SecuriTricks - ransomware

Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation

Storm-0249, a seasoned initial access broker, has evolved from mass phishing to sophisticated post-exploitation tactics. The group now abuses legitimate Endpoint Detection and Response processes, particularly SentinelOne's SentinelAgentWorker.exe, through DLL sideloading. This allows them to concea…

ransomware

dll sideloading

domain spoofing

initial access broker

Published: December 10, 2025

Downloadable IOCs: 3

Makop ransomware: GuLoader and privilege escalation in attacks against Indian businesses

Makop, a ransomware strain derived from Phobos, is targeting Indian businesses through exposed RDP systems. The attackers employ a diverse toolkit including network scanners, privilege escalation exploits, and AV killers. They have integrated GuLoader, a downloader trojan, to deliver secondary payl…

Published: December 9, 2025

Linked vulnerabilities : CVE-2020-0787, CVE-2025-7771 (CVSS 8.7), CVE-2016-0099, CVE-2020-1066, CVE-2018-8639, CVE-2020-0796, CVE-2019-1388, CVE-2021-41379, CVE-2022-24521, CVE-2017-0213

Downloadable IOCs: 62

Inside Shanya, a packer-as-a-service fueling modern attacks

The Shanya crypter is a new packer-as-a-service offering gaining popularity among ransomware groups. It features advanced capabilities like non-standard module loading, unique stubs for each customer, AMSI bypass, anti-VM measures, and runtime protection. Early samples contained revealing artifacts…

Published: December 7, 2025

Linked vulnerabilities : CVE-2022-26134, CVE-2023-3519, CVE-2022-3236, CVE-2022-30190, CVE-2020-15069, CVE-2018-0798, CVE-2023-40044

Downloadable IOCs: 5

Sharpening the knife: strategic evolution of GOLD BLADE

GOLD BLADE, a threat group previously focused on cyberespionage, has evolved into a hybrid operation combining data theft with selective ransomware deployment. The group has refined its intrusion methods, shifting from traditional phishing to abusing recruitment platforms for delivering weaponized …

recruitment platforms

terminator

zemana driver

Published: December 6, 2025

Downloadable IOCs: 28

Technical Analysis of Matanbuchus 3.0

Matanbuchus, a C++ malicious downloader offered as Malware-as-a-Service since 2020, has evolved to version 3.0. It comprises a downloader and main module, utilizing obfuscation techniques like junk code, encrypted strings, and API hashing. The malware implements anti-analysis features, including an…

Published: December 3, 2025

Downloadable IOCs: 5

License to Encrypt: Make Their Move

'The Gentlemen' ransomware group emerged in July 2025, employing advanced dual-extortion tactics. They encrypt data and exfiltrate sensitive information, threatening to release it unless a ransom is paid. The group developed their own Ransomware-as-a-Service (RaaS) platform after experimenting with…

Published: November 19, 2025

Downloadable IOCs: 0

Cat's Got Your Files: Lynx Ransomware

A threat actor gained initial access to a network via RDP using compromised credentials, likely obtained through an infostealer, data breach, or initial access broker. They quickly moved laterally to a domain controller, created multiple impersonation accounts with high privileges, and installed An…

network reconnaissance

Published: November 17, 2025

Downloadable IOCs: 7

Analysis of Encryption Structure of Yurei Ransomware Go-based Builder

The Yurei ransomware group, first identified in September 2025, employs a typical ransomware operation model targeting corporate networks. Their attacks have affected Sri Lanka and Nigeria, focusing on transportation, IT, marketing, and food industries. The ransomware, developed in Go, uses ChaCha2…

Published: November 14, 2025

Downloadable IOCs: 1

Unleashing the Kraken ransomware group

The Kraken ransomware group, emerging from the remnants of the HelloKitty cartel, has been observed conducting big-game hunting and double extortion attacks. Utilizing SMB vulnerabilities for initial access, they employ tools like Cloudflared for persistence and SSHFS for data exfiltration. Kraken'…

Published: November 13, 2025

Downloadable IOCs: 11

Gootloader Returns: What Goodies Did They Bring?

Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Used by threat actor Storm-0494, it grants access to Vanilla Tempest, which delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses…

wordpress exploitation

zeppelin

supper socks5 backdoor

Published: November 6, 2025

Downloadable IOCs: 136

CLOP RANSOMWARE: DISSECTING NETWORK - THE RAVEN FILE

The report analyzes the network infrastructure used by the Clop ransomware group, focusing on their exploitation of CVE-2025-61882 in Oracle EBS. It identifies 96 IP addresses associated with a specific fingerprint, with Germany, Brazil, and Panama being prominent locations. The analysis reveals si…

Published: November 5, 2025

Downloadable IOCs: 203

The DragonForce Cartel: Scattered Spider at the gate

DragonForce, a ransomware-as-a-service group active since 2023, has rebranded as a cartel and formed alliances with groups like Scattered Spider, LAPSUS$, and ShinyHunters. The group uses Conti-derived code and employs BYOVD attacks to terminate processes. DragonForce has expanded its affiliate pro…

Published: November 5, 2025

Downloadable IOCs: 0

Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates

The Rhysida ransomware gang, formerly known as Vice Society, is conducting an ongoing malicious ad campaign to deliver OysterLoader malware. This initial access tool establishes a foothold on devices for dropping a persistent backdoor. The campaign uses Bing search engine advertisements to direct u…

microsoft trusted signing

oysterloader

Published: November 3, 2025

Downloadable IOCs: 271

A Deep Dive Into Warlock Ransomware Deployed Via ToolShell SharePoint Chained Vulnerabilities

Warlock ransomware, exploiting SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771, represents an advanced threat combining sophisticated encryption methods with targeted defense evasion techniques. The malware employs a multi-stage attack, terminating security services, removing recovery …

Published: October 30, 2025

Downloadable IOCs: 1

Major October 2025 Cyber Attacks Your SOC Can't Ignore

October 2025 saw a surge in sophisticated cyber attacks, including phishing campaigns exploiting Google Careers and ClickUp, abuse of Figma for credential theft, the emergence of LockBit 5.0 targeting ESXi and Linux systems, and the discovery of TyKit, a new phishing kit. Attackers increasingly abu…

Published: October 29, 2025

Downloadable IOCs: 10

Analysis of Trigona Threat Actor's Latest Attack Cases

The Trigona threat actor continues to target MS-SQL servers through brute-force and dictionary attacks, exploiting weak credentials. They use CLR Shell for additional payloads and employ various tools like BCP, Curl, Bitsadmin, and PowerShell to install malware. The attackers utilize remote control…

Published: October 29, 2025

Downloadable IOCs: 5

Uncovering Qilin attack methods exposed through multiple cases

The ransomware group Qilin has been highly active in 2025, publishing over 40 victim cases per month on its leak site. Manufacturing, professional services, and wholesale trade are the most affected sectors. Attackers likely originate from Eastern Europe or Russian-speaking regions. They use tools …

Published: October 27, 2025

Downloadable IOCs: 17

Warlock Ransomware: Old Actor, New Tricks?

The Warlock ransomware, first appearing in June 2025, is linked to a China-based actor with a history dating back to 2019. It gained prominence by exploiting the ToolShell vulnerability in Microsoft SharePoint. The group, known as Storm-2603, uses multiple ransomware payloads and a custom C&C frame…

Published: October 23, 2025

Downloadable IOCs: 0

Blog Anatomy of a Hacktivist Attack: Russian-Aligned Group Targets OT/ICS

Forescout honeypot caught hacktivist activity targeting a decoy water treatment plant in Sept. 2025. A Russian-aligned group, TwoNet, claimed responsibility for the attack. The group logged into the human-machine interface (HMI) for: defacement, process disruption, manipulation, and evasion.

human-machine interface

overflame

modbus

megamedusa

Published: October 10, 2025

Downloadable IOCs: 10

Velociraptor leveraged in ransomware attacks

A ransomware attack involving the use of Velociraptor, an open-source digital forensics tool, has been linked to the threat actor Storm-2603. The attackers deployed Warlock, LockBit, and Babuk ransomware to encrypt virtual machines and servers. They exploited a vulnerability in an outdated version …

Published: October 9, 2025

Linked vulnerabilities : CVE-2025-6264

Downloadable IOCs: 5

The Evolution of Chaos Ransomware: Faster, Smarter, and More Dangerous

Chaos ransomware has evolved with a new C++ variant in 2025, marking a significant shift from its .NET origins. This new version combines destructive encryption, clipboard hijacking for cryptocurrency theft, and speed-focused attack strategies. It employs a sophisticated downloader masquerading as …

Published: October 9, 2025

Downloadable IOCs: 9

The Evolution of Qilin RaaS

Qilin ransomware is used for domain-wide encryption, and a ransom is then demanded for the decryption keys and/or to prevent the publication of the stolen data. Qilin affiliates are recruited from cybercrime forums to use the Qilin RaaS platform, which handles payload generation, the publication of…

Published: October 8, 2025

Downloadable IOCs: 5

YUREI RANSOMWARE: THE DIGITAL GHOST

A sophisticated ransomware family called Yurei has emerged, targeting Windows systems with advanced encryption methods. It rapidly encrypts data using ChaCha20 and ECIES, appends .Yurei to files, and disables recovery options. The malware spreads via SMB shares, removable drives, and credential-bas…

Published: October 4, 2025

Downloadable IOCs: 0

Analysis: AI-powered Ransomware from APT Group

FunkLocker, a ransomware strain developed by the FunkSec APT group, showcases the growing trend of AI-assisted malware creation. The ransomware exhibits inconsistent quality across multiple builds, with some versions incorporating advanced features like anti-VM checks. It aggressively disrupts syst…

Published: October 2, 2025

Downloadable IOCs: 1

Threat Profile: Conti Ransomware Group

Conti, a notorious ransomware operation identified in 2019, quickly gained infamy for its advanced encryption, rapid lateral movement, and double extortion tactics. Operated by the Russia-based Wizard Spider group, Conti evolved from Ryuk ransomware and maintained suspected ties to Russian state in…

critical infrastructure

Published: September 30, 2025

Downloadable IOCs: 2

New LockBit 5.0 Targets Windows, Linux, ESXi

Trend Research analyzed the latest version of LockBit ransomware, LockBit 5.0, which exhibits advanced obfuscation, anti-analysis techniques, and cross-platform capabilities for Windows, Linux, and ESXi systems. The Windows variant uses heavy obfuscation and packing, loading its payload through DLL…

Published: September 29, 2025

Downloadable IOCs: 5

Update on Ongoing Akira Ransomware Campaign

The Akira ransomware campaign targeting SonicWall SSL VPN accounts has intensified since July 2025, with new infrastructure observed as recently as September 20. Threat actors are exploiting previously exfiltrated credentials, including those with OTP MFA, likely related to CVE-2024-40766. The atta…

infrastructure rotation

Published: September 27, 2025

Downloadable IOCs: 0

SystemBC – Bringing the Noise

The SystemBC botnet, composed of over 80 C2s and 1,500 daily victims, primarily targets VPS systems from commercial providers. It creates proxies enabling high volumes of malicious traffic for various criminal threat groups. The network is used by multiple proxy services, including REM Proxy, which…

Published: September 25, 2025

Downloadable IOCs: 158

GUNRA RANSOMWARE: What You Don't Know!

Gunra Ransomware is a double extortion group targeting global victims, excluding the US. They primarily attack Windows systems, recently expanding to Linux. The group uses phishing as their main vector and negotiates through a WhatsApp-themed chat panel. They can encrypt large files quickly using a…

Published: September 24, 2025

Downloadable IOCs: 0

Technical Analysis of Zloader Updates

Recent versions of Zloader, a Zeus-based modular trojan, have introduced significant enhancements to its functionality. These updates include improved obfuscation techniques, anti-analysis strategies, and network communication methods. The malware now supports WebSockets and has modified its DNS tu…

Published: September 22, 2025

Downloadable IOCs: 0

Unmasking Akira: The ransomware tactics you can't afford to ignore

The Akira ransomware group has been targeting UK businesses since 2023, primarily affecting retail, finance, manufacturing, and medical sectors. Their tactics include exploiting SSL VPNs, using double extortion, and focusing on financial gain. Key observations from 2023-2025 include initial access …

Published: September 22, 2025

Downloadable IOCs: 0

CountLoader: New Malware Loader Being Served in 3 Different Versions

A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, Blac…

initial access broker

adaptixc2

2025-09-19

countloader

Published: September 19, 2025

Downloadable IOCs: 27

Warlock operation joins busy ransomware landscape

GOLD SALEM, also known as Warlock Group, has emerged as a significant player in the ransomware landscape since March 2025. The group has compromised networks across North America, Europe, and South America, targeting a range of organizations from small entities to large corporations. GOLD SALEM ope…

sharepoint exploitation

warlock group

Published: September 17, 2025

Linked vulnerabilities : CVE-2024-51324 (CVSS 3.8), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706

Downloadable IOCs: 2

The Dangers of Storing Unencrypted Passwords

A threat actor exploited a SonicWall VPN vulnerability to gain initial access to an organization's network. The attacker discovered plaintext Huntress recovery codes on a user's desktop, allowing them to bypass MFA and access the Huntress portal. They then proceeded to close active incident reports…

Published: September 15, 2025

Downloadable IOCs: 2

Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass

A new ransomware called HybridPetya has been discovered, combining features of Petya and NotPetya with advanced UEFI-based system capabilities. It encrypts the Master File Table on NTFS partitions and can install a malicious EFI application to compromise UEFI systems. One variant exploits CVE-2024-…

Published: September 15, 2025

Linked vulnerabilities : CVE-2024-7433 (CVSS 8.8), CVE-2024-7344 (CVSS 8.2)

Downloadable IOCs: 7

Yurei the New Ransomware Group on the Scene

Yurei, a newly emerged ransomware group, targeted a Sri Lankan food manufacturing company on September 5, 2025. The group employs a double-extortion model, encrypting files and exfiltrating sensitive data. Check Point Research discovered that Yurei's ransomware is based on the open-source Prince-Ra…

Published: September 12, 2025

Downloadable IOCs: 5

CyberVolk Ransomware: Analysis of Double Encryption Structure and Disguised Decryption Logic

The CyberVolk ransomware, emerging in May 2024, targets public institutions and key infrastructures of anti-Russian countries. It uses a double encryption structure with AES-256 GCM and ChaCha20-Poly1305 algorithms. The ransomware excludes certain files and directories from encryption and uses a sy…

Published: September 12, 2025

Downloadable IOCs: 0

Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis

The BlackNevas ransomware group, first appearing in November 2024, has been targeting various industries and critical infrastructure globally, with a focus on the Asia-Pacific region. The group uses AES and RSA encryption, adding the '.-encrypted' extension to affected files. BlackNevas operates in…

Published: September 12, 2025

Downloadable IOCs: 1

Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed

The Gentlemen ransomware group has emerged as a sophisticated threat actor targeting multiple industries across 17 countries, with a focus on the Asia-Pacific region. Their campaign demonstrates advanced capabilities, including the use of custom tools to bypass enterprise endpoint protections, expl…

the gentlemen ransomware

group policy manipulation

enterprise targeting

Published: September 9, 2025

Downloadable IOCs: 0

Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

This intelligence report details a sophisticated cyber intrusion with links to three major ransomware groups: Play, RansomHub, and DragonForce. The attack began with a malicious file impersonating DeskSoft's EarthTime application, which deployed SectopRAT malware. The threat actors used various too…

multi-group affiliation

betruger

multi-group operation

Published: September 8, 2025

Downloadable IOCs: 0

Dire Wolf Ransomware: Threat Combining Data Encryption and Leak Extortion

The DireWolf ransomware group emerged in May 2025, targeting various industries globally. They employ a double extortion technique, encrypting data and threatening leaks. The ransomware uses Curve25519 key exchange and ChaCha20 encryption, generating unique keys for each file. It implements anti-re…

Published: September 3, 2025

Downloadable IOCs: 2

Warning About NightSpire Ransomware Following Cases of Damage in South Korea

NightSpire, a ransomware group active since February 2025, employs an aggressive strategy and specialized infrastructure similar to Ransomware-as-a-Service models. They operate a Dedicated Leak Site, posting victim information and countdown timers for data release. Using highly threatening language…

Published: September 1, 2025

Downloadable IOCs: 2

Interlock Ransomware Targeting Businesses

The Interlock ransomware group has been actively targeting businesses and critical infrastructures in North America and Europe since September 2024. Their ransomware employs AES-256-GCM encryption with RSA-4096 key protection, leveraging the OpenSSL library for efficient file encryption. The malwar…

Published: August 29, 2025

Downloadable IOCs: 0

The First AI-Powered Ransomware & How It Works

PromptLock, a proof-of-concept AI-powered ransomware, leverages Lua scripts generated from hard-coded prompts to perform malicious activities across Windows, Linux, and macOS. Written in Go, it communicates with a locally hosted LLM through the Ollama API. The malware scans the filesystem, identifi…

Published: August 29, 2025

Downloadable IOCs: 0

Link up, lift up, level up

This report emphasizes the importance of community in the cybersecurity profession, reflecting on experiences at Black Hat USA 2025 and DEF CON 33. It highlights the value of these events for learning and networking, but also acknowledges their high costs and potential inaccessibility for many. The…

professional development

CVE-2025-48384

Published: August 28, 2025

Downloadable IOCs: 0

Underground Ransomware Being Distributed Worldwide

The Underground ransomware gang is conducting global attacks against companies across various countries and industries. First identified in July 2023, the group resurfaced in May 2024 with a new Dedicated Leak Site. Their targets include multinational corporations from diverse sectors, with annual …

underground ransomware

striping method

global attacks

Published: August 27, 2025

Downloadable IOCs: 0

Cherry pie, Douglas firs and the last trip of the summer

As summer winds down, a seasoned agent reflects on a journey through Seattle and the Olympic Peninsula, highlighting the importance of digital security during travel. The article provides practical cybersecurity tips for travelers, emphasizing the need to update devices, back up data, avoid public …

state-sponsored threats

data breaches

ps1bot

2025-08-21

network vulnerabilities

cisco devices

CVE-2018-0171

cybersecurity precautions

Published: August 21, 2025

Linked vulnerabilities : CVE-2018-0171

Downloadable IOCs: 0

Tracking GLOBAL GROUP Ransomware from Mamona to Market Scale

A new ransomware actor, GLOBAL GROUP, emerged on the Ramp4u cybercrime forum in June 2025, claiming to offer a fresh Ransomware-as-a-Service (RaaS) platform. However, forensic evidence reveals that GLOBAL is a rebranded continuation of the Mamona RIP and Black Lock ransomware families. The ransomwa…

initial access brokers

Published: August 21, 2025

Linked vulnerabilities : CVE-2024-57727 (CVSS 7.5), CVE-2025-22457 (CVSS 9.0), CVE-2025-32433 (CVSS 10.0), CVE-2025-31324 (CVSS 10.0)

Downloadable IOCs: 6

From SharePoint Vulnerability Exploit to Enterprise Ransomware

The Warlock ransomware group exploited unpatched Microsoft SharePoint servers to gain initial access and deploy ransomware across enterprise environments. The attack chain involved exploiting vulnerabilities, privilege escalation through Group Policy modification, credential theft using Mimikatz, l…

Published: August 20, 2025

Downloadable IOCs: 0

Ransomware incidents in Japan during the first half of 2025

The first half of 2025 saw a 1.4-fold increase in ransomware attacks in Japan compared to the previous year, with 68 confirmed cases. Small and medium-sized enterprises remained the primary targets, with manufacturing being the most affected industry. The ransomware group Qilin emerged as the most …

small-medium-enterprises

Published: August 19, 2025

Downloadable IOCs: 0

Dissecting PipeMagic: Inside the architecture of a modular backdoor framework

PipeMagic is a sophisticated modular backdoor used by the Storm-2460 threat actor, disguised as a legitimate ChatGPT Desktop Application. It employs a highly flexible architecture with multiple linked list structures for payload management, execution, and networking. The malware communicates with i…

Published: August 18, 2025

Linked vulnerabilities : CVE-2025-29824 (CVSS 7.8)

Downloadable IOCs: 4

Threat Actor Profile: Interlock Ransomware

Interlock, a relatively new ransomware group first observed in September 2024, has gained prominence in 2025 as an opportunistic ransomware operator. Unlike traditional Ransomware-as-a-Service models, Interlock operates without affiliates or public advertisements. The group conducts double extortio…

Published: August 15, 2025

Downloadable IOCs: 24

'Blue Locker' Analysis: Ransomware Targeting Oil & Gas Sector in Pakistan

A new ransomware strain called 'Blue Locker' is targeting Pakistan's oil and gas sector, particularly affecting Pakistan Petroleum Limited. The National Cyber Emergency Response Team (NCERT) has issued warnings to 39 key ministries and institutions about this severe threat. The ransomware, which sh…

Published: August 15, 2025

Downloadable IOCs: 0

This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

A sophisticated ransomware campaign has been uncovered, masquerading as a new SAP Ariba tool. The attack uses email lures, sender spoofing, and impersonation of legitimate software vendors to deliver LeeMe Ransomware. The malware employs SAP branding, a fake GUI, and a Portuguese ransom note. It ta…

Published: August 15, 2025

Downloadable IOCs: 0

Kawabunga, Dude, You've Been Ransomed!

A new ransomware variant called KawaLocker (KAWA4096) was recently observed in an attack. The threat actor gained initial access via RDP using a compromised account and employed various tools to disable security measures. HRSword, a monitoring tool, was deployed along with kernel drivers sysdiag.sy…

Published: August 15, 2025

Downloadable IOCs: 5

New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises

A new ransomware family called Charon has been identified, targeting the Middle East's public sector and aviation industry. The attack employs sophisticated APT-style techniques, including DLL sideloading, process injection, and anti-EDR capabilities. Charon uses a multistage payload extraction tec…

Published: August 12, 2025

Downloadable IOCs: 0

650 Attack Tools, One Coordinated Campaign

The GreedyBear attack group has launched a massive crypto theft operation, utilizing 150 weaponized Firefox extensions, nearly 500 malicious executables, and numerous phishing websites. Their tactics include Extension Hollowing to bypass marketplace security, distributing various malware families, …

Published: August 8, 2025

Downloadable IOCs: 111

Observed Malicious Driver Use Associated with Akira SonicWall Campaign

Akira affiliates have been observed exploiting two common drivers as part of a suspected AV/EDR evasion effort following initial access involving SonicWall abuse. The drivers, rwdrv.sys and hlpdrv.sys, are being used to facilitate AV/EDR evasion or disablement through a Bring Your Own Vulnerable Dr…

Published: August 8, 2025

Downloadable IOCs: 2

Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enablin…

initial access broker

traffic distribution system

domain shadowing

hades

Published: August 8, 2025

Downloadable IOCs: 33

Shared secret: EDR killer in the kill chain

This intelligence report analyzes a sophisticated tool designed to disable endpoint security solutions, particularly EDR systems, on infected systems. The tool, known as AVKiller, has been observed in multiple ransomware attacks since 2022. It is heavily protected, targets various security vendors,…

Published: August 7, 2025

Downloadable IOCs: 56

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

A sophisticated cyber attack campaign leveraged SEO poisoning to compromise organizations through trojanized IT management tool installers. The attack began when users searching for ManageEngine OpManager were directed to a malicious website, downloading a compromised MSI file that installed Bumble…

Published: August 7, 2025

Downloadable IOCs: 0

ThrottleStop driver abused to terminate AV processes

A recent incident response case in Brazil revealed a new antivirus (AV) killer software circulating since October 2024. This malware abuses the ThrottleStop.sys driver to terminate numerous antivirus processes, employing a technique known as BYOVD (Bring Your Own Vulnerable Driver). The attack bega…

Published: August 6, 2025

Downloadable IOCs: 0

Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks

Unit 42 has identified significant overlaps between Microsoft's reported ToolShell activity and a threat cluster they track as CL-CRI-1040. This cluster utilizes a tool set called Project AK47, which includes a multi-protocol backdoor, custom ransomware, and loaders. The activity is linked to the e…

Published: August 6, 2025

Linked vulnerabilities : CVE-2024-1182 (CVSS 7.0), CVE-2024-7587 (CVSS 7.8), CVE-2024-8299 (CVSS 7.8), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-53870 (CVSS 3.3), CVE-2025-31324 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706

Downloadable IOCs: 27

Active Exploitation of SonicWall VPNs

A potential zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. The attack chain begins with a breach of the SonicWall appliance, followed by post-exploitation techniques including enumeration, detection evasion, lateral movement, and credential…

Published: August 4, 2025

Downloadable IOCs: 12

Exploring Storm-2603's Previous Ransomware Operations

A focused analysis of Storm-2603, a threat actor linked to recent ToolShell exploitations alongside other Chinese APT groups, reveals their use of a custom malware C2 framework called 'ak47c2'. This framework includes HTTP and DNS-based clients. The group likely targeted organizations in Latin Amer…

Published: August 1, 2025

Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706

Downloadable IOCs: 25

Religious symbols weaponized, group uses Microsoft SharePoint RCE vulnerability to deliver 4L4MD4r ransomware

A serious remote code execution vulnerability in Microsoft SharePoint servers was exploited by hackers, affecting tens of thousands of servers globally. The mimo attack group, a financially motivated threat actor, utilized this vulnerability to deliver the 4L4MD4r ransomware, written in Golang and …

Published: August 1, 2025

Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706

Downloadable IOCs: 2

Unmasking LockBit: A Deep Dive into DLL Sideloading and Masquerading Tactics

This analysis explores the sophisticated tactics employed by LockBit ransomware attackers, focusing on DLL sideloading and masquerading techniques. These methods allow attackers to evade detection and maximize impact. DLL sideloading involves tricking legitimate applications into loading malicious …

Published: August 1, 2025

Downloadable IOCs: 11

Qilin Ransomware and the Hidden Dangers of BYOVD

This analysis examines a recent incident involving Qilin ransomware, highlighting the evolving tactics of cybercriminals to evade Endpoint Detection and Response (EDR) systems. The attackers utilized a previously unknown driver, TPwSav.sys, to disable EDR measures through a technique known as bring…

Published: July 31, 2025

Downloadable IOCs: 7

Gunra Ransomware Group Unveils Efficient Linux Variant

Gunra ransomware, first observed in April 2025, has expanded its capabilities with a new Linux variant. This cross-platform move broadens the group's attack surface and demonstrates their intent to grow beyond their initial scope. The Linux variant features advanced capabilities, including parallel…

Published: July 30, 2025

Downloadable IOCs: 6

Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

A new Epsilon Red ransomware campaign has been discovered targeting users globally through fake ClickFix verification pages. Active since July 2025, the threat actors employ social engineering tactics and impersonate popular platforms like Discord, Twitch, and OnlyFans to trick users into executing…

Published: July 25, 2025

Downloadable IOCs: 5

Gunra Ransomware Emerges with New DLS

A new ransomware group called Gunra has emerged with a Dedicated Leak Site (DLS) in April 2025. Gunra's code shows similarities to the infamous Conti ransomware, suggesting it may be leveraging Conti's leaked source code. The group employs aggressive tactics, including a time-based pressure techniq…

Published: July 24, 2025

Downloadable IOCs: 3

NailaoLocker Ransomware's 'Cheese'

NailaoLocker, a new ransomware variant targeting Windows systems, uses AES-256-CBC encryption and uniquely incorporates SM2 cryptography with hard-coded keys. It employs DLL side-loading for execution and uses I/O Completion Ports for multi-threaded file processing. The ransomware includes both enc…

Published: July 21, 2025

Downloadable IOCs: 3

Getting to the Crux (Ransomware) of the Matter

A new ransomware variant named Crux has been identified, claiming association with the BlackByte group. Observed in three separate incidents, Crux encrypts files with a .crux extension and leaves ransom notes. Initial access appears to involve Remote Desktop Protocol (RDP) using valid credentials. …

Published: July 21, 2025

Downloadable IOCs: 3

From a Teams Call to a Ransomware Threat: Matanbuchus 3.0 MaaS Levels Up

Matanbuchus 3.0, a malware loader available as Malware-as-a-Service, has evolved with significant updates. It now employs sophisticated techniques including improved communication protocols, in-memory stealth capabilities, enhanced obfuscation, and support for WQL queries, CMD, and PowerShell rever…

Published: July 18, 2025

Downloadable IOCs: 11

KAWA4096’s Ransomware Tide: Rising Threat With Borrowed Styles

KAWA4096, a new ransomware that emerged in June 2025, has claimed at least 11 victims, primarily targeting the United States and Japan. The malware features a leak site mimicking the Akira ransomware group's style and a ransom note format similar to Qilin's. KAWA4096 employs multithreading, semapho…

Published: July 18, 2025

Downloadable IOCs: 0

June 2025 Security Issues in Korean & Global Financial Sector

This comprehensive analysis covers cyber threats and security issues affecting financial companies in South Korea and globally. It examines malware and phishing cases targeting the financial sector, including the top 10 malware strains and leaked Korean account statistics on Telegram. The report de…

Published: July 16, 2025

Downloadable IOCs: 0

June 2025 Threat Trend Report on Ransomware

The June 2025 threat analysis reveals an increase in new ransomware samples compared to May. The data is based on detection names from AhnLab and information collected from Dedicated Leak Sites (DLS) of ransomware groups. Statistics cover the past six months, showing the total number of ransomware …

Published: July 16, 2025

Downloadable IOCs: 0

Analysis of Secp0 Ransomware

Secp0 is a ransomware that emerged in early 2025, initially mischaracterized as a vulnerability disclosure extortion group. It operates as a conventional double-extortion ransomware, encrypting data while threatening public disclosure. The malware is an ELF binary targeting Linux systems, using Cha…

Published: July 16, 2025

Downloadable IOCs: 6

A Hybrid Approach with Data Exfiltration and Encryption

The BlackSuit ransomware group, believed to be a rebrand of Royal ransomware, has emerged as a significant threat to organizations. This sophisticated attack combines data exfiltration and encryption, utilizing tools like Cobalt Strike for command and control, rclone for data exfiltration, and Blac…

Published: July 12, 2025

Downloadable IOCs: 0

Patch, track, repeat

The report discusses the current state of vulnerability management, highlighting the increasing number of CVEs published daily and the rise in Known Exploited Vulnerabilities (KEVs). It emphasizes the importance of continuous tracking and patching of vulnerabilities. The report also covers Microsof…

cybersecurity updates

vulnerability management

Published: July 11, 2025

Downloadable IOCs: 3

Pay2Key's Resurgence: Iranian Cyber Warfare Targets the West

Pay2Key, an Iranian-backed ransomware-as-a-service operation, has re-emerged as Pay2Key.I2P, targeting Western organizations. Linked to the Fox Kitten APT group and collaborating with Mimic ransomware, the campaign has collected over $4 million in ransom payments in four months. The group offers an…

Published: July 10, 2025

Downloadable IOCs: 25

BERT Ransomware Group Targets Asia and Europe on Multiple Platforms

A newly emerged ransomware group called BERT has been targeting organizations across Asia and Europe since April. The group employs simple code with effective execution, impacting sectors such as healthcare, technology, and event services. BERT's ransomware operates on both Windows and Linux platfo…

Published: July 7, 2025

Downloadable IOCs: 9

DEVMAN Ransomware: Analysis of New DragonForce Variant

A new ransomware strain resembling DragonForce but with unique traits has emerged, possibly connected to an entity called DEVMAN. The sample reuses DragonForce code but adds its own elements, including the .DEVMAN file extension. Attribution is unclear, as the ransom note is identical to DragonForc…

Published: July 2, 2025

Downloadable IOCs: 2

Dire Wolf Strikes: New Ransomware Group Targeting Global Sectors

A newly emerged ransomware group called Dire Wolf has been observed since May 2025, targeting multiple sectors globally with a focus on manufacturing and technology. The group employs double extortion tactics, encrypting files and threatening to publish stolen data. Analysis of a Dire Wolf ransomwa…

Published: July 2, 2025

Downloadable IOCs: 2

10 Things I Hate About Attribution: RomCom vs. TransferLoader

This report analyzes the activities of two threat actor clusters: TA829 and UNK_GreenSec. TA829 conducts both espionage and cybercrime operations using tools like SingleCamper and DustyHammock. UNK_GreenSec deploys TransferLoader malware leading to ransomware infections. The actors share similariti…

Published: July 1, 2025

Downloadable IOCs: 103

Hide Your RDP: Password Spray Leads to RansomHub Deployment

This report details a cyberattack where threat actors gained initial access through a password spray attack on an exposed RDP server. They used Mimikatz and Nirsoft for credential harvesting, and employed living-off-the-land techniques along with tools like Advanced IP Scanner for network discovery…

Published: June 30, 2025

Downloadable IOCs: 9

BERT RANSOMWARE - THE RAVEN FILE

BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and communicates via the dark web and Sessions for negotiations. Victims span multiple countries, primarily affecting service and manufactu…

Published: June 20, 2025

Downloadable IOCs: 11

May 2025 Security Issues in Korean & Global Financial Sector

This comprehensive analysis covers cyber threats targeting financial companies in Korea and globally. It examines malware and phishing cases, top 10 malware strains, and statistics on leaked Korean accounts. The report delves into major financial threats on the dark web, including credit card data …

Published: June 13, 2025

Downloadable IOCs: 0

Know thyself, know thy environment

This intelligence report emphasizes the importance of understanding one's own environment and personal weaknesses in cybersecurity. It stresses the need for repeatable processes to maintain knowledge of one's environment and advocates for continuous learning to fill skill gaps. The report also high…

ransomware

qilin

critical infrastructure

pathwiper

2025-06-12

patch management

environment knowledge

gps vulnerabilities

self-awareness

vulnerability disclosure

Published: June 12, 2025

Downloadable IOCs: 0

StopRansomware: Play Ransomware

The Play ransomware group has been actively targeting businesses and critical infrastructure across North America, South America, and Europe since June 2022. They gain initial access through exploiting vulnerabilities, using stolen credentials, and leveraging remote access services. The group emplo…

Published: June 5, 2025

Linked vulnerabilities : CVE-2024-57727 (CVSS 7.5), CVE-2022-41082, CVE-2022-41040, CVE-2020-12812, CVE-2018-13379

Downloadable IOCs: 8

Cybercriminals camouflaging threats as AI tool installers

Cybercriminals are exploiting the popularity of AI by distributing malware disguised as AI solution installers. Three threats have been identified: CyberLock ransomware, Lucky_Gh0$t ransomware, and a newly discovered destructive malware called Numero. CyberLock, developed using PowerShell, encrypts…

Published: June 5, 2025

Downloadable IOCs: 20

From Gamer to Malware Developer: Exploring SilverRat and Its Syrian Roots

This analysis delves into the development and capabilities of Silver RAT, a Remote Access Trojan created by a Syrian developer known as 'noradlb1'. The malware, initially observed in November 2023, offers features such as keylogging, UAC bypass, and data encryption. The developer, active on various…

Published: June 4, 2025

Downloadable IOCs: 0

New Nitrogen Ransomware Targets Financial Firms in the US, UK and Canada

Nitrogen, a new ransomware strain identified in September 2024, has become a significant threat to organizations worldwide, particularly in the financial sector. It encrypts critical data and demands substantial payments for decryption, targeting industries such as finance, construction, manufactur…

Published: May 20, 2025

Downloadable IOCs: 2

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware

A threat actor exploited an unpatched Confluence server using CVE-2023-22527, gaining initial access. They used Metasploit for command and control, then installed AnyDesk for persistent remote access. The attacker performed extensive network discovery, attempted privilege escalation using various t…

Published: May 19, 2025

Linked vulnerabilities : CVE-2021-34527, CVE-2020-1472, CVE-2023-22527, CVE-2023-22518

Downloadable IOCs: 33

The Good, the Bad and the Ugly in Cybersecurity – Week 20

This intelligence update covers recent cybersecurity events. In positive developments, global authorities disrupted a major botnet, arrested a ransomware actor, and dismantled a dark web marketplace. On the negative side, a malicious NPM package was discovered hiding multi-stage malware using Unico…

Published: May 16, 2025

Linked vulnerabilities : CVE-2025-27920 (CVSS 9.8)

Downloadable IOCs: 1

Mass Scanning and Exploit Campaigns

Trustwave SpiderLabs has identified ongoing malicious activities originating from Proton66 ASN, including vulnerability scanning, exploit attempts, and phishing campaigns. The investigation revealed connections between Proton66 and bulletproof hosting services advertised on underground forums. Mass…

ransomware

vulnerability exploitation

critical vulnerabilities

mass scanning

underground forums

Published: May 16, 2025

Linked vulnerabilities : CVE-2024-41713 (CVSS 7.5), CVE-2024-10914 (CVSS 8.1), CVE-2024-55591 (CVSS 9.8), CVE-2025-24472 (CVSS 8.1), CVE-2025-0108 (CVSS 9.1)

Downloadable IOCs: 22

Part 2: Compromised WordPress Pages and Malware Campaigns

This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign tar…

Published: May 16, 2025

Downloadable IOCs: 45

Unfiltered look into LockBit’s operations

A breach of LockBit's dark web affiliate panels exposed a rare glimpse into their operations. The leaked data included Bitcoin addresses, admin credentials, and a chat log revealing negotiation tactics and ransom demands. Ransom amounts varied widely, with some victims confused about the demands. T…

ransomware

lockbit

data breach

initial access brokers

Published: May 15, 2025

Downloadable IOCs: 3

Technical Analysis of TransferLoader

TransferLoader is a newly identified malware loader active since February 2025. It comprises multiple components including a downloader, backdoor, and specialized loader. The malware employs various anti-analysis techniques and code obfuscation to hinder reverse engineering. TransferLoader has been…

Published: May 15, 2025

Downloadable IOCs: 7

April 2025 Threat Trend Report on Ransomware

This analysis presents ransomware statistics for April 2025, including new samples collected, affected systems, and targeted companies. The report shows a relative increase in new ransomware samples compared to March. It provides a six-month overview of collected samples and details on companies af…

Published: May 14, 2025

Downloadable IOCs: 5

Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal

The Agenda ransomware group has expanded its capabilities by incorporating SmokeLoader malware and a new loader called NETXLOADER. NETXLOADER is a highly obfuscated .NET-based loader that utilizes advanced techniques to evade detection and complicate analysis. The group has been targeting healthcar…

Published: May 7, 2025

Downloadable IOCs: 8

Malware Analysis Mamona: Technical Analysis of a New Ransomware Strain

Mamona is a newly identified commodity ransomware that operates entirely offline, with no observed Command and Control channels or data exfiltration. It uses custom local encryption routines and employs an obfuscated delay technique involving a ping to 127.0.0.7. The ransomware encrypts user files,…

Published: May 7, 2025

Downloadable IOCs: 0

DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists

The DragonForce ransomware group, initially a pro-Palestine hacktivist operation, has evolved into a profit-driven extortion enterprise targeting UK retailers and various global entities. Emerging in August 2023, the group now employs a multi-extortion model, threatening data leaks and reputational…

dragonforce ransomware

white-label

Published: May 3, 2025

Downloadable IOCs: 0

Nitrogen Dropping Cobalt Strike – A Combination of 'Chemical Elements'

The Nitrogen ransomware group has expanded its operations from North America to Africa and Europe since September 2024. They utilize malvertising tactics, disguising malicious payloads as legitimate software like WinSCP. The group employs DLL sideloading for initial access, followed by Cobalt Strik…

Published: May 2, 2025

Downloadable IOCs: 2

Navigating Through The Fog

An open directory linked to a Fog ransomware affiliate was discovered, containing tools for reconnaissance, exploitation, lateral movement, and persistence. Initial access was gained through compromised SonicWall VPN credentials, while other tools facilitated credential theft and exploitation of Ac…

Published: April 28, 2025

Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2020-1472

Downloadable IOCs: 1

Introducing ToyMaker

The initial access broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence is a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. …

initial access broker

Published: April 23, 2025

Downloadable IOCs: 20

FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE

An investigation of nine malware samples revealed FOG ransomware being distributed by cybercriminals impersonating the Department of Government Efficiency (DOGE). The ransomware, spread via email and phishing attacks, is concealed in a ZIP file named 'Pay Adjustment.zip'. The infection chain involv…

Published: April 21, 2025

Downloadable IOCs: 6

Proton66: Compromised WordPress Pages and Malware Campaigns

This intelligence briefing focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. It details how these sites were injected with malicious scripts to redirect Android users to fake Google Play Store pages. The report also…

Published: April 18, 2025

Downloadable IOCs: 48

Inside BRUTED: Black Basta (RaaS) Used Automated Brute Forcing Framework to Target Edge Network Devices

Black Basta, a ransomware-as-a-service group, has been using an automated brute forcing framework called BRUTED to target edge network devices since 2023. The framework performs internet scanning and credential stuffing against firewalls and VPN solutions in corporate networks. Black Basta prioriti…

Published: April 16, 2025

Downloadable IOCs: 18

Interlock ransomware evolving under the radar

The Interlock ransomware group, active since September 2024, has shown adaptability and innovation in its tactics despite a relatively low victim count. They employ fake browser updates and the ClickFix technique for initial access, followed by a multi-stage attack chain involving PowerShell backdo…

Published: April 16, 2025

Downloadable IOCs: 0

CrazyHunter Campaign Targets Taiwanese Critical Sectors

The CrazyHunter ransomware group has emerged as a significant threat, specifically targeting Taiwanese organizations in healthcare, education, and industrial sectors. The group employs sophisticated techniques, including the Bring Your Own Vulnerable Driver (BYOVD) method, to bypass security measur…

prince ransomware builder

critical sectors

open-source tools

gpo exploitation

Published: April 16, 2025

Downloadable IOCs: 9

HelloKitty Ransomware Resurfaced

The HelloKitty ransomware group, active since late 2020, has resurfaced with new variants in 2024 and potentially 2025. Originally forking from DeathRansom, HelloKitty targets Windows and Linux environments, appending .CRYPTED, .CRYPT, or .KITTY extensions to encrypted files. The group has used mul…

Published: April 15, 2025

Downloadable IOCs: 0

Ransomware Initial Access Brokers Exposed

An investigation into a brute force attack on an exposed Remote Desktop server led to the discovery of a larger ransomware ecosystem, particularly initial access brokers. The attack began with domain enumeration and successful compromise of an account from multiple IP addresses. The threat actor's …

ransomware

credential harvesting

initial access brokers

2025-04-11

hive

domain enumeration

Published: April 11, 2025

Downloadable IOCs: 0

Exploitation of CLFS zero-day leads to ransomware activity

A zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS) has been exploited against targets in IT, real estate, finance, software, and retail sectors across multiple countries. The exploit, deployed by PipeMagic malware and attributed to Storm-2460, enables privilege…

Published: April 9, 2025

Linked vulnerabilities : CVE-2025-24983 (CVSS 7.0), CVE-2025-29814 (CVSS 9.3), CVE-2025-29824 (CVSS 7.8)

Downloadable IOCs: 0

CrazyHunter: The Rising Threat of Open-Source Ransomware

A ransomware attack on Mackay Memorial Hospital in Taiwan highlights the growing use of publicly available offensive tools by threat actors. The CrazyHunter ransomware, built using the Prince Ransomware builder from GitHub, encrypted over 600 devices across two hospital branches. The attack, likely…

Published: April 8, 2025

Downloadable IOCs: 10

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

In January 2025, a Managed Service Provider administrator was targeted by a sophisticated phishing attack impersonating a ScreenConnect authentication alert. The attackers, affiliated with Qilin ransomware and tracked as STAC4365, used an adversary-in-the-middle technique to bypass multi-factor aut…

Published: April 1, 2025

Downloadable IOCs: 0

Fake Zoom Ends in BlackSuit Ransomware

A malicious website mimicking Zoom led to the installation of a trojanized installer, initiating a multi-stage attack. The initial payload, d3f@ckloader, downloaded additional components, including SectopRAT. After nine days, the threat actor deployed Brute Ratel and Cobalt Strike beacons for later…

Published: March 31, 2025

Downloadable IOCs: 0

Money Laundering 101, and why there is concern

This newsletter discusses the process of money laundering in the context of cybercrime, particularly ransomware attacks. It explains the three basic steps of money laundering: placement, layering, and integration. The author expresses concern about regulatory changes that might facilitate easier mo…

coinminer:mbt.26mw.in14.talos

2025-03-28

trojan.generickd.33515991

money laundering

simple_custom_detection

regulatory changes

Published: March 28, 2025

Downloadable IOCs: 0

Shifting the sands of RansomHub's EDRKillShifter

ESET researchers analyze the ransomware ecosystem in 2024, focusing on the newly emerged RansomHub gang. They uncover connections between RansomHub affiliates and rival gangs Play, Medusa, and BianLian through the use of EDRKillShifter, a custom EDR killer developed by RansomHub. The researchers le…

Published: March 27, 2025

Downloadable IOCs: 0

Albabat Ransomware Group Potentially Expands Targets to Multiple OS Uses GitHub to Streamline Operations

The Albabat ransomware group has evolved its malware to target Windows, Linux, and macOS devices, as evidenced by new versions 2.0.0 and 2.5. The group is using GitHub to streamline operations, storing configuration files and essential components. The ransomware ignores specific folders, encrypts c…

Published: March 21, 2025

Downloadable IOCs: 2

Shedding light on the ABYSSWORKER driver

The ABYSSWORKER driver is a malicious tool used in conjunction with MEDUSA ransomware to disable anti-malware systems. It employs a HEARTCRYPT-packed loader and a revoked certificate-signed driver to target and silence EDR vendors. The driver imitates a legitimate CrowdStrike Falcon driver and uses…

Published: March 20, 2025

Downloadable IOCs: 2

Dragon RaaS | Pro-Russian Hacktivist Group Aims to Build on "The Five Families" Cybercrime Reputation

Dragon RaaS is a ransomware group that emerged in July 2024 as an offshoot of Stormous, part of a larger cybercrime syndicate known as 'The Five Families'. The group markets itself as a sophisticated Ransomware-as-a-Service operation but often conducts defacements and opportunistic attacks rather t…

vulnerability exploitation

Published: March 19, 2025

Downloadable IOCs: 0

New Ransomware Operator Exploits Fortinet Vulnerability Duo

A new ransomware operator, dubbed Mora_001, has been exploiting Fortinet firewall vulnerabilities CVE-2024-55591 and CVE-2025-24472 to gain unauthorized access and deploy a modified version of LockBit ransomware. The threat actor creates persistent admin accounts, exfiltrates firewall configuration…

Published: March 14, 2025

Downloadable IOCs: 23

SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware

SocGholish, a malware-as-a-service framework, is being used to deploy RansomHub ransomware. It compromises legitimate websites, redirecting visitors to fake browser updates that deliver malicious payloads. The highly obfuscated JavaScript loader evades detection and executes various tasks, includin…

Published: March 14, 2025

Downloadable IOCs: 0

Head Mare and Twelve: Joint attacks on Russian entities

Head Mare and Twelve, two hacktivist groups, have launched joint attacks on Russian companies. Head Mare has expanded its toolkit, now using tools previously associated only with Twelve, such as the CobInt backdoor. The attackers gained initial access through phishing emails and compromised contrac…

infrastructure sharing

2025-03-13

phantomjitter

Published: March 13, 2025

Downloadable IOCs: 0

Camera off: Akira deploys ransomware via webcam

Akira, a prominent ransomware group, accounted for 15% of incidents in 2024, showcasing novel evasion techniques. In a recent attack, Akira circumvented an Endpoint Detection and Response (EDR) tool by compromising an unsecured webcam to deploy ransomware. After initial detection, the group pivoted…

Published: March 11, 2025

Downloadable IOCs: 0

Medusa Ransomware Activity Continues to Increase

Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024.

Published: March 6, 2025

Downloadable IOCs: 45

Deep Dive Into Allegedly AI-Generated FunkSec Ransomware

A new Rust-based ransomware called FunkSec has emerged, claiming to use artificial intelligence in its development. First appearing in 2024, it demonstrates a mix of sophisticated capabilities and developmental inconsistencies. FunkSec implements advanced features like XChaCha20 encryption and comp…

Published: March 4, 2025

Downloadable IOCs: 1

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. Th…

onedrive exploitation

Published: March 3, 2025

Downloadable IOCs: 0

DragonForce Ransomware Group is Targeting Saudi Arabia

DragonForce ransomware has targeted organizations in Saudi Arabia, with a significant data leak from a Riyadh real estate and construction company. The group exfiltrated over 6 TB of data, setting a deadline just before Ramadan. DragonForce operates on a RaaS model, offering high commission rates f…

Published: February 27, 2025

Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2024-21412, CVE-2024-21893

Downloadable IOCs: 17

Confluence Exploit Leads to LockBit Ransomware

An intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, leading to LockBit ransomware deployment across the environment. The threat actor utilized various tools including Mimikatz, Metasploit, and AnyDesk. They leveraged RDP for lateral movement and deplo…

Published: February 24, 2025

Linked vulnerabilities : CVE-2017-0199, CVE-2023-22515, CVE-2023-22527, CVE-2023-22518

Downloadable IOCs: 15

Finance Report: Who Targets Financial Institutions?

This report provides an overview of key cybercrime and state-sponsored threat actors targeting the financial sector in 2024. It highlights the critical role of Initial Access Brokers in enabling large-scale attacks, the persistent threat of ransomware and extortion groups, and the increasing sophis…

initial access brokers

jsoutprox

tradertraitor

golddigger

state-sponsored threats

Published: February 20, 2025

Downloadable IOCs: 0

Updated Shadowpad Malware Leads to Ransomware Deployment

A recent investigation revealed Shadowpad malware being used to deploy a new ransomware family in Europe. The threat actor targeted 21 companies across 15 countries, primarily in the manufacturing sector. Access was gained through remote network attacks, exploiting weak passwords and bypassing mult…

multi-factor authentication bypass

remote network attacks

intellectual property theft

cqhashdumpv2

Published: February 20, 2025

Downloadable IOCs: 0

Vgod RANSOMWARE

A new ransomware strain called Vgod has been observed targeting Windows systems. It encrypts files, appending the '.Vgod' extension, and leaves a ransom note titled 'Decryption Instructions.txt'. The ransomware changes the desktop wallpaper and employs a double extortion model, threatening data exp…

Published: February 18, 2025

Downloadable IOCs: 1

Ransomware Roundup – Lynx

The Lynx ransomware, first detected in July 2024, is a Windows-targeting malware that encrypts files and demands ransom for decryption. It shares similarities with the INC ransomware but offers more granular control. Lynx encrypts files with a .LYNX extension, changes desktop backgrounds, and print…

Published: February 17, 2025

Downloadable IOCs: 9

CL0P Ransomware: Latest Attacks

The Cl0p ransomware group has recently targeted 43 organizations across various industries, with a focus on Manufacturing, Retail, and Transportation sectors. The majority of victims are located in the US, Canada, and Europe. The attackers likely exploited the Cleo vulnerability (CVE-2024-50623) fo…

Published: February 12, 2025

Linked vulnerabilities : CVE-2024-50623 (CVSS 8.8)

Downloadable IOCs: 6

XELERA Ransomware Campaign: Fake Food Corporation of India Job Offers Targeting Tech Aspirants

A newly discovered ransomware campaign is targeting tech job aspirants in India using fake Food Corporation of India job offers. The XELERA ransomware, written in Python and packed with PyInstaller, is distributed through spear-phishing emails containing malicious Word documents. The infection chai…

Published: February 12, 2025

Downloadable IOCs: 4

The Anatomy of Abyss Locker Ransomware Attack

Abyss Locker (AKA Abyss ransomware) is a relatively new threat group that emerged in 2023, specializing in swift and decisive intrusions designed to cripple victims with ransomware. Abyss Locker was active throughout 2024, causing multiple incidents investigated by Sygnia. However, no recent techni…

Published: February 10, 2025

Downloadable IOCs: 15

Hackers Hijack JFK File Release: Malware & Phishing Surge

A potentially growing cyber threat campaign has been uncovered surrounding the release of declassified JFK, RFK, and MLK files. Attackers are exploiting public interest in these historical documents to launch malware campaigns, phishing schemes, and exploit attempts. Within days of the announcement…

Published: February 3, 2025

Downloadable IOCs: 4

Exposed SMB: The Hidden Risk Behind 'WantToCry' Ransomware Attacks

The WantToCry ransomware group, active since December 2023, has intensified its operations in 2024 by exploiting misconfigured Server Message Block (SMB) services. The group targets multiple network services, including SMB, SSH, FTP, RPC, and VNC, using brute-force attacks with a database of over o…

Published: January 31, 2025

Downloadable IOCs: 2

Phorpiex - Downloader Delivering Ransomware

The report analyzes the Phorpiex botnet's role in delivering LockBit Black Ransomware. It highlights the automated execution of ransomware through Phorpiex, minimal changes to the botnet's code since its source code sale in 2021, and direct deployment of LockBit without network expansion. The analy…

Published: January 29, 2025

Downloadable IOCs: 14

WINDOWS LOCKER RANSOMWARE

A new ransomware strain called 'Windows Locker' has been identified, targeting victims by encrypting files and appending the .winlocker extension. Upon infection, it drops a ransom note named Readme.txt with instructions for contacting the attacker. Written in .NET, this sophisticated malware modif…

ransomware

2025-01-29

windows locker

Published: January 29, 2025

Downloadable IOCs: 3

Windows Locker Ransomware Analysis

A new ransomware strain called 'Windows Locker' has been identified, targeting victims by encrypting files and appending the .winlocker extension. Upon infection, it drops a ransom note named Readme.txt with instructions for contacting the attacker. Written in .NET, this sophisticated malware modif…

ransomware

2025-01-29

windows locker

Published: January 29, 2025

Downloadable IOCs: 0

Analysis of Interlock Ransomware Attack on Healthcare Facilities

The Interlock ransomware group has been actively targeting healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data. The attacks involve drive-by compromise techniques, using fake software updaters to deploy malware. The group employs double-ex…

Published: January 28, 2025

Downloadable IOCs: 0

From Royal to BlackSuit: How a Ransomware Rebrand Reshaped Them

This intelligence report analyzes the evolution of the Russian-speaking ransomware group Royal as it rebranded to BlackSuit. The transition involved a shift from prioritizing data exfiltration to focusing more on encryption. The group's journey from 2022 to 2025 is detailed, including their tactics…

Published: January 27, 2025

Downloadable IOCs: 8

Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware

This report details an intrusion that began with the execution of a Cobalt Strike beacon masquerading as a Windows Media Configuration Utility. The threat actor used various tools for persistence, lateral movement, and data exfiltration, including SystemBC and GhostSOCKS proxies, Rclone, and PsExec…

Published: January 27, 2025

Downloadable IOCs: 21

Two Brands, One Payload as Ransomware Affiliates Drop Identical Code

Recent months have seen increased activity in new ransomware operations, including HellCat and Morpheus. Analysis of payloads from both operations reveals that affiliates are using almost identical code. The ransomware samples, uploaded to VirusTotal in December 2024, share similarities in behavior…

Published: January 23, 2025

Downloadable IOCs: 2

Protecting Against the Exploited CVEs in the Cleo Data Theft Attacks

The Clop ransomware group has exploited critical vulnerabilities in Cleo's managed file transfer software, specifically CVE-2024-50623 and CVE-2024-55956. These vulnerabilities allow unrestricted file upload/download and execution of arbitrary commands. Imperva has observed over 1 million exploitat…

Published: January 22, 2025

Downloadable IOCs: 2

Zyxel vulnerability exploited by 'Helldown' ransomware group

The article details a cybersecurity incident where the "Helldown" ransomware group exploited a vulnerability in Zyxel firewall devices. The attackers gained administrator access to the firewall console, collected domain credentials, and compromised the infrastructure. They used VPN services to mask…

Published: January 22, 2025

Downloadable IOCs: 0

Two ransomware campaigns tracked using 'email bombing' and Microsoft Teams 'vishing'

Sophos MDR has identified two threat clusters, STAC5143 and STAC5777, targeting organizations using Microsoft Office 365. Both employ similar tactics: email bombing to create urgency, followed by social engineering via Microsoft Teams calls posing as tech support. The attackers use remote access to…

Published: January 22, 2025

Downloadable IOCs: 17

Two ransomware campaigns tracked using 'email bombing,' Microsoft Teams 'vishing'

Sophos MDR has identified two threat clusters, STAC5143 and STAC5777, utilizing Microsoft Office 365 to gain unauthorized access to organizations. Both groups employ email bombing and fake tech support social engineering via Microsoft Teams to deliver malware. STAC5143 uses Java and Python-based to…

Published: January 21, 2025

Downloadable IOCs: 15

Play Ransomware impersonates SentinelOne for stealth recon

A Play ransomware attack involving a reconnaissance tool called Grixba was detected and prevented. The attack began with the deployment of Grixba via RDP to a Windows server. The Grixba file was disguised as legitimate SentinelOne software, a new tactic for the group. Grixba is an obfuscated .NET-b…

sentinelone impersonation

xor encryption

Published: January 17, 2025

Downloadable IOCs: 4

RansomHub Affiliate leverages Python-based backdoor

A threat actor utilized a Python-based backdoor to maintain access to compromised endpoints, later deploying RansomHub encryptors across the impacted network. The malware, an updated version of a previously documented backdoor, features obfuscation, deployment via RDP, and unique indicators of comp…

Published: January 16, 2025

Downloadable IOCs: 6

FunkSec – Alleged Top Ransomware Group Powered by AI

FunkSec, an emerging ransomware group, gained prominence in late 2024 with over 85 claimed victims in December. The group's activities blend hacktivism and cybercrime, using AI-assisted malware development to quickly produce advanced tools despite apparent inexperience. FunkSec offers custom ransom…

Published: January 10, 2025

Downloadable IOCs: 9

December 2024 Threat Trend Report on Ransomware

This analysis provides statistics on new ransomware samples, targeted systems, and affected companies in November 2024. The number of new samples in December remained consistent with November's figures. The data is based on AhnLab's detection names and information from ransomware groups' Dedicated …

ransomware

2025-01-09

funksec

Published: January 9, 2025

Downloadable IOCs: 0

NotLockBit: A Deep Dive Into the New Ransomware Threat

NotLockBit is an emerging ransomware family that mimics LockBit's behavior while targeting both macOS and Windows systems. Distributed as an x86_64 golang binary, it showcases advanced capabilities including targeted file encryption, data exfiltration, and self-deletion mechanisms. The malware gath…

Published: December 19, 2024

Downloadable IOCs: 5

Hacktivists attack Russian organizations using rare RATs

The Cyber Anarchy Squad (C.A.S) is a hacktivist group targeting Russian and Belarusian organizations since 2022. They exploit vulnerabilities in public services and use free tools to inflict maximum damage. The group employs rare remote access Trojans like Revenge RAT and Spark RAT, alongside commo…

Published: December 18, 2024

Downloadable IOCs: 0

Brain Cipher Ransomware uses CVE-2023-28252

Brain Cipher ransomware is suspected of exploiting CVE-2023-28252, a vulnerability previously utilized by the now-inactive Nokowaya Ransomware Group. The exploit, often disguised as 'clfs_eop.exe', targets the Microsoft Windows CLFS Driver for privilege escalation. This vulnerability is being sold …

Published: December 17, 2024

Downloadable IOCs: 2

Intensifies Attacks On Russia With PhantomCore

The Head Mare hacktivist group has escalated its campaign against Russian targets using the PhantomCore backdoor. The group employs deceptive ZIP archives containing malicious LNK files and executables disguised as archive files to deploy PhantomCore. This C++-compiled backdoor, which replaces earl…

Published: December 11, 2024

Linked vulnerabilities : CVE-2023-38831

Downloadable IOCs: 31

Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware

A resurgence of activity related to the Black Basta ransomware campaign has been observed since early October. The threat actors have refined their tactics, introducing new malware payloads, improved delivery methods, and enhanced defense evasion techniques. The attacks begin with email bombing of …

Published: December 9, 2024

Downloadable IOCs: 72

A Technical Look At The New 'Termite' Ransomware That Hit Blue Yonder

The Termite ransomware, a rebranded version of Babuk, recently targeted supply chain management platform Blue Yonder. This new strain employs advanced tactics, including double extortion, to maximize its impact. Upