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the BleepingComputer forums. The master decryption keys for the Maze, Egregor, and Sekhmet ransomware families were released on the BleepingComputer...
Security Affairs
February 09, 2022
Ransomware dev releases Egregor, Maze master decryption keys Full Text
Abstract
The master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the BleepingComputer forums by the alleged malware developer.
BleepingComputer
February 7, 2022
LockBit, BlackCat, Swissport, Oh My! Ransomware Activity Stays Strong Full Text
Abstract
However, groups are rebranding and recalibrating their profiles and tactics to respond to law enforcement and the security community’s focus on stopping ransomware attacks.
Threatpost
February 7, 2022
Newly Found Sugar Ransomware is Now Being Offered as RaaS Full Text
Abstract
The cyber threat team at retail giant Walmart has uncovered the new ransomware family Sugar, which is now being made available to cybercriminals as a Ransomware-as-a-Service (RaaS).
Cyware Alerts - Hacker News
February 05, 2022
BlackCat (ALPHV) ransomware linked to BlackMatter, DarkSide gangs Full Text
Abstract
The Black Cat ransomware gang, also known as ALPHV, has confirmed they are former members of the notorious BlackMatter/DarkSide ransomware operation.
BleepingComputer
February 04, 2022
The Week in Ransomware - February 4th 2022 - Critical Infrastructure Full Text
Abstract
Critical infrastructure suffered ransomware attacks, with threat actors targeting an oil petrol distributor and oil terminals in major ports in different attacks.
BleepingComputer
February 04, 2022
A look at the new Sugar ransomware demanding low ransoms Full Text
Abstract
A new Sugar Ransomware operation actively targets individual computers, rather than corporate networks, with low ransom demands.
BleepingComputer
February 2, 2022
Sugar Ransomware, a new RaaS in the threat landscape Full Text
Abstract
The cyber security team at retail giant Walmart dissected a new ransomware family dubbed Sugar, which implements a ransomware-as-a-service model. The cyber threat team at retail giant Walmart has analyzed a new ransomware family dubbed Sugar, which is offered...
Security Affairs
January 31, 2022
LockBit Ransomware Gets a Linux Version Full Text
Abstract
The new version uses a combination of AES and ECC algorithms for encryption. It includes commands for encrypting VM images on ESXi servers. However, the ransom note is similar to the ones associated with LockBit.
Cyware Alerts - Hacker News
January 31, 2022
QNAP: DeadBolt ransomware exploits a bug patched in December Full Text
Abstract
Taiwan-based network-attached storage (NAS) maker QNAP urges customers to enable firmware auto-updating on their devices to defend against active attacks.
BleepingComputer
January 28, 2022
The Week in Ransomware - January 28th 2022 - Get NAS devices off the Internet Full Text
Abstract
It's been a busy week with ransomware attacks tied to political protests, new attacks on NAS devices, amazing research released about tactics, REvil's history, and more.
BleepingComputer
January 27, 2022
QNAP Warns of DeadBolt Ransomware Targeting Internet-Facing NAS Devices Full Text
Abstract
Taiwanese company QNAP has warned customers to secure network-attached storage (NAS) appliances and routers against a new ransomware variant called DeadBolt. "DeadBolt has been widely targeting all NAS exposed to the Internet without any protection and encrypting users' data for Bitcoin ransom," the company said. "QNAP urges all QNAP NAS users to […] immediately update QTS to the latest available version." A query on IoT search engine Censys shows that at least 3,687 devices have been encrypted by the DeadBolt ransomware so far, with most NAS devices located in the U.S., Taiwan, France, Italy, the U.K., Hong Kong, Germany, the Netherlands, Poland, and South Korea. In addition, QNAP is also urging users to check if their NAS devices are public-facing, and if so, take steps to turn off the port forwarding function of the router and disable the Universal Plug and Play (UPnP) function of the QNAP NAS. The advisory comes as Bleeping Computer revealed t
The Hacker News
January 27, 2022
Experts analyze first LockBit ransomware for Linux and VMware ESXi Full Text
Abstract
LockBit expands its operations by implementing a Linux version of LockBit ransomware that targets VMware ESXi servers. LockBit is the latest ransomware operation to add support for Linux systems; experts spotted a new version that targets VMware...
Security Affairs
January 26, 2022
Linux version of LockBit ransomware targets VMware ESXi servers Full Text
Abstract
LockBit is the latest ransomware gang whose Linux encryptor has been discovered to be focusing on the encryption of VMware ESXi virtual machines.
BleepingComputer
January 26, 2022
New DeadBolt ransomware targets QNAP NAS devices Full Text
Abstract
New malware is targeting QNAP NAS devices: the DeadBolt ransomware, which asks 50 BTC for a master key. DeadBolt ransomware is targeting QNAP NAS devices worldwide; its operators claim the availability of a zero-day exploit that allows them...
Security Affairs
January 26, 2022
QNAP warns of new DeadBolt ransomware encrypting NAS devices Full Text
Abstract
QNAP is warning customers again to secure their Internet-exposed Network Attached Storage (NAS) devices to defend against ongoing and widespread attacks targeting their data with the new DeadBolt ransomware strain.
BleepingComputer
January 25, 2022
New DeadBolt ransomware targets QNAP devices, asks 50 BTC for master key Full Text
Abstract
A new DeadBolt ransomware group is encrypting QNAP NAS devices worldwide using what they claim is a zero-day vulnerability in the device's software.
BleepingComputer
January 21, 2022
The Week in Ransomware - January 21st 2022 - Arrests, Wipers, and More Full Text
Abstract
It has been quite a busy week with ransomware, with law enforcement making arrests, data-wiping attacks, and the return of the Qlocker ransomware.
BleepingComputer
January 19, 2022
Is White Rabbit ransomware linked to FIN8 financially motivated group? Full Text
Abstract
A new ransomware gang named White Rabbit appeared in the threat landscape; experts believe it is linked to the FIN8 hacking group. A new ransomware gang called 'White Rabbit' launched its operations and, according to the experts, it is likely linked...
Security Affairs
January 18, 2022
‘White Rabbit’ Ransomware May Be FIN8’s Latest Tool Full Text
Abstract
It’s a double-extortion play that uses the command-line password ‘KissMe’ to hide its nasty acts and adorns its ransom note with cutesy ASCII bunny art.
Threatpost
January 18, 2022
TellYouThePass Uses Golang to Expand its Attack Surface Full Text
Abstract
A relatively inactive TellYouThePass ransomware has re-emerged as a Golang-compiled malware, making it easier for threat actors to target a wide range of operating systems, including macOS and Linux. Hackers demand 0.05 Bitcoin, presently converting to around $2,150, for the decryption tool. Tell ...
Cyware Alerts - Hacker News
January 18, 2022
New White Rabbit ransomware linked to FIN8 hacking group Full Text
Abstract
A new ransomware family called 'White Rabbit' appeared in the wild recently, and according to recent research findings, could be a side-operation of the FIN8 hacking group.
BleepingComputer
January 18, 2022
Europol shuts down VPN service used by ransomware groups Full Text
Abstract
Law enforcement authorities from 10 countries took down VPNLab.net, a VPN service provider used by ransomware operators and malware actors.
BleepingComputer
January 18, 2022
White Rabbit Ransomware Borrows Technique Used by Egregor to Hide from Malware Analysis Full Text
Abstract
One of the most notable aspects of White Rabbit is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine.
Trend Micro
January 17, 2022
New Night Sky Ransomware Enters Corporate Ransom Attack Scene Full Text
Abstract
A newly launched Night Sky ransomware has started exploiting one of the critical flaws in the Log4j logging library to compromise VMware Horizon servers. Its Tor leak site shows one victim from Bangladesh and another from Japan. Ransomware operators continue to grow as multiple new ransomwa ...
Cyware Alerts - Hacker News
January 15, 2022
Qlocker ransomware returns to target QNAP NAS devices worldwide Full Text
Abstract
Threat actors behind the Qlocker ransomware are once again targeting Internet-exposed QNAP Network Attached Storage (NAS) devices worldwide.
BleepingComputer
January 14, 2022
The Week in Ransomware - January 14th 2022 - Russia finally takes action Full Text
Abstract
Today, the Russian government announced that they arrested fourteen members of the REvil ransomware gang on behalf of US authorities.
BleepingComputer
January 13, 2022
Ransomware Attack at Maryland Health Agency Leads to Service Outages Full Text
Abstract
Maryland officials confirmed on Wednesday that the state's Department of Health is dealing with a devastating ransomware attack, which has left hospitals struggling amid a surge of COVID-19 cases.Security Week
January 12, 2022
TellYouThePass Ransomware Analysis Reveals Modern Reinterpretation Using Golang Full Text
Abstract
TellYouThePass ransomware, discovered in 2019, recently re-emerged compiled using Golang. The popularity of Golang among malware developers makes cross-platform development more accessible.Crowdstrike
January 12, 2022
Magniber ransomware using signed APPX files to infect systems Full Text
Abstract
The Magniber ransomware has been spotted using Windows application package files (.APPX) signed with valid certificates to drop malware pretending to be Chrome and Edge web browser updates.BleepingComputer
January 12, 2022
TellYouThePass ransomware returns as a cross-platform Golang threat Full Text
Abstract
TellYouThePass ransomware has re-emerged as a Golang-compiled malware, making it easier to target major platforms beyond Windows, like macOS and Linux.BleepingComputer
January 11, 2022
Night Sky ransomware operators exploit Log4Shell to target hack VMware Horizon servers Full Text
Abstract
Another gang, Night Sky ransomware operation, started exploiting the Log4Shell vulnerability in the Log4j library to gain access to VMware Horizon systems. The Night Sky ransomware operation started exploiting the Log4Shell flaw (CVE-2021-44228) in the Log4j...Security Affairs
January 11, 2022
AvosLocker ransomware now targets Linux systems, including ESXi servers Full Text
Abstract
AvosLocker is the latest ransomware that implemented the capability to encrypt Linux systems including VMware ESXi servers. AvosLocker expands its targets by implementing the support for encrypting Linux systems, specifically VMware ESXi servers,...Security Affairs
January 11, 2022
Night Sky ransomware uses Log4j bug to hack VMware Horizon servers Full Text
Abstract
The Night Sky ransomware gang has started to exploit the critical CVE-2021-44228 vulnerability in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems.BleepingComputer
January 10, 2022
Linux version of AvosLocker ransomware targets VMware ESXi servers Full Text
Abstract
AvosLocker is the latest ransomware gang that has added support for encrypting Linux systems to its recent malware variants, specifically targeting VMware ESXi virtual machines.BleepingComputer
January 07, 2022
The Week in Ransomware - January 7th 2022 - Watch out for USB drives Full Text
Abstract
With the holidays these past two weeks, there have been only a few known ransomware attacks and little research released. Here is what we know.BleepingComputer
January 07, 2022
QNAP warns of ransomware targeting Internet-exposed NAS devices Full Text
Abstract
QNAP has warned customers today to secure Internet-exposed network-attached storage (NAS) devices immediately from ongoing ransomware and brute-force attacks.BleepingComputer
January 06, 2022
Night Sky is the latest ransomware targeting corporate networks Full Text
Abstract
It's a new year, and with it comes a new ransomware to keep an eye on called 'Night Sky' that targets corporate networks and steals data in double-extortion attacks.BleepingComputer
January 4, 2022
Newly Discovered Lapsus$ Ransomware Targets Several Organizations in a Month Full Text
Abstract
Ransomware operators are back in business with the advent of 2022. Hardly one week of the year had passed, when researchers raised an alarm about a newly discovered Lapsus$ ransomware.Cyware Alerts - Hacker News
December 28, 2021
A Rookie Ransomware Reflects the Characteristics of Babuk Full Text
Abstract
A new ransomware variant, dubbed Rook, that borrows source code from Babuk has surfaced. It is being primarily delivered via fake torrent downloads as well as phishing emails in some cases. At present, its data leak site shows two victims, a bank and an Indian aviation and aerospace specialist. The ... Read MoreCyware Alerts - Hacker News
December 27, 2021
AvosLocker Ransomware Surprises with New Tactics Full Text
Abstract
AvosLocker ransomware combines the AnyDesk remote administration tool with the Windows Safe Mode feature to bypass security protections of computer systems, revealed Sophos Labs. The latest variant has a Linux component that targets VMware ESXi hypervisor servers by terminating any virtual machines. Analysts ... Read MoreCyware Alerts - Hacker News
December 25, 2021
New Rook Ransomware borrows code from Babuk Full Text
Abstract
A recently launched ransomware operation, named Rook, made headlines for its announcement claiming a desperate need for a lot of money. A new ransomware operation named Rook appeared in the threat landscape, it was first reported by researcher Zach Allen...Security Affairs
December 24, 2021
The Week in Ransomware - December 24th 2021 - No rest for the weary Full Text
Abstract
The holiday season is here, but there is no rest for our weary admins as ransomware gangs are still conducting attacks over the Christmas and New Years breaks.BleepingComputer
December 24, 2021
Rook ransomware is yet another spawn of the leaked Babuk code Full Text
Abstract
A new ransomware operation named Rook has appeared recently on the cyber-crime space, declaring a desperate need to make "a lot of money" by breaching corporate networks and encrypting devices.BleepingComputer
December 24, 2021
New Ransomware Variants Flourish Amid Law Enforcement Actions Full Text
Abstract
Ransomware groups continue to evolve their tactics and techniques to deploy file-encrypting malware on compromised systems, notwithstanding law enforcement's disruptive actions against the cybercrime gangs to prevent them from victimizing additional companies. "Be it due to law enforcement, infighting amongst groups or people abandoning variants altogether, the RaaS [ransomware-as-a-service] groups dominating the ecosystem at this point in time are completely different than just a few months ago," Intel 471 researchers said in a report published this month. "Yet, even with the shift in the variants, ransomware incidents as a whole are still on the rise." Sweeping law enforcement operations undertaken by government agencies in recent months have brought about rapid shifts in the RaaS landscape and turned the tables on ransomware syndicates like Avaddon, BlackMatter, Cl0p, DarkSide, Egregor, and REvil, forcing the actors to slow down or shut down thThe Hacker News
December 23, 2021
AvosLocker ransomware reboots in Safe Mode and installs tools for remote access Full Text
Abstract
In a recent wave of attacks, AvosLocker ransomware is rebooting systems into Windows Safe Mode to disable endpoint security solutions. Sophos experts monitoring AvosLocker ransomware attacks, noticed that the malware is rebooting compromised systems...Security Affairs
December 21, 2021
PYSA ransomware behind most double extortion attacks in November Full Text
Abstract
Security analysts from NCC Group report that ransomware attacks in November 2021 increased over the past month, with double-extortion continuing to be a powerful tool in threat actors' arsenal.BleepingComputer
December 21, 2021
Hive Ransomware Growing at an Accelerated Pace Full Text
Abstract
A recent report has revealed that the Hive Ransomware-as-a-Service (RaaS) is aggressively expanding its operations, and has targeted hundreds of organizations since its first appearance in June.Cyware Alerts - Hacker News
December 19, 2021
TellYouThePass ransomware resurges and exploits Log4Shell in recent attacks Full Text
Abstract
The TellYouThePass ransomware resurged and exploits the Apache Log4j flaw (Log4Shell) to target both Linux and Windows systems. Researchers from KnownSec 404 Team and Sangfor Threat Intelligence Team reported that the TellYouThePass ransomware resurged...Security Affairs
December 17, 2021
Convergence Ahoy: Get Ready for Cloud-Based Ransomware Full Text
Abstract
Oliver Tavakoli, CTO at Vectra AI, takes us inside the coming nexus of ransomware, supply-chain attacks and cloud deployments.Threatpost
December 17, 2021
Ransomware Attackers Have ‘Industry Standards’ Too Full Text
Abstract
In July 2021, KELA discovered 48 discussion threads on dark web marketplaces. From those threads, KELA determined that ransomware actors look for certain criteria when looking to purchase accesses.Security Intelligence
December 17, 2021
The Week in Ransomware - December 17th 2021 - Enter Log4j Full Text
Abstract
A critical Apache Log4j vulnerability took the world by storm this week, and now it is being used by threat actors as part of their ransomware attacks.BleepingComputer
December 17, 2021
TellYouThePass ransomware revived in Linux, Windows Log4j attacks Full Text
Abstract
Threat actors have revived an old and relatively inactive ransomware family known as TellYouThePass, deploying it in attacks against Windows and Linux devices targeting a critical remote code execution bug in the Apache Log4j library.BleepingComputer
December 17, 2021
Conti ransomware uses Log4j bug to hack VMware vCenter servers Full Text
Abstract
Conti ransomware operation is using the critical Log4Shell exploit to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines.BleepingComputer
December 16, 2021
Microsoft: Khonsari ransomware hits self-hosted Minecraft servers Full Text
Abstract
Microsoft urges admins of self-hosted Minecraft servers to upgrade to the latest release to defend against Khonsari ransomware attacks exploiting the critical Log4Shell security vulnerability.BleepingComputer
December 16, 2021
Hive ransomware enters big league with hundreds breached in four months Full Text
Abstract
The Hive ransomware gang is more active and aggressive than its leak site shows, with affiliates attacking an average of three companies every day since the operation became known in late June.BleepingComputer
December 15, 2021
The Strategic Intelligence Value of Ransomware Full Text
Abstract
Foreign intelligence services can siphon a wealth of information from ransomware operations that are of operational and strategic value.Lawfare
December 14, 2021
New ransomware now being deployed in Log4Shell attacks Full Text
Abstract
The first public case of the Log4j Log4Shell vulnerability used to download and install ransomware has been discovered by researchers.BleepingComputer
December 14, 2021
Hackers exploit Log4Shell to drop Khonsari Ransomware on Windows systems Full Text
Abstract
Bitdefender researchers discovered that threat actors are attempting to exploit the Log4Shell flaw to deliver the new Khonsari ransomware on Windows machines. Bitdefender researchers discovered that threat actors are attempting to exploit the Log4Shell...Security Affairs
December 14, 2021
Inside Ireland’s Public Healthcare Ransomware Scare – Krebs on Security Full Text
Abstract
The consulting firm PricewaterhouseCoopers recently published lessons learned from the disruptive and costly ransomware attack in May 2021 on Ireland’s public health system.Krebs on Security
December 13, 2021
Kronos ransomware attack may cause weeks of HR solutions downtime Full Text
Abstract
Workforce management solutions provider Kronos has suffered a ransomware attack that will likely disrupt many of their cloud-based solutions for weeks.BleepingComputer
December 11, 2021
BlackCat: A New Sophisticated Ransomware in Rust Full Text
Abstract
Researchers unearth the first professional ransomware variant written in Rust, dubbed BlackCat. It can target Windows, Linux, and VMware ESXi systems. The threat group uses a double extortion model and looks for partners to whom it offers a huge 80%–90% ransom cut. As per claims, the author of Bl ... Read MoreCyware Alerts - Hacker News
December 10, 2021
BlackCat: A New Rust-based Ransomware Malware Spotted in the Wild Full Text
Abstract
Details have emerged about what is the first Rust-language-based ransomware strain spotted in the wild that has already amassed "some victims from different countries" since its launch last month. The ransomware, dubbed BlackCat, was disclosed by MalwareHunterTeam. "Victims can pay with Bitcoin or Monero," the researchers said in a series of tweets detailing the file-encrypting malware. "Also looks they are giving credentials to intermediaries" for negotiations. BlackCat, akin to many other variants that have sprung up before it, operates as a ransomware-as-a-service (RaaS), wherein the core developers recruit affiliates to breach corporate environments and encrypt files, but not before stealing the said documents in a double extortion scheme to pressure the targets into paying the requested amount or risk exposure of the stolen data should the companies refuse to pay up. Security researcher Michael Gillespie called it a "very sophisticatedThe Hacker News
December 10, 2021
The Week in Ransomware - December 10th 2021 - Project CODA Full Text
Abstract
This week has quite a bit of ransomware news, including arrests, a new and sophisticated ransomware, and an attack bringing down 300 supermarkets in England.BleepingComputer
December 09, 2021
ALPHV BlackCat - This year’s most sophisticated ransomware Full Text
Abstract
The new ALPHV ransomware operation, aka BlackCat, launched last month and could be the most sophisticated ransomware of the year, with a highly-customizable feature set allowing for attacks on a wide range of corporate environments.BleepingComputer
December 9, 2021
Revived Cerber Targets Confluence and GitLab Servers Full Text
Abstract
Cerber ransomware is active again with new attack tactics. This time it has been observed targeting remote code execution vulnerabilities in Atlassian Confluence and GitLab servers.Cyware Alerts - Hacker News
December 8, 2021
Emotet’s Behavior & Spread Are Omens of Ransomware Attacks Full Text
Abstract
The botnet, which resurfaced last month on the back of TrickBot, can now directly install Cobalt Strike on infected devices, giving threat actors direct access to targets.Threatpost
December 07, 2021
New Cerber ransomware targets Confluence and GitLab servers Full Text
Abstract
Cerber ransomware is back, as a new ransomware family adopts the old name and targets Atlassian Confluence and GitLab servers using remote code execution vulnerabilities.BleepingComputer
December 4, 2021
Thieflock and Yanluowang Ransomware Share Same Genes Full Text
Abstract
Symantec has reported a link between Thieflock and Yanluowang ransomware operations. The latter recently picked up its pace to target financial companies in the U.S. Researchers believe that the attackers are highly attack-oriented because the ransomware behavior hasn’t altered since its discovery ... Read MoreCyware Alerts - Hacker News
December 03, 2021
The Week in Ransomware - December 3rd 2021 - Seizing Bitcoin Full Text
Abstract
For this week's 'Week in Ransomware' article we have included the latest ransomware news over the past two weeks.BleepingComputer
December 2, 2021
Hospital Ransomware Attacks Go Beyond Health Care Data Full Text
Abstract
In a 2021 survey conducted of 597 health delivery organizations (HDOs), 42% had faced two ransomware attacks in the past couple of years. Over a third (36%) attributed those ransomware incidents to a third party.Security Intelligence
December 1, 2021
Sabbath Ransomware targets critical infrastructure in the US and Canada Full Text
Abstract
Sabbath ransomware is a new threat that has been targeting critical infrastructure in the United States and Canada since June 2021. A new ransomware group called Sabbath (aka UNC2190) has been targeting critical infrastructure in the United States...Security Affairs
December 01, 2021
Microsoft Exchange servers hacked to deploy BlackByte ransomware Full Text
Abstract
BlackByte ransomware actors were observed exploiting the ProxyShell set of vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to compromise Microsoft Exchange servers.BleepingComputer
November 30, 2021
Yanluowang Ransomware Tied to Thieflock Threat Actor Full Text
Abstract
Links between the tactics and tools demonstrated in attacks suggest a former affiliate has switched loyalties, according to new research.Threatpost
November 30, 2021
Yanluowang ransomware operation matures with experienced affiliates Full Text
Abstract
An affiliate of the recently discovered Yanluowang ransomware operation is focusing its attacks on U.S. organizations in the financial sector using BazarLoader malware in the reconnaissance stage.BleepingComputer
November 26, 2021
Marine services provider Swire Pacific Offshore hit by ransomware Full Text
Abstract
Swire Pacific Offshore (SPO) has discovered an unauthorized network infiltration onto its IT systems, resulting in the compromise of some employee data.BleepingComputer
November 19, 2021
The Week in Ransomware - November 19th 2021 - Targeting Conti Full Text
Abstract
While last week was full of arrests and law enforcement actions, this week has been much quieter, with mostly new research released.BleepingComputer
November 19, 2021
Ransomware is now a giant black hole that is sucking in all other forms of cybercrime Full Text
Abstract
Ransomware is considered by many experts to be the most pressing security risk facing businesses – and it's extremely lucrative for the gangs involved, with ransom payouts increasing significantly.ZDNet
November 18, 2021
New Memento ransomware switches to WinRar after failing at encryption Full Text
Abstract
A new ransomware group called Memento takes the unusual approach of locking files inside password-protected archives after their encryption method kept being detected by security software.BleepingComputer
November 15, 2021
The Best Ransomware Response, According to the Data Full Text
Abstract
An analysis of ransomware attack negotiation-data offers best practices.Threatpost
November 15, 2021
Looking at The Future of Ransomware Threats Full Text
Abstract
Multiple extortion tactics are expected to rise in intensity and range. Sophos cataloged 10 different types of pressure tactics. Cryptomining activity is also expected to continue as cryptocurrency rises in popularity.Cyware Alerts - Hacker News
November 12, 2021
The Week in Ransomware - November 12th 2021 - Targeting REvil Full Text
Abstract
This week, law enforcement struck a massive blow against the REvil ransomware operation, with multiple arrests announced and the seizure of cryptocurrency.BleepingComputer
November 11, 2021
Invest in These 3 Key Security Technologies to Fight Ransomware Full Text
Abstract
Ransomware volumes are up 1000%. Aamir Lakhani, cybersecurity researcher and practitioner at FortiGuard Labs, discusses secure email, network segmentation and sandboxing for defense.Threatpost
November 11, 2021
Designing a Proactive Ransomware Playbook for Today’s Threat Landscape Full Text
Abstract
Asset inventories and risk assessments are critical tools in defending against the increasing scourge of ransomware.Threatpost
November 05, 2021
The Week in Ransomware - November 5th 2021 - Placing bounties Full Text
Abstract
Law enforcement continues to keep up the pressure on ransomware operations with infrastructure hacks and million-dollar rewards, leading to the shut down of criminal operations.BleepingComputer
November 04, 2021
US targets DarkSide ransomware, rebrands with $10 million reward Full Text
Abstract
The US government is targeting the DarkSide ransomware and its rebrands with up to a $10,000,000 reward for information leading to the identification or arrest of members of the operation.BleepingComputer
November 4, 2021
Exmatter Tool Expedites BlackMatter’s Data Exfiltration Full Text
Abstract
BlackMatter ransomware group included a new data exfiltration tool called Exmatter to hasten its information-stealing process from victims' networks. The tool has been developed using the DotNet framework. Organizations are suggested to use robust anti-ransomware solutions to stay protected and sta ... Read MoreCyware Alerts - Hacker News
November 03, 2021
BlackMatter Ransomware Reportedly Shutting Down; Latest Analysis Released Full Text
Abstract
An analysis of new samples of BlackMatter ransomware for Windows and Linux has revealed the extent to which the operators have continually added new features and encryption capabilities in successive iterations over a three-month period. No fewer than 10 Windows and two Linux versions of the ransomware have been observed in the wild to date, Group-IB threat researcher Andrei Zhdanov said in a report shared with The Hacker News, pointing out the changes in the implementation of the ChaCha20 encryption algorithm used to encrypt the contents of the files. BlackMatter emerged in July 2021 boasting of incorporating the "best features of DarkSide, REvil, and LockBit" and is considered the successor to DarkSide, which has since shut down alongside REvil in the wake of law enforcement scrutiny. Operating as a ransomware-as-a-service (RaaS) model, BlackMatter is believed to have hit more than 50 companies in the U.S., Austria, Italy, France, Brazil, among others. WhatThe Hacker News
November 3, 2021
Chaos Ransomware Targeting Minecraft Gamers in Japan Full Text
Abstract
FortiGuard Labs found a Chaos ransomware variant being circulated on Japanese Minecraft forums. While this variant encrypts certain files, it completely destroys some. Gamers are recommended to stay alert while being offered such commodities on gaming forums.Cyware Alerts - Hacker News
November 03, 2021
BlackMatter ransomware moves victims to LockBit after shutdown Full Text
Abstract
With the BlackMatter ransomware operation shutting down, existing affiliates are moving their victims to the competing LockBit ransomware site for continued extortion.BleepingComputer
November 3, 2021
How Ransomware Operations Continue to Evolve Full Text
Abstract
Ransomware threats continue to be many criminals' weapon of choice for reliably shaking down victims small, medium, and large, in pursuit of a safe, easy and reliable payday.Gov Info Security
November 2, 2021
Hive Ransomware’s New Variants Target Linux and FreeBSD Systems Full Text
Abstract
ESET reported a new variant of the Hive ransomware that is targeting Linux and FreeBSD operating systems. Written in Go, the malware appears to be under development. Hive is known to target processes related to backups and antivirus or anti-spyware and terminates them.Cyware Alerts - Hacker News
November 2, 2021
From Thanos to Prometheus: When Ransomware Encryption Goes Wrong Full Text
Abstract
While rare, ransomware developers can make mistakes in implementing encryption, causing unintended flaws. Mistakes can occur when developers use patchwork code and lack appropriate expertise.Security Intelligence
November 1, 2021
The Pros and Cons of Mandating Reporting From Ransomware Victims Full Text
Abstract
The proposed reporting mandates are an insufficient solution to the right problem.Lawfare
October 30, 2021
Chaos ransomware targets gamers via fake Minecraft alt lists Full Text
Abstract
The Chaos Ransomware gang encrypts gamers' Windows devices through fake Minecraft alt lists promoted on gaming forums.BleepingComputer
October 29, 2021
Hive ransomware now encrypts Linux and FreeBSD systems Full Text
Abstract
The Hive ransomware gang now also encrypts Linux and FreeBSD using new malware variants specifically developed to target these platforms.BleepingComputer
October 29, 2021
ESET found a variant of the Hive ransomware that encrypts Linux and FreeBSD Full Text
Abstract
The Hive ransomware operators have developed a new variant of their malware that can encrypt Linux and FreeBSD. ESET researchers discovered a new Hive ransomware variant that was specifically developed to encrypt Linux and FreeBSD. Researchers at the cybersecurity...Security Affairs
October 27, 2021
Avast releases free decrypters for AtomSilo and LockFile ransomware families Full Text
Abstract
Security firm Avast released today decryptors for AtomSilo and LockFile ransomware that allow victims to recover their files for free. Cyber security firm Avast has released today decryption utilities for AtomSilo and LockFile ransomware that allow...Security Affairs
October 27, 2021
Free decryptor released for Atom Silo and LockFile ransomware Full Text
Abstract
Avast has just released a decryption tool that will help AtomSilo and LockFile ransomware victims recover some of their files for free, without having to pay a ransom.BleepingComputer
October 27, 2021
Avast released a free decryptor for Babuk ransomware Full Text
Abstract
Researchers from cybersecurity firm Avast released a decryption tool for Babuk ransomware that allows victims to recover their files for free. Cybersecurity firm Avast has released a decryption tool for Babuk ransomware that allows victims to recover...Security Affairs
October 26, 2021
Ranzy Locker Ransomware Attacked Over 30 U.S. Organizations in 2021 Full Text
Abstract
The gang has been active since at least 2020 and hit organizations from various industries. The attack vector most used by the ransomware operators is brute-force attempts on RDP endpoints.Security Affairs
October 25, 2021
Emsisoft created a free decryptor for past victims of the BlackMatter ransomware Full Text
Abstract
Experts from cybersecurity firm Emsisoft announced the availability of a free decryptor for past victims of the BlackMatter ransomware. Cybersecurity firm Emsisoft has released a free decryption tool for past victims of the BlackMatter ransomware....Security Affairs
October 24, 2021
BlackMatter ransomware victims quietly helped using secret decryptor Full Text
Abstract
Cybersecurity firm Emsisoft has been secretly decrypting BlackMatter ransomware victims since this summer, saving victims millions of dollars.BleepingComputer
October 22, 2021
The Week in Ransomware - October 22nd 2021 - Striking back Full Text
Abstract
Between law enforcement operations, REvil's second shut down, and ransomware gangs' response to the hacking of their servers, it has been quite the week.BleepingComputer
October 22, 2021
