Tag: raas

17 Attack Reports | 0 Vulnerabilities

Attack reports

Unmasking the new Chaos RaaS group attacks

Cisco Talos Incident Response has observed attacks by Chaos, a new ransomware-as-a-service group conducting big-game hunting and double extortion attacks. The group uses spam flooding, voice-based social engineering, RMM tool abuse, and legitimate file-sharing software for data exfiltration. Their …
blacksuit
raas
royal
2025-08-29
Published: August 29, 2025
Downloadable IOCs: 6

Tracking GLOBAL GROUP Ransomware from Mamona to Market Scale

A new ransomware actor, GLOBAL GROUP, emerged on the Ramp4u cybercrime forum in June 2025, claiming to offer a fresh Ransomware-as-a-Service (RaaS) platform. However, forensic evidence reveals that GLOBAL is a rebranded continuation of the Mamona RIP and Black Lock ransomware families. The ransomwa…
ransomware
golang
cross-platform
raas
tor
initial access brokers
black lock
2025-08-21
chacha20-poly1305
mamona rip
global group
ai chatbot
Published: August 21, 2025
Linked vulnerabilities : CVE-2024-57727 (CVSS 7.5), CVE-2025-22457 (CVSS 9.0), CVE-2025-32433 (CVSS 10.0), CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 6

Qilin Ransomware and the Hidden Dangers of BYOVD

This analysis examines a recent incident involving Qilin ransomware, highlighting the evolving tactics of cybercriminals to evade Endpoint Detection and Response (EDR) systems. The attackers utilized a previously unknown driver, TPwSav.sys, to disable EDR measures through a technique known as bring…
ransomware
qilin
byovd
raas
2025-07-31
Published: July 31, 2025
Downloadable IOCs: 7

June 2025 Threat Trend Report on Ransomware

The June 2025 threat analysis reveals an increase in new ransomware samples compared to May. The data is based on detection names from AhnLab and information collected from Dedicated Leak Sites (DLS) of ransomware groups. Statistics cover the past six months, showing the total number of ransomware …
ransomware
raas
threat trends
md5 hashes
affected companies
statistics
safepay
devman
2025-07-16
dls
Published: July 16, 2025
Downloadable IOCs: 0

Pay2Key's Resurgence: Iranian Cyber Warfare Targets the West

Pay2Key, an Iranian-backed ransomware-as-a-service operation, has re-emerged as Pay2Key.I2P, targeting Western organizations. Linked to the Fox Kitten APT group and collaborating with Mimic ransomware, the campaign has collected over $4 million in ransom payments in four months. The group offers an…
ransomware
raas
evasion techniques
2025-07-10
mimic
cyber warfare
pay2key
fox kitten
Published: July 10, 2025
Downloadable IOCs: 25

DEVMAN Ransomware: Analysis of New DragonForce Variant

A new ransomware strain resembling DragonForce but with unique traits has emerged, possibly connected to an entity called DEVMAN. The sample reuses DragonForce code but adds its own elements, including the .DEVMAN file extension. Attribution is unclear, as the ransom note is identical to DragonForc…
ransomware
conti
raas
dragonforce
mamona
2025-07-02
blacklock
devman
Published: July 2, 2025
Downloadable IOCs: 2

Inside BRUTED: Black Basta (RaaS) Used Automated Brute Forcing Framework to Target Edge Network Devices

Black Basta, a ransomware-as-a-service group, has been using an automated brute forcing framework called BRUTED to target edge network devices since 2023. The framework performs internet scanning and credential stuffing against firewalls and VPN solutions in corporate networks. Black Basta prioriti…
ransomware
cobalt strike
black basta
vpn
esxi
brute ratel
raas
edge devices
brute-force
firewall
2025-03-17
credential-stuffing
edge-devices
bruted
2025-04-16
Published: April 16, 2025
Downloadable IOCs: 18

Medusa Ransomware Activity Continues to Increase

Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024.
ransomware
blackcat
anydesk
rclone
service
medusa
netscan
raas
medusalocker
psexec
simplehelp
2025-03-06
ttps
pdq deploy
pdq inventory
spearwing
navicat
avkiller
Published: March 6, 2025
Downloadable IOCs: 45

DragonForce Ransomware Group is Targeting Saudi Arabia

DragonForce ransomware has targeted organizations in Saudi Arabia, with a significant data leak from a Riyadh real estate and construction company. The group exfiltrated over 6 TB of data, setting a deadline just before Ramadan. DragonForce operates on a RaaS model, offering high commission rates f…
ransomware
construction
raas
dragonforce
2025-02-27
saudi arabia
dark web
real estate
Published: February 27, 2025
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2024-21412, CVE-2024-21893
Downloadable IOCs: 17

Two Brands, One Payload as Ransomware Affiliates Drop Identical Code

Recent months have seen increased activity in new ransomware operations, including HellCat and Morpheus. Analysis of payloads from both operations reveals that affiliates are using almost identical code. The ransomware samples, uploaded to VirusTotal in December 2024, share similarities in behavior…
ransomware
raas
2025-01-23
hellcat
morpheus
Published: January 23, 2025
Downloadable IOCs: 2

Howling Scorpius (Akira Ransomware)

Howling Scorpius, the entity behind Akira ransomware-as-a-service, has become one of the top five most active ransomware groups since emerging in early 2023. They target small to medium-sized businesses across various sectors in North America, Europe, and Australia using a double extortion strategy…
ransomware
akira
raas
double extortion
megazord
2024-12-03
howling scorpius
Published: December 3, 2024
Linked vulnerabilities : CVE-2024-0012 (CVSS 9.8), CVE-2024-9474 (CVSS 7.2), CVE-2023-20269, CVE-2020-3259
Downloadable IOCs: 44

Embargo ransomware: Rock'n'Rust

ESET researchers have uncovered new Rust-based tools used by the Embargo ransomware group. The toolkit includes MDeployer, a loader that deploys MS4Killer and Embargo ransomware, and MS4Killer, an EDR killer that exploits a vulnerable driver. Embargo, first observed in June 2024, is a relatively ne…
ransomware
rust
byovd
raas
2024-10-23
embargo ransomware
edr killer
safe mode abuse
ms4killer
mdeployer
Published: October 23, 2024
Downloadable IOCs: 0

THREAT ANALYSIS: Beast Ransomware

The Beast Ransomware group, active since 2022, offers a Ransomware-as-a-Service (RaaS) platform with constant updates. It supports Windows, Linux, and ESXi systems, providing affiliates with customizable binary options. Beast employs advanced encryption methods, including Elliptic-curve and ChaCha2…
linux
windows
encryption
esxi
raas
2024-10-19
geofencing
file-targeting
multithreading
beast ransomware
self-propagation
monster
Published: October 19, 2024
Downloadable IOCs: 0

Lynx Ransomware: A Rebranding of INC Ransomware

Lynx ransomware, discovered in July 2024, is a successor to INC ransomware targeting organizations in retail, real estate, architecture, and financial services in the U.S. and UK. It shares significant source code with INC and operates as a ransomware-as-a-service model. Lynx employs double extorti…
linux
ransomware
windows
encryption
data leak
raas
double extortion
2024-10-14
lynx ransomware
inc ransomware
Published: October 14, 2024
Downloadable IOCs: 44

Dark Angels Exposed

The Dark Angels ransomware group, active since April 2022, operates with sophisticated strategies targeting large companies for substantial ransom demands. They focus on stealthy attacks, avoiding outsourcing to third-party brokers. The group uses various ransomware payloads, including Babuk and Re…
ransomware
data exfiltration
babuk
raas
2024-10-08
ragnarlocker
CVE-2023-22069
Published: October 8, 2024
Downloadable IOCs: 0

Threat Brief: Understanding Akira Ransomware

Akira is a prolific ransomware operating since March 2023, targeting multiple industries in North America, the UK, and Australia. It functions as Ransomware as a Service (RaaS) and employs double extortion tactics. Akira has connections to the disbanded Conti group, sharing code similarities and op…
ransomware
lateral movement
conti
akira
raas
2024-10-04
double extortion
defense evasion
CVE-2023-20269
chacha encryption
CVE-2019-6693
credential dumping
CVE-2021-21972
CVE-2022-40684
Published: October 4, 2024
Linked vulnerabilities : CVE-2023-20269, CVE-2021-21972, CVE-2019-6693, CVE-2022-40684
Downloadable IOCs: 3

Mallox ransomware: in-depth analysis and evolution

Mallox is a sophisticated ransomware family that emerged in 2021 and has since evolved into a Ransomware-as-a-Service (RaaS) operation. Initially targeting specific companies, it transitioned to a more generic approach, likely as part of its RaaS model. The malware employs complex encryption scheme…
ransomware
mallox
2024-09-04
raas
remcos rat
Published: September 4, 2024
Downloadable IOCs: 7
Click here to see more Attack Reports