DarkSide ransomware rushes to cash out $7 million in Bitcoin Full Text
Abstract
Almost $7 million worth of Bitcoin in a wallet controlled by DarkSide ransomware operators has been moved in what looks like a money laundering rollercoaster.BleepingComputer
October 21, 2021
TA551 Shifts Tactics to Install Sliver Red-Teaming Tool Full Text
Abstract
A new email campaign from the threat group uses the attack-simulation framework in a likely leadup to ransomware deployment.Threatpost
October 21, 2021
Evil Corp rebrands their ransomware, this time it is Macaw Locker Full Text
Abstract
Evil Corp cybercrime gang is using a new ransomware called Macaw Locker to evade US sanctions that prevent victims from paying the ransom. Evil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from...Security Affairs
October 20, 2021
Yanluowang: New Player in the Ransomware Scene Full Text
Abstract
Symantec uncovered a new strain of ransomware, dubbed Yanluowang, targeting virtual machines in enterprises. The attackers behind the ransomware have used the genuine AdFind command line Active Directory query tool. Hackers further warned not to approach law enforcement for help.Cyware Alerts - Hacker News
October 19, 2021
Experts found many similarities between the new Karma Ransomware and Nemty variants Full Text
Abstract
Sentinel Labs experts have analyzed the new Karma ransomware and speculate it represents an evolution of the Nemty ransomware operation. Karma ransomware is a new threat that was first spotted in June of 2021, it is important to distinguish it from...Security Affairs
October 19, 2021
Trustwave released a free decryptor for the BlackByte ransomware Full Text
Abstract
Trustwave’s SpiderLabs researchers have released a free decryptor for the BlackByte ransomware that can allow victims to recover their files. Researchers from Trustwave’s SpiderLabs have released a decryptor that can allow victims of the BlackByte...Security Affairs
October 19, 2021
BlackByte ransomware decryptor released to recover files for free Full Text
Abstract
A free decryptor for the BlackByte ransomware has been released, allowing past victims to recover their files for free.BleepingComputer
October 18, 2021
Agencies say agriculture groups being targeted by BlackMatter ransomware Full Text
Abstract
A trio of federal agencies on Monday sounded the alarm about critical infrastructure groups, particularly agricultural organizations, being targeted by a prolific ransomware group.The Hill
October 15, 2021
BlackByte: Free Decryptor Released for Ransomware Strain Full Text
Abstract
Trustwave, a Chicago-based cybersecurity and managed security services provider owned by Singaporean telecommunications company Singtel Group Enterprise, on Friday announced the release of the free decryptor, available for download from GitHub.Gov Info Security
October 08, 2021
The Week in Ransomware - October 8th 2021 - Making arrrests Full Text
Abstract
This week's big news is the arrests of two ransomware operators in Ukraine responsible for hundreds of attacks targeting organizations worldwide.BleepingComputer
October 08, 2021
Russian orgs heavily targeted by smaller tier ransomware gangs Full Text
Abstract
Even though American and European companies enjoy the lion's share in ransomware attacks launched from Russian ground, companies in the country aren't spared from having to deal with file encryption and double-extortion troubles.BleepingComputer
October 7, 2021
Roundup of ransomware in the CIS Full Text
Abstract
Although there are different vectors of malware distribution, most of the current crop of ransomware threats targeting businesses in the CIS penetrate the victim’s network via RDP.Kaspersky Labs
October 5, 2021
New Ransomware Aims at Virtual Machines, ESXi Hypervisors to Encrypt Disks Full Text
Abstract
The attack, one of the fastest recorded by Sophos researchers, was achieved by operators who "precision-targeted the ESXi platform" in order to encrypt the virtual machines of the victim.ZDNet
October 04, 2021
New Atom Silo ransomware targets vulnerable Confluence servers Full Text
Abstract
Atom Silo, a newly spotted ransomware group, is targeting a recently patched and actively exploited Confluence Server and Data Center vulnerability to deploy their ransomware payloads.BleepingComputer
October 01, 2021
The Week in Ransomware - October 1st 2021 - “This was preventable” Full Text
Abstract
This week comes with reports of a hospital ransomware attack that led to the death of a baby and new efforts by governments worldwide to combat ransomware.BleepingComputer
September 30, 2021
The Top Ransomware Threats Aren’t Who You Think Full Text
Abstract
Move over REvil, Ragnar Locker, BlackMatter, Conti et al: Three lesser-known gangs account for the vast majority of ransomware attacks in the U.S. and globally.Threatpost
September 30, 2021
RansomEXX ransomware Linux encryptor may damage victims’ files Full Text
Abstract
Cybersecurity firm Profero has discovered that the RansomExx gang does not correctly lock Linux files during encryption, leading to potentially corrupted files.BleepingComputer
September 29, 2021
Karma Ransomware Attempts New Tricks For Quick Ransom Full Text
Abstract
In a tactic to pressure victims into paying up, the lesser-known Karma ransomware group was discovered communicating with journalists about the victims. The attackers claimed to have stolen a few terabytes of internal data from a medical device-making firm. Organizations are recommended to increase ... Read MoreCyware Alerts - Hacker News
September 24, 2021
The Week in Ransomware - September 24th 2021 - Targeting crypto Full Text
Abstract
This week's biggest news is the USA sanctioning a crypto exchange used by ransomware gangs to convert cryptocurrency into fiat currency. By targeting rogue exchanges, the US government is hoping to disrupt ransomware's payment system.BleepingComputer
September 24, 2021
Cring Ransomware Targets a Decade-Old Adobe Flaw Full Text
Abstract
Two ColdFusion 9 bugs patched by Adobe more than a decade ago are under active exploitation by threat actors. Criminals tried to drop Cring ransomware on the target networks. The attacks originated from an internet address given to Green Floid (a Ukrainian ISP). Lest we forget, the first defense i...Cyware Alerts - Hacker News
September 21, 2021
Ransomware Attacks Growing More Sophisticated Full Text
Abstract
In the first half of the year, malicious actors exploited flaws across different types of platforms, leading to major attacks that shut down fuel networks and extracted millions from enterprises.Security Boulevard
September 17, 2021
The Week in Ransomware - September 17th 2021 - REvil decrypted Full Text
Abstract
It has been an interesting week with decryptors released, ransomware gangs continuing to rail against negotiators, and the US government expected to sanction crypto exchanges next week.BleepingComputer
September 16, 2021
REvil/Sodinokibi Ransomware Universal Decryptor Key Is Out Full Text
Abstract
Bitdefender worked with law enforcement to create a key to unlock victims encrypted in ransomware attacks before REvil’s servers went belly-up on July 13.Threatpost
September 16, 2021
Free REvil ransomware master decrypter released for past victims Full Text
Abstract
A free master decryptor for the REvil ransomware operation has been released, allowing all victims encrypted before the gang disappeared to recover their files for free.BleepingComputer
September 16, 2021
Bitdefender released free REvil ransomware decryptor that works for past victims Full Text
Abstract
Researchers from Bitdefender released a free master decryptor for the REvil ransomware operation that allows past victims to recover their files for free. Good news for the victims of the REvil ransomware gang that were infected before the operations...Security Affairs
September 13, 2021
Sodinokibi Ransomware through the Lens of IR and Collaborative Threat Intelligence Full Text
Abstract
Security analysts have used Incident Response (IR) and shared intelligence together to analyze Sodinokibi ransomware's behavior and offered a similar collaborative approach to counter threats. IBM researchers have collated Sodinokibi TTPs from many of its attacks and laid bare its activities in...Cyware Alerts - Hacker News
September 10, 2021
The Week in Ransomware - September 10th 2021 - REvil returns Full Text
Abstract
This week marked the return of the notorious REvil ransomware group, who disappeared in July after conducting a massive attack using a Kaseya zero-day vulnerability.BleepingComputer
September 8, 2021
What Ragnar Locker Got Wrong About Ransomware Negotiators – Podcast Full Text
Abstract
There are a lot of "tells" that the ransomware group doesn’t understand how negotiators work, despite threatening to dox data if victims call for help.Threatpost
September 07, 2021
REvil ransomware’s servers mysteriously come back online Full Text
Abstract
The dark web servers for the REvil ransomware operation have suddenly turned back on after an almost two-month absence. It is unclear if this marks their ransomware gang's return or the servers being turned on by law enforcement.BleepingComputer
September 5, 2021
Deciphering the Leaked Conti Ransomware Playbook Full Text
Abstract
Researchers recently obtained a leaked playbook linked to the Conti RaaS group, disclosing a heap of information about its operations. The sensitive playbook documents are believed to have been leaked by a partner unhappy with Conti. For researchers and security analysts, this is an opportunity to d...Cyware Alerts - Hacker News
September 4, 2021
Source code for the Babuk is available on a hacking forum Full Text
Abstract
The complete source code for the Babuk ransomware is available for sale on a Russian-speaking hacking forum. A threat actor has leaked the source code for the Babuk ransomware on a Russian-speaking hacking forum. The Babuk Locker operators halted...Security Affairs
September 03, 2021
The Week in Ransomware - September 3rd 2021 - Targeting Exchange Full Text
Abstract
Over the past two weeks, it has been busy with ransomware news ranging from a gang shutting down and releasing a master decryption key to threat actors turning to Microsoft Exchange exploits to breach networks.BleepingComputer
September 03, 2021
Babuk ransomware’s full source code leaked on hacker forum Full Text
Abstract
A threat actor has leaked the complete source code for the Babuk ransomware on a Russian-speaking hacking forum.BleepingComputer
September 03, 2021
Conti ransomware now hacking Exchange servers with ProxyShell exploits Full Text
Abstract
The Conti ransomware gang is hacking into Microsoft Exchange servers and breaching corporate networks using recently disclosed ProxyShell vulnerability exploits.BleepingComputer
September 02, 2021
Translated Conti ransomware playbook gives insight into attacks Full Text
Abstract
Almost a month after a disgruntled Conti affiliate leaked the gang's attack playbook, security researchers shared a translated version that clears up the misinterpretations caused by automated translation.BleepingComputer
September 2, 2021
The Evolving Ransomware-as-a-Service Threat Full Text
Abstract
With RaaS evolving into a corporate structure, gangs are looking for negotiators. The role of negotiators is to extort victims into paying the ransom.Cyware Alerts - Hacker News
September 2, 2021
Translated: Talos’ insights from the recently leaked Conti ransomware playbook Full Text
Abstract
It is unclear whether the document was originally written entirely in Russian or they machine-translated some English-language documents and included them in the playbook.Cisco Talos
September 1, 2021
Lockfile Ransomware Embraces Offensive Updates Full Text
Abstract
LockFile, unlike other ransomware, doesn't encrypt the first few blocks. Instead, it encrypts every other 16 bytes of a document. This technique is called intermittent encryption.Cyware Alerts - Hacker News
August 31, 2021
LockFile Ransomware uses a new intermittent encryption technique Full Text
Abstract
The recently emerged LockFile ransomware family leverages a novel technique called intermittent encryption to speed up encryption. The LockFile ransomware gang started its operations last month; recently it was spotted targeting Microsoft Exchange...Security Affairs
August 28, 2021
LockFile Ransomware Bypasses Protection Using Intermittent File Encryption Full Text
Abstract
A new ransomware family that emerged last month comes with its own bag of tricks to bypass ransomware protection by leveraging a novel technique called "intermittent encryption." Called LockFile, the operators of the ransomware have been found exploiting recently disclosed flaws such as ProxyShell and PetitPotam to compromise Windows servers and deploy file-encrypting malware that scrambles only every alternate 16 bytes of a file, thereby giving it the ability to evade ransomware defences. "Partial encryption is generally used by ransomware operators to speed up the encryption process and we've seen it implemented by BlackMatter, DarkSide and LockBit 2.0 ransomware," Mark Loman, Sophos director of engineering, said in a statement. "What sets LockFile apart is that, unlike the others, it doesn't encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document." "This means that a file such as a text documen...The Hacker News
August 27, 2021
The FBI issued a flash alert for Hive ransomware operations Full Text
Abstract
The Federal Bureau of Investigation (FBI) published a flash alert related to the operations of the Hive ransomware gang. The Federal Bureau of Investigation (FBI) has released a flash alert on the Hive ransomware attacks that includes technical details...Security Affairs
August 26, 2021
Ragnarok ransomware releases master decryptor after shutdown Full Text
Abstract
Ragnarok ransomware gang appears to have called it quits and released the master key that can decrypt files locked with their malware.BleepingComputer
August 23, 2021
ProxyShell vulnerabilities actively exploited to deliver web shells and ransomware Full Text
Abstract
Three so-called “ProxyShell” vulnerabilities are being actively exploited by various attackers to compromise Microsoft Exchange servers around the world, the Cybersecurity and Infrastructure Security Agency (CISA) warned over the weekend.Help Net Security
August 20, 2021
The Week in Ransomware - August 20th 2021 - Exploiting Windows Full Text
Abstract
Ransomware gangs continue to attack schools, companies, and even hospitals worldwide with little sign of letting up. Below we have tracked some of the ransomware stories that we are following this week.BleepingComputer
August 20, 2021
LockFile ransomware uses PetitPotam attack to hijack Windows domains Full Text
Abstract
At least one ransomware threat actor has started to leverage the recently discovered PetitPotam NTLM relay attack method to take over the Windows domain on various networks worldwide.BleepingComputer
August 20, 2021
SynAck ransomware decryptor lets victims recover files for free Full Text
Abstract
Emsisoft has released a decryptor for the SynAck Ransomware, allowing victims to decrypt their encrypted files for free.BleepingComputer
August 18, 2021
Diavol ransomware sample shows stronger connection to TrickBot gang Full Text
Abstract
A new analysis of a Diavol ransomware sample shows a more clear connection with the gang behind the TrickBot botnet and the evolution of the malware.BleepingComputer
August 17, 2021
Conti ransomware prioritizes revenue and cyberinsurance data theft Full Text
Abstract
Training material used by Conti ransomware affiliates was leaked online this month, allowing an inside look at how attackers abuse legitimate software to seek out cyber insurance policies.BleepingComputer
August 16, 2021
SynAck Ransomware Rebrands, Releases Old Decryption Keys Full Text
Abstract
El_Cometa ransomware group, formerly known as SynAck, released master decryption keys for the victims they targeted between July 2017 and early 2021. Emsisoft is creating its own decryption tool that will be easy to use and safe. The tool will be released for public use within a few days.Cyware Alerts - Hacker News
August 13, 2021
The Week in Ransomware - August 13th 2021 - The rise of LockBit Full Text
Abstract
This week we saw an existing operation rise in attacks while existing ransomware operations turn to Windows vulnerabilities to elevate their privileges.BleepingComputer
August 13, 2021
SynAck ransomware gang releases master decryption keys for old victims Full Text
Abstract
The SynAck ransomware gang released the master decryption keys for their operations and rebranded as a new group dubbed El_Cometa group. Good news for the victims of the SynAck ransomware gang, the group released the master decryption keys to allow...Security Affairs
August 13, 2021
Vice Society ransomware also exploits PrintNightmare flaws in its attack Full Text
Abstract
Another ransomware gang, the Vice Society ransomware operators, is using Windows print spooler PrintNightmare exploits in its attacks. The Vice Society ransomware operators are actively exploiting Windows print spooler PrintNightmare vulnerability...Security Affairs
August 13, 2021
Vice Society ransomware joins ongoing PrintNightmare attacks Full Text
Abstract
The Vice Society ransomware gang is now also actively exploiting the Windows Print Spooler PrintNightmare vulnerability for lateral movement through their victims' networks.BleepingComputer
August 13, 2021
New DeepBlueMagic Ransomware Strain Discovered Using Third-party Disk Encryption Tool Full Text
Abstract
By cleverly making use of a legitimate third-party disk encryption tool, the DeepBlueMagic ransomware encryption process targets the different disk drives on the endpoint.Heimdal Security
August 10, 2021
New eCh0raix ransomware variant targets NAS devices from both QNAP and Synology vendors Full Text
Abstract
A new variant of the eCh0raix ransomware is able to target Network-Attached Storage (NAS) devices from both QNAP and Synology vendors. A new variant of the eCh0raix ransomware is able to infect Network-Attached Storage (NAS) devices from...Security Affairs
August 10, 2021
eCh0raix ransomware now targets both QNAP and Synology NAS devices Full Text
Abstract
A newly discovered eCh0raix ransomware variant has added support for encrypting both QNAP and Synology Network-Attached Storage (NAS) devices.BleepingComputer
August 06, 2021
The Week in Ransomware - August 6th 2021 - Insider threat edition Full Text
Abstract
If there is one thing we learned this week, it's that not only are corporations vulnerable to insider threats but so are ransomware operations.BleepingComputer
August 6, 2021
RansomEXX ransomware leaks files stolen from Italian luxury brand Zegna Full Text
Abstract
RansomEXX ransomware operators hit the popular Italian luxury fashion house Ermenegildo Zegna Holding and started leaking stolen files. Zegna is one of the most famous Italian luxury fashion houses. It was founded in 1910 by Ermenegildo Zegna in Trivero, Biella...Security Affairs
August 6, 2021
BlackMatter ransomware also targets VMware ESXi servers Full Text
Abstract
The BlackMatter gang is rapidly evolving: the group has developed a Linux version that allows operators to target VMware's ESXi VM platform. The BlackMatter ransomware gang has implemented a Linux encryptor to target the VMware ESXi virtual machine platform....Security Affairs
August 05, 2021
Linux version of BlackMatter ransomware targets VMware ESXi servers Full Text
Abstract
The BlackMatter gang has joined the ranks of ransomware operations to develop a Linux encryptor that targets VMware's ESXi virtual machine platform.BleepingComputer
August 5, 2021
Ransomware Evolution Full Text
Abstract
Ransomware attacks have evolved and the ransomware-as-a-service (RaaS) model became popular because the use of affiliates enables ransomware operators to attack more victims with little effort.Secure Works
August 04, 2021
LockBit ransomware recruiting insiders to breach corporate networks Full Text
Abstract
The LockBit 2.0 ransomware gang is actively recruiting corporate insiders to help them breach and encrypt networks. In return, the insider is promised million-dollar payouts.BleepingComputer
August 2, 2021
DoppelPaymer’s Rebranding as Grief Full Text
Abstract
The DoppelPaymer ransomware operation was rebranded as Grief with identical encryption algorithms, i.e. 2048-bit RSA and 256-bit AES and other minor code changes. The new effort by DoppelPaymer appears to be more about staying low profile than going sophisticated in nature.Cyware Alerts - Hacker News
July 31, 2021
DarkSide ransomware gang returns as new BlackMatter operation Full Text
Abstract
Encryption algorithms found in a decryptor show that the notorious DarkSide ransomware gang has rebranded as a new BlackMatter ransomware operation and is actively performing attacks on corporate entities.BleepingComputer
July 30, 2021
The Week in Ransomware - July 30th 2021 - €1 billion saved Full Text
Abstract
Ransomware continues to be active this week, with new threat actors releasing new features, No More Ransom turning five, and a veteran group rebranding.BleepingComputer
July 30, 2021
Beware of AvosLocker, It’s Hiring! Full Text
Abstract
The ransomware first came to light in late June after an attack on the City of Geneva. Its operators are now searching for affiliates via several underground forums.Cyware Alerts - Hacker News
July 30, 2021
Ransomware can penetrate quickly, significantly damaging an organization Full Text
Abstract
A Cloudian survey found that traditional ransomware defenses are failing, with 54% of all victims having anti-phishing training and 49% having perimeter defenses in place at the time of attack.Help Net Security
July 29, 2021
LockBit 2.0, the first ransomware that uses group policies to encrypt Windows domains Full Text
Abstract
A new variant of the LockBit 2.0 ransomware is now able to encrypt Windows domains by using Active Directory group policies. Researchers from MalwareHunterTeam and BleepingComputer, along with the malware expert Vitali Kremez, reported spotting...Security Affairs
July 27, 2021
LockBit ransomware now encrypts Windows domains using group policies Full Text
Abstract
A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies.BleepingComputer
July 27, 2021
LockBit ransomware automates Windows domain encryption via group policies Full Text
Abstract
A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies.BleepingComputer
July 27, 2021
Double Encryption: When Ransomware Recovery Gets Complicated Full Text
Abstract
In the double extortion tactic, the cybercriminals demand two ransoms — one for a decryption utility and the other for the deletion of the victim's stolen information from their servers.Security Intelligence
July 23, 2021
The Week in Ransomware - July 23rd 2021 - Kaseya decrypted Full Text
Abstract
This week has quite a bit of news ranging from the USA formally accusing China of the recent ProxyLogon vulnerability and Kaseya mysteriously obtaining the universal decryption key.BleepingComputer
July 22, 2021
Kaseya obtains key to decrypt systems weeks after ransomware attack Full Text
Abstract
Software company Kaseya on Thursday obtained a key to decrypt its systems and that of customers, which were locked down by a ransomware attack earlier this month.The Hill
July 21, 2021
Experts Confirm Diavol Ransomware Steals Data Full Text
Abstract
Security analysts provide proof of Diavol ransomware stealing data from infected systems, as opposed to previous claims by FortiGuard Labs' researchers. The Diavol group is resilient and evasive in nature. Security professionals need to erect a robust security infrastructure to avoid any unpleasant...Cyware Alerts - Hacker News
July 19, 2021
REvil Ransomware Uses DLL Sideloading Full Text
Abstract
The infamous REvil malware uses DLL side-loading to execute the ransomware code. This attack technique allows the attacker to execute malicious DLLs that spoof legitimate ones.McAfee
July 17, 2021
HelloKitty ransomware is targeting vulnerable SonicWall devices Full Text
Abstract
CISA is warning of threat actors targeting "a known, previously patched, vulnerability" found in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products with end-of-life firmware.BleepingComputer
July 16, 2021
Linux Variant of HelloKitty Ransomware Targets VMware ESXi Servers Full Text
Abstract
HelloKitty joins the growing list of ransomware bigwigs going after the juicy target of VMware ESXi, where one hit gets scads of VMs.Threatpost
July 16, 2021
The Week in Ransomware - July 16th 2021 - REvil disappears Full Text
Abstract
Ransomware operations have been quieter this week as the White House engages in talks with the Russian government about cracking down on cybercriminals believed to be operating in Russia.BleepingComputer
July 16, 2021
New Diavol Ransomware by the Wizard Spider Threat Group Steals Victims' Data Full Text
Abstract
Diavol ransomware does not prevent its payloads from running on Russian targets by doing a locale check. This is notable because most ransomware will avoid Russian systems.Security Affairs
July 15, 2021
PYSA Ransomware Gang Using New Gasket Backdoor to Target U.S. Organizations Full Text
Abstract
As with other ransomware attacks, Mespinoza originates through exposed RDP servers, eliminating the need to craft phishing emails, perform social engineering, or exploit software vulnerabilities.The Register
July 15, 2021
HelloKitty ransomware now targets VMware ESXi servers Full Text
Abstract
HelloKitty ransomware gang is using a Linux variant of their malware to target VMware ESXi virtual machine platform. A Linux variant of the HelloKitty ransomware was employed in attacks against VMware ESXi systems. The move of the ransomware gang...Security Affairs
July 15, 2021
Linux version of HelloKitty ransomware targets VMware ESXi servers Full Text
Abstract
The ransomware gang behind the highly publicized attack on CD Projekt Red uses a Linux variant that targets VMware's ESXi virtual machine platform for maximum damage.BleepingComputer
July 14, 2021
Detonating Ransomware on My Own Computer (Don’t Try This at Home) Full Text
Abstract
Ransomware attacks are a daily occurrence, bringing new levels of danger and confusion to an already complicated business of protecting data. How it behaves can tell us a lot about a ransomware attack - so I recently detonated Conti ransomware in a controlled environment to demonstrate the importance of proper cyber protection.BleepingComputer
July 14, 2021
The infrastructure and websites used by REvil ransomware gang are not reachable Full Text
Abstract
The infrastructure and leak sites used by the REvil ransomware gang for its operations went offline last night. Starting last night, the infrastructure and the websites used by the REvil ransomware gang were mysteriously unreachable, BleepingComputer...Security Affairs
July 14, 2021
There’s a Clear Line From the REvil Ransomware to Russia Full Text
Abstract
A look at part of the REvil group's online infrastructure shows clear lines to Russian and U.K. service providers that, in theory, could help law enforcement agencies but don't appear eager to help.Gov Info Security
July 13, 2021
Ransomware Landscape: REvil Is One of Many Operators Full Text
Abstract
Ransomware-as-a-service operations have grown rapidly, with cybersecurity firm Intel 471 late last year counting five major players, nine up-and-coming operations and 10 newcomers.Gov Info Security
July 12, 2021
Could allowlisting reduce the impact of ransomware, cyberattacks on health care? Full Text
Abstract
Given health care’s reliance on tech, cyberattacks and ransomware can cause massive disruptions. PCMatic CEO thinks allowlisting could reduce the risk to patient safety.SCMagazine
July 12, 2021
Ransomware shows the power and weakness of the web Full Text
Abstract
Ransomware reflects the complexities and limitations of the web. We increasingly rely on computer systems that often have pretty shallow foundations when it comes to security and reliability.ZDNet
July 09, 2021
The Week in Ransomware - July 9th 2021 - A flawed attack Full Text
Abstract
This week's news focuses on the aftermath of REvil's ransomware attack on MSPs and customers using zero-day vulnerabilities in Kaseya VSA. The good news is that it has not been as disruptive as we initially feared.BleepingComputer
July 9, 2021
Conti Unpacked | Understanding Ransomware Development As a Response to Detection Full Text
Abstract
Conti is developed and maintained by the so-called TrickBot gang, and it is mainly operated through a RaaS affiliation model. The Conti ransomware is derived from the codebase of Ryuk.Sentinel One
July 07, 2021
Ransomware code in Kaseya attack bypasses systems using Russian, related languages: report Full Text
Abstract
The Russian-linked cybercrime gang associated with carrying out a major ransomware attack against a software company used a code that avoids targeting systems that use Russian and other former Soviet-era languages as a default, according to a new report.The Hill
July 05, 2021
CISA, FBI share guidance for victims of Kaseya ransomware attack Full Text
Abstract
CISA and the Federal Bureau of Investigation (FBI) have shared guidance for managed service providers (MSPs) and their customers impacted by the REvil supply-chain ransomware attack that hit the systems of Kaseya's cloud-based MSP platform.BleepingComputer
July 5, 2021
REvil ransomware gang demanded $70M for universal decryptor for Kaseya victims Full Text
Abstract
REvil ransomware is demanding $70 million for decrypting all systems locked during the Kaseya supply-chain ransomware attack. REvil ransomware is asking $70 million worth of Bitcoin for decrypting all systems impacted in the Kaseya supply-chain ransomware...Security Affairs
July 03, 2021
The Week in Ransomware - July 2nd 2021 - MSPs under attack Full Text
Abstract
Friday afternoon, we saw the largest ransomware attack ever conducted after the REvil ransomware gang used a zero-day vulnerability in the Kaseya VSA management software to encrypt MSPs and their customers worldwide.BleepingComputer
July 3, 2021
Diavol ransomware appears in the threat landscape. Is it the work of the Wizard Spider gang? Full Text
Abstract
Wizard Spider, the cybercrime gang behind the TrickBot botnet, is believed to be the author of a new ransomware family dubbed Diavol, Fortinet researchers report. Researchers from Fortinet reported that a new ransomware family, tracked as Diavol,...Security Affairs
July 03, 2021
US chemical distributor shares info on DarkSide ransomware data theft Full Text
Abstract
World-leading chemical distribution company Brenntag has shared additional info on what data was stolen from its network by DarkSide ransomware operators during an attack from late April 2021 that targeted its North America division.BleepingComputer
July 3, 2021
Babuk Ransomware Is Back Targeting Corporate Networks With A New Version Full Text
Abstract
After the Babuk ransomware operators announced that they had decided to close the affiliate program and move to data theft extortion, the group seems to have returned to their previous methods of encrypting corporate systems.Heimdal Security
July 1, 2021
Babuk Ransomware Builder Mysteriously Appears in VirusTotal Full Text
Abstract
The gang’s source code is now available to rivals and security researchers alike – and a decryptor likely is not far behind.Threatpost
July 01, 2021
Babuk ransomware is back, uses new version on corporate networks Full Text
Abstract
After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks.BleepingComputer
July 1, 2021
Defeating Ransomware-as-a-Service? Think Intel-Sharing Full Text
Abstract
Aamir Lakhani, cybersecurity researcher and practitioner at FortiGuard Labs, explains the rise of RaaS and the critical role of threat intel in effectively defending against it.Threatpost
June 30, 2021
Leaked Babuk Locker ransomware builder used in new attacks Full Text
Abstract
A leaked tool used by the Babuk Locker operation to create custom ransomware executables is now being used by another threat actor in a very active campaign targeting victims worldwide.BleepingComputer
June 30, 2021
Epsilon Red Ransomware is Hunting Full Text
Abstract
According to researchers, Epsilon Red operations are ongoing and more than 3,500 Microsoft Exchange servers are still vulnerable. Written in Go, the latest Epsilon Red strain launches mass server exploitation campaigns and tries to expose companies' information for revenue. Therefore, for ampl...Cyware Alerts - Hacker News
June 29, 2021
New Ransomware Variant Uses Golang Packer Full Text
Abstract
CrowdStrike recently observed a ransomware sample borrowing implementations from previous HelloKitty and FiveHands variants and using a Golang packer compiled with the most recent version of Golang.Crowdstrike
June 29, 2021
Linux version of REvil ransomware targets ESXi VM Full Text
Abstract
The REvil ransomware operators added a Linux encryptor to their arsenal to encrypt VMware ESXi virtual machines. The REvil ransomware operators are now using a Linux encryptor to encrypt VMware ESXi virtual machines, which are widely adopted by enterprises. The...Security Affairs
June 28, 2021
REvil ransomware’s new Linux encryptor targets ESXi virtual machines Full Text
Abstract
The REvil ransomware operation is now using a Linux encryptor that targets and encrypts VMware ESXi virtual machines.BleepingComputer
June 28, 2021
Leaked Builder for Babuk Locker Ransomware Can be Used to Create Custom Ransomware Variants Full Text
Abstract
The leak of the Babuk Locker builder comes two months after the Babuk Locker ransomware gang announced that it was retiring after an attack on the Washington, DC police department in late April.The Record
June 25, 2021
The Week in Ransomware - June 25th 2021 - Back in Business Full Text
Abstract
It has been relatively quiet this week, with few attacks revealed and few new ransomware variants released. However, some interesting information came out that we have summarized below.BleepingComputer
June 24, 2021
The Linux Version of DarkSide Ransomware Full Text
Abstract
Experts analyzed a Linux version of the DarkSide ransomware, the group responsible for the Colonial Pipeline attack, and claimed that it targeted VMware virtual machines. Though DarkSide has purportedly shut down its operations, organizations are recommended to implement adequate security measures...Cyware Alerts - Hacker News
June 23, 2021
Senator: Is it time to treat ransomware like piracy, using military to make operators walk the plank? Full Text
Abstract
Said Sen. Mike Rounds, R-S.D.: “The Department of Defense clearly has a role to play” in addressing the threat of ransomware.SCMagazine
June 23, 2021
REvil Ransomware Code Ripped Off by Rivals Full Text
Abstract
The LV ransomware operators likely used a hex editor to repurpose a REvil binary almost wholesale, for their own nefarious purposes.Threatpost
June 23, 2021
Clop ransomware is back into action after the recent police operation Full Text
Abstract
A week after the law enforcement operation that targeted the Clop ransomware operators, the gang is back into action. A week after the international operation conducted by law enforcement that targeted several members of the Clop ransomware gang,...Security Affairs
June 23, 2021
New LV Ransomware Variant Hijacks Malicious Binaries Used by REvil Operators Full Text
Abstract
The LV variant operators have been observed in the wild since October 2020, deploying a tweaked version of REvil’s binary with references to REvil’s C2 and data exfiltration infrastructure removed.The Register
June 22, 2021
Wormable bash DarkRadiation Ransomware targets Linux distros and docker containers Full Text
Abstract
DarkRadiation is a new strain of ransomware implemented in Bash that targets Linux and Docker cloud containers and leverages Telegram for C2. Trend Micro researchers spotted a new strain of ransomware, dubbed DarkRadiation, which is written in Bash...Security Affairs
June 22, 2021
DarkRadiation Ransomware and an SSH Worm Full Text
Abstract
DarkRadiation ransomware has started targeting Linux and Docker containers. It relies on the messaging service Telegram for C2 communications. Experts suggest attackers are probably trying to use low-profile tools to stay hidden from security agencies.Cyware Alerts - Hacker News
June 22, 2021
Darkside RaaS in Linux version Full Text
Abstract
Unlike the Windows version of the malware, which targets any Windows endpoint, the DarkSide Linux version mostly targets ESXi servers and is believed to be deployed manually.AT&T Cybersecurity
June 22, 2021
Wormable DarkRadiation Ransomware Targets Linux and Docker Instances Full Text
Abstract
Cybersecurity researchers have disclosed a new ransomware strain called "DarkRadiation" that's implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications. "The ransomware is written in Bash script and targets Red Hat/CentOS and Debian Linux distributions," researchers from Trend Micro said in a report published last week. "The malware uses OpenSSL's AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram's API to send an infection status to the threat actor(s)." As of writing, there's no information available on the delivery methods or evidence that the ransomware has been deployed in real-world attacks. The findings come from an analysis of a collection of hacking tools hosted on the unidentified threat actor's infrastructure (IP address "185.141.25.168") in a directory called...The Hacker News
June 21, 2021
Evolving Ransomware Strategies to be Wary of Full Text
Abstract
Ransomware campaigns are now rarely being propagated via emails due to improved detection capabilities. The shift to downloaders as the first-stage payload offers ransomware operators better flexibility and choice.Cyware Alerts - Hacker News
June 19, 2021
Conti Ransomware Gang: An Overview Full Text
Abstract
The Conti ransomware group has spent more than a year attacking organizations where IT outages can have life-threatening consequences such as hospitals, 911 dispatch carriers, emergency medical services, and law enforcement agencies.Palo Alto Networks
June 18, 2021
The Week in Ransomware - June 18th 2021 - Law enforcement strikes back Full Text
Abstract
Compared to the last few weeks, it has been a relatively quiet week with no ransomware attacks causing widespread disruption.BleepingComputer
June 16, 2021
Paradise Ransomware’s Source Code Now Available on a Hacker Forum Full Text
Abstract
Experts are concerned as the source code of the .NET version of Paradise ransomware was found to have been leaked on a hacker forum. Such leaks could prove to be devastating as any interested attacker can create their own ransomware version to target victims.Cyware Alerts - Hacker News
June 16, 2021
CISA Warns of Threat Posed by Ransomware to Industrial Systems Full Text
Abstract
The fact sheet released by CISA provides a summary of the steps organizations should take to improve their resilience against ransomware attacks and gives links to more detailed guidance.Security Week
June 15, 2021
Avaddon ransomware’s exit sheds light on victim landscape Full Text
Abstract
A new report analyzes the recently released Avaddon ransomware decryption keys to shed light on the types of victims targeted by the threat actors and potential revenue they generated throughout their operation.BleepingComputer
June 15, 2021
The source code of the Paradise Ransomware was leaked on XSS hacking forum Full Text
Abstract
The source code for the Paradise Ransomware has been released on a hacking forum allowing threat actors to develop their customized variant. The source code for the Paradise Ransomware has been released on the hacking forum XSS allowing threat actors...Security Affairs
June 15, 2021
Source code for Paradise ransomware leaked on hacking forums Full Text
Abstract
The code, which was shared on a Russian-speaking forum called XSS, represents the second major ransomware strain whose source code was leaked in recent years after the Dharma code leak in early 2020.The Record
June 15, 2021
Paradise Ransomware source code released on a hacking forum Full Text
Abstract
The complete source code for the Paradise Ransomware has been released on a hacking forum allowing any would-be cyber criminal to develop their own customized ransomware operation.BleepingComputer
June 15, 2021
Experts Shed Light On Distinctive Tactics Used by Hades Ransomware Full Text
Abstract
Cybersecurity researchers on Tuesday disclosed "distinctive" tactics, techniques, and procedures (TTPs) adopted by operators of Hades ransomware that set it apart from the rest of the pack, attributing it to a financially motivated threat group called GOLD WINTER. "In many ways, the GOLD WINTER threat group is a typical post-intrusion ransomware threat group that pursues high-value targets to maximize how much money it can extort from its victims," researchers from SecureWorks Counter Threat Unit (CTU) said in an analysis shared with The Hacker News. "However, GOLD WINTER's operations have quirks that distinguish it from other groups." The findings come from a study of incident response efforts the Atlanta-based cybersecurity firm engaged in during the first quarter of 2021. Since first emerging in the threat landscape in December 2020, Hades has been classified as INDRIK SPIDER's successor to WastedLocker ransomware with "additional code oThe Hacker News
June 15, 2021
Unique TTPs link Hades ransomware to new threat group Full Text
Abstract
Researchers claim to have discovered the identity of the operators of Hades ransomware, exposing the distinctive tactics, techniques, and procedures (TTPs) they employ in their attacks.CSO Online
June 14, 2021
G7 leaders ask Russia to hunt down ransomware gangs within its borders Full Text
Abstract
G7 (Group of 7) leaders have asked Russia to urgently disrupt ransomware gangs believed to be operating within its borders, following a stream of attacks targeting organizations from critical sectors worldwide.BleepingComputer
June 11, 2021
The Week in Ransomware - June 11th 2021 - Under Pressure Full Text
Abstract
It has been quite the week when it comes to ransomware, with ransoms being paid, ransoms being taken back, and a ransomware gang shutting down.BleepingComputer
June 10, 2021
JBS paid $11 million to REvil ransomware, $22.5M first demanded Full Text
Abstract
JBS, the world's largest beef producer, has confirmed that they paid an $11 million ransom after the REvil ransomware operation initially demanded $22.5 million.BleepingComputer
June 10, 2021
Emerging Ransomware Targets Dozens of Businesses Worldwide Full Text
Abstract
An emerging ransomware strain in the threat landscape claims to have breached 30 organizations in just four months since it went operational, riding on the coattails of a notorious ransomware syndicate. First observed in February 2021, "Prometheus" is an offshoot of another well-known ransomware variant called Thanos, which was previously deployed against state-run organizations in the Middle East and North Africa last year. The affected entities are believed to be government, financial services, manufacturing, logistics, consulting, agriculture, healthcare services, insurance agencies, energy and law firms in the U.S., U.K., and a dozen more countries in Asia, Europe, the Middle East, and South America, according to new research published by Palo Alto Networks' Unit 42 threat intelligence team. Like other ransomware gangs, Prometheus takes advantage of double-extortion tactics and hosts a dark web leak site, where it names and shames new victims and makes stolenThe Hacker News
June 9, 2021
BlackCocaine: Another New Golang Ransomware in Play Full Text
Abstract
A ransomware group targeted an India-based IT company serving the banking and financial services sector, Nucleus Software Exports. The malware is the latest addition to the ransomware landscape and has displayed notable sophistication in its tactics, techniques, and procedures.Cyware Alerts - Hacker News
June 08, 2021
Computer memory maker ADATA hit by Ragnar Locker ransomware Full Text
Abstract
Taiwan-based leading memory and storage manufacturer ADATA says that a ransomware attack forced it to take systems offline after hitting its network in late May.BleepingComputer
June 08, 2021
Capitol Hill vendor hit by ransomware attack: report Full Text
Abstract
A tech vendor used by dozens of House offices on Capitol Hill for constituent outreach services has reportedly been hit by a ransomware attack, becoming the latest victim in a series of cyberattacks to target U.S.-based entities.The Hill
June 7, 2021
Warning of New Ransomware Surge in Education Sector Full Text
Abstract
Ransomware has led to the loss of student coursework, school financial records and data relating to COVID-19 testingInfosecurity Magazine
June 7, 2021
EpsilonRed Ransomware Group Targets India-based Financial Software Provider Nucleus Software Exports Full Text
Abstract
An Indian company that provides lending software to banks and retail stores suffered a major ransomware attack that crippled some of its internal networks and encrypted sensitive business information.The Record
June 06, 2021
New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions Full Text
Abstract
The new PayloadBIN ransomware has been attributed to the Evil Corp cybercrime gang, rebranding to evade sanctions imposed by the US Treasury Department's Office of Foreign Assets Control (OFAC).BleepingComputer
June 6, 2021
REvil Ransomware spokesman releases an interview on recent attacks Full Text
Abstract
The REvil ransomware operators said in an interview on the "Russian OSINT" Telegram channel that they accidentally targeted United States-based firms. The recent attack against JBS Foods conducted by REvil ransomware gang (aka Sodinokibi) triggered...Security Affairs
June 6, 2021
A favor from Russian ransomware hackers Full Text
Abstract
When President Joe Biden meets with Russian President Vladimir Putin later this month, he will undoubtedly bring up -- as he should -- the matter of repeated ransomware attacks against US targets by Russian-based hackers.CNN Money
June 5, 2021
BlackCocaine Ransomware, a new malware in the threat landscape Full Text
Abstract
Cyble researchers investigated a recent attack on an India-based IT firm that was hit by the BlackCocaine ransomware gang. The attack was suffered by the firm on May 30, 2021,...Security Affairs
June 04, 2021
The Week in Ransomware - June 4th 2021 - Where’s the beef? Full Text
Abstract
Ransomware has continued to be part of the 24-hour news cycle as another significant attack against critical infrastructure took place this week.BleepingComputer
June 4, 2021
Fujifilm confirms ransomware attack on systems in Japan Full Text
Abstract
In a statement today, the company also said that the impact of the unauthorized access was confined to a specific network in Japan and that they had started to bring network, servers and computers confirmed as safe back into operation.SCMagazine
June 04, 2021
Meat giant JBS now fully operational after ransomware attack Full Text
Abstract
JBS, the world's largest beef producer, has confirmed that all its global facilities are fully operational and operate at normal capacity after the REvil ransomware attack that hit its systems last weekend.BleepingComputer
June 2, 2021
Podcast: The State of Ransomware Full Text
Abstract
In this Threatpost podcast, Fortinet’s top researcher sketches out the ransom landscape, with takeaways from the DarkSide attack on Colonial Pipeline.Threatpost
June 02, 2021
Massachusetts ferry operator hit by ransomware attack Full Text
Abstract
The largest ferry service operator to Martha’s Vineyard and Nantucket was hit by a ransomware attack Wednesday that hampered some operations, the latest in a string of cyberattacks in recent weeks.The Hill
June 2, 2021
Are Ransomware Attacks Impeding Criminal Prosecutions? Full Text
Abstract
Any information related to a criminal investigation that is stolen and publicly posted not only endangers those involved but can result in failed prosecutions, says Brett Callow, analyst at Emsisoft.Gov Info Security
June 1, 2021
New Epsilon Red Ransomware appears in the threat landscape Full Text
Abstract
Researchers spotted a new piece of ransomware named Epsilon Red that was employed at least in an attack against a US company. Researchers from Sophos spotted a new piece of ransomware, named Epsilon Red, that infected at least one organization in the hospitality...Security Affairs
June 1, 2021
Privateers: A New Type of Ransomware Syndicate Full Text
Abstract
Researchers identified a new type of cybercrime group, dubbed privateers, that have partial support from global governments while remaining financially motivated and acting on their own agendas. Though these groups fall below the tier-1 APT groups sponsored by governments, they have the potential t...Cyware Alerts - Hacker News
June 1, 2021
Epsilon Red: A New Ransomware in the Threat Landscape Full Text
Abstract
Security experts are warning about new ransomware written in the Go language called Epsilon Red. It reportedly targeted a U.S.-based business in the hospitality industry. It is expected to expand to other countries and sectors as well.Cyware Alerts - Hacker News
May 29, 2021
New Epsilon Red ransomware hunts unpatched Microsoft Exchange servers Full Text
Abstract
A new ransomware threat calling itself Epsilon Red has been seen leveraging Microsoft Exchange server vulnerabilities to encrypt machines across the network.BleepingComputer
May 28, 2021
It’s Time We Talk About JSWorm Ransomware Full Text
Abstract
First discovered in 2019, the JSWorm ransomware gained infamy under several other names such as Nemty, Offwhite, and Nefilim, among others.Cyware Alerts - Hacker News
May 28, 2021
Ransomware gangs’ slow decryptors prompt victims to seek alternatives Full Text
Abstract
Recently, two highly publicized ransomware victims received a decryptor that was too slow to make it effective in quickly restoring the victim's network.BleepingComputer
May 28, 2021
New Golang-based Epsilon Red Ransomware Leverages PowerShell Scripts for Malicious Objectives Full Text
Abstract
The malware was delivered as the final executable payload in a hand-controlled attack against a US-based business in the hospitality industry, with early-stage components in the form of PowerShell scripts.Sophos
May 27, 2021
Zeppelin Ransomware Begins a New Ride Full Text
Abstract
After a hiatus, Zeppelin ransomware, a possible variant of the Vega Ransomware-as-a-Service (RaaS), is active again. Without stepping into the trend of double extortion, it can still cause serious damage to victims' systems.Cyware Alerts - Hacker News
May 26, 2021
A Peek Inside the Underground Ransomware Economy Full Text
Abstract
Threat hunters weigh in on the business of ransomware, the complex relationships between cybercriminals, and how they work together and hawk their wares on the Dark Web.Threatpost
May 26, 2021
Double Encryption: A New Ransomware Trend Full Text
Abstract
This is not the first time researchers spotted double encryption. It usually happens when two distinct ransomware groups compromise the same victim at the same time.Cyware Alerts - Hacker News
May 25, 2021
Iranian hacking group Agrius pretends to encrypt files for a ransom, destroys them instead Full Text
Abstract
The group uses a combination of its own custom toolsets and readily available offensive security software to deploy either a destructive wiper or a custom wiper-turned-ransomware variant.ZDNet
May 25, 2021
Iranian hacking group targets Israel with wiper disguised as ransomware Full Text
Abstract
An Iranian hacking group has been observed camouflaging destructive attacks against Israeli targets as ransomware attacks while maintaining access to victims' networks for months in what looks like an extensive espionage campaign.BleepingComputer
May 25, 2021
Evolution of JSWorm ransomware Full Text
Abstract
Several versions of JSWorm were released as part of each “rebranded” variant that altered different aspects of the code, renamed file extensions, cryptographic schemes, and encryption keys.Kaspersky Labs
May 24, 2021
Double Extortion Becomes Old, Triple Extortion is the New Threat Full Text
Abstract
This technique extends the extortion to third parties linked to the victim, including service providers, company clients, and external colleagues, since they too are heavily impacted by the data breaches that result from ransomware attacks.Cyware Alerts - Hacker News
May 24, 2021
Zeppelin ransomware comes back to life with updated versions Full Text
Abstract
The developers of Zeppelin ransomware have resumed their activity after a period of relative silence that started last Fall and started to advertise new versions of the malware.BleepingComputer
May 23, 2021
Firm tracked DarkSide gang ransomware payments and the massive sums paid Full Text
Abstract
The gang’s wallet received a 75 BTC (bitcoin) payment, or roughly $5 million, made by Colonial Pipeline on May 8 following the cyberattack on its operations, according to a report from blockchain analytics firm Elliptic.Fox Business
May 22, 2021
FBI Warns Conti Ransomware Hit 16 U.S. Health and Emergency Services Full Text
Abstract
The adversary behind Conti ransomware targeted no fewer than 16 healthcare and first responder networks in the U.S. within the past year, victimizing over 400 organizations worldwide in total, 290 of which are situated in the country. That's according to a new flash alert issued by the U.S. Federal Bureau of Investigation (FBI) on Thursday. "The FBI identified at least 16 Conti ransomware attacks targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year," the agency said. Ransomware attacks have worsened over the years, with recent targets as varied as state and local governments, hospitals, police departments, and critical infrastructure. Conti is one of many ransomware strains that have capitalized on that trend, commencing its operations in July 2020 as a private Ransomware-as-a-Service (RaaS), in addition to jumping on the double extortThe Hacker News
May 22, 2021
Qlocker ransomware leverages HBS flaw to infect QNAP NAS devices Full Text
Abstract
Taiwanese vendor QNAP is warning its customers to update the HBS 3 disaster recovery app running on their Network Attached Storage (NAS) devices to prevent Qlocker ransomware attacks...Security Affairs
May 22, 2021
FBI says Conti Ransomware Gang has Hit 16 U.S. Health and Emergency Networks Full Text
Abstract
The Federal Bureau of Investigation said that the same group of online extortionists blamed for striking the Irish health system last week have also hit at least 16 U.S. medical and first response networks in the past year.Reuters
May 22, 2021
Conti Ransomware hit 16 US health and emergency Services, said FBI Full Text
Abstract
Conti ransomware targeted over 400 organizations worldwide, 290 in the US, and at least 16 healthcare and first responder networks. The Federal Bureau of Investigation (FBI) revealed that the Conti ransomware gang has hit at least 16 healthcare and first...Security Affairs
May 22, 2021
Avaddon Targets Insurer AXA with Ransomware Full Text
Abstract
The Avaddon ransomware group targeted the Asian operations of insurer AXA with DDoS attacks and ransomware just a week after the insurance company announced it was dropping coverage of ransomware payments in France.Avast
May 21, 2021
The Week in Ransomware - May 21st 2021 - Healthcare under attack Full Text
Abstract
This week's ransomware news has been dominated by the attack on Ireland's Health Service Executive (HSE) that has severely disrupted Ireland's healthcare system.BleepingComputer
May 21, 2021
QNAP confirms Qlocker ransomware used HBS backdoor account Full Text
Abstract
QNAP is advising customers to update the HBS 3 disaster recovery app to block Qlocker ransomware attacks targeting their Internet-exposed Network Attached Storage (NAS) devices.BleepingComputer
May 20, 2021
US insurer paid $40 million ransom after March cyber attack: report Full Text
Abstract
One of the largest insurance companies in the U.S. reportedly paid $40 million in ransom in March to regain control of its network following a ransomware attack.The Hill
May 20, 2021
Colonial Pipeline confirms it paid $4.4m ransom to hacker gang after attack Full Text
Abstract
Joseph Blount, Colonial Pipeline’s CEO, told the Wall Street Journal he authorized the payment because the firm didn’t know the extent of the damage and wasn’t sure how long it would take to recover.The Guardian
May 20, 2021
Conti ransomware gives HSE Ireland free decryptor, still selling data Full Text
Abstract
The Conti ransomware gang has released a free decryptor for Ireland's health service, the HSE, but warns that they will still sell or release the stolen data.BleepingComputer
May 20, 2021
Money-go-round: The booming cottage industry behind ransomware Full Text
Abstract
As policymakers try to respond to incidents, they're finding out that the problem is larger than cybercriminals extorting corporations and governments to regain access to their own data.Politico
May 20, 2021
It’s Time to Surge Resources Into Prosecuting Ransomware Gangs Full Text
Abstract
The Justice Department needs a “troop surge” of cyber prosecutors and agents to conduct long-term, proactive investigations into ransomware gangs and the organizations that enable them.Lawfare
May 20, 2021
This is how long hackers will hide in your network before deploying ransomware or being spotted Full Text
Abstract
Cyberattackers on average have 11 days after breaching a target network before they're detected, according to Sophos, and often when they are spotted it's because they've deployed ransomware.ZDNet
May 20, 2021
Colonial CEO Reportedly Confirms $4.4 Million Ransom Payment Full Text
Abstract
Firm speaks out about attackInfosecurity Magazine
May 19, 2021
Qlocker ransomware shuts down after extorting hundreds of QNAP users Full Text
Abstract
The Qlocker ransomware gang has shut down their operation after earning $350,000 in a month by exploiting vulnerabilities in QNAP NAS devices.BleepingComputer
May 19, 2021
How the ransomware explosion is reshaping the cyber insurance market Full Text
Abstract
After the NotPetya attacks, insurance companies started applying far more scrutiny to efforts by customers to protect themselves from ransomware. In the wake of Colonial Pipeline and other recent incidents, more shifts in coverage could emerge – and priorities of the insurers might not match up with those of victims.SCMagazine
May 19, 2021
School districts struggle to defend against rising ransomware attacks Full Text
Abstract
Cyber criminals are stepping up their efforts to hack into vulnerable school districts, often launching ransomware attacks like the kind that shut down the Colonial Pipeline earlier this month.The Hill
May 19, 2021
DarkSide Ransomware Gang Extorted $90 Million from Several Victims in 9 Months Full Text
Abstract
DarkSide, the hacker group behind the Colonial Pipeline ransomware attack earlier this month, received $90 million in bitcoin payments following a nine-month ransomware spree, making it one of the most profitable cybercrime groups. "In total, just over $90 million in bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets," blockchain analytics firm Elliptic said. "According to DarkTracer, 99 organisations have been infected with the DarkSide malware - suggesting that approximately 47% of victims paid a ransom, and that the average payment was $1.9 million." Of the total $90 million haul, DarkSide's developer is said to have received $15.5 million in bitcoins, while the remaining $74.7 million was split among its various affiliates. FireEye's research into DarkSide's affiliate program had previously revealed that its creators take a 25% cut for payments under $500,000 and 10% for ransoms above $5 million, with tThe Hacker News
May 19, 2021
Conti ransomware gang also breached Ireland Department of Health (DoH) Full Text
Abstract
Conti ransomware also breached the network of Ireland's Department of Health (DoH) but the ransomware failed to encrypt the systems. Last week, Conti ransomware gang targeted the Ireland’s Health Service Executive that was forced to shut down its IT systems...Security Affairs
May 19, 2021
Ransomware Attackers Target New Zealand District Hospitals, Causing Outages and Surgery Cancellations Full Text
Abstract
New Zealand's Waikato District Health Board (DHB) has been hit with a ransomware that took down most IT services Tuesday morning and drastically reduced services at six of its affiliate hospitals.The Register
May 19, 2021
MountLocker ransomware uses Windows API to worm through networks Full Text
Abstract
The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks.BleepingComputer
May 19, 2021
DarkSide ransomware made $90 million since October 2020 Full Text
Abstract
Researchers from blockchain analysis firm Elliptic estimated that the DarkSide ransomware gang has earned over $90 million from its attacks...Security Affairs
May 18, 2021
DarkSide ransomware made $90 million in just nine months Full Text
Abstract
The DarkSide ransomware gang has collected at least $90 million in ransoms paid by its victims over the past nine months to multiple Bitcoin wallets.BleepingComputer
May 18, 2021
Double-extortion ransomware attacks on the rise Full Text
Abstract
As the rewards that result from this type of crime increase, risks to government entities, company bottom lines, reputation, data integrity, customer confidence, and business continuity also grow.Help Net Security
May 18, 2021
Unsuccessful Conti Ransomware Attack Still Packs Costly Punch Full Text
Abstract
Separate attacks last week on Ireland's Department of Health and Health Service Executive forced the shutdown of networks and services that still haven't been fully restored.Threatpost
May 18, 2021
Analysis of NoCry ransomware: A variant of the Judge ransomware Full Text
Abstract
Researchers at Tesorion released a decryptor for Judge ransomware that also decrypts files encrypted by the NoCry ransomware. In January this year, we published a blog post on our analysis of the Judge ransomware. We announced a free decryptor...Security Affairs
May 18, 2021
Newly Discovered Function in DarkSide Ransomware Variant Targets Disk Partitions Full Text
Abstract
At the time of discovery, FortiGuard Labs researchers believed the ransomware was enumerating partitions to find hidden partitions set up by systems administrators to store backup files.Fortinet
May 18, 2021
Breaking Down the Ransomware Trends in 2021 Full Text
Abstract
It is to be expected that threat actors will not keep up their end of the bargain even after the ransom is paid: all or part of the exfiltrated data has ended up online even after payment.Cyware Alerts - Hacker News
May 18, 2021
AXA Faces DDoS After Ransomware Attack Full Text
Abstract
Avaddon group warns of more damage aheadInfosecurity Magazine
May 18, 2021
Irish health service may take weeks to recover from ransomware attack Full Text
Abstract
“While it may take weeks to get all systems back, steady progress is being made, starting with services for the most urgent patients,” Health Minister Stephen Donnelly said on Twitter.Reuters
May 18, 2021
Lorenz: A New Ransomware Making Rounds Full Text
Abstract
A ransomware gang that began operating a month ago and shares similarity with ThunderCrypt operation has launched a double-extortion attack on its victims. Security agencies and professionals need to keep an eye on this threat and beef up defenses.Cyware Alerts - Hacker News
May 17, 2021
Conti ransomware also targeted Ireland’s Department of Health Full Text
Abstract
The Conti ransomware gang failed to encrypt the systems of Ireland's Department of Health (DoH) despite breaching its network and dropping Cobalt Strike beacons to deploy their malware across the network.BleepingComputer
May 17, 2021
Ransomware victim shows why transparency in attacks matters Full Text
Abstract
As devastating ransomware attacks continue to have far-reaching consequences, companies still try to hide the attacks rather than be transparent. Below we highlight a company's response to an attack that should be used as a model for all future disclosures.BleepingComputer
May 17, 2021
Three Ransomware Sites Go Dark and Three Major Hacking Forums Ban Ransomware Ads Full Text
Abstract
Three hacking forums have now banned ransomware ads, three ransomware leak sites have gone down, and two other ransomware groups have announced plans to stop operating in public and go “private.”The Record
May 17, 2021
Update: Conti ransomware demanded $20M ransom from Ireland Health Service Executive Full Text
Abstract
The incident caused cancellations and disruption to services at multiple hospitals in the country, fortunately, the ongoing coronavirus vaccination campaign was not affected.Security Affairs
May 17, 2021
Cybercrime Forum Bans Ransomware Activity Full Text
Abstract
XSS complains of “too much PR” from recent incidentsInfosecurity Magazine
May 17, 2021
The new digital extortion Full Text
Abstract
Payments to ransomware attackers rose 337% from 2019 to 2020, reaching more than $400 million worth of cryptocurrency, according to figures just released by Chainalysis, a blockchain analysis company.Axios
May 17, 2021
U.S. Pipeline Ransomware Attackers Go Dark After Servers and Bitcoin Are Seized Full Text
Abstract
Just as Colonial Pipeline restored all of its systems to operational status in the wake of a crippling ransomware incident a week ago, DarkSide, the cybercrime syndicate behind the attack, claimed it lost control of its infrastructure, citing a law enforcement seizure. All the dark web sites operated by the gang, including its DarkSide Leaks blog, ransom collection site, and breach data content delivery network (CDN) servers, have gone dark and remain inaccessible as of writing. In addition, the funds from their cryptocurrency wallets were allegedly exfiltrated to an unknown account, according to a note passed by DarkSide operators to its affiliates. "At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked," the announcement obtained by Intel 471 read. The development comes as DarkSide closed its Ransomware-as-a-Service (RaaS) affiliate program for good "due to the pressure from the U.S.", with the group stating thThe Hacker News
May 17, 2021
Toshiba Business Reportedly Hit by DarkSide Ransomware Full Text
Abstract
Ransomware group said to have stolen over 700GB of dataInfosecurity Magazine
May 17, 2021
Conti ransomware demanded $20M ransom from Ireland Health Service Executive Full Text
Abstract
Ireland's Health Service Executive (HSE) refuses to pay a $20 million ransom demand after its systems were hit by the Conti ransomware gang, which forced it to shut down its IT systems on Friday after being...Security Affairs
May 17, 2021
The bizarre story of the inventor of ransomware Full Text
Abstract
Although it was a pretty basic malware, it was the first time many people had ever heard of the concept — or of digital extortion. It's unclear if any people or organizations paid the ransom.CNN Money
May 17, 2021
Avaddon Ransomware gang hacked France-based Acer Finance Full Text
Abstract
Avaddon ransomware gang made the headlines again, the cybercrime gang has breached the France-based financial consultancy firm Acer Finance and gave the firm 240 hours to cooperate with their demands.Security Affairs
May 16, 2021
Insurer AXA hit by ransomware after dropping support for ransom payments Full Text
Abstract
Branches of insurance giant AXA based in Thailand, Malaysia, Hong Kong, and the Philippines have been struck by a ransomware cyber attack. As seen by BleepingComputer yesterday, the Avaddon ransomware group claimed on their leak site that they had stolen over 3 TB of sensitive data from AXA's Asian operations.BleepingComputer
May 16, 2021
Avaddon Ransomware gang hacked France-based Acer Finance and AXA Asia Full Text
Abstract
The Avaddon ransomware gang has made the headlines again: the cybercrime gang has breached the France-based financial consultancy firm Acer Finance. Acer Finance...Security Affairs
May 15, 2021
Ireland’s Health Services hit with $20 million ransomware demand Full Text
Abstract
Ireland's health service, the HSE, says they are refusing to pay a $20 million ransom demand to the Conti ransomware gang after the hackers encrypted computers and disrupted health care in the country.BleepingComputer
May 15, 2021
Major hacking forums XSS and Exploit ban ads from ransomware gangs Full Text
Abstract
The popular hacking forum XSS, previously known as DaMaGeLab, announced that it would ban the ads published by ransomware gangs...Security Affairs
May 15, 2021
Toshiba subsidiary confirms ransomware attack, as reports suggest possible DarkSide involvement Full Text
Abstract
European units of Japanese tech giant Toshiba are investigating a security incident in which scammers may have used a similar hacking tool to the malware used against IT systems at Colonial Pipeline.Cyberscoop
May 15, 2021
QNAP warns of eCh0raix ransomware and Roon Server zero-day attacks Full Text
Abstract
QNAP warns of an actively exploited Roon Server zero-day flaw and eCh0raix ransomware attacks on its NAS devices. QNAP warns customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks...Security Affairs
May 15, 2021
Lorenz Ransomware Uses Customized Malware to Target Organizations Full Text
Abstract
Dubbed Lorenz, the ransomware gang began operating a month ago and has since compiled a growing list of victims whose stolen data has been published on a data leak site, as reported by BleepingComputer.Heimdal Security
May 14, 2021
Ransomware ads now also banned on Exploit cybercrime forum Full Text
Abstract
The team behind Exploit, a major cybercrime forum used by ransomware gangs to hire affiliates and advertise their Ransomware-as-a-Service (RaaS) services, has announced that ransomware ads are now banned and will be removed.BleepingComputer
May 14, 2021
The Week in Ransomware - May 14th 2021 - One down, many more to go Full Text
Abstract
Ransomware took the media spotlight this week after a ransomware gang known as DarkSide targeted critical infrastructure in the USA.BleepingComputer
May 14, 2021
Ransomware Gangs Are Now Leaking Stolen Data More Often Full Text
Abstract
Researchers say more than 2,100 companies had their data leaked over data leak sites hosted by ransomware groups since 2019, suggesting cybercriminals are doing it more frequently to extort their victims. Other cybercriminals are expected to follow suit in the future.Cyware Alerts - Hacker News
May 14, 2021
DarkSide ransomware servers reportedly seized, operation shuts down Full Text
Abstract
The DarkSide ransomware operation has allegedly shut down after the threat actors lost access to servers and their cryptocurrency was transferred to an unknown wallet.BleepingComputer
May 14, 2021
QNAP warns of eCh0raix ransomware attacks, Roon Server zero-day Full Text
Abstract
QNAP warns customers of an actively exploited Roon Server zero-day bug and eCh0raix ransomware attacks targeting their Network Attached Storage (NAS) devices, just two weeks after alerting them of an ongoing AgeLocker ransomware outbreak.BleepingComputer
May 14, 2021
Irish health service forced to shut down IT systems after ransomware attack Full Text
Abstract
Ireland’s health care system was forced to shut down its IT systems Friday following what it described as a "significant" ransomware attack that disrupted operations.The Hill
May 14, 2021
Ireland’s Healthcare System’s IT Offline Following Ransomware Attack Full Text
Abstract
HSE Ireland reveals it has taken its IT systems offline due to a "significant ransomware attack"Infosecurity Magazine
May 14, 2021
Ireland’s Health Service Executive hit by ransomware attack Full Text
Abstract
Ireland’s Health Service Executive service shut down its IT systems after they were hit with a “significant ransomware attack.” Another major ransomware attack made the headlines, this time the victim is Ireland’s Health Service Executive...Security Affairs
May 14, 2021
Irish healthcare shuts down IT systems after Conti ransomware attack Full Text
Abstract
Ireland's Health Service Executive(HSE), the country's publicly funded healthcare system, has shut down all IT systems after its network was breached in a ransomware attack.BleepingComputer
May 14, 2021
Colonial Pipeline likely paid a $5M ransom to DarkSide Full Text
Abstract
DarkSide demanded a $5 million ransom from Colonial Pipeline, which has quickly recovered operations; did it pay? The Colonial Pipeline facility in Pelham, Alabama, was hit by a cybersecurity attack on Friday and its operators were forced to shut down...Security Affairs
May 14, 2021
Attacks by Avaddon Ransomware are Escalating Full Text
Abstract
Ransomware attacks by the Avaddon group are targeting organizations from several sectors based in the U.S. and worldwide. According to the FBI, the ransomware associates are breaching the networks of healthcare, manufacturing, and other private sector organizations worldwide.Cyware Alerts - Hacker News
May 14, 2021
US pipeline ransomware attack serves as fair warning to persistent corporate inertia over security Full Text
Abstract
That companies continue to disregard the need for basic cybersecurity hygiene signals the need for firmer action, especially as cybercriminals turn their focus to operational technology sectors.ZDNet
May 14, 2021
Colonial Pipeline Paid Nearly $5 Million in Ransom to Cybercriminals Full Text
Abstract
Colonial Pipeline on Thursday restored operations to its entire pipeline system nearly a week following a ransomware infection targeting its IT systems, forcing it to reportedly shell out nearly $5 million to restore control of its computer networks. "Following this restart, it will take several days for the product delivery supply chain to return to normal," the company said in a statement on Thursday evening. "Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during this start-up period. Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal." The company's official website, however, has been taken offline as of writing with an access denied message "This request was blocked by the security rules." Bloomberg, citing "two people familiar with the transaction," said the company made tThe Hacker News
May 13, 2021
Popular Russian hacking forum XSS bans all ransomware topics Full Text
Abstract
One of the most popular Russian-speaking hacker forums, XSS, has banned all topics promoting ransomware to prevent unwanted attention.BleepingComputer
May 13, 2021
Chemical distributor pays $4.4 million to DarkSide ransomware Full Text
Abstract
Chemical distribution company Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang to receive a decryptor for encrypted files and prevent the threat actors from publicly leaking stolen data.BleepingComputer
May 13, 2021
Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom Full Text
Abstract
Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee.Bloomberg
May 13, 2021
Colonial Pipeline restores operations, $5 million ransom demanded Full Text
Abstract
Colonial Pipeline Company has recovered quickly from the ransomware attack suffered less than a week ago and expects all its infrastructure to be fully operational today.BleepingComputer
May 13, 2021
Colonial paid hackers almost $5M in ransom: report Full Text
Abstract
Colonial Pipeline paid almost $5 million in ransom to hackers last Friday despite reports that said the company had no intention of paying, Bloomberg news reported.The Hill
May 13, 2021
Meet Lorenz — A new ransomware gang targeting the enterprise Full Text
Abstract
A new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms.BleepingComputer
May 13, 2021
Norwegian Green Energy Company Volue Hit by Ransomware Attack Full Text
Abstract
Norway-based green energy solutions provider Volue has been working on restoring systems after being targeted in a ransomware attack by the Ryuk operators which was detected on May 5.Security Week
May 13, 2021
Insurance giant CNA fully restores systems after ransomware attack Full Text
Abstract
Leading US-based insurance company CNA Financial has fully restored systems following a Phoenix CryptoLocker ransomware attack that disrupted its online services and business operations during late March.BleepingComputer
May 13, 2021
Ransomware Attackers Now Using Triple Extortion Tactics Against Victims’ Customers, Partners, and Other Third-Parties Full Text
Abstract
In this tactic, the criminals send ransom demands not only to the attacked organization but to any customers, users, or other third parties that would be hurt by the leaked data.Tech Republic
May 12, 2021
Colonial Pipeline has no plans to pay ransom for files: report Full Text
Abstract
Colonial Pipeline has no plans to pay the ransom after a cyber attack on their operations, two people familiar with the matter told The Washington Post on Wednesday.The Hill
May 12, 2021
CISA Analysis on FiveHands Ransomware Full Text
Abstract
The CISA has published a report on the FiveHands ransomware deployed by an aggressively financially motivated group - UNC2447. The campaign involved extortion incidents between January and February.Cyware Alerts - Hacker News
May 12, 2021
A Dive into the Consequences of Ransomware Payoffs Full Text
Abstract
While ransomware operators have adopted various extortion tactics to make their victims pay up, it's important to take a look at key statistics on victims paying or not paying the ransom.Cyware Alerts - Hacker News
May 12, 2021
Police Doxxed After Ransom Dispute Full Text
Abstract
Washington DC Metropolitan Police records allegedly leaked online during National Policing WeekInfosecurity Magazine
May 12, 2021
Shining a Light on DARKSIDE Ransomware Operations Full Text
Abstract
In addition to providing builds of DARKSIDE ransomware, the operators of this service also maintain a blog accessible via TOR. This site is also used to pressure victims into paying ransoms.FireEye
May 12, 2021
UK’s Computer Misuse Act to be reviewed, says Home Secretary as she condemns ransomware payoffs Full Text
Abstract
UK Home Secretary Priti Patel has promised a government review of the UK's 30-year-old Computer Misuse Act "this year" as well as condemning companies that buy off ransomware criminals.The Register
May 12, 2021
Ransomware Gang Leaks Metropolitan Police Data After Failed Negotiations Full Text
Abstract
The cybercrime syndicate behind Babuk ransomware has leaked more personal files belonging to the Metropolitan Police Department (MPD) after negotiations with the DC Police broke down, warning that they intend to publish all data if their ransom demands are not met. "The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers, you can download this archive, the password will be released tomorrow. if during tomorrow they do not raise the price, we will release all the data," the gang said in a statement on their data leak site. "You still have the ability to stop it," it added. The Babuk group is said to have stolen 250GB of data, including investigation reports, arrests, disciplinary actions, and other intelligence briefings. Like other ransomware platforms, DarkSide adheres to a practice called double extortion, which involves demanding money in return for unlocking files and servers enThe Hacker News
May 11, 2021
Cuba Ransomware Joining Hands with Hancitor Malware Full Text
Abstract
The Cuba Ransomware group and the operators behind the Hancitor downloader have reportedly united for easy access to compromised corporate networks. For years, Cuba ransomware has been in and out of the ransomware game; it came to the limelight after the ATFS attack.Cyware Alerts - Hacker News
May 11, 2021
Project Signal: A Ransomware Operation Sponsored by Iran Full Text
Abstract
Iran's Islamic Revolutionary Guard Corps has been accused of running a state-sponsored ransomware operation through a contracting company known as Emen Net Pasargard.Cyware Alerts - Hacker News
May 11, 2021
Is It Really 85 Percent? Full Text
Abstract
A commonly cited statistic about private ownership of U.S. infrastructure has popped up again after the Colonial Pipeline ransomware report. But where does it actually come from?Lawfare
May 11, 2021
WATCH: FBI cyber division chief details how his team will support businesses in the ransomware battle Full Text
Abstract
As Colonial Pipeline struggles to return to operations amid a crippling ransomware attack, how will law enforcement leverage tech, partnership with industry, and policy to manage the threat? During a recent SC Media eSummit on ransomware, Herb Stapleton, cyber division section chief at the FBI, offered details on lessons that emerged during 2020, and how they will shape efforts in 2021 to respond to attacks.SCMagazine
May 11, 2021
200K Veterans’ Medical Records Likely Stolen by Ransomware Gang Full Text
Abstract
Analyst finds ransomware evidence, despite a contractor’s denial of compromise.Threatpost
May 11, 2021
Ransomware gang leaks data from Metropolitan Police Department Full Text
Abstract
Babuk ransomware operators have leaked what they claim are personal files belonging to police officers from the Metropolitan Police Department after negotiations went stale.BleepingComputer
May 11, 2021
DarkSide Wanted Money, Not Disruption from Colonial Pipeline Attack Full Text
Abstract
Statement by the ransomware gang suggests that the incident that crippled a major U.S. oil pipeline may not have exactly gone to plan for overseas threat actors.Threatpost
May 11, 2021
FBI and Australia ACSC agencies warn of ongoing Avaddon ransomware attacks Full Text
Abstract
The FBI and the Australian Cyber Security Centre (ACSC) warn of an ongoing Avaddon ransomware campaign targeting organizations worldwide. The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) are warning...Security Affairs
May 11, 2021
AXA to Stop Reimbursing Ransom Payments Full Text
Abstract
Insurer's move in France could drive cybersecurity improvementsInfosecurity Magazine
May 11, 2021
Biden: No evidence Russian government is involved in Colonial ransomware attack Full Text
Abstract
At a press conference today, President Joe Biden said the US intelligence community has no evidence that the Russian government had any kind of involvement in the Colonial Pipeline hack.The Record
May 11, 2021
Japanese Manufacturer Yamabiko Targeted by Babuk Ransomware Full Text
Abstract
Report suggests threat actors have already come out of retirementInfosecurity Magazine
May 10, 2021
City of Tulsa’s online services disrupted in ransomware incident Full Text
Abstract
The City of Tulsa, Oklahoma, has suffered a ransomware attack that forced the City to shut down its systems to prevent the further spread of the malware.BleepingComputer
May 10, 2021
FBI confirmed that Darkside ransomware gang hit Colonial Pipeline Full Text
Abstract
The U.S. FBI confirmed that the attack against the Colonial Pipeline over the weekend was launched by the Darkside ransomware gang. The U.S. Federal Bureau of Investigation confirmed that the Colonial Pipeline was shut down due to a cyber attack carried...Security Affairs
May 10, 2021
N3TW0RM Ransomware Targeting Israeli Organizations Full Text
Abstract
Iranian hackers recently compromised the networks of H&M Israel and other Israeli firms. The group has threatened to leak 110GB of customer data if the ransom demand of 3 BTC isn't met. N3TW0RM has not been attributed to any group at present.Cyware Alerts - Hacker News
May 10, 2021
FBI confirms DarkSide ransomware group behind pipeline hack Full Text
Abstract
The FBI confirmed on Monday that criminal ransomware gang Darkside is responsible for the cyberattack on the Colonial Pipeline network.The Hill
May 10, 2021
US and Australia warn of escalating Avaddon ransomware attacks Full Text
Abstract
The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) are warning of an ongoing Avaddon ransomware campaign targeting organizations from an extensive array of sectors in the US and worldwide.BleepingComputer
May 10, 2021
DarkSide ransomware will now vet targets after pipeline cyberattack Full Text
Abstract
The DarkSide ransomware gang posted a new "press release" today stating that they are apolitical and will vet all targets before they are attacked.BleepingComputer
May 10, 2021
DarkSide ransomware will start vetting targets after pipeline cyberattack Full Text
Abstract
The DarkSide ransomware gang posted a new "press release" today stating that they are apolitical and will vet all targets before they are attacked.BleepingComputer
May 10, 2021
Ransomware gangs get more aggressive against law enforcement Full Text
Abstract
Criminal hackers are increasingly using brazen methods to increase pressure on law enforcement agencies to pay ransoms, including threatening to leak highly sensitive information.AP News
May 10, 2021
US declares state of emergency after ransomware hits largest pipeline Full Text
Abstract
After a ransomware attack on Colonial Pipeline forced the company to shut down 5,500 miles of fuel pipeline, the Federal Motor Carrier Safety Administration (FMCSA) issued a regional emergency declaration affecting 17 states and the District of Columbia.BleepingComputer
May 10, 2021
City of Tulsa is the latest US city hit by ransomware attack Full Text
Abstract
The city of Tulsa, Oklahoma, has been hit by a ransomware attack over the weekend that impacted its government’s network and shut down its websites. One of the biggest cities in the US by population size, the City of Tulsa, was victim of a ransomware...Security Affairs
May 10, 2021
Reported ransomware attack leads to weeks of Aprima EHR outages Full Text
Abstract
A reported ransomware attack on the CompuGroup Medical data center partner, MedNetwoRX, has impeded some customers' access to their Aprima electronic health record systems for more than two weeks.Healthcare IT News
May 10, 2021
City of Tulsa Hit by Ransomware Attack Over the Weekend Full Text
Abstract
The city of Tulsa, Oklahoma, one of the largest cities in the US, has been hit by a ransomware attack over the weekend that affected the city government’s network and brought down official websites.The Record
May 10, 2021
Ransomware Takes Down East Coast Fuel Pipeline Full Text
Abstract
Emergency legislation issued after critical infrastructure attackInfosecurity Magazine
May 9, 2021
CISA MAR report provides technical details of FiveHands Ransomware Full Text
Abstract
U.S. CISA has published an analysis of the FiveHands ransomware, the same malware that was analyzed a few days ago by researchers from FireEye’s Mandiant experts. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis...Security Affairs
May 8, 2021
Major U.S. Pipeline Crippled in Ransomware Attack Full Text
Abstract
Colonial Pipeline Company says it is the victim of a cyberattack that forced the major provider of liquid fuels to the East Coast to temporarily halt all pipeline operations.Threatpost
May 8, 2021
CaptureRx Hit with Ransomware Attack Full Text
Abstract
An investigation revealed that certain files were accessed without permission, including first and last names, dates of birth, prescription information, and medical record numbers.Heimdal Security
May 7, 2021
The Week in Ransomware - May 7th 2021 - Attacking healthcare Full Text
Abstract
While ransomware attacks continued throughout the week, for the most part, it has been quieter than usual, with only a few new variants released.BleepingComputer
May 7, 2021
US defense contractor BlueForce apparently hit by ransomware Full Text
Abstract
The Conti ransomware operators demanded nearly $1 million in bitcoin during ransomware negotiations and threatened to publish the defense contractor's data on its leak site.Tech Target
May 7, 2021
CISA Warns of Attacks Using FiveHands Ransomware and SombRAT Full Text
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a recent successful cyberattack against an organization using a new ransomware variant, which CISA refers to as FiveHands.ICSA
May 7, 2021
#COVID19 Researchers Lose a Week’s Work to Ryuk Ransomware Full Text
Abstract
Sophos traces attack back to a stolen passwordInfosecurity Magazine
May 7, 2021
Connecting the Bots – Hancitor fuels Cuba Ransomware Operations Full Text
Abstract
The Cuba Ransomware gang has partnered with the crooks behind the Hancitor malware in attacks aimed at corporate networks. The Hancitor downloader has been around for quite some time already. It is known since at least 2016 for dropping...Security Affairs
May 7, 2021
Cuba Ransomware partners with Hancitor for spam-fueled attacks Full Text
Abstract
The Cuba Ransomware gang has teamed up with the spam operators of the Hancitor malware to gain easier access to compromised corporate networks.BleepingComputer
May 7, 2021
DHS Secretary: Small Businesses Hard-Hit by Ransomware Full Text
Abstract
"The losses from ransomware are staggering. And the pace at which those losses are being realized is equally staggering," Mayorkas said, noting this is why DHS has made battling ransomware a priority.Bank Info Security
May 6, 2021
A student pirating software led to a full-blown Ryuk ransomware attack Full Text
Abstract
A student's attempt to pirate an expensive data visualization software led to a full-blown Ryuk ransomware attack at a European biomolecular research institute.BleepingComputer
May 6, 2021
Update: REvil ransomware to blame for UnitingCare Queensland’s April attack Full Text
Abstract
The organization, which provides aged care, disability supports, health care, and crisis response services throughout the Australian state, suffered the attack on Sunday, 25 April 2021.ZDNet
May 6, 2021
Cyberattackers Behind Avaddon Ransomware Give Australia’s NSW Labor 240 Hours to Pay Ransom Full Text
Abstract
Avaddon, which originated in Russia, is behind the breach and is threatening to release a trove of sensitive information including images of passports, driver’s licenses, and employment contracts.Sydney Morning Herald
May 4, 2021
Scripps Health Knocked Offline by Ransomware Full Text
Abstract
Healthcare non-profit postpones appointments after attackInfosecurity Magazine
May 4, 2021
Project Signal: a second Iranian State-Sponsored Ransomware Operation Full Text
Abstract
Iran-linked APT group carried out a ransomware operation through a contracting company based in the country, Flashpoint researchers warn. Researchers from Flashpoint have uncovered a state-sponsored ransomware campaign conducted by Iran's Islamic...Security Affairs
May 4, 2021
Suspected Iranian Ransomware Group Targets Israeli Firms Full Text
Abstract
Report suggests “Networm” group has hit H&M IsraelInfosecurity Magazine
May 3, 2021
Health care giant Scripps Health hit by ransomware attack Full Text
Abstract
Nonprofit health care provider Scripps Health in San Diego is currently dealing with a ransomware attack that forced the organization to suspend user access to its online portal and switch to alternative methods for patient care operations.BleepingComputer
May 3, 2021
N3TW0RM ransomware emerges in wave of cyberattacks in Israel Full Text
Abstract
A new ransomware gang known as 'N3TW0RM' is targeting Israeli companies in a wave of cyberattacks starting last week.BleepingComputer
May 3, 2021
Ryuk Ransomware Operators have Updated their Attack Techniques Full Text
Abstract
Security researchers from AdvIntel discovered that Ryuk ransomware attacks are now mostly using exposed RDP connections to gain an initial foothold inside a targeted network.Cyware Alerts - Hacker News
May 3, 2021
Researchers Uncover Iranian State-Sponsored Ransomware Operation Full Text
Abstract
Iran has been linked to yet another state-sponsored ransomware operation through a contracting company based in the country, according to new analysis. "Iran's Islamic Revolutionary Guard Corps (IRGC) was operating a state-sponsored ransomware campaign through an Iranian contracting company called 'Emen Net Pasargard' (ENP)," cybersecurity firm Flashpoint said in its findings summarizing three documents leaked by an anonymous entity named Read My Lips or Lab Dookhtegan between March 19 and April 1 via its Telegram channel. Dubbed "Project Signal," the initiative is said to have kickstarted sometime between late July 2020 and early September 2020, with ENP's internal research organization, named the "Studies Center," putting together a list of unspecified target websites. A second spreadsheet validated by Flashpoint explicitly spelled out the project's financial motivations, with plans to launch the ransomware operations in lateThe Hacker News
May 2, 2021
Cloud hosting provider Swiss Cloud suffered a ransomware attack Full Text
Abstract
Swiss cloud hosting provider Swiss Cloud has suffered a ransomware attack that seriously impacted its server infrastructure. On April 27 the Swiss cloud hosting provider was hit by a ransomware attack that brought down the company’s server infrastructure. The...Security Affairs
May 1, 2021
Babuk - A Growing Ransomware Threat Full Text
Abstract
The rapidly emerging Babuk ransomware is becoming a serious threat as it has compromised the networks of sports, communication sectors, and government entities - all within a month.Cyware Alerts - Hacker News
May 1, 2021
Python also impacted by critical IP address validation vulnerability Full Text
Abstract
Python 3.3 standard library 'ipaddress' suffers from a critical IP address vulnerability (CVE-2021-29921) identical to the flaw that was reported in the "netmask" library earlier this year.BleepingComputer
May 1, 2021
Mount Locker Ransomware Learns New Tricks to Evade Detection Full Text
Abstract
Researchers have found Mount Locker ransomware using sophisticated scripting and anti-prevention features in recent campaigns, and the change in tactics may be accompanied by the AstroLocker rebranding.Cyware Alerts - Hacker News
May 1, 2021
AgeLocker ransomware operation targets QNAP NAS devices Full Text
Abstract
Taiwanese vendor QNAP is warning its customers of AgeLocker ransomware attacks on their NAS devices. Crooks behind the AgeLocker ransomware operation are targeting QNAP NAS devices, the Taiwanese vendor warns. The vendor doesn't provide technical...Security Affairs
May 1, 2021
Babuk crew announced it will stop ransomware attacks Full Text
Abstract
Babuk ransomware operators shut down their affiliate program and announced that they will stop using ransomware; the group plans to move to data theft. Recently the Babuk ransomware operators made the headlines for the ransomware attack against the DC Police...Security Affairs
May 1, 2021
In The Ransomware Battle, Cybercriminals Have The Upper Hand Full Text
Abstract
The NBA's Houston Rockets were hit by a ransomware attack earlier this month. Now it's the Washington, D.C., police department. The common thread is an unknown ransomware group called Babuk.NPR
April 30, 2021
The Week in Ransomware - April 30th 2021 - Attacks Escalate Full Text
Abstract
Ransomware gangs continue to target organizations large and small, including a brazen attack on the Washington DC police department.BleepingComputer
April 30, 2021
Babuk quits ransomware encryption, focuses on data-theft extortion Full Text
Abstract
A new message today from the operators of Babuk ransomware clarifies that the gang has decided to close the affiliate program and move to an extortion model that does not rely on encrypting victim computers.BleepingComputer
April 30, 2021
Hackers Exploit SonicWall Zero-Day Bug in FiveHands Ransomware Attacks Full Text
Abstract
An "aggressive" financially motivated threat group tapped into a zero-day flaw in SonicWall VPN appliances prior to it being patched by the company to deploy a new strain of ransomware called FIVEHANDS. The group, tracked by cybersecurity firm Mandiant as UNC2447, took advantage of an "improper SQL command neutralization" flaw in the SSL-VPN SMA100 product (CVE-2021-20016, CVSS score 9.8) that allows an unauthenticated attacker to achieve remote code execution. "UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant researchers said. "UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics." CVE-2021-20016 is the same zero-day that theThe Hacker News
April 30, 2021
Ransomware Task Force Urges Tighter Crypto Regulation Full Text
Abstract
Long-awaited document calls for closer international co-operationInfosecurity Magazine
April 30, 2021
DC Officer Info Leaked Online by Ransomware Group: Report Full Text
Abstract
Babuk says this is its last big job before closing downInfosecurity Magazine
April 30, 2021
Darkside Ransomware Returns with a Vengeance Full Text
Abstract
In March, threat intelligence experts warned of a new version of the ransomware that featured a faster encryption process, VoIP calling, and modules to target virtual machines.Cyware Alerts - Hacker News
April 29, 2021
Brazil’s Rio Grande do Sul court system hit by REvil ransomware Full Text
Abstract
Brazil's Tribunal de Justiça do Estado do Rio Grande do Sul was hit with a REvil ransomware attack yesterday that encrypted employees' files and forced the courts to shut down their network.BleepingComputer
April 29, 2021
Babuk Ransomware Gang Mulls Retirement Full Text
Abstract
The RaaS operators have been posting, tweaking and taking down a goodbye note, saying that they’ll be open-sourcing their data encryption malware for other crooks to use.Threatpost
April 29, 2021
QNAP warns of AgeLocker ransomware attacks on NAS devices Full Text
Abstract
QNAP customers are once again urged to secure their Network Attached Storage (NAS) devices to defend against Agelocker ransomware attacks targeting their data.BleepingComputer
April 29, 2021
Ransomware group targeted SonicWall vulnerability pre-patch Full Text
Abstract
A ransomware group caught targeting a recently patched SonicWall vulnerability leveraged that vulnerability before the patch became available, Mandiant reported Thursday.SCMagazine
April 29, 2021
New ransomware group uses SonicWall zero-day to breach networks Full Text
Abstract
A financially motivated threat actor exploited a zero-day bug in Sonicwall SMA 100 Series VPN appliances to deploy new ransomware known as FiveHands on the networks of North American and European targets.BleepingComputer
April 29, 2021
Ransomware gang Babuk claims DC’s Metropolitan Police was last caper – then goes dark Full Text
Abstract
The move was a surprising one after infiltrating such a high-value target, leaving some security experts skeptical that the group won’t reemerge anew.SCMagazine
April 29, 2021
QNAP finds evidence of AgeLocker ransomware activity in the wild Full Text
Abstract
QNAP customers are once again urged to secure their Network Attached Storage (NAS) devices following a massive Qlocker ransomware campaign earlier this month.BleepingComputer
April 29, 2021
An alleged ransomware attack hit the Italian Banca di Credito Cooperativo causing chaos Full Text
Abstract
Banca di Credito Cooperativo (BCC), one of the largest Italian cooperative credit banks, was hit by a ransomware attack. The bank was hit by a cyberattack allegedly...Security Affairs
April 29, 2021
Babuk ransomware readies ‘shut down’ post, plans to open source malware Full Text
Abstract
After just a few months of activity, the operators of Babuk ransomware briefly posted a short message about their intention to quit the extortion business after having achieved their goal.BleepingComputer
April 29, 2021
Multi-Gov Task Force Plans to Take Down the Ransomware Economy Full Text
Abstract
A coalition of 60 global entities (including the DoJ) has proposed a sweeping plan to hunt down and disrupt ransomware gangs by going after their financial operations.Threatpost
April 29, 2021
Whistler resort municipality hit by new ransomware operation Full Text
Abstract
The Whistler municipality in British Columbia, Canada, has suffered a cyberattack at the hands of a new ransomware operation.BleepingComputer
April 29, 2021
Security expert coalition shares actions to disrupt ransomware Full Text
Abstract
The Ransomware Task Force, a public-party coalition of more than 50 experts, has shared a framework of actions to disrupt the ransomware business model.BleepingComputer
April 29, 2021
Ransomware Task Force releases long-awaited recommendations Full Text
Abstract
More than 60 stakeholders contributed to a ransomware framework released Thursday morning, which advocates for nearly 50 interlocking government and private sector strategies to tackle the criminal scourge.SCMagazine
April 29, 2021
Coalition unveils plan to help government, industry confront ransomware attacks Full Text
Abstract
A coalition of experts on Thursday unveiled a road map for the federal government and industry to potentially use in combating ransomware attacks, which have spiked over the past year as hackers targeted organizations including hospitals and schools.The Hill
April 29, 2021
DoppelPaymer Ransomware Gang Releases Court and Prisoner Files Stolen from Illinois Attorney General Office Full Text
Abstract
The files were published on a dark web portal managed by the DoppelPaymer ransomware gang and also include personally identifiable information about state prisoners, their grievances, and cases.The Record
April 28, 2021
Ransomware Payment Demands Rose by 43% So Far in 2021 Full Text
Abstract
The average demand for a digital extortion payment shot up in the first quarter of this year to $220,298, up 43% from the previous quarter, according to a quarterly report from Coveware.Cyberscoop
April 28, 2021
UK rail network Merseyrail hit by ransomware gang Full Text
Abstract
UK rail network Merseyrail was hit by a cyberattack; the ransomware operators breached the corporate email system and used it to disclose the attack to employees and journalists. UK rail network Merseyrail, which operates rail services across Merseyside, announced...Security Affairs
April 28, 2021
UK rail network Merseyrail likely hit by Lockbit ransomware Full Text
Abstract
UK rail network Merseyrail has confirmed a cyberattack after a ransomware gang used their email system to email employees and journalists about the attack.BleepingComputer
April 28, 2021
Average Ransom Surges 43% After Accellion Attacks Full Text
Abstract
Coveware claims Clop group drove up cybercrime gains in Q1 2021.Infosecurity Magazine
April 28, 2021
New WickrMe Ransomware Targets SharePoint Servers to Infiltrate Corporate Networks Full Text
Abstract
SharePoint now joins a list of network devices used as entry points by threat actors that also includes Citrix gateways, F5 BIG-IP load balancers, Microsoft Exchange email servers, and more.The Record
April 27, 2021
Babuk Ransomware Gang Targets Washington D.C. Police Full Text
Abstract
The RaaS developers thumbed their noses at police, saying “We find 0 day before you.”Threatpost
April 27, 2021
Qlocker Ransomware is Targeting QNAP Devices Full Text
Abstract
The Qlocker group was spotted using 7-Zip to move files on QNAP devices into password-protected archives. It generated about $260,000 within a week by remotely encrypting files.Cyware Alerts - Hacker News
April 27, 2021
Ransomware hit Guilderland Central School District near Albany Full Text
Abstract
Officials revealed that the school district near Albany was hit by a ransomware attack that forced students in grades 7 through 12 into all-remote learning on Monday. The Guilderland Central School District near Albany was hit by a ransomware attack...Security Affairs
April 26, 2021
DC Police confirms cyberattack after ransomware gang leaks data Full Text
Abstract
The Metropolitan Police Department has confirmed that they suffered a cyberattack after the Babuk ransomware gang leaked screenshots of stolen data.BleepingComputer
April 26, 2021
Ransomware gang now warns they will leak new Apple logos, iPad plans Full Text
Abstract
The REvil ransomware gang has mysteriously removed Apple's schematics from their data leak site after privately warning Quanta that they would leak drawings for the new iPad and new Apple logos.BleepingComputer
April 26, 2021
The Mysterious Tale of a Ransomware Cartel Full Text
Abstract
Analysis suggests that four different ransomware groups formed a cartel to leak stolen data via their partners. What surprised the researchers most is the missing element of profit-sharing.Cyware Alerts - Hacker News
April 26, 2021
61% of organizations impacted by ransomware in 2020 Full Text
Abstract
In a Mimecast survey, a full 79% of respondents indicated their companies had experienced a business disruption, financial loss, or other setbacks in 2020 due to a lack of cyber preparedness.Help Net Security
April 26, 2021
Targeted ransomware attacks grow 767%, India among top targets Full Text
Abstract
The ransomware attacks on high-profile targets such as corporations and government agencies globally increased by a whopping 767% in one year from 2019 to 2020, according to a new report.The Times Of India
April 26, 2021
Mining technology company Gyrodata hit by ransomware attack – employee data leaked Full Text
Abstract
The data potentially leaked includes names, addresses, birthdates, drivers’ license numbers, social security numbers, passport numbers, W-2 tax forms, and information related to health plan enrolment.The Daily Swig
April 24, 2021
A ransomware gang made $260,000 in 5 days using the 7zip utility Full Text
Abstract
A ransomware gang has made $260,000 in just five days simply by remotely encrypting files on QNAP devices using the 7zip archive program.BleepingComputer
April 24, 2021
NitroRansomware Demands Discord Gift Codes Full Text
Abstract
A new ransomware strain dubbed NitroRansomware is encrypting victim's files and then asking for a $9.99 Discord Nitro gift code to decrypt files. It gives a .givemenitro extension to encrypted files.Cyware Alerts - Hacker News
April 23, 2021
The Week in Ransomware - April 23rd 2021 - A brutal week Full Text
Abstract
This week has been brutal, not because of many ransomware variants released but due to a single ransomware campaign that affected thousands of people.BleepingComputer
April 23, 2021
New Qlocker ransomware infected hundreds of QNAP NAS devices in a few days Full Text
Abstract
A new ransomware strain dubbed Qlocker is infecting hundreds of QNAP NAS devices every day and demanding a $550 ransom payment. Experts are warning of a new strain of ransomware named Qlocker that is infecting hundreds of QNAP NAS devices on daily...Security Affairs
April 23, 2021
Ransomware gang offers traders inside scoop on attack victims so they can short sell their stocks Full Text
Abstract
The latest fallout of ransomware attacks may involve stock manipulation, with one group openly coaxing stock traders to reach out and receive the inside scoop on the gang’s latest corporate victims, so they can short sell their stock before data is leaked and the news goes public.SCMagazine
April 23, 2021
Darkside Ransomware Gang Plans to Extort NASDAQ-listed Victims by Shorting Their Stock Prices Full Text
Abstract
The operators of the Darkside ransomware are expanding their extortion tactics with a new technique aimed at companies that are listed on NASDAQ or other stock markets globally.The Record
April 23, 2021
Stanford student finds glitch in ransomware payment system to save victims $27,000 Full Text
Abstract
The hackers behind a nascent strain of ransomware hit a snag this week when a security researcher found a flaw in the payment system and, he says, helped victims save $27,000 in potential losses.Cyberscoop
April 23, 2021
Darkside Ransomware gang aims at influencing the stock price of their victims Full Text
Abstract
The Darkside ransomware gang is enhancing its extortion tactics to interfere with the valuation of stocks of companies that are listed on NASDAQ or other stock markets. The Darkside ransomware operators are stepping up their extortion tactics targeting...Security Affairs
April 22, 2021
Mount Locker Ransomware Aggressively Changes Up Tactics Full Text
Abstract
The ransomware is upping its danger quotient with new features while signaling a rebranding to “AstroLocker.”Threatpost
April 22, 2021
DoJ Launches Ransomware Taskforce as Apple Hit by Extortion Attempt Full Text
Abstract
REvil group claims to have secret Macbook plans stolen from supplier.Infosecurity Magazine
April 22, 2021
Million-dollar deposits and friends in high places: how we applied for a job with a ransomware gang Full Text
Abstract
During an undercover interview, a CyberNews researcher tricked ransomware operators affiliated with Ragnar Locker into revealing their ransom payout structure, cash out schemes, and target acquisition strategies. From a relatively rare threat just...Security Affairs
April 22, 2021
New US Justice Department Task Force Formed to Disrupt Ransomware Operations Full Text
Abstract
In an internal memo, the DoJ outlines the creation of a new initiative that will bring together current efforts in the federal government to "pursue and disrupt" ransomware operations.ZDNet
April 21, 2021
Massive QLocker ransomware attack uses 7zip to encrypt QNAP devices Full Text
Abstract
A massive ransomware campaign targeting QNAP devices worldwide is underway, and users are finding their files now stored in password-protected 7zip archives.BleepingComputer
April 21, 2021
Hackers threaten to leak stolen Apple blueprints if $50 million ransom isn’t paid Full Text
Abstract
Prominent Apple supplier Quanta on Wednesday said it suffered a ransomware attack from the REvil ransomware group, which is now demanding the iPhone maker pay a ransom of $50 million to prevent leaking sensitive files on the dark web. In a post shared on its deep web "Happy Blog" portal, the threat actor said it came into possession of schematics of the U.S. company's products such as MacBooks and Apple Watch by infiltrating the network of the Taiwanese manufacturer, claiming it's making a ransom demand to Apple after Quanta expressed no interest in paying to recover the stolen blueprints. "Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands," the REvil operators said. "We recommend that Apple buy back the available data by May 1." Since first detected in June 2019, REvil (aka Sodinokibi or Sodin) has emerged as one of the most prolific ransomware-as-a-servicThe Hacker News
April 21, 2021
REvil ransomware gang recommends that Apple buy back its data stolen in Quanta hack Full Text
Abstract
The REvil ransomware operators are attempting to blackmail Apple after they allegedly stole product blueprints of the IT giant from its business partner. REvil ransomware gang is attempting to extort Apple ahead of the Apple Spring Loaded...Security Affairs
April 21, 2021
REvil Ransomware Gang Claims to Steal Confidential Designs of Apple Devices from Quanta Computer Full Text
Abstract
REvil said it is "negotiating the sale" of the trove "with several major brands" and is sitting on data describing Apple's Watch, MacBook Air, and MacBook Pro, plus the Lenovo ThinkPad Z60m.The Register
April 20, 2021
School District’s Files Leaked in $40m Ransomware Attack Full Text
Abstract
Hackers leak Florida school district’s files online when their ransom demand isn’t met.Infosecurity Magazine
April 20, 2021
New Tactics Provide Invisibility Cloak to Ransomware Attacks Full Text
Abstract
Security experts recently discovered that ransomware groups have now upgraded to newer tools and strategies to hinder and complicate forensic investigations.Cyware Alerts - Hacker News
April 19, 2021
NitroRansomware Asks for $9.99 Discord Gift Codes, Steals Access Tokens Full Text
Abstract
The malware seems like a silly coding lark at first, but further exploration shows it can wreak serious damage in follow-on attacks.Threatpost
April 19, 2021
ICS Computers Face Increased Ransomware Attacks - Kaspersky Report Full Text
Abstract
In a new report, Kaspersky noted that developed countries faced a large number of ransomware attacks on ICS systems during the pandemic owing to their consistency in keeping businesses up and running.Cyware Alerts - Hacker News
April 19, 2021
Ryuk Ransomware Anatomy of an Attack in 2021 Full Text
Abstract
Advintel observed actors conducting OSINT research related to the compromised host domain to identify the infected victim company and evaluate their revenue to assess what the ransom amount will be.Advanced Intelligence
April 19, 2021
Ransomware micro-criminals are still out here (and growing) Full Text
Abstract
The conventional ransomware operation model is still very active: victims keep receiving e-mails with malicious attachments that automatically execute the ransomware payload on the unlucky machine.Yoroi
April 19, 2021
Not just ransomware: Schools and universities are increasingly targeted by impersonation scams Full Text
Abstract
School districts and universities, which were once seen as poor targets for financially motivated cybercrime attacks, are now awash in impersonation scams and other attacks.The Record
April 18, 2021
Discord Nitro gift codes now demanded as ransomware payments Full Text
Abstract
In a novel approach to ransom demands, a new ransomware calling itself 'NitroRansomware' encrypts victim's files and then demands a Discord Nitro gift code to decrypt files.BleepingComputer
April 17, 2021
Ryuk ransomware operation updates hacking techniques Full Text
Abstract
Recent attacks from Ryuk ransomware operators show that the actors have a new preference when it comes to gaining initial access to the victim network.BleepingComputer
April 16, 2021
The Week in Ransomware - April 16th 2021 - The Houston Rockets Full Text
Abstract
It has been a pretty quiet week with only a few large attacks disclosed and only a few new ransomware variants released. The highest-profile attack this week is the NBA's Houston Rockets who were transparent about their ransomware attack.BleepingComputer
April 16, 2021
The Rise and Fall of Maze Cartel Full Text
Abstract
From being a lone warrior to becoming an influencer, the Maze group has carved its way to becoming one of the most infamous ransomware groups by establishing the first-ever cartel.Cyware Alerts - Hacker News
April 16, 2021
How the Kremlin provides a safe harbor for ransomware Full Text
Abstract
A global epidemic of digital extortion known as ransomware is crippling local governments, hospitals, school districts, and businesses by scrambling their data files until they pay up. Law enforcement has been largely powerless to stop it.NBC News
April 15, 2021
The Tale of a New Ransomware Cartel Full Text
Abstract
Though it's normal for victims to remain unaware of how their stolen data is being put to use by cybercriminals, there are gangs in ransomware cartels who have made millions of dollars exploiting stolen data.Cyware Alerts - Hacker News
April 14, 2021
Ransomware Attack Creates Cheese Shortages in Netherlands Full Text
Abstract
Not a Gouda situation: An attack on a logistics firm is suspected to be related to Microsoft Exchange server flaw.Threatpost
April 13, 2021
Capcom: Ransomware gang used old VPN device to breach the network Full Text
Abstract
Capcom has released a new update about the ransomware attack it suffered last year, detailing how the hackers gained access to the network, compromised devices, and stole personal information belonging to thousands of individuals.BleepingComputer
April 13, 2021
Food Shortages at Dutch Supermarkets After Ransomware Outage Full Text
Abstract
Logistics provider Bakker Logistiek suffered attack over Easter.Infosecurity Magazine
April 12, 2021
REvil Breaks Safe Mode Again with Auto-login Feature Full Text
Abstract
Recent research found that REvil ransomware has repurposed its attack technique, which involves modifying the user’s system login password and forcing a system reboot to allow the malware to encrypt the files.Cyware Alerts - Hacker News
April 12, 2021
Ransomware’s evolving tools and technical tactics confuse forensic analysis Full Text
Abstract
Adversaries attempt to gain an upper hand by compromising the Active Directory, encrypting VM environments, and abusing Rclone.SCMagazine
April 12, 2021
Dutch supermarkets run out of cheese after ransomware attack Full Text
Abstract
A ransomware attack against conditioned warehousing and transportation provider Bakker Logistiek has caused a cheese shortage in Dutch supermarkets.BleepingComputer
April 12, 2021
Close Ties Surface Between Mount Locker and Astro Locker Team Ransomware Groups Full Text
Abstract
Researchers are looking at an uncanny resemblance between ransomware groups Mount Locker and Astro Locker Team. Experts imply a possible tie-up to expedite Mount Locker's onboarding as a RaaS operation.Cyware Alerts - Hacker News
April 12, 2021
How ransomware gangs are connected, sharing resources and tactics Full Text
Abstract
In a whitepaper entitled “Ransom Mafia – Analysis of the World’s First Ransomware Cartel”, DiMaggio and his team aimed to provide an analytical assessment on whether there is indeed a ransomware cartel.Malwarebytes Labs
April 10, 2021
New REvil Ransomware Version Automatically Logs Windows into Safe Mode Full Text
Abstract
Once more, the well-known REvil ransomware has elevated its attack vector to change the target victim’s login password in order to reboot the computer into Windows Safe Mode.Heimdal Security
April 9, 2021
To avoid penalties for ransomware payouts, incident response pros press for due diligence Full Text
Abstract
The onus is also on the threat intelligence community, said one IR expert, to practice responsible ransomware attribution, as it can affect companies’ decisions on whether or not to pay.SCMagazine
April 09, 2021
The Week in Ransomware - April 9th 2021 - Massive ransom demands Full Text
Abstract
Ransomware attacks continued over the past two weeks, along with the massive initial ransom demands we have seen recently.BleepingComputer
April 09, 2021
Leading cosmetics group Pierre Fabre hit with $25 million ransomware attack Full Text
Abstract
Leading French pharmaceutical group Pierre Fabre suffered a REvil ransomware attack where the threat actors initially demanded a $25 million ransom, BleepingComputer learned today.BleepingComputer
April 9, 2021
Maze/Egregor ransomware cartel estimated to have made $75 million Full Text
Abstract
The group behind the Maze and Egregor ransomware operations is believed to have earned at least $75 million worth of Bitcoin from ransom payments following intrusions at companies all over the world.The Record
April 8, 2021
Cring ransomware spread through hole in FortiGate VPN Full Text
Abstract
In the early months of 2021 the ransomware operators struck a series of European industrial networks.SCMagazine
April 8, 2021
Did 4 Major Ransomware Groups Truly Form a Cartel? Full Text
Abstract
The four cybercriminal groups — Twisted Spider, Viking Spider, Wizard Spider, and the Lockbit Gang — announced at different times throughout summer 2020 that they would be working together.Dark Reading
April 08, 2021
Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets Full Text
Abstract
Unpatched Fortinet VPN devices are being targeted in a series of attacks against industrial enterprises in Europe to deploy a new strain of ransomware called "Cring" inside corporate networks. At least one of the hacking incidents led to the temporary shutdown of a production site, said cybersecurity firm Kaspersky in a report published on Wednesday, without publicly naming the victim. The attacks happened in the first quarter of 2021, between January and March. "Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage," said Vyacheslav Kopeytsev, a security researcher at Kaspersky ICS CERT. The disclosure comes days after the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned of advanced persistent threat (APT) actorThe Hacker News
April 8, 2021
Ransomware Attacks Disrupt Production at Two Manufacturing Sites in Italy Full Text
Abstract
A ransomware incident earlier this year temporarily shut down production for two days at a pair of manufacturing facilities in Italy, incident responders at security firm Kaspersky said Wednesday.Cyberscoop
April 8, 2021
New Cring ransomware deployed via unpatched Fortinet VPNs Full Text
Abstract
All these attacks happened in Q1 2020, and they were carried out with a new strain of ransomware named Cring (other aliases include Vjiszy1lo, Ghost, Phantom) that was first discovered in January.The Record
April 7, 2021
Ransomware cartel model didn’t fulfill potential, yet, but served as cybercrime proving ground Full Text
Abstract
Competing ransomware actors don’t have enough incentive to collaborate and share profits, but that could change as automated attacks evolve.SCMagazine
April 7, 2021
New Cring ransomware deployed targeting unpatched Fortinet VPN devices Full Text
Abstract
Attackers are actively exploiting the CVE-2018-13379 flaw in Fortinet VPN to deploy the Cring ransomware to organizations in the industrial sector. Threat actors are actively exploiting the CVE-2018-13379 vulnerability in Fortinet VPNs to deploy...Security Affairs
April 07, 2021
REvil ransomware now changes password to auto-login in Safe Mode Full Text
Abstract
A recent change to the REvil ransomware allows the threat actors to automate file encryption via Safe Mode after changing Windows passwords.BleepingComputer
April 07, 2021
New Cring ransomware hits unpatched Fortinet VPN devices Full Text
Abstract
A vulnerability impacting Fortinet VPNs is being exploited by a new human-operated ransomware strain known as Cring to breach and encrypt industrial sector companies' networks.BleepingComputer
April 7, 2021
Ryuk’s Rampage Has Lessons for the Enterprise Full Text
Abstract
Ryuk was among the first high-touch "human-operated" ransomware campaigns that have become prevalent in recent years, affecting both public and private sector organizations with crippling attacks.Dark Reading
April 06, 2021
Windows XP makes ransomware gangs work harder for their money Full Text
Abstract
A recently created ransomware decryptor illustrates how threat actors have to support Windows XP, even when Microsoft dropped supporting it seven years ago.BleepingComputer
April 6, 2021
Florida School District Held to Impossibly High Ransom Full Text
Abstract
Ransomware operators demand $40m from Broward County Public Schools system.Infosecurity Magazine
April 6, 2021
Hackers rush to new doc builder that uses Macro-exploit, posing as DocuSign Full Text
Abstract
Its use in Trickbot and BazarLoader campaigns puts EtterSilent at the front end of attack chains for two of the most popular ransomware precursors in the world.SCMagazine
April 06, 2021
Ransomware hits TU Dublin and National College of Ireland Full Text
Abstract
The National College of Ireland is working on restoring IT services after being hit by a ransomware attack over the weekend that forced the college to take IT systems offline.BleepingComputer
April 6, 2021
Ransom Gangs Emailing Victim Customers for Leverage Full Text
Abstract
Ransomware gangs are emailing the victim’s customers and partners directly, warning that their data will be leaked to the dark web unless they can convince the victim firm to pay up.Krebs on Security
April 6, 2021
Ransomware Attacks Grew by 485% in 2020 Full Text
Abstract
Report assesses how cyber-criminals have exploited the COVID-19 crisis.Infosecurity Magazine
April 6, 2021
Conti Gang Demands $40M Ransom from Florida School District Full Text
Abstract
New details of negotiation between attackers and officials from Broward County Public Schools emerge after a ransomware attack early last month.Threatpost
April 6, 2021
Sophos Links Mount Locker to Astro Locker Ransomware Full Text
Abstract
Experts suspect branding move to kick-start affiliate program.Infosecurity Magazine
April 6, 2021
Browser Locker Ransomware – A Fake Page that Threatens user and demands Ransom Full Text
Abstract
Browser lockers, also known as browlocks, are a class of online threats that prevent the victim from using the browser and...Cyber Security News
April 5, 2021
Conti Ransomware Hits Broward County Public Schools with $40 Million Ransom Full Text
Abstract
Several weeks ago, the Conti ransomware gang targeted Broward County Public Schools and threatened to leak sensitive personal data of students and staff unless the district paid a $40 million ransom.Heimdal Security
April 5, 2021
The “Fair” Upgrade Variant of Phobos Ransomware Full Text
Abstract
Researchers detected the execution of PowerShell scripts that were delivering the ransomware within memory without any executable on disk. It used paste.ee for delivering the loader and ransomware.Morphisec
April 04, 2021
Sierra Wireless resumes production after ransomware attack Full Text
Abstract
Canadian IoT solutions provider Sierra Wireless announced that it resumed production at its manufacturing sites after halting it due to a ransomware attack that hit its internal network and corporate website on March 20.BleepingComputer
April 4, 2021
Clop Ransomware operators plunder US universities Full Text
Abstract
Clop ransomware gang leaked online data stolen from Stanford Medicine, University of Maryland Baltimore, and the University of California. Clop ransomware operators have leaked the personal and financial information stolen from Stanford Medicine,...Security Affairs
April 03, 2021
University of California victim of ransomware attack Full Text
Abstract
The University of California (UC) said Wednesday that it was the victim of a ransomware attack.The Hill
April 03, 2021
Ransomware gang leaks data from Stanford, Maryland universities Full Text
Abstract
Stolen personal and financial information of students at Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California was leaked online by the Clop ransomware group earlier this week.BleepingComputer
April 3, 2021
Evolution and rise of the Avaddon Ransomware-as-a-Service Full Text
Abstract
The Avaddon ransomware operators updated their malware after security researchers released a public decryptor in February 2021. The Avaddon ransomware family first appeared in the threat landscape in February 2020, and its authors started offering...Security Affairs
April 3, 2021
As ransomware stalks the manufacturing sector, victims are still keeping quiet Full Text
Abstract
Two years later, Norsk Hydro’s transparency remains an outlier in a manufacturing sector that is increasingly dogged by ransomware attacks during the coronavirus pandemic.Cyberscoop
April 3, 2021
CNA shares details about ransomware attack, recovery effort Full Text
Abstract
The company, one of the biggest players in cybersecurity insurance specifically, had previously acknowledged an attack, but stopped short of specifying exactly what kind.Cyberscoop
April 3, 2021
Inside the Ransomware Campaigns Targeting Exchange Servers Full Text
Abstract
As organizations around the world scrambled to apply patches for critical Microsoft Exchange Server flaws fixed last month, criminals upped the ante with multiple ransomware campaigns targeting vulnerable servers.Dark Reading
April 2, 2021
Conti ransomware gang hits Broward County Schools with $40M demand Full Text
Abstract
Coral Glades High School, part of Broward County Public Schools. The $40 million ransomware attack on the district was one of a wave of cases targeting educational institutions over the last couple of weeks. The Conti ransomware gang encrypted the systems at Broward County Public Schools several weeks ago and threatened to…SCMagazine
April 02, 2021
Asteelflash electronics maker hit by REvil ransomware attack Full Text
Abstract
Asteelflash, a leading French electronics manufacturing services company, has suffered a cyberattack by the REvil ransomware gang, which is demanding a $24 million ransom.BleepingComputer
April 2, 2021
Conti Ransomware gang demanded $40 million ransom from Broward County Public Schools Full Text
Abstract
Ransomware gang demanded a $40,000,000 ransom from the Broward County Public Schools district, Florida. It is just the latest attack in a long string against the sector. Ransomware operators continue to target organizations worldwide and school districts...Security Affairs
April 2, 2021
Ransomware Declared As a National Security Threat by DHS Full Text
Abstract
In an RSA conference webcast, Alejandro Mayorkas, the U.S. Secretary of Homeland Security, stated that fighting ransomware attacks is now the Department of Homeland Security's number one priority, and a plan to be more proactive is already in place.Tech Target
April 02, 2021
Ransomware gang wanted $40 million in Florida schools cyberattack Full Text
Abstract
Fueled by large payments from victims, ransomware gangs have started to demand ridiculous ransoms from organizations that cannot afford them. An example of this is a recently revealed ransomware attack on the Broward County Public Schools district where threat actors demanded a $40,000,000 payment.BleepingComputer
April 1, 2021
Hades Ransomware and Hafnium Hacker Group - Peas from the Same Pod? Full Text
Abstract
Researchers surmise that the Hafnium APT group might be operating under the disguise of Hades due to shared IOCs observed in recent attacks.Cyware Alerts - Hacker News
April 1, 2021
Akamai dealt with an 800Gbps ransom DDoS against a gambling company Full Text
Abstract
Akamai was recently involved in the mitigation of two of the largest known ransom DDoS attacks, one of which peaked at 800Gbps. CDN and cybersecurity firm Akamai warns of a worrying escalation in ransom DDoS attacks since the beginning of the year. The...Security Affairs
March 31, 2021
Update: Cl0p ransomware gang leaks sensitive data from 6 US universities Full Text
Abstract
In a recent update, the infamous Cl0p ransomware group claimed to gain access to financial documents and passport information belonging to students and staff from six top universities in the US.Hackread
March 30, 2021
Ziggy Ransomware Gang Offers Refund to Victims Full Text
Abstract
Ziggy joins Fonix ransomware group and shuts down, with apologies to targets.Threatpost
March 30, 2021
Younger Ransomware Victims More Likely to Pay Up Full Text
Abstract
Research finds fewer ransomware victims over the age of 55 pay to recover their data.Infosecurity Magazine
March 30, 2021
Ransomware negotiations: An inside look at the process Full Text
Abstract
Cyber insurance carriers typically have lists or "panels" of approved vendors for various incident response services that address breaches and ransomware attacks, including ransomware negotiations.Tech Target
March 30, 2021
Double-Extortion Ransomware Attacks Surged in 2020 Full Text
Abstract
15 ransomware families were observed using double-extortion tactics last year, compared to just one in 2019.Infosecurity Magazine
March 30, 2021
Ransomware Attack at New York-based Personal Touch Holding Corp Affects Over 753,000 Patients, Employees Full Text
Abstract
A home healthcare company says a data breach affecting more than 753,000 patients, employees and former workers stems from a ransomware attack on its private cloud hosted by managed service providers.Info Risk Today
March 30, 2021
Clop Ransomware Group Leaks Data Allegedly Stolen from Universities of Maryland, California Full Text
Abstract
The Clop ransomware group has posted financial documents and passport information allegedly belonging to the University of Maryland and the University of California online.ZDNet
March 29, 2021
London-based academies Harris Federation hit by ransomware attack Full Text
Abstract
Harris Federation, the multi-academy trust of 50 primary and secondary academies in and around London, was hit by a ransomware attack. A ransomware attack hit the IT systems of London-based nonprofit multi-academy trust Harris Federation on Saturday,...Security Affairs
March 29, 2021
Hades Ransomware Gang Exhibits Connections to Hafnium Full Text
Abstract
There could be more than immediately meets the eye with this targeted attack group.Threatpost
March 29, 2021
Beware of Mamba Ransomware - FBI Alerts Full Text
Abstract
Mamba ransomware is being used to target local governments, tech services, legal services, public transportation agencies, and industrial, construction, manufacturing, and commercial businesses.Cyware Alerts - Hacker News
March 29, 2021
Evil Corp is Now Using Hades Ransomware to Evade Sanctions Full Text
Abstract
Operators behind Hades ransomware are getting their hands even dirtier as they attempt to bypass the sanctions imposed by federal agencies. Recently, it compromised three major companies in the U.S.Cyware Alerts - Hacker News
March 29, 2021
Harris Federation hit by ransomware attack affecting 50 schools Full Text
Abstract
The IT systems and email servers of London-based nonprofit multi-academy trust Harris Federation were taken down by a ransomware attack on Saturday.BleepingComputer
March 29, 2021
Hades Ransomware Linked to Hafnium and Exchange Attacks Full Text
Abstract
Awake Security report claims ransom may not be group’s primary goalInfosecurity Magazine
March 29, 2021
Ziggy ransomware admin announced it will refund victims who paid the ransom Full Text
Abstract
The administrator of Ziggy ransomware recently announced the end of the operation, and is now promising that its victims will get their money back. In an unusual move, the administrator of Ziggy ransomware after the announcement of the end of the operation...Security Affairs
March 28, 2021
Ransomware admin is refunding victims their ransom payments Full Text
Abstract
After recently announcing the end of the operation, the administrator of Ziggy ransomware is now stating that they will also give the money back.BleepingComputer
March 28, 2021
CompuCom MSP expects over $20M in losses after ransomware attack Full Text
Abstract
American managed service provider CompuCom is expecting losses of over $20 million following this month's DarkSide ransomware attack that took down most of its systems.BleepingComputer
March 27, 2021
Clop Ransomware gang now contacts victims’ customers to force victims into paying a ransom Full Text
Abstract
Clop ransomware operators now email victims' customers and ask them to demand a ransom payment to protect their privacy, in order to force victims into paying the ransom. Clop ransomware operators are switching to a new tactic to force victims into paying the ransom...Security Affairs
March 27, 2021
FatFace sends controversial data breach email after ransomware attack Full Text
Abstract
British clothing brand FatFace has sent a controversial 'confidential' data breach notification to customers after suffering a ransomware attack earlier this year.BleepingComputer
March 26, 2021
Ransomware gang urges victims’ customers to demand a ransom payment Full Text
Abstract
A ransomware operation known as 'Clop' is applying maximum pressure on victims by emailing their customers and asking them to demand a ransom payment to protect their privacy.BleepingComputer
March 26, 2021
Microsoft: Black Kingdom ransomware group hacked 1.5K Exchange servers Full Text
Abstract
Microsoft has discovered web shells deployed by Black Kingdom operators on approximately 1,500 Exchange servers vulnerable to ProxyLogon attacks.BleepingComputer
March 26, 2021
The Week in Ransomware - March 26th 2021 - Attacks increase Full Text
Abstract
Ransomware attacks against the enterprise continue in the form of Accellion data leaks, full-fledged ransomware attacks, and more ransomware gangs targeting Microsoft Exchange.BleepingComputer
March 26, 2021
Ransomware gang urges victims’ customers to fight for their privacy Full Text
Abstract
A ransomware operation known as 'Clop' is applying maximum pressure on victims by emailing their customers and asking them to demand a ransom payment to protect their privacy.BleepingComputer
March 26, 2021
Hades ransomware gang targets big organizations in the US Full Text
Abstract
Accenture security researchers published an analysis of the latest Hades campaign, which has been ongoing since at least December 2020. Accenture's Cyber Investigation & Forensic Response (CIFR) and Cyber Threat Intelligence (ACTI) teams published an...Security Affairs
March 26, 2021
FBI Issues Mamba Alert Full Text
Abstract
Feds flag danger of ransomware that weaponizes DiskCryptorInfosecurity Magazine
March 26, 2021
Sierra Wireless partially restores network following ransomware attack Full Text
Abstract
The Canadian company Sierra Wireless became the victim of a ransomware attack against its IT systems on March 20, disrupting internal operations and production facilities.ZDNet
March 26, 2021
Microsoft: Black Kingdom ransomware hacked 1.5K Exchange servers Full Text
Abstract
Microsoft has discovered web shells deployed by Black Kingdom operators on approximately 1,500 Exchange servers vulnerable to ProxyLogon attacks.BleepingComputer
March 26, 2021
Hades ransomware operators are hunting big game in the US Full Text
Abstract
Accenture's Cyber Investigation & Forensic Response (CIFR) and Cyber Threat Intelligence (ACTI) teams have published an analysis into the latest Hades campaign, which has been operating since at least December 2020 until this month.ZDNet
March 26, 2021
Babuk Locker Ransomware Gang Leaks Data from US Military Contractor PDI Group Full Text
Abstract
The Ohio-based PDI Group, a major supplier of military equipment to the US Air Force and militaries across the globe appears to have fallen victim to a Babuk Locker ransomware attack.The Record
March 26, 2021
Black Kingdom ransomware foiled through Mega password change Full Text
Abstract
Black Kingdom ransomware, which was detected in recent ProxyLogon attacks against Microsoft Exchange servers, was, at least temporarily, foiled through a simple password change.Tech Target
March 26, 2021
FBI exposes weakness in Mamba ransomware, DiskCryptor Full Text
Abstract
An alert from the U.S. Federal Bureau of Investigation about Mamba ransomware reveals a weak spot in the encryption process that could help targeted organizations recover from the attack without paying the ransom.BleepingComputer
March 26, 2021
FBI published a flash alert on Mamba Ransomware attacks Full Text
Abstract
The Federal Bureau of Investigation (FBI) issued an alert to warn that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives. The Federal Bureau of Investigation (FBI) published an alert to warn that the Mamba ransomware...Security Affairs
March 26, 2021
FBI sends out private industry alert about Mamba ransomware Full Text
Abstract
The US Federal Bureau of Investigations has sent out this week a private industry notification to US organizations warning about attacks carried out by the Mamba ransomware gang.The Record
March 25, 2021
Insurance giant CNA hit by new Phoenix CryptoLocker ransomware Full Text
Abstract
Insurance giant CNA has suffered a ransomware attack using a new variant called Phoenix CryptoLocker that is possibly linked to the Evil Corp hacking group.BleepingComputer
March 25, 2021
Evil Corp switches to Hades ransomware to evade sanctions Full Text
Abstract
Hades ransomware has been linked to the Evil Corp cybercrime gang who uses it to evade sanctions imposed by the Treasury Department's Office of Foreign Assets Control (OFAC).BleepingComputer
March 25, 2021
REvil Ransomware Can Now Reboot Infected Devices Full Text
Abstract
The REvil ransomware gang has added a new malware capability that enables the attackers to reboot an infected device after encryption, security researchers at MalwareHunterTeam report.Gov Info Security
March 25, 2021
Black Kingdom Ransomware Hunting Unpatched Microsoft Exchange Servers Full Text
Abstract
More than a week after Microsoft released a one-click mitigation tool to mitigate cyberattacks targeting on-premises Exchange servers, the company disclosed that patches have been applied to 92% of all internet-facing servers affected by the ProxyLogon vulnerabilities. The development, a 43% improvement from the previous week, caps off a whirlwind of espionage and malware campaigns that hit thousands of companies worldwide, with as many as 10 advanced persistent threat (APT) groups opportunistically moving quickly to exploit the bugs. According to telemetry data from RiskIQ, there are roughly 29,966 instances of Microsoft Exchange servers still exposed to attacks, down from 92,072 on March 10. While Exchange servers were under assault by multiple Chinese-linked state-sponsored hacking groups prior to Microsoft's patch on March 2, the release of public proof-of-concept exploits fanned a feeding frenzy of infections, opening the door for escalating attacks like ransomware...The Hacker News
March 25, 2021
Federal advisories detail bitcoin payments to ransomware gangs, urgency of threat Full Text
Abstract
Ransomware victims paid attackers at least $144.35 million in bitcoin between 2013 and 2019, according to a recent FBI bulletin that likely fails to account for millions of dollars.Cyberscoop
March 25, 2021
Ransom Paid Just Before Netwalker Gang Disrupted Full Text
Abstract
A third-party claims administrator of health and social services programs for the elderly paid a ransom to Netwalker attackers about a month before law enforcement disrupted the gang in January.Gov Info Security
March 24, 2021
Ransomware Attack Foils IoT Giant Sierra Wireless Full Text
Abstract
The ransomware attack has impacted the IoT manufacturer’s production lines across multiple sites, and other internal operations.Threatpost
March 24, 2021
Black Kingdom ransomware is targeting Microsoft Exchange servers Full Text
Abstract
Security experts reported that a second ransomware gang, named Black Kingdom, is targeting Microsoft Exchange servers. After the public disclosure of ProxyLogon vulnerabilities, multiple threat actors started targeting vulnerable Microsoft Exchange...Security Affairs
March 24, 2021
Ransomware attacks hit event-management, wireless technology firms Full Text
Abstract
Ransomware attackers encrypted the systems of the events firm, Spargo Inc., on March 14, according to a notification sent by the Armed Forces Communications and Electronics Association (AFCEA).Cyberscoop
March 24, 2021
Sierra Wireless Halts Production After Ransomware Attack Full Text
Abstract
IoT giant was hit by unspecified variant on March 20Infosecurity Magazine
March 23, 2021
Sierra Wireless halted production at its manufacturing sites due to ransomware attack Full Text
Abstract
This week, IoT company Sierra Wireless disclosed a ransomware attack that hit its internal IT systems on March 20 and disrupted its production. Sierra Wireless is a Canadian multinational wireless communications equipment designer and manufacturer...Security Affairs
March 23, 2021
Sierra Wireless withdraws financial guidance as ransomware attack takes down plants Full Text
Abstract
Because of the disruptions caused by the ransomware incident, Sierra Wireless withdrew the Q1 2021 financial guidance provided Feb. 23, indicating a potential impact to the bottom line.SCMagazine
March 23, 2021
Ransomware gang leaks data stolen from Colorado, Miami universities Full Text
Abstract
Grades and social security numbers for students at the University of Colorado, and patient data from the University of Miami, have been posted online by the Clop ransomware group.BleepingComputer
March 23, 2021
High-availability server maker Stratus hit by ransomware Full Text
Abstract
Stratus Technologies has suffered a ransomware attack that required systems to be taken offline to prevent the attack's spread.BleepingComputer
March 23, 2021
Ransomware attack shuts down Sierra Wireless IoT maker Full Text
Abstract
Sierra Wireless, a world-leading IoT solutions provider, today disclosed a ransomware attack that forced it to halt production at all manufacturing sites.BleepingComputer
March 23, 2021
Update: Ransomwared Bank Tells Customers It Lost Their SSNs Full Text
Abstract
Flagstar, a bank that was hacked by a ransomware gang, has notified several customers that it lost their Social Security Numbers, home address, full name, phone number, and home address.Motherboard Vice
March 22, 2021
Microsoft Exchange exploit a possible factor in $50M ransomware attack on Acer Full Text
Abstract
The company did not confirm whether the ransomware attack was executed via one of its Microsoft Exchange servers, but several cyber leaders commented on a potential connection to the vulnerabilities exploited by multiple actors.SCMagazine
March 22, 2021
Ransom Demands are Growing Faster than You can Imagine Full Text
Abstract
A new report on ransomware actors underlines the boldness with which they have evolved into one of the most precarious threats to organizations worldwide while increasing ransom demands.Cyware Alerts - Hacker News
March 22, 2021
Microsoft Exchange exploit a possible factor in $50M ransomware attack on Acer Full Text
Abstract
Security researchers responded Monday to news of the REvil ransomware attack on computer and electronics manufacturer Acer late last week, mostly expressing shock over the $50 million price tag and advising the computer maker not to pay. The incident was first reported in BleepingComputer, which said the REvil cybercriminal gang (also known as Sodinokibi) announced…SCMagazine
March 22, 2021
PYSA Ransomware Eyeing Educational Institutions Full Text
Abstract
The FBI has recently warned of a surge in attacks against schools in which a new strain of PYSA ransomware is stealing data and threatening to leak it. However, the education sector is not the only target.Cyware Alerts - Hacker News
March 22, 2021
‘The race is on’: CISA raises alarm bells about ransomware attacks against Microsoft Exchange servers Full Text
Abstract
CISA’s acting executive director said “there are literally thousands of compromised [Exchange] servers that are currently patched” and said some systems owners may think they’re in the clear when they’re not.SCMagazine
March 22, 2021
Microsoft Exchange servers now targeted by Black Kingdom ransomware Full Text
Abstract
Another ransomware operation known as 'Black Kingdom' is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers.BleepingComputer
March 21, 2021
Tech Giant Acer Hit by REvil Ransomware – Attackers Demanding $50,000,000 Ransom Full Text
Abstract
Taiwanese computer manufacturer Acer has been hit by a REvil ransomware attack where the threat actors are demanding the largest known ransom...Cyber Security News
March 20, 2021
REvil ransomware gang hacked Acer and is demanding a $50 million ransom Full Text
Abstract
Taiwanese multinational hardware and electronics corporation Acer was the victim of a REvil ransomware attack; the gang demanded a $50,000,000 ransom. Taiwanese computer giant Acer was the victim of the REvil ransomware attack, and the gang is demanding the payment...Security Affairs
March 19, 2021
The Week in Ransomware - March 19th 2021 - Highest ransom ever! Full Text
Abstract
While the beginning of this week was fairly quiet, it definitely ended with a bang as news came out of the largest ransom demand yet.BleepingComputer
March 19, 2021
Tesla Ransomware Hacker Pleads Guilty; Swiss Hacktivist Charged for Fraud Full Text
Abstract
The U.S. Department of Justice yesterday announced updates on two separate cases involving cyberattacks—a Swiss hacktivist and a Russian hacker who planned to plant malware in the Tesla company. A Swiss hacker who was involved in the intrusion of cloud-based surveillance firm Verkada and exposed camera footage from its customers was charged by the U.S. Department of Justice (DoJ) on Thursday with conspiracy, wire fraud, and identity theft. Till Kottmann (aka "deletescape" and "tillie crimew"), 21, of Lucerne, Switzerland, and his co-conspirators were accused of hacking dozens of companies and government agencies since 2019 by targeting their "git" and other source code repositories and posting the proprietary data of more than 100 entities on a website called git[.]rip, according to the indictment. Kottmann is alleged to have cloned the source code and other confidential files containing hard-coded administrative credentials and access keys, using the...The Hacker News
March 19, 2021
Computer giant Acer hit by $50 million ransomware attack Full Text
Abstract
Computer giant Acer has been hit by a REvil ransomware attack where the threat actors are demanding the largest known ransom to date, $50,000,000.BleepingComputer
March 19, 2021
REvil ransomware has a new ‘Windows Safe Mode’ encryption mode Full Text
Abstract
The REvil ransomware operation has added a new ability to encrypt files in Windows Safe Mode, likely to evade detection by security software and for greater success when encrypting files.BleepingComputer
March 19, 2021
INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware Full Text
Abstract
In June 2020, the trend of moving away from their typical infection chain continued, and INDRIK SPIDER began using fake browser updates to deliver the Cobalt Strike red-teaming tool.Crowdstrike
March 18, 2021
2020 was a golden year for ransomware gangs, with evolving tactics and increasing payouts Full Text
Abstract
The money has never been better, but there are signs that increasingly aggressive responses from law enforcement are taking a toll.SCMagazine
March 18, 2021
Ransomware Soaring Too High Full Text
Abstract
The extent and severity of ransomware attacks witnessed an all-time high in 2020 and there’s no reason to believe that it is going to be any different this year.Cyware Alerts - Hacker News
March 18, 2021
Average Ransom Payment Surged 171% in 2020 Full Text
Abstract
Report claims incident response costs could ruin some firmsInfosecurity Magazine
March 17, 2021
FBI warns of PYSA Ransomware attacks against Education Institutions in US and UK Full Text
Abstract
The FBI has issued an alert to warn about an increase in PYSA ransomware attacks on education institutions in the US and UK. The FBI has issued Tuesday an alert to warn about an increase in PYSA ransomware attacks against education institutions in the United...Security Affairs
March 17, 2021
Ransomware attack on Pimpri Chinchwad Smart City servers managed by Tech Mahindra Full Text
Abstract
Pimpri-Chinchwad Municipal Corporation Smart City said on Monday that it had not suffered any data loss due to a ransomware attack late last month and that it had also not paid ransom to the hackers.The Times Of India
March 16, 2021
PYSA Ransomware Pillages Education Sector, Feds Warn Full Text
Abstract
A major spike of attacks against higher ed, K-12 and seminaries in March has prompted the FBI to issue a special alert.Threatpost
March 16, 2021
New Enhancements in Darkside Ransomware: How Far will it Go? Full Text
Abstract
Threat intelligence experts warn of a new version of the Darkside ransomware variant that its creators claim will feature faster encryption speeds and VoIP calling while exploiting VMware flaws.Cyware Alerts - Hacker News
March 16, 2021
FBI warns of escalating Pysa ransomware attacks on education orgs Full Text
Abstract
The Federal Bureau of Investigation (FBI) Cyber Division has warned system administrators and cybersecurity professionals of increased Pysa ransomware activity targeting educational institutions.BleepingComputer
March 16, 2021
Ransomware and IoT Malware Detections Surge by Over 60% Full Text
Abstract
SonicWall points to a perfect storm for threat actors in 2020Infosecurity Magazine
March 15, 2021
Two Ransomware with Different Modus Operandi are Making Inroads Full Text
Abstract
Researchers recently discovered two new ransomware variants, one of which is a variant of the Thanos ransomware series, which spreads through PDF files that fake the subject of invoices.Cyware Alerts - Hacker News
March 15, 2021
Ransomware Actors Coming After Your Hypervisor Full Text
Abstract
Recently, two retooled ransomware strains were found exploiting vulnerabilities in the VMware ESXi hypervisor system and encrypting virtual hard drives or VMs.Cyware Alerts - Hacker News
March 15, 2021
RTM and Quoter Ransomware - A Deadly Combo Full Text
Abstract
The RTM banking trojan is back with an arsenal of tricks. A new ransomware family—Quoter—has joined the party too.Cyware Alerts - Hacker News
March 15, 2021
HeraSoft Looks To Stop Ransomware Attacks After $5M Series A Full Text
Abstract
HeraSoft announced a $5 million Series A led by United Capital Management of Kansas. It has developed a public protocol index layer that protects organizations from ransomware and other cyberattacks.CrunchBase News
March 15, 2021
NCSC is not aware of ransomware attacks compromising UK orgs through Microsoft Exchange bugs Full Text
Abstract
The UK's National Cyber Security Centre (NCSC) urges UK organizations to install the patches for the recently disclosed vulnerabilities in Microsoft Exchange. The UK's National Cyber Security Centre is urging UK organizations to install security patches...Security Affairs
March 15, 2021
UK: NCSC is not aware of ransomware attacks compromising UK businesses through Microsoft Exchange bugs Full Text
Abstract
The UK’s NCSC is urging UK organizations to install security patches for their Microsoft Exchange installs and run Microsoft Safety Scanner to detect webshells employed in the attacks.Security Affairs
March 13, 2021
No sign of Exchange-related ransomware hitting UK orgs, claims NCSC as it urges admins to scan for compromises Full Text
Abstract
The UK's National Cyber Security Centre has reminded Brits to patch their Microsoft Exchange Server deployments against Hafnium attacks, 10 days after the US and wider infosec industry shouted the house down saying the same thing.The Register
March 12, 2021
The Week in Ransomware - March 12th 2021 - Encrypting Exchange servers Full Text
Abstract
For the past two weeks, the cybersecurity news has been dominated by stories about the Microsoft Exchange ProxyLogon vulnerabilities. One overriding concern has been when will ransomware actors use the vulnerabilities to compromise and encrypt mail servers.BleepingComputer
March 12, 2021
Deep Instinct to offer $3 million ransomware warranty Full Text
Abstract
Deep Instinct announced that it would back its product with a performance guarantee that delivers false positivity rates of less than 1 percent, plus a ransomware warranty of up to $3 million per company for a single breach.SCMagazine
March 12, 2021
REvil Group Claims Slew of Ransomware Attacks Full Text
Abstract
The threat group behind the Sodinokibi ransomware claimed to have recently compromised nine organizations.Threatpost
March 12, 2021
Ransomware may be targeting Microsoft’s Hafnium Exchange Server vulnerabilities Full Text
Abstract
Microsoft confirmed “a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,” via its Security Intelligence Twitter account. The ransomware, called DoejoCrypt or DearCry, appears to be the latest threat associated with not patching the Hafnium Exchange Server vulnerabilities Microsoft first announced last week. DoejoCrypt was first noticed on…SCMagazine
March 12, 2021
Darkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds Full Text
Abstract
Group releases new features including VoIP calls and VM targetingInfosecurity Magazine
March 12, 2021
Molson Coors Suffers Suspected Ransomware Attack Full Text
Abstract
Trouble brewing for beverage giantInfosecurity Magazine
March 12, 2021
Hackers Are Targeting Microsoft Exchange Servers With Ransomware Full Text
Abstract
It didn't take long. Intelligence agencies and cybersecurity researchers had been warning that unpatched Exchange Servers could open the pathway for ransomware infections in the wake of the swift escalation of the attacks since last week. Now it appears that threat actors have caught up. According to the latest reports, cybercriminals are leveraging the heavily exploited ProxyLogon Exchange Server flaws to install a new strain of ransomware called "DearCry." "Microsoft observed a new family of human operated ransomware attack customers – detected as Ransom:Win32/DoejoCrypt.A," Microsoft researcher Phillip Misner tweeted. "Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers." In a joint advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the agencies warned that "adversaries could exploit these vulnerabilities...The Hacker News
March 11, 2021
Ransomware now attacks Microsoft Exchange servers with ProxyLogon exploits Full Text
Abstract
A new ransomware called 'DEARCRY' is targeting Microsoft Exchange servers, with one victim stating they were infected via the ProxyLogon vulnerabilities.BleepingComputer
March 11, 2021
New DEARCRY Ransomware is targeting Microsoft Exchange Servers Full Text
Abstract
A new ransomware called 'DEARCRY' is targeting Microsoft Exchange servers, with one victim stating they were infected via the ProxyLogon vulnerabilities.BleepingComputer
March 11, 2021
Ransomware Attack Strikes Spain’s Employment Agency Full Text
Abstract
Reports say that the agency in charge of managing Spain’s unemployment benefits has been hit by the Ryuk ransomware.Threatpost
March 11, 2021
Another 210,000 Americans Affected by Netgain Ransomware Attack Full Text
Abstract
Healthcare patients in Washington state impacted by cyber-attack on managed IT services providerInfosecurity Magazine
March 11, 2021
Lazarus Group Using Mata Framework to Deliver TFlower Ransomware Full Text
Abstract
The Lazarus Group was spotted using the MATA framework, which it has been using since 2019, to deploy the TFlower ransomware. It has claimed a dozen victims so far.Cyware Alerts - Hacker News
March 11, 2021
Australia’s answer to thwarting ransomware is good cyber hygiene Full Text
Abstract
The advice was provided in Locked Out: Tackling Australia's ransomware threat, which is a 14-page document [PDF] prepared by the Cyber Security Industry Advisory Committee.ZDNet
March 11, 2021
How Related Are QNAPCrypt and SunCrypt? Full Text
Abstract
Considering the duplication and behavioral differences between the two groups, Intezer researchers argue that QNAPCrypt may have been transferred to the SunCrypt operator and upgraded.Cyware Alerts - Hacker News
March 11, 2021
Ransomware “Paralyzes” Spanish Employment Agency Full Text
Abstract
Attack locks down workstations and remote worker laptopsInfosecurity Magazine
March 11, 2021
Spanish labor agency suffers ransomware attack, union says Full Text
Abstract
The attack affected IT systems at a Spanish government agency that manages unemployment benefits, disrupting “hundreds of thousands” of appointments at the agency, a Spanish labor union said Tuesday.Cyberscoop
March 10, 2021
Fake Ad Blocker Delivers Hybrid Cryptominer/Ransomware Infection Full Text
Abstract
A hybrid Monero cryptominer and ransomware bug has hit 20,000 machines in 60 days.Threatpost
March 10, 2021
Ryuk ransomware hits 700 Spanish government labor agency offices Full Text
Abstract
The systems of SEPE, the Spanish government agency for labor, were taken down following a ransomware attack that hit more than 700 agency offices across Spain.BleepingComputer
March 10, 2021
Why Does EternalBlue-Targeting WannaCry Remain at Large? Full Text
Abstract
Where were you on May 12, 2017? For many cybersecurity professionals, the answer is "trying to contain the fallout from WannaCry," the ransomware that on that day began hitting organizations globally.Careers Info Security
March 9, 2021
Ransomware, supply chain attacks compel health care organizations to act Full Text
Abstract
If ransomware and data exfiltration attacks that targeted hospitals and vaccine researchers during the pandemic signaled a cyber hygiene crisis in health care, the SolarWinds supply chain attack demonstrated just how deep the problem goes.SCMagazine
March 9, 2021
Another French hospital hit by a ransomware attack Full Text
Abstract
A ransomware attack hit the Oloron-Sainte-Marie hospital in southwest France; it is the third such attack in the last month. A ransomware attack paralyzed the systems at the Oloron-Sainte-Marie hospital in southwest France. The incident took place...Security Affairs
March 09, 2021
GandCrab ransomware affiliate arrested for phishing attacks Full Text
Abstract
A suspected GandCrab Ransomware member was arrested in South Korea for using phishing emails to infect victims.BleepingComputer
March 08, 2021
New Sarbloh ransomware supports Indian farmers’ protest Full Text
Abstract
A new ransomware known as Sarbloh encrypts your files while at the same time delivering a message supporting the protests of Indian farmers.BleepingComputer
March 8, 2021
Number of ransomware attacks grew by more than 150% Full Text
Abstract
COVID-19 made many organizations, distracted with mitigating the fallout from the pandemic, vulnerable to cyber threats. Ransomware turned out to be the one that capitalized on the crisis most.Help Net Security
March 7, 2021
REvil Ransomware gang uses DDoS attacks and voice calls to put pressure on victims Full Text
Abstract
The REvil ransomware operators are using DDoS attacks and voice calls to journalists and victims' business partners to force victims to pay the ransom. The REvil/Sodinokibi ransomware operators announced that they are using DDoS attacks and voice...Security Affairs
March 06, 2021
Ransomware gang plans to call victim’s business partners about attacks Full Text
Abstract
The REvil ransomware operation announced this week that they are using DDoS attacks and voice calls to journalists and victim's business partners to generate ransom payments.BleepingComputer
March 5, 2021
‘Educational’ ransomware program may instead become a how-to guide for attackers Full Text
Abstract
The program is designed to be an educational tool for testing anti-virus protections; however, it’s possible that cybercriminals could adopt and modify the code in order to launch their own attacks.SCMagazine
March 05, 2021
The Week in Ransomware - March 5th 2021 - Targeting service providers Full Text
Abstract
This week we have seen ransomware attacks targeting online service providers and MSPs to not only encrypt the victim but also cause significant outages for their customers.BleepingComputer
March 05, 2021
New ransomware only decrypts victims who join their Discord server Full Text
Abstract
A new ransomware called 'Hog' encrypts users' devices and only decrypts them if they join the developer's Discord server.BleepingComputer
March 5, 2021
These two unusual versions of ransomware tell us a lot about how attacks are evolving Full Text
Abstract
Two newly discovered forms of ransomware with very different traits show just how diverse the world of ransomware has become as more cyber criminals attempt to join in with cyber extortion.ZDNet
March 5, 2021
Managed Services provider CompuCom hit by Darkside ransomware Full Text
Abstract
US managed service provider CompuCom was the victim of a cyberattack that partially disrupted its operations; experts believe it was a ransomware attack. US managed service provider CompuCom was the victim of a cyberattack that partially disrupted...Security Affairs
March 04, 2021
CompuCom MSP hit by DarkSide ransomware cyberattack Full Text
Abstract
US managed service provider CompuCom has suffered a DarkSide ransomware attack leading to service outages and customers disconnecting from the MSP's network to prevent the spread of malware.BleepingComputer
March 4, 2021
Ransomware Attack on Arizona Optometrist Full Text
Abstract
Cyber-attack on Cochise Eye and Laser impacts up to 100,000 peopleInfosecurity Magazine
March 4, 2021
Large-Scale Ransomware Hack Impacts Sensitive Employee Information at Navajo Nation Hospital Full Text
Abstract
The hacker group stole sensitive employee files, such as job applications and background check authorizations that included Social Security numbers, and posted it online to extort the hospital.NBC News
March 04, 2021
Ransomware is a multi-billion industry and it keeps growing Full Text
Abstract
An analysis from global cybersecurity company Group-IB reveals that ransomware attacks more than doubled last year and increased in both scale and sophistication.BleepingComputer
March 4, 2021
Group-IB: ransomware empire prospers in pandemic-hit world. Attacks grow by 150% Full Text
Abstract
Group-IB, a global threat hunting and adversary-centric cyber intelligence company, published a report titled “Ransomware Uncovered 2020-2021” that analyzes the ransomware landscape in 2020 and the TTPs of major threat actors.Security Affairs
March 4, 2021
Ransomware Attacks Soared 150% in 2020 Full Text
Abstract
Extortion demands doubled as more groups tried big-game huntingInfosecurity Magazine
March 4, 2021
Lazarus Group Tied to TFlower Ransomware Full Text
Abstract
The Lazarus Group, a North Korean hacking operation also known as Hidden Cobra, is deploying TFlower ransomware, using its MATA malware framework, security firm Sygnia reports.Gov Info Security
March 3, 2021
Clop ransomware gang leaks data allegedly stolen from cybersecurity firm Qualys Full Text
Abstract
Cybersecurity firm Qualys seems to have suffered a data breach; threat actors allegedly exploited a zero-day flaw in its Accellion FTA server.Security Affairs
March 3, 2021
RTM Cybergang Adds New Quoter Ransomware to Crime Spree Full Text
Abstract
The Russian-speaking RTM threat group is targeting organizations in an ongoing campaign that leverages a well-known banking trojan, a brand new ransomware strain and extortion tactics.Threatpost
March 3, 2021
The Cybersecurity 202: A nonprofit is providing free ransomware protection to private U.S. hospitals Full Text
Abstract
As a part of the effort to combat the rise in attacks, nonprofit group Center for Internet Security (CIS) this month launched a free ransomware protection service for private U.S. hospitals.Washington Post
March 02, 2021
Payroll giant PrismHR outage likely caused by ransomware attack Full Text
Abstract
Leading payroll company PrismHR is suffering a massive outage after a cyberattack this weekend that, based on conversations with customers, looks like a ransomware attack.BleepingComputer
March 2, 2021
Ryuk Ransomware: Now with Worming Self-Propagation Full Text
Abstract
The Ryuk scourge has a new trick in its arsenal: Self-replication via SMB shares and port scanning.Threatpost
March 2, 2021
Universal Health Services reports $67 million in losses after apparent ransomware attack Full Text
Abstract
A ransomware attack last fall caused $67 million in pre-tax losses at Universal Health Services, the U.S. health care provider has revealed, illustrating the financial toll caused by hackers.Cyberscoop
March 02, 2021
Researchers Unearth Links Between SunCrypt and QNAPCrypt Ransomware Full Text
Abstract
SunCrypt, a ransomware strain that went on to infect several targets last year, may be an updated version of the QNAPCrypt ransomware, which targeted Linux-based file storage systems, according to new research. "While the two ransomware [families] are operated by distinct different threat actors on the dark web, there are strong technical connections in code reuse and techniques, linking the two ransomware to the same author," researchers from Intezer Lab said in a malware analysis published today revealing the attackers' tactics on the dark web. First identified in July 2019, QNAPCrypt (or eCh0raix ) is a ransomware family that was found to target Network Attached Storage (NAS) devices from Taiwanese companies QNAP Systems and Synology. The devices were compromised by brute-forcing weak credentials and exploiting known vulnerabilities with the goal of encrypting files found in the system. The ransomware has since been tracked to a Russian cybercrime group refeThe Hacker News
March 2, 2021
Universal Health Services Estimates $67 Million in Ransomware Losses Full Text
Abstract
Healthcare giant latest big name hit by financial tsunamiInfosecurity Magazine
March 2, 2021
Distributor of Asian food JFC International hit by Ransomware Full Text
Abstract
JFC International, a major wholesaler and distributor of Asian food products in the United States, announced it has recently suffered a ransomware attack.Security Affairs
March 1, 2021
Ryuk Ransomware Updated With ‘Worm-Like Capabilities’ Full Text
Abstract
The developers behind the notorious strain of crypto-locking malware have given their attack code the ability to spread itself between systems inside an infected network.Info Risk Today
March 01, 2021
Hackers use black hat SEO to push ransomware, trojans via Google Full Text
Abstract
The delivery system for the Gootkit information stealer has evolved into a complex and stealthy framework, which earned it the name Gootloader, and is now pushing a wider variety of malware via hacked WordPress sites and malicious SEO techniques for Google results.BleepingComputer
March 1, 2021
Cybercriminals Demand Ransom From Tether Crypto Token to Avoid Leaking Sensitive Documents Full Text
Abstract
The unverified email screenshots appear to relate to Bahamas-based Deltec, which has a banking relationship with Tether, and a discussion over asset backing. Tether says the documents are "bogus."ZDNet
March 01, 2021
Universal Health Services lost $67 million due to Ryuk ransomware attack Full Text
Abstract
Universal Health Services (UHS) said that the Ryuk ransomware attack it suffered during September 2020 had an estimated impact of $67 million.BleepingComputer
March 1, 2021
Data analytics agency Polecat held to ransom after server exposed 30TB of records Full Text
Abstract
An unsecured server belonging to Polecat, a data analytics company, exposed an estimated 30 terabytes of business records online, resulting in the firm being held to ransom.The Daily Swig
March 01, 2021
NSW Transport agency extorted by ransomware gang after Accellion attack Full Text
Abstract
The transport system for the Australian state of New South Wales has suffered a data breach after the Clop ransomware exploited a vulnerability to steal files.BleepingComputer
March 01, 2021
Tether cryptocurrency firm says docs in $24 million ransom are ‘forged’ Full Text
Abstract
USDT cryptocurrency developer Tether has said they are being extorted by threat actors who are demanding 500 bitcoins, or approximately $24 million, not to leak allegedly stolen emails and documents.BleepingComputer
February 26, 2021
The Week in Ransomware - February 26th 2021 - Back from the Holidays Full Text
Abstract
The number of attacks had slowed down after the winter holidays, but after the past two weeks, it's evident that the ransomware attacks are back at full speed.BleepingComputer
February 26, 2021
New Ryuk ransomware implements self-spreading capabilities Full Text
Abstract
Experts from the French national cyber-security agency ANSSI have spotted a new Ryuk ransomware variant that implements self-spreading capabilities to infect other devices on victims' local networks.Security Affairs
February 26, 2021
Ransomware gang hacks Ecuador’s largest private bank, Ministry of Finance Full Text
Abstract
A hacking group called 'Hotarus Corp' has hacked Ecuador's Ministry of Finance and the country's largest bank, Banco Pichincha, where they claim to have stolen internal data.BleepingComputer
February 26, 2021
Ryuk ransomware now self-spreads to other Windows LAN devices Full Text
Abstract
A new Ryuk ransomware variant with worm-like capabilities that allow it to spread to other devices on victims' local networks has been discovered by the French national cyber-security agency while investigating an attack in early 2021.BleepingComputer
February 26, 2021
Podcast: Ransomware Attacks Exploded in Q4 2020 Full Text
Abstract
Researchers said they saw a seven-times increase in ransomware activity in the fourth quarter of 2020, across various families – from Ryuk to Egregor.Threatpost
February 26, 2021
DarkWorld Ransomware Disguises as Commonly Used Software Full Text
Abstract
Recently, 360 Security Center detected a ransomware that disguised as commonly used software and appeared on the network. The virus called itself DarkWorld in the ransom letter.360 Total Security
February 26, 2021
Dutch Research Council (NWO) confirms DoppelPaymer ransomware attack Full Text
Abstract
The Dutch Research Council (NWO) confirmed that the recent cyberattack that forced it to take its servers offline was caused by the DoppelPaymer ransomware gang. On February 14, the Dutch Research Council (NWO) was hit by a cyber attack that compromised its network...Security Affairs
February 25, 2021
So far, ransomware attacks way down at schools, hospitals in 2021 Full Text
Abstract
Ransomware incidents against healthcare and government organizations have been few and far between in 2021, but experts say that could change as the year goes on.SCMagazine
February 25, 2021
Dutch Research Council (NWO) confirms ransomware attack, data leak Full Text
Abstract
The recent cyberattack that forced the Dutch Research Council (NWO) to take its servers offline and suspend grant allocation processes was caused by the DoppelPaymer ransomware gang.BleepingComputer
February 25, 2021
Steris Touted as Latest Accellion Hack Victim Full Text
Abstract
Data of Accellion client advertised for sale online by Clop ransomware groupInfosecurity Magazine
February 25, 2021
As ransomware inches from economic burden to national security threat, policies may follow Full Text
Abstract
Historically, ransomware was not seen as government’s problem any more than shoplifting: a crime against businesses that federal law enforcement saw as beyond its domain. But that may be changing.SCMagazine
February 25, 2021
One Ransomware Victim Every 10 Seconds in 2020 Full Text
Abstract
Check Point sees double extortion attacks surgeInfosecurity Magazine
February 24, 2021
Reality or just entertaining TV? Cyber experts dig into the Good Doctor’s ransomware episode Full Text
Abstract
Here’s what the television show got right, and what it got wrong, from the role of cyber insurance, to response and recovery timelines.SCMagazine
February 24, 2021
Cyberpunk 2077 patch 1.2 delayed by CD Projekt ransomware attack Full Text
Abstract
CD Projekt Red announced today that they are delaying the anticipated Cyberpunk 2077 Patch 1.2 to the second half of March 2021 due to their recent cyberattack.BleepingComputer
February 24, 2021
Sharp rise in ransomware attacks against universities as learning goes online Full Text
Abstract
The number of ransomware attacks targeting universities has doubled over the past year and the cost of ransomware demands is going up as information security teams struggle to fight off cyberattacks.ZDNet
February 24, 2021
Ransomware gang extorts jet maker Bombardier after Accellion breach Full Text
Abstract
Business jet maker Bombardier is the latest company to suffer a data breach by the Clop ransomware gang after attackers exploited a zero-day vulnerability to steal company data.BleepingComputer
February 24, 2021
Everything You Need to Know About Evolving Threat of Ransomware Full Text
Abstract
The cybersecurity world is constantly evolving to new forms of threats and vulnerabilities. But ransomware proves to be a different animal—most destructive, persistent, notoriously challenging to prevent, and is showing no signs of slowing down. Falling victim to a ransomware attack can cause significant data loss, data breach, operational downtime, costly recovery, legal consequences, and reputational damage. In this story, we have covered everything you need to know about ransomware and how it works. What is ransomware? Ransomware is a malicious program that gains control over the infected device, encrypts files, and blocks user access to the data or a system until a sum of money, or ransom, is paid. Crooks' scheme includes a ransom note—with amount and instructions on how to pay a ransom in return for the decryption key—or direct communication with the victim. While ransomware impacts businesses and institutions of every size and type, attackers often target healthcare, eThe Hacker News
February 24, 2021
Clop Ransomware Gang Claims to Steal Sensitive Documents From Aerospace Giant Bombardier Full Text
Abstract
The Clop ransomware gang claims to have stolen documents from aerospace giant Bombardier’s defense division – and has leaked what appears to be a CAD drawing of one of its military aircraft products.The Register
February 24, 2021
Ransomware Attacks Double Against Global Universities Full Text
Abstract
BlueVoyant report reveals poor security practice is widespreadInfosecurity Magazine
February 24, 2021
These hackers sell network logins to the highest bidder. And ransomware gangs are buying Full Text
Abstract
Stealing and selling RDP credentials has risen over the last year - and cyber criminal middlemen are making a profit by putting businesses at risk from ransomware and other attacks.ZDNet
February 24, 2021
Clop targets execs, ransomware tactics get another new twist Full Text
Abstract
After interviewing several victims of the Clop ransomware, ZDNet discovered that its operators appear to be systematically targeting the workstations of corporate executives.Malwarebytes Labs
February 23, 2021
Ransomware attack or not, Kia’s resilience is under the microscope Full Text
Abstract
A days-long outage affecting mobile and web-based service calls into question Kia’s contingency planning for cybersecurity incidents, even as the company remains defiant about claims that a ransomware attack is to blame.SCMagazine
February 23, 2021
Finnish IT services giant TietoEVRY discloses ransomware attack Full Text
Abstract
Finnish IT services giant TietoEVRY has suffered a ransomware attack that forced them to disconnect clients' services.BleepingComputer
February 23, 2021
Finnish IT giant TietoEVRY discloses ransomware attack Full Text
Abstract
Finnish IT services giant TietoEVRY has suffered a ransomware attack that forced them to disconnect clients' services.BleepingComputer
February 23, 2021
Finnish IT Giant Hit with Ransomware Cyberattack Full Text
Abstract
A major Finnish IT provider has been hit with a ransomware attack that has forced the company to turn off some services and infrastructure in a disruption to customers, while it takes recovery measures. Norwegian business journal E24 reported the attack on Espoo, Finland-based TietoEVRY on Tuesday, claiming to have spoken with Geir Remman, a […]Threatpost
February 22, 2021
Global Accellion data breaches linked to Clop ransomware gang Full Text
Abstract
Threat actors associated with a financially-motivated hacker group combined multiple zero-day vulnerabilities and a new web shell to breach up to 100 companies using Accellion's legacy File Transfer Appliance and steal data.BleepingComputer
February 22, 2021
Worldwide Accellion data breaches linked to Clop ransomware gang Full Text
Abstract
Threat actors associated with a financially-motivated hacker group combined multiple zero-day vulnerabilities and a new web shell to breach up to 100 companies using Accellion's legacy File Transfer Appliance and steal data.BleepingComputer
February 22, 2021
Eye Care Practice: Vendor Paid Ransom for Return of Data Full Text
Abstract
A California-based eye care provider says its online storage vendor was recently hit by hackers and paid a ransom for the return of patient data stolen from both entities.Info Risk Today
February 19, 2021
Underwriters Laboratories (UL) certification giant hit by ransomware Full Text
Abstract
UL LLC, better known as Underwriters Laboratories, has suffered a ransomware attack that encrypted its servers and caused them to shut down systems while they recover.BleepingComputer
February 19, 2021
Payment processor used by state, municipal agencies hit by ‘Cuba’ ransomware gang Full Text
Abstract
The Cuba ransomware gang launched assaults in February on a payment processor widely used by many state and municipal agencies across the United States to manage utility bills and driver’s license data, prompting data breach notifications from numerous cities and agencies in California and Washington. The miscreant gang stole unencrypted data files from Seattle-based Automatic…SCMagazine
February 19, 2021
Kia Denies Ransomware Attack Full Text
Abstract
Car maker says this week’s network outage was not linked to ransomwareInfosecurity Magazine
February 19, 2021
CIS now offers free ransomware protection to all US hospitals Full Text
Abstract
The Center for Internet Security (CIS), a non-profit dedicated to securing IT systems and data, announced the launch of free ransomware protection for US private hospitals through the Malicious Domain Blocking and Reporting (MDBR) service.BleepingComputer
February 18, 2021
US cities disclose data breaches after vendor’s ransomware attack Full Text
Abstract
A ransomware attack against the widely used payment processor ATFS has sparked data breach notifications from numerous cities and agencies within California and Washington.BleepingComputer
February 18, 2021
The Egregor takedown: New tactics to take down ransomware groups show promise Full Text
Abstract
Ransomware ringleaders and their customers have been put on notice: they may not be as untouchable as they thought.SCMagazine
February 18, 2021
Kia Motors Hit With $20M Ransomware Attack – Report Full Text
Abstract
So far, Kia Motors America has publicly acknowledged an “extended system outage,” but ransomware gang DoppelPaymer claimed it has locked down the company’s files in a cyberattack that includes a $20 million ransom demand. That $20 million will gain Kia a decryptor and a guarantee not to publish sensitive data bits on the gang’s […]Threatpost
February 18, 2021
When Cyber Gangs Disregard Ransomware Payments, Victims Can Be Hit Twice Full Text
Abstract
In its Quarterly Ransomware Report for Q3 2020, Coveware notes that nearly half of the ransomware attacks it had tracked during that quarter had included the threat to leak unencrypted data.Security Intelligence
February 18, 2021
Update: Information Posted Online After North Carolina Ransomware Attack Full Text
Abstract
The Chatham County network was hit on Oct. 28 with ransomware that originated in a phishing email with a malicious attachment, The News & Observer of Raleigh reported Tuesday.Security Week
February 17, 2021
Kia Motors America suffers ransomware attack, $20 million ransom Full Text
Abstract
Kia Motors America has suffered a ransomware attack by the DoppelPaymer gang, demanding $20 million for a decryptor and not to leak stolen data.BleepingComputer
February 17, 2021
Non-profit pledges $1 million to offer free ransomware protection for private hospitals Full Text
Abstract
Public hospitals and health organizations are already eligible, but a series of high-profile attacks on hospitals over the past year have convinced CIS leadership to expand the services to private hospitals as well.SCMagazine
February 17, 2021
Clop Ransomware Gang Claims to Steal 100GB of Data From Servers of Jones Day Law Firm Full Text
Abstract
Those behind the Clop ransomware claim that they had obtained 100GB of files from servers of Jones Day and have started to publish redacted files as proof of their successful ransomware attack.Silicon Angle
February 17, 2021
CISOs report that ransomware is now the biggest cybersecurity concern in 2021 Full Text
Abstract
Organizations have good reason to be concerned about ransomware. Not only are they highly effective, but often victims find that it is simply easier to pay the ransom than try to rectify the problem.AT&T Cybersecurity
February 15, 2021
Evolving Tricks and Techniques of Conti Full Text
Abstract
Conti is a relatively new addition to the ransomware landscape; however, it has turned out to be quite destructive. It is a more accessible variant of Ryuk and works in a RaaS model.Cyware Alerts - Hacker News
February 15, 2021
Dax-Côte d’Argent Hospital in France Hit by Ransomware Attack Impacting Patient Care Full Text
Abstract
In a tweet on February 11, the Center Hospitalier de Dax-Côte d’Argent revealed that it had fallen prey to a cyber-attack and was trying to restore systems that included the telephone switchboard.The Daily Swig
February 15, 2021
SBRC Adds Ransomware Scenario to Security Training Program Full Text
Abstract
Update recognizes recent rise in ransomware infectionsInfosecurity Magazine
February 15, 2021
DarkSide Ransomware Gang Claims to Steal 120GB Data from Canada-based Discount Car and Truck Rentals Full Text
Abstract
Visitors who try to manage or book a rental online are met with a message stating that the website is off due to technical problems and for assistance to call the listed numbers.Secure Reading
February 15, 2021
Police Reportedly Arrest Egregor Ransomware Members Full Text
Abstract
Investigators traced suspects via Bitcoin transactionsInfosecurity Magazine
February 15, 2021
Egregor ransomware operators arrested in Ukraine Full Text
Abstract
Members of the Egregor ransomware operation have been arrested this week in Ukraine, French radio station France Inter reported on Friday, citing law enforcement sources.ZDNet
February 14, 2021
Egregor ransomware members arrested by Ukrainian, French police Full Text
Abstract
A joint operation between French and Ukrainian law enforcement has reportedly led to the arrests of several members of the Egregor ransomware operation in Ukraine.BleepingComputer
February 13, 2021
Leading Canadian rental car company hit by DarkSide ransomware Full Text
Abstract
Canadian Discount Car and Truck Rentals has been hit with a DarkSide ransomware attack where the hackers claim to have stolen 120GB of data.BleepingComputer
February 13, 2021
CD Projekt’s stolen source code allegedly sold by ransomware gang Full Text
Abstract
A ransomware gang who says they stole unencrypted source code for the company's most popular games and then encrypted CD Projekt's servers claims to have sold the data.BleepingComputer
February 12, 2021
The Week in Ransomware - February 12th 2021 - More keys released Full Text
Abstract
This week we saw another ransomware shut down its operation and a significant attack against Cyberpunk 2077 game developer CD Projekt Red.BleepingComputer
February 12, 2021
Free decrypter released for Avaddon ransomware victims… aaand, it’s gone! Full Text
Abstract
The tool works by dumping an infected system's RAM and scouring the memory content for data that could be used to recover the Avaddon ransomware's original encryption key.ZDNet
February 12, 2021
Zeoticus 2.0 Making Infections Harder to Control, Contain, and Mitigate Full Text
Abstract
A security researcher has found a more versatile and effective version of the Zeoticus ransomware with elevated capabilities such as executing payloads without connectivity or remote commands.Cyware Alerts - Hacker News
February 11, 2021
Avaddon ransomware fixes flaw allowing free decryption Full Text
Abstract
The Avaddon ransomware gang has fixed a bug that let victims recover their files without paying the ransom. The flaw came to light after a security researcher exploited it to create a decryptor.BleepingComputer
February 11, 2021
Avaddon ransomware decryptor released, but operators quickly reacted Full Text
Abstract
An expert released a free decryption tool for the Avaddon ransomware, but the operators quickly updated the malware code to make it ineffective. The Spanish student Javier Yuste has released a free decryption tool for the Avaddon ransomware that can be used...Security Affairs
February 11, 2021
Understanding the Use of Cryptocurrency by Ransomware Operators Full Text
Abstract
Ransomware-as-a-Service (RaaS) has become a lucrative enterprise. As per research by Chainalysis, blockchain transactions prove that different ransomware operators are interconnected.Cyware Alerts - Hacker News
February 11, 2021
Rains in the Desert: Some Takedowns, Some Shutdowns Full Text
Abstract
Over the past few months, law enforcement agencies from around the globe have been making significant progress in controlling cybercrime, especially ransomware operations.Cyware Alerts - Hacker News
February 11, 2021
Researchers identify 223 vulnerabilities used in recent ransomware attacks Full Text
Abstract
Ransomware groups – and APTs – are leveraging an expanding list of vulnerabilities, misconfigurations and technologies to overwhelm IT security teams.SCMagazine
February 10, 2021
French MNH health insurance company hit by RansomExx ransomware Full Text
Abstract
French health insurance company Mutuelle Nationale des Hospitaliers (MNH) has suffered a ransomware attack that has severely disrupted the company's operations, BleepingComputer has learned.BleepingComputer
February 10, 2021
CD Projekt Red game maker discloses ransomware attack Full Text
Abstract
The gaming firm CD Projekt Red, which developed popular games like Cyberpunk 2077 and The Witcher series, has disclosed a ransomware attack.Security Affairs
February 10, 2021
Zeoticus 2.0 Infections Are Now Harder to Control, Contain, and Mitigate Full Text
Abstract
A security researcher has found a more versatile and effective version of the Zeoticus ransomware with elevated capabilities such as executing payloads without connectivity or remote commands.Cyware Alerts - Hacker News
February 9, 2021
Ransomware group claims it dumped source code of Cyberpunk 2077 Full Text
Abstract
In what could have been the dystopian future envisioned by sci-fi author William Gibson or just another bad day for CD Projekt Red, the company was hit with a 48-hour ransom demand by an undetermined hacking group that claimed to have dumped full copies of the source code for the company’s Cyberpunk 2077 server and…SCMagazine
February 9, 2021
Cyberpunk 2077 Publisher Hit with Hack, Threats and Ransomware Full Text
Abstract
CD Projekt Red was hit with a cyberattack (possibly the work of the “Hello Kitty” gang), and the attackers are threatening to release source code for Witcher 3, corporate documents and more.Threatpost
February 09, 2021
HelloKitty ransomware behind CD Projekt Red cyberattack, data theft Full Text
Abstract
The ransomware attack against CD Projekt Red was conducted by a ransomware group that goes by the name 'HelloKitty,' and yes, that's the name the threat actors utilize.BleepingComputer
February 9, 2021
Ransomware targets Ness Digital Engineering, sparking concern in Israel Full Text
Abstract
The details of the cyberattack remain unclear, but initial reports indicate that the attack may have begun in Israel and then spread to other Ness branches around the world.The Jerusalem Post
February 09, 2021
CD PROJEKT RED gaming studio hit by ransomware attack Full Text
Abstract
CD PROJEKT RED, the video game development studio behind Cyberpunk 2077 and The Witcher trilogy, has disclosed a ransomware attack that impacted its network.BleepingComputer
February 9, 2021
Ransomware Extortion Strategy Deepens as New Trends Emerge Full Text
Abstract
One of the emerging trends involves several ransomware gangs extorting companies by targeting the classified and confidential data of top executives and managers.Cyware Alerts - Hacker News
February 8, 2021
WestRock Ransomware Attack Hinders Packaging Production Full Text
Abstract
The ransomware attack, affecting OT systems, resulted in some of WestRock’s facilities lagging in production levels.Threatpost
February 8, 2021
Conti ransomware gang tied to latest attacks on hospitals in Florida and Texas Full Text
Abstract
At least tens of thousands of sensitive medical files were posted to a blog on the dark web that the hackers used to extort the two hospital chains.SCMagazine
February 8, 2021
Victims of Ziggy ransomware can recover their files for free Full Text
Abstract
The Ziggy ransomware gang has shut down its operations and released the decryption keys, fearing the ongoing investigation by law enforcement.Security Affairs
February 07, 2021
Ziggy ransomware shuts down and releases victims’ decryption keys Full Text
Abstract
The Ziggy ransomware operation has shut down and released the victims' decryption keys after concerns about recent law enforcement activity and guilt for encrypting victims.BleepingComputer
February 6, 2021
Ransomware Attacks Now a Million Dollar Enterprise Full Text
Abstract
Chainalysis tracked million worth of bitcoin transactions related to ransomware attacks and discovered that a sizable chunk usually ends up with actors at the top of the pyramid.Cyware Alerts - Hacker News
February 6, 2021
Packaging giant WestRock is still working to resume after recent Ransomware Attack Full Text
Abstract
Packaging giant WestRock revealed this week that the recent ransomware attack impacted the company’s IT and operational technology (OT) systems. American corrugated packaging company WestRock announced at the end of January that it was the victim...Security Affairs
February 6, 2021
Researchers find financial ties between notorious ransomware gangs Full Text
Abstract
The number of ransomware strains that lock up systems throughout the global internet might suggest an immeasurable number of independent hackers are plundering victims’ data.Cyberscoop
February 05, 2021
The Week in Ransomware - February 5th 2021 - Data destruction Full Text
Abstract
This week we saw a few large scale attacks and various ransomware reports indicating ransom payments are falling, while attacks are increasingly destroying data permanently. The good news is a new ransomware decryptor was released, allowing victims to recover files for free.BleepingComputer
February 5, 2021
Forward Air Corporation says that December Ransomware attack caused a loss of $7.5M Full Text
Abstract
Trucking and freight transportation logistics giant Forward Air Corporation said a December 2020 ransomware attack had a $7.5M impact.Security Affairs
February 5, 2021
Mortgage loan servicing company discloses ransomware attack to multiple states Full Text
Abstract
A preliminary investigation identified data related to SN Servicing Corporation’s billing statements and fee notices to customers from 2018, including names, addresses, loan numbers, balance information and billing information such as charges assessed, owed or paid.SCMagazine
February 5, 2021
Ransomware Attacks Hit Major Utilities Full Text
Abstract
Eletrobras, the largest power company in Latin America, faced a temporary suspension of some operations.Threatpost
February 5, 2021
Experts: Foxtons Breach Was Egregor Ransomware Full Text
Abstract
Double extortion attempt likely, according to KelaInfosecurity Magazine
February 5, 2021
Meet Babuk, a ransomware attacker blamed for the Serco breach Full Text
Abstract
The ransomware gang, dubbed Babuk after its strain of code, is a case study in how quickly crooks can learn the basics of digital extortion and how that breeds ambition for big corporate scalps.Cyberscoop
February 05, 2021
Eletrobras, Copel energy companies hit by ransomware attacks Full Text
Abstract
Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel), two major electric utilities companies in Brazil have announced that they suffered ransomware attacks over the past week.BleepingComputer
February 4, 2021
NCIJTF Releases New Ransomware Fact Sheet Full Text
Abstract
America’s National Cyber Investigative Joint Task Force seeks to educate the public on the ransomware threatInfosecurity Magazine
February 04, 2021
Ransomware attacks increasingly destroy victims’ data by mistake Full Text
Abstract
More and more ransomware victims are resisting the extortionists and refuse to pay when they can recover from backups, despite hackers' threats to leak the data stolen before encryption.BleepingComputer
February 4, 2021
Trucking company Forward Air said its ransomware incident cost it $7.5 million Full Text
Abstract
The losses stemmed "primarily because of the Company's need to temporarily suspend its electronic data interfaces with its customers," Forward Air said in SEC documents filed today.ZDNet
February 4, 2021
US Shipping Giant Loses $7.5m in Ransomware Attack Full Text
Abstract
Forward Air couldn’t reach customers after December incidentInfosecurity Magazine
February 04, 2021
Rise in ransomware attacks mistakenly causing data destruction Full Text
Abstract
More and more ransomware victims are resisting the extortionists and refuse to pay when they can recover from backups, despite hackers' threats to leak the data stolen before encryption.BleepingComputer
February 03, 2021
New Fonix ransomware decryptor can recover victim’s files for free Full Text
Abstract
Kaspersky has released a decryptor for the Fonix Ransomware (XONIF) that allows victims to recover their encrypted files for free.BleepingComputer
February 3, 2021
Ransomware’s Helper: Initial Access Brokers Flourish Full Text
Abstract
To take down bigger targets more easily, ransomware gangs are increasingly tapping initial access brokers, who sell ready access to high-value networks for a few hundred or a few thousand dollars.Gov Info Security
February 3, 2021
Ransomware gangs made at least $350 million in 2020 Full Text
Abstract
According to numbers released in a previous report by Chainalysis, ransomware payments accounted for 7% of all funds received by "criminal" cryptocurrency addresses in 2020.ZDNet
February 02, 2021
Babyk Ransomware won’t hit charities, unless they support LGBT, BLM Full Text
Abstract
The Babyk ransomware operation has launched a new data leak site used to publish victims' stolen data as part of a double extortion strategy. Included is a list of targets they won't attack, with some exclusions that definitely stand out.BleepingComputer
February 2, 2021
Ransomware operators exploit VMWare ESXi flaws to encrypt disks of VMs Full Text
Abstract
Ransomware operators are exploiting two VMWare ESXi vulnerabilities, CVE-2019-5544 and CVE-2020-3992, to encrypt virtual hard disks. Security experts are warning of ransomware attacks exploiting two VMWare ESXi vulnerabilities, CVE-2019-5544 and CVE-2020-3992,...Security Affairs
February 2, 2021
Ransomware gangs are abusing VMWare ESXi exploits to encrypt virtual hard disks Full Text
Abstract
At least one major ransomware gang is abusing vulnerabilities in the VMWare ESXi product to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives.ZDNet
February 02, 2021
Netgain ransomware incident impacts local governments Full Text
Abstract
The ransomware incident that Netgain, a provider of managed IT services, had late last year rippled onto its customers. Now, Ramsey County, Minnesota, is informing clients of the Family Health Division program that the hackers may have accessed personal data.BleepingComputer
February 1, 2021
So, What’s So Special About the Newest Ransomware? Full Text
Abstract
The Babuk Locker ransomware group mainly focuses on enterprise networks instead of individuals, and their ransom demands range from $60,000 to $85,000.Cyware Alerts - Hacker News
February 1, 2021
Ransomware: These Cartels Will Leak Your Data Until You Pay Full Text
Abstract
The ransomware industry has certainly come a long way, from the early days of the AIDS Trojan to the modern, very business-like Ransomware-as-a-Service model preying on businesses of all sizes.Cyber News
February 1, 2021
Average Ransom Payment Declines to $154,108 Full Text
Abstract
While ransomware attacks continue to pummel organizations, fewer victims have been paying a ransom, and when they do, on average they're paying less than before according to an assessment by Coveware.Gov Info Security
February 1, 2021
FonixCrypter Ransomware Gang Shuts Operations, Releases Master Decryption Key Full Text
Abstract
The cybercrime group behind the FonixCrypter ransomware has announced today on Twitter that they've deleted the ransomware's source code and plan to shut down their operation.ZDNet
February 1, 2021
Global Government Outsourcer Serco Hit by Ransomware Full Text
Abstract
Report suggests firm was targeted by Babuk strainInfosecurity Magazine
January 30, 2021
UK Research and Innovation (UKRI) discloses ransomware attack Full Text
Abstract
Ransomware infected the systems of UK Research and Innovation (UKRI); at least two services were impacted. UK Research and Innovation (UKRI) disclosed a ransomware incident that impacted a number of UKRI-related web assets. Two services...Security Affairs
January 30, 2021
UK Research and Innovation (UKRI) suffers ransomware attack Full Text
Abstract
The UK Research and Innovation (UKRI) is dealing with a ransomware incident that encrypted data and impacted two of its services that offer information to subscribers and the platform for peer review of various parts of the agency.BleepingComputer
January 30, 2021
Victims of FonixCrypter ransomware could decrypt their files for free Full Text
Abstract
FonixCrypter ransomware operators shut down their operations, released the master decryption key for free, and deleted the malware's source code. Good news for the victims of the FonixCrypter ransomware, the operators behind the threat shut down their...Security Affairs
January 29, 2021
Fonix ransomware shuts down and releases master decryption key Full Text
Abstract
The Fonix Ransomware operators have shut down their operation and released the master decryption key, allowing victims to recover their files for free.BleepingComputer
January 29, 2021
The Week in Ransomware - January 29th 2021 - Striking back Full Text
Abstract
It has been a hectic week, with law enforcement conducting two successful operations that will significantly impact ransomware.BleepingComputer
January 29, 2021
Miss England Held to Ransom by Cyber-attackers Full Text
Abstract
Criminals demand money to unlock hacked social media account of beauty pageantInfosecurity Magazine
January 29, 2021
Vovalex is likely the first ransomware written in D Full Text
Abstract
A new ransomware called Vovalex is being distributed through fake pirated software that impersonates popular Windows utilities, such as CCleaner.BleepingComputer
January 28, 2021
US Justice Department issues rare charges against ransomware operator Full Text
Abstract
The U.S. has struck a rare blow against an international ransomware gang, charging one alleged member of a hacker ring that has shut down health care facilities, colleges, and utilities companies.NBC News
January 28, 2021
UK association defends ransomware payments in cyber insurance policies Full Text
Abstract
Businesses and organizations without viable backups or with an urgent need to restore their systems -- such as hospitals and energy utilities -- are then under extreme pressure to pay up.ZDNet
January 27, 2021
Avaddon Ransomware Using Ransom DDoS Attacks Full Text
Abstract
Avaddon ransomware actors reportedly launched a DDoS attack against one of their victims' websites to pressure the victim organization into negotiating the ransom payment.Cyware Alerts - Hacker News
January 27, 2021
#RSAC365: Will Recent Treasury Guidance Reduce Ransomware Payments in the US? Full Text
Abstract
Will a zero-tolerance approach to ransomware payments have a meaningful impact?Infosecurity Magazine
January 27, 2021
UK Insurers Defend Covering Ransomware Payments Full Text
Abstract
Association of British Insurers said cyber-attacks could financially ruin companiesInfosecurity Magazine
January 27, 2021
Why Enterprises Must Take Ransomware Attacks Seriously Full Text
Abstract
The impact of a ransomware attack can be devastating. The average attack can cost over $1 million. It can take a company offline for 5-10 days, costing millions more in lost productivity and damages.Security Boulevard
January 27, 2021
Sharp Increase in Emotet, Ransomware Droppers Full Text
Abstract
Ransomware continues to be one of the most impactful threats. Aside from vulnerabilities, its primary delivery method remains phishing emails, with links or attachments containing early-stage loaders.Phish Labs
January 27, 2021
Ransomware hackers launder bitcoin through just a handful of locations, researchers find Full Text
Abstract
A relatively small number of groups seem to dominate the cybercrime market, offering their malware on a rental basis, while taking a chunk of profits and using money laundering to cover their tracks.Cyberscoop
January 26, 2021
Pan-Asian retail giant Dairy Farm suffers REvil ransomware attack Full Text
Abstract
Massive pan-Asian retail chain operator Dairy Farm Group was attacked this month by the REvil ransomware operation, demanding a $30 million ransom.BleepingComputer
January 26, 2021
Ransomware Actors in the Footsteps of Maze Full Text
Abstract
Ransomware attacks have grown rapidly around the world, claiming victim after victim. A new report by Emsisoft sheds light on "the life of Maze," a threat group that has unfortunately inspired many others.Cyware Alerts - Hacker News
January 26, 2021
Nefilim Ransomware Gang Hits Jackpot with Ghost Account Full Text
Abstract
An unmonitored account belonging to a deceased employee allowed Nefilim to exfiltrate data and infiltrate systems for a month, without being noticed.Threatpost
January 26, 2021
Cybercriminals use deceased staff accounts to spread Nemty ransomware Full Text
Abstract
Cybercriminals will often use brute-force attacks, phishing emails, and existing data dumps to break into corporate networks but there is one area that is often ignored to a company's detriment: ghost accounts.ZDNet
January 26, 2021
Packaging Giant WestRock Says Ransomware Attack Impacted OT Systems Full Text
Abstract
American packaging giant WestRock on Monday revealed that it was recently targeted in a ransomware attack that impacted both information technology (IT) and operational technology (OT) systems.Security Week
January 25, 2021
Ransomware attack hit WestRock IT and OT systems Full Text
Abstract
Packaging giant WestRock disclosed a ransomware attack that impacted its information technology (IT) and operational technology (OT) systems. American corrugated packaging company WestRock announced it was the victim of a ransomware attack that...Security Affairs
January 25, 2021
Ransomware gang taunts IObit with repeated forum hacks Full Text
Abstract
A ransomware gang continues to taunt Windows software developer IObit by hacking its forums to display a ransom demand.BleepingComputer
January 24, 2021
Another ransomware now uses DDoS attacks to force victims to pay Full Text
Abstract
Another ransomware gang is now using DDoS attacks to force a victim to contact them and negotiate a ransom.BleepingComputer
January 23, 2021
Clop ransomware gang clips sensitive files from Atlantic Records’ London ad agency The7stars, dumps them online Full Text
Abstract
The7stars, a London ad agency that counts Atlantic Records, Suzuki, and Penguin Random House among its clients, has had its files dumped online by the Clop ransomware gang.The Register
January 23, 2021
Hackers publish thousands of files after government agency refuses to pay ransom Full Text
Abstract
The hackers behind the ransomware attack on the Scottish Environment Protection Agency (SEPA) have published thousands of stolen files after the organisation refused to pay the ransom.ZDNet
January 22, 2021
The Week in Ransomware - January 22nd 2021 - Calm before the storm Full Text
Abstract
Ransomware news is slow this week, with mostly small ransomware variants being released and a small number of attacks reported.BleepingComputer
January 22, 2021
Ransomware Attackers Publish 4K Private Scottish Gov Agency Files Full Text
Abstract
Up to 4,000 stolen files have been released by hackers who launched a ransomware attack against the Scottish Environmental Protection Agency on Christmas Eve.Threatpost
January 21, 2021
CISA launches ransomware education program Full Text
Abstract
The effort encourages governments, schools and private companies to take steps to protect their systems and data from ransomware.SCMagazine
January 21, 2021
Truckers’ Medical Records Leaked Full Text
Abstract
Ransomware attack on Virginia healthcare provider may have exposed medical records of transport workersInfosecurity Magazine
January 21, 2021
Ransomware provides the perfect cover Full Text
Abstract
Attackers are using ransomware to their advantage as it gives them the perfect cover to divert attention so as to focus on exfiltrating IP, research, and other valuable data from corporate networks.Help Net Security
January 21, 2021
Ransomware Took Heavy Toll on US in 2020: Researchers Full Text
Abstract
Ransomware attacks took a heavy toll on the United States last year with more than 2,000 victims in government, education and health care, security researchers say in a new report.Security Week
January 21, 2021
FIN11 Attackers are Now Using Clop Ransomware Full Text
Abstract
Researchers shed light on how a cybercriminal group is trying to step into bigger shoes by collaborating with attackers behind the Clop ransomware in its recent operations.Cyware Alerts - Hacker News
January 21, 2021
Federal cyber agency announces new campaign to fight ransomware attacks Full Text
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) on Thursday rolled out a new public awareness campaign to push back against the plague of ransomware cyberattacks that have increasingly targeted governments and the nation’s education systems.The Hill
January 21, 2021
Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data Full Text
Abstract
Some organizations that fall victim to ransomware attacks are paying ransoms to the hackers despite being able to restore their networks from backups, so as to prevent hackers publishing stolen data.ZDNet
January 20, 2021
CISO lends voice to MSPs and their small-biz clients in ransomware battle Full Text
Abstract
Ryan Weeks is CISO at Datto, a founding member of the Institute for Security and Technology’s new anti-ransomware initiative. He spoke to SC Media about the segment of the business community that he believes to be underserved by efforts to counter ransomware.SCMagazine
January 20, 2021
Over 560 US healthcare companies hit by ransomware in 2020 Full Text
Abstract
As per a study by Emsisoft, the year 2020 witnessed over 560 US healthcare companies being hit by ransomware, causing EHR downtime, ambulance diversion, inaccessible lab tests, and more.Cybersecurity Insiders
January 19, 2021
Wentworth hacked and personal details of entire member list thought to be stolen Full Text
Abstract
The theft occurred after hackers infiltrated the Wentworth IT system and sent out a post to members, seemingly demanding a payment in bitcoins, a cyber currency, to “recover files”.The Telegraph
January 19, 2021
Ransomware cyber attack suspected on Okanogan County Full Text
Abstract
County officials, including those from Public Health, have disclosed that the phone and email systems were heavily impacted in the attack and that the time needed for restoration is not yet known.Cybersecurity Insiders
January 18, 2021
IObit forums hacked to spread ransomware to its members Full Text
Abstract
Windows utility developer IObit was hacked over the weekend to perform a widespread attack to distribute the strange DeroHE ransomware to its forum members.BleepingComputer
January 18, 2021
IObit forums hacked in widespread DeroHE ransomware attack Full Text
Abstract
Windows utility developer IObit was hacked over the weekend to perform a widespread attack to distribute the strange DeroHE ransomware to its forum members.BleepingComputer
January 18, 2021
Environmental Regulator Suffers Ransomware Blow Full Text
Abstract
SEPA warns it will take some time to restore all servicesInfosecurity Magazine
January 18, 2021
Ransomware reveals the hidden weakness of our big tech world Full Text
Abstract
Rarely a week goes by without another company, or city, or hospital, falling prey to the gangs who will encrypt the data across PCs and networks and demand thousands or millions in ransom.ZDNet
January 17, 2021
New coalition aims to combat growing wave of ransomware attacks Full Text
Abstract
A new coalition of cybersecurity and tech groups is looking to create a roadmap for countering the surge of ransomware attacks that plagued city governments, schools and hospitals in 2020.The Hill
January 16, 2021
Ransomware attacks now to blame for half of healthcare data breaches Full Text
Abstract
According to new research, almost half of all data breaches in hospitals and the wider healthcare sector are a result of ransomware attacks that have recently shown an uptick in deploying an extra layer of extortion.ZDNet
January 15, 2021
The Week in Ransomware - January 15th 2021 - Locking you up Full Text
Abstract
It has been another quiet week for ransomware, though we did have some interesting stories come out this week.BleepingComputer
January 15, 2021
FIN11 e-crime group shifted to CL0P ransomware and big game hunting Full Text
Abstract
FIN11 has increasingly factored CL0P ransomware into its operations, and it's clear they also put a substantial amount of effort into each follow-up compromise.SCMagazine
January 15, 2021
Intel unveils ransomware-fighting CPUs Full Text
Abstract
The capability is an easy win for CISOs, who can benefit from it with only limited tweaks to machines.SCMagazine
January 15, 2021
Scotland environmental regulator hit by ‘ongoing’ ransomware attack Full Text
Abstract
The Scottish Environment Protection Agency confirmed on Thursday that some of its contact center, internal systems, processes and internal communications were affected following a ransomware attack that took place on Christmas Eve.BleepingComputer
January 14, 2021
CAPCOM: 390,000 people impacted in the recent ransomware Attack Full Text
Abstract
Capcom revealed that the recent ransomware attack has potentially impacted 390,000 people, an increase of approximately 40,000 people from the previous report. In November, Japanese game developer Capcom admitted to having suffered a cyberattack that...Security Affairs
January 13, 2021
Obfuscation Techniques in Ransomweb “Ransomware” Full Text
Abstract
The worst part about ransomware is that it encrypts data and removes the original unencrypted copies, thereby eliminating any way to recover files that are not backed up without paying the ransom.Sucuri
January 13, 2021
Intel Adds Hardware-Enabled Ransomware Detection to 11th Gen vPro Chips Full Text
Abstract
Intel and Cybereason have partnered to build anti-ransomware defenses into the chipmaker's newly announced 11th generation Core vPro business-class processors. The hardware-based security enhancements are baked into Intel's vPro platform via its Hardware Shield and Threat Detection Technology (TDT), enabling profiling and detection of ransomware and other threats that have an impact on CPU performance. "The joint solution represents the first instance where PC hardware plays a direct role in ransomware defenses to better protect enterprise endpoints from costly attacks," Cybereason said. Exclusive to vPro, Intel Hardware Shield provides protections against firmware-level attacks targeting the BIOS, thereby ensuring that the operating system (OS) runs on legitimate hardware, as well as minimizing the risk of malicious code injection by locking down memory in the BIOS when the software is running, to help prevent planted malware from compromising the OS.The Hacker News
January 13, 2021
Cybereason to Adopt Intel’s PC Hardware Ransomware Solution Full Text
Abstract
Cybereason will add the solution to its defense platformInfosecurity Magazine
January 13, 2021
Egregor on an Attacking Spree Around the World Full Text
Abstract
A recent FBI advisory urges all private sector organizations to be on the alert for potential malicious activities from the threat actors behind Egregor ransomware.Cyware Alerts - Hacker News
January 12, 2021
Capcom: 390,000 people may be affected by ransomware data breach Full Text
Abstract
Capcom has released a new update for their data breach investigation and state that up to 390,000 people may now be affected by their November ransomware attack.BleepingComputer
January 12, 2021
Ryuk: This Criminal Enterprise has Earned Millions in Ransom Full Text
Abstract
The Ryuk operators are believed to have earned over $150 million in ransom payments from its attacks around the world, according to a new report by Advanced Intelligence and HYAS.Cyware Alerts - Hacker News
January 12, 2021
Intel adds ransomware detection capabilities at the silicon level Full Text
Abstract
Intel announced it is adding ransomware detection capabilities to its new 11th Gen Core vPro processors through improvements to its Hardware Shield and Threat Detection Technology (TDT).ZDNet
January 12, 2021
US Rail Operator OmniTRAX Impacted by Conti Ransomware Attack on its Parent Firm Broe Group Full Text
Abstract
Colorado-based short line rail operator and logistics provider OmniTRAX was hit by a recent ransomware attack and data theft that targeted its corporate parent, Broe Group.Yahoo! Finance
January 12, 2021
Bitdefender releases free decrypter for Darkside ransomware Full Text
Abstract
Security firm Bitdefender released a tool that allows victims of the Darkside ransomware to recover their files without paying the ransom. Good news for the victims of the Darkside ransomware, they could recover their files for free using a tool that...Security Affairs
January 11, 2021
Intel adds hardware-based ransomware detection to 11th gen CPUs Full Text
Abstract
Intel announced today at CES 2021 that they have added hardware-based ransomware detection to their newly announced 11th generation Core vPro business-class processors.BleepingComputer
January 11, 2021
DarkSide decryptor unlocks systems without ransom payment – for now Full Text
Abstract
The decryptor works for all current DarkSide infections, but that will likely change soon as the group reacts and adapts to the disclosure.SCMagazine
January 11, 2021
DarkSide ransomware decryptor recovers victims’ files for free Full Text
Abstract
Romanian cybersecurity firm Bitdefender has released a free decryptor for the DarkSide ransomware to allow victims to recover their files without paying a ransom.BleepingComputer
January 11, 2021
Free decrypter released for victims of Darkside ransomware Full Text
Abstract
Cybersecurity firm Bitdefender has released today a free tool that can help victims of the Darkside ransomware recover their encrypted files for free, without paying the ransom demand.ZDNet
January 11, 2021
Some ransomware gangs are going after top execs to pressure companies into paying Full Text
Abstract
In recent intrusions, a group that has often used the Clop ransomware strain has been specifically searching for workstations inside a breached company that are used by its top managers.ZDNet
January 10, 2021
The Ransomware-Laden First Week of 2021 Full Text
Abstract
Looking at several organizations disclosing ransomware attacks at the beginning of the new year, the FBI issued a Private Industry Notification (PIN) warning private companies of Egregor ransomware attacks.Cyware Alerts - Hacker News
January 09, 2021
Hacker used ransomware to lock victims in their IoT chastity belt Full Text
Abstract
The source code for the ChastityLock ransomware that targeted male users of a specific adult toy is now publicly available for research purposes.BleepingComputer
January 9, 2021
Dassault Falcon Jet hit by Ragnar Locker ransomware gang Full Text
Abstract
Dassault Falcon Jet has disclosed a data breach that exposed personal information belonging to current and former employees. In December, Dassault Falcon Jet (DFJ) was the victim of a cyber attack that may have exposed personal information...Security Affairs
January 9, 2021
FBI Warns of Egregor Ransomware Targeting Businesses Worldwide Full Text
Abstract
Egregor ransomware targets businesses worldwide, attempting to extort them by publicly releasing exfiltrated data. The US Federal Bureau of...Cyber Security News
January 08, 2021
The Week in Ransomware - January 8th 2021 - $150 million Full Text
Abstract
Even though the holidays are over in many countries, it has been a very quiet week for ransomware. Unfortunately, ransomware activity will likely pick up shortly.BleepingComputer
January 8, 2021
Ryuk Rakes in $150M in Ransom Payments Full Text
Abstract
An examination of the malware gang’s payments reveals insights into its economic operations.Threatpost
January 08, 2021
Dassault Falcon Jet reports data breach after ransomware attack Full Text
Abstract
Dassault Falcon Jet has disclosed a data breach that may have led to the exposure of personal information belonging to current and former employees, as well as their spouses and dependents.BleepingComputer
January 8, 2021
2021 Sees its First Ransomware Family Full Text
Abstract
Researchers uncovered a new ransomware family called Babuk that has successfully encrypted systems of at least five online gambling companies in the first half of 2020.Cyware Alerts - Hacker News
January 8, 2021
Ransomware Attack Costs Health Network $1.5m a Day Full Text
Abstract
October ransomware attack is costing Vermont health network millions in lost revenueInfosecurity Magazine
January 8, 2021
Ryuk Ransomware Attackers Have Made $150m Full Text
Abstract
Crime pays for infamous extortionists, researchers claimInfosecurity Magazine
January 8, 2021
RansomExx newer variants adapted to Attack Linux servers Full Text
Abstract
RansomExx is a ransomware variant responsible for several high-profile attacks in 2020 and has revealed signs of further development and unhampered activity.Cyber Security News
January 07, 2021
Ryuk ransomware Bitcoin wallets point to $150 million operation Full Text
Abstract
Security researchers following the money circuit from Ryuk ransomware victims into the threat actor's pockets estimate that the criminal organization made at least $150 million.BleepingComputer
January 7, 2021
FBI alert warns private organizations of Egregor ransomware attacks Full Text
Abstract
The US Federal Bureau of Investigation (FBI) issued a security alert warning private sector companies of Egregor ransomware attacks. The US FBI has issued a Private Industry Notification (PIN) to warn private organizations of Egregor ransomware attacks. The...Security Affairs
January 7, 2021
Ryuk ransomware operations already made over $150M Full Text
Abstract
The Ryuk ransomware has had a disruptive impact on multiple industries around the world, and its operators have already earned more than $150 million. The Ryuk ransomware gang is one of the most prolific criminal operations that caused destruction in multiple industries...Security Affairs
January 7, 2021
Threatpost Poll: Weigh in on Ransomware Security Full Text
Abstract
Provide your views on ransomware and how to deal with it in our anonymous Threatpost poll.Threatpost
January 07, 2021
FBI warns of Egregor ransomware extorting businesses worldwide Full Text
Abstract
The US Federal Bureau of Investigation (FBI) has sent a security alert warning private sector companies that the Egregor ransomware operation is actively targeting and extorting businesses worldwide.BleepingComputer
January 7, 2021
The DCH Ransomware Attack: A Teachable Moment in Cyber-History Full Text
Abstract
In the early hours of October 1, 2019, Alabama’s DCH Health System fell victim to an extended ransomware attack which forced it to close all three of its state hospitals.Heimdal Security
January 7, 2021
Anti-Secrecy Activists DDoSecrets Publish a Terabyte of Ransomware Victims’ Data Full Text
Abstract
The DDoSecrets group is also offering to privately share an additional 1.9 terabytes of data from more than a dozen other firms with selected journalists or academic researchers.Wired
January 6, 2021
Most Public Sector Victims Refuse to Pay Ransomware Gangs Full Text
Abstract
Veritas data suggests government orgs are best at recovering dataInfosecurity Magazine
January 05, 2021
Babuk Locker is the first new enterprise ransomware of 2021 Full Text
Abstract
It's a new year, and with it comes a new ransomware called Babuk Locker that targets corporate victims in human-operated attacks.BleepingComputer
January 5, 2021
After refusing to pay ransom, US-based auto parts distributor has sensitive data leaked by cybercriminals Full Text
Abstract
The NameSouth archive leaked by NetWalker includes financial and accounting data, credit card statements, personally identifiable employee information, and various legal documents.CyberNews
January 5, 2021
Ransomware ‘businesses’: Does acting legitimate pay off? Full Text
Abstract
While ransomware is an act of extortion aimed at separating users and enterprises from their money, some operators appear to look at the relationship with victims as a kind of business partnership.Tech Target
January 5, 2021
The anatomy of a modern day ransomware conglomerate Full Text
Abstract
Egregor, in recent months, appears to have hacked more than 130 targets, including schools, manufacturing firms, logistics companies, and financial institutions, according to security firm Sophos.Cyberscoop
January 05, 2021
Ryuk ransomware is the top threat for the healthcare sector Full Text
Abstract
Healthcare organizations continue to be a prime target for cyberattacks of all kinds, with ransomware incidents, Ryuk in particular, being more prevalent.BleepingComputer
January 5, 2021
Ransomware Surge Drives 45% Increase in Healthcare Cyber-Attacks Full Text
Abstract
Check Point claims the sector is twice as badly hit as othersInfosecurity Magazine
January 5, 2021
Apex Laboratory Confirms Ransomware Gang Stole Patient Info in Cyberattack Full Text
Abstract
The New York-based clinical laboratory Apex fell victim to a cyberattack claimed by the DoppelPaymer ransomware gang on December 15, 2020, the company has confirmed in a notification on its website.Bit Defender
January 4, 2021
Apex Laboratory discloses data breach after a ransomware attack Full Text
Abstract
At-home laboratory services provider Apex Laboratory discloses a ransomware attack and consequent data breach. Apex Laboratory, Inc. is a clinical laboratory that has been providing home laboratory services to homebound and nursing home patients in the NY Metropolitan...Security Affairs
January 04, 2021
TransLink confirms ransomware data theft, still restoring systems
Abstract
Metro Vancouver's transportation agency TransLink has confirmed that the Egregor ransomware operators who breached its network at the beginning of December 2020 also accessed and potentially stole employees' banking and social security information. (BleepingComputer)
January 01, 2021
The Week in Ransomware - January 1st 2021 - New Year Edition
Abstract
This holiday edition covers the latest ransomware news from the past two weeks, including known ransomware attacks and law enforcement takedowns. (BleepingComputer)
December 31, 2020
What’s Next for Ransomware in 2021?
Abstract
Ransomware response demands a whole-of-business plan before the next attack, according to our roundtable of experts. (Threatpost)
December 31, 2020
City of Cornelia hit by ransomware attack
Abstract
The City of Cornelia’s data system is offline following a ransomware attack the day after Christmas. City Manager Donald Anderson confirmed the attack in a press release to local media on Tuesday. (Now Habersham)
December 30, 2020
GenRx Pharmacy ransomware attack leads to HIPAA data breach disclosure
Abstract
GenRx Pharmacy, a Scottsdale, Arizona-based healthcare organization, has warned hundreds of thousands of patients over a potential data breach following a ransomware attack earlier this year. (The Daily Swig)
December 30, 2020
Ransomware Is Headed Down a Dire Path
Abstract
Though some researchers say that the scale and severity of ransomware attacks crossed a bright line in 2020, others describe this year as simply the next step in a gradual and predictable devolution. (Wired)
December 29, 2020
2020 was the worst year ever for ransomware. 2021 will be more of the same
Abstract
Most of the incentives driving ransomware operations have only intensified over the past year, while law enforcement and defenders look for new angles to stem the tide. (SCMagazine)
December 28, 2020
Nefilim ransomware operators leak data stolen from Whirlpool
Abstract
The American multinational manufacturer and marketer of home appliances Whirlpool was hit by the Nefilim ransomware gang. The American multinational manufacturer and marketer of home appliances Whirlpool suffered a ransomware attack,... (Security Affairs)
December 28, 2020
Ransomware Operators Take a Liking to SystemBC RAT
Abstract
Sophos published new research into the SystemBC malware that acts as a Tor proxy and is being used in ransomware-as-a-service attacks for communications and data exfiltration. (Cyware Alerts - Hacker News)
December 28, 2020
Home appliance giant Whirlpool hit in Nefilim ransomware attack
Abstract
Home appliances giant Whirlpool suffered a ransomware attack by the Nefilim ransomware gang who stole data before encrypting devices. (BleepingComputer)
December 28, 2020
REvil Ransomware Gang Targeted ‘The Hospital Group’ and Allegedly Stole 600GB of Documents
Abstract
The Hospital Group has confirmed the ransomware attack and notified the Information Commissioner about the security breach. The Hospital Group also notified via email all customers. (Security Affairs)
December 28, 2020
Ransomware in 2020: A Banner Year for Extortion
Abstract
From attacks on the UVM Health Network that delayed chemotherapy appointments, to ones on public schools that delayed students going back to the classroom, ransomware gangs disrupted organizations to inordinate levels in 2020. (Threatpost)
December 27, 2020
Vermont Hospital confirmed the ransomware attack
Abstract
The Burlington-based University of Vermont Health Network has finally admitted that ransomware was behind the October attack. In October, threat actors hit the Wyckoff Heights Medical Center in Brooklyn and the University of Vermont Health Network.... (Security Affairs)
December 24, 2020
FreePBX developer Sangoma hit with Conti ransomware attack
Abstract
Sangoma disclosed a data breach after files were stolen during a recent Conti ransomware attack and published online. (BleepingComputer)
December 24, 2020
Pay2Key Ransomware’s Mayhem Continues
Abstract
The Pay2Key ransomware is only the latest wave in a series of Iranian-based targeted ransomware attacks deployed against Israeli organizations, and this appears to be a growing trend. (Cyware Alerts - Hacker News)
December 24, 2020
Ransomware attack confirmed on Vermont Hospital
Abstract
The IT staff of the Vermont healthcare network said that the ransomware attack was launched through a server vulnerability and the hackers were demanding an enormous sum as ransom. (Cybersecurity Insiders)
December 24, 2020
Indian pharma firms at high ransomware attack risk in 2021
Abstract
Targeted ransomware attacks on the healthcare and pharma sector will surge in India in 2021 as companies finalize their vaccines to fight Covid-19, a new report said on Wednesday. (The Times Of India)
December 23, 2020
Germany’s Funke Media Group Faces Publishing Delays Due to Potential Ransomware Attack
Abstract
The Funke media group said the attack affected numerous computer systems at editorial offices and printing plants across the country, and prevented the publishing of its Wednesday editions. (Washington Post)
December 23, 2020
Jefferson County PVA office hit by ransomware attack
Abstract
The Jefferson County Property Valuation Administrator's office has been hit by a ransomware attack, in which hackers are holding the agency's data hostage, PVA Colleen Younger said in an interview. (WDRB)
December 22, 2020
Backups are a tool – not a silver bullet – in the fight against ransomware
Abstract
How a company sets up their IT environment, where they place their backups in relation to the rest of their network and how they communicate with their cloud providers all make a difference in how effectively a business can insulate itself from ransomware. (SCMagazine)
December 22, 2020
Microsoft and McAfee headline newly-formed ‘Ransomware Task Force’
Abstract
A group made up of 19 security firms, tech companies, and non-profits, including Microsoft and McAfee, announced on Monday plans to form a new coalition to deal with the rising threat of ransomware. (ZDNet)
December 22, 2020
Ellensburg is the victim of a ransomware cyberattack
Abstract
Officials from the City of Ellensburg announced that it was the victim of a cyberattack. The city is now working with both local and federal law enforcement to better understand the issue. (Yaktri News)
December 22, 2020
Big Tech Joins Up to Ransomware Task Force
Abstract
Institute for Security and Technology hoping to make a big impact. (Infosecurity Magazine)
December 21, 2020
Trucking giant Forward Air hit by new Hades ransomware gang
Abstract
Trucking and freight logistics company Forward Air has suffered a ransomware attack by a new ransomware gang that has impacted the company's business operations. (BleepingComputer)
December 21, 2020
Institute for Security and Technology launches multisector ransomware task force
Abstract
The goal is not to reinvent the wheel, but to synthesize the work that has already been done into coherent solutions. (SCMagazine)
December 21, 2020
Ransomware Attacks Surge in Q3 as Cyber-Criminals Shift Tactics
Abstract
Ransomware accounts for over half of all malware attacks in Q3. (Infosecurity Magazine)
December 21, 2020
Clop ransomware gang paralyzed flavor and fragrance producer Symrise
Abstract
Flavor and fragrance producer Symrise is the latest victim of the Clop ransomware gang, which claims to have stolen 500 GB of unencrypted files. Symrise AG, a major producer of flavours and fragrances, was hit by Clop ransomware operators. The threat... (Security Affairs)
December 21, 2020
Ransomware Operators Using SystemBC Backdoor with Tor proxy & RAT Features to Attack New Targets
Abstract
SystemBC is a commodity malware sold on undercover marketplaces; ransomware-as-a-service (RaaS) operations are using this malware to disguise all kinds of malicious... (Cyber Security News)
December 20, 2020
Flavors designer Symrise halts production after Clop ransomware attack
Abstract
Flavor and fragrance developer Symrise has suffered a Clop ransomware attack where the attackers allegedly stole 500 GB of unencrypted files and encrypted close to 1,000 devices. (BleepingComputer)
December 18, 2020
The Week in Ransomware - December 18th 2020 - Targeting Israel
Abstract
The SolarWinds supply chain attack has dominated this week's cybersecurity news, but there was still plenty of ransomware news this week. (BleepingComputer)
December 18, 2020
Senators push for an investigation into education ransomware conundrum
Abstract
Three Democratic senators requested a federal auditing group look into how the national government assists local school districts in fighting the scourge of ransomware. In a letter dated December 16, Sens. Maggie Hassan, D-N.H., Kyrsten Sinema, D-Ariz, and Jackie Rosen, D-Nev., requested the Government Accountability Office look into “efforts by Education, DHS, and other relevant… (SCMagazine)
December 18, 2020
Fake mobile version of Cyberpunk 2077 spreads ransomware
Abstract
A threat actor is spreading ransomware dubbed CoderWare that masquerades as Windows and Android versions of the recent Cyberpunk 2077. Crooks are spreading fake Windows and Android versions of installers for the new Cyberpunk 2077 video game that... (Security Affairs)
December 17, 2020
Ransomware masquerades as mobile version of Cyberpunk 2077
Abstract
A threat actor is distributing fake Windows and Android installers for the Cyberpunk 2077 game that install ransomware calling itself CoderWare. (BleepingComputer)
December 17, 2020
DoppelPaymer ransomware gang now cold-calling victims, FBI warns
Abstract
FBI says DoppelPaymer ransomware gang is harassing victims who refuse to pay, threatening to send individuals to their homes. FBI is warning of a new escalation in the extortion activities of the DoppelPaymer ransomware gang, the operators have been... (Security Affairs)
December 17, 2020
Iranian nation-state hackers linked to Pay2Key ransomware
Abstract
Iranian-backed hacking group Fox Kitten has been linked to the Pay2Key ransomware operation that has recently started targeting organizations from Israel and Brazil. (BleepingComputer)
December 17, 2020
Phobos Ransomware: Everything You Need to Know and More
Abstract
As far as its genetic makeup goes, so to speak, Phobos ransomware is a heavily similar strain to the infamous Dharma variant. Experts regard the former as a highly similar version of the latter. (Heimdal Security)
December 17, 2020
When zombie malware leads to big-money ransomware attacks
Abstract
In one recent and confronting story, an educational establishment in Scotland was confronted with an extortion demand for a surprisingly specific sum of money matching their bank balance. (Sophos)
December 17, 2020
Ransomware and Cyber-Extortion Payments Double in 2020
Abstract
The payment of ransoms and extortions doubled between 2019 and 2020. (Infosecurity Magazine)
December 17, 2020
FBI Warns DoppelPaymer Ransomware Gang is Harassing Victims Who Refuse to Pay
Abstract
The US FBI says it is aware of incidents where the DoppelPaymer ransomware gang has resorted to cold-calling companies in order to intimidate and coerce victims into paying ransom demands. (ZDNet)
December 17, 2020
Ransomware attacks on the rise even as cyber insurers scale back
Abstract
Ransomware attacks increased in terms of both severity and costs in 2020, forcing insurers to become more selective and even scale back on the cover they offer, a report from a leading insurer showed. (Reuters)
December 16, 2020
Ryuk, Egregor Ransomware Attacks Leverage SystemBC Backdoor
Abstract
In the past few months researchers have detected hundreds of attempted SystemBC deployments globally, as part of recent Ryuk and Egregor ransomware attacks. (Threatpost)
December 16, 2020
Ransomware gangs automate payload delivery with SystemBC malware
Abstract
SystemBC, a commodity malware sold on underground marketplaces, is being used by ransomware-as-a-service (RaaS) operations to hide malicious traffic and automate ransomware payload delivery on the networks of compromised victims. (BleepingComputer)
December 16, 2020
Ransomware Attackers Using SystemBC Malware With RAT and Tor Proxy
Abstract
Cybercriminals are increasingly outsourcing the task of deploying ransomware to affiliates using commodity malware and attack tools, according to new research. In a new analysis published by Sophos today and shared with The Hacker News, recent deployments of Ryuk and Egregor ransomware have involved the use of SystemBC backdoor to laterally move across the network and fetch additional payloads for further exploitation. Affiliates are typically threat actors responsible for gaining an initial foothold in a target network. "SystemBC is a regular part of recent ransomware attackers' toolkits," said Sophos senior threat researcher and former Ars Technica national security editor Sean Gallagher. "The backdoor can be used in combination with other scripts and malware to perform discovery, exfiltration and lateral movement in an automated way across multiple targets. These SystemBC capabilities were originally intended for mass exploitation, but they have now be… (The Hacker News)
December 15, 2020
MountLocker Ransomware Gets Trimmed, Joins Hands with Affiliates
Abstract
The Ransomware-as-a-Service (RaaS) and affiliate program deploy MountLocker widely across corporate networks, seeking multimillion-dollar payments for decryption services. (Cyware Alerts - Hacker News)
December 15, 2020
Norwegian cruise company Hurtigruten was hit by ransomware
Abstract
Norwegian cruise company Hurtigruten disclosed a cyber attack that impacted its entire worldwide digital infrastructure. The Norwegian cruise company Hurtigruten announced its entire worldwide digital infrastructure was the victim of a cyber attack. "It's... (Security Affairs)
December 15, 2020
Ransomware attack causing billing delays for Missouri city
Abstract
The City of Independence, Missouri, suffered a ransomware attack last week that continues to disrupt the city's services. (BleepingComputer)
December 14, 2020
PLEASE_READ_ME Ransomware Campaign Targeting MySQL Servers
Abstract
Guardicore first spotted the attack back in January 2020. After that, it witnessed a total of 92 attacks emanate from 11 IP addresses, with most based in Ireland and the UK at the time of analysis. (Tripwire)
December 13, 2020
Intel’s Habana Labs hacked by Pay2Key ransomware, data stolen
Abstract
Intel-owned AI processor developer Habana Labs has suffered a cyberattack where data was stolen and leaked by threat actors. (BleepingComputer)
December 11, 2020
The Week in Ransomware - December 11th 2020 - Targeting K-12
Abstract
This week we continued to see ransomware target businesses, education, and healthcare with cyberattacks that disrupt operations and lead to school closings. (BleepingComputer)
December 11, 2020
MountLocker ransomware gets slimmer, now encrypts fewer files
Abstract
MountLocker ransomware received an update recently that cut its size by half but preserves a weakness that could potentially allow learning the random key used to encrypt files. (BleepingComputer)
December 11, 2020
New ransomware campaign exploits weak MySQL credentials to lock thousands of databases
Abstract
Researchers have tracked 92 separate attacks since January, but the group’s website indicates it has compromised tens of thousands of internet-exposed databases. (SCMagazine)
December 10, 2020
PLEASE_READ_ME Ransomware Attacks 85K MySQL Servers
Abstract
Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least 250,000 compromised databases. (Threatpost)
December 9, 2020
Palo Alto creates visualization tool to guide response to Egregor ransomware attacks
Abstract
In the Unit 42 ATOM Viewer, security pros can view in a table what tactics the attackers used, then click on a chart to see what to enable on a Palo Alto firewall. (SCMagazine)
December 07, 2020
Foxconn electronics giant hit by ransomware, $34 million ransom
Abstract
Foxconn electronics giant suffered a ransomware attack at a Mexican facility over the Thanksgiving weekend, where attackers stole unencrypted files before encrypting devices.
December 06, 2020
GBMC HealthCare detected a ransomware incident
Abstract
On the morning of Sunday, December 6, 2020, GBMC HealthCare detected a ransomware incident that impacted information technology systems. Although many of our systems are down, GBMC HealthCare has robust processes in place to maintain safe and effective patient care. We are collectively responding in accordance with our well-planned process and policies for this type of event.
December 03, 2020
Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot
Abstract
Egregor ransomware is a complex piece of malware that appears to be associated with the operators of QakBot. The ransomware has been used against organizations across many industries since its debut in September 2020 and is likely to continue to present a threat to organizations in the future. Unlike most ransomware variants, Egregor’s payload cannot be executed or decrypted fully without the correct cryptographic key provided to the malware at runtime, rendering static or dynamic analysis impossible. Because very little is known about the deployment of the ransomware in open sources and how the threat actors target victims, Recorded Future recommends employing mitigations for technical threats used by other “big game hunting” threat actors to mitigate the threat prior to ransom, using the provided hunting package to threat hunt Egregor and ensuring that internet-facing systems are appropriately configured to provide only the minimum needed access.
December 02, 2020
Alabama school district shut down by ransomware attack
Abstract
Ransomware operators have attacked the Huntsville City Schools district in Alabama, forcing them to shut down schools for the rest of the week and possibly next week. The Huntsville City Schools district is the sixth-largest school district in Alabama, with almost 24,000 students, 2,300 employees, and thirty-seven schools. Due to the COVID-19 pandemic, the school district offered both in-school instruction and a fully online learning experience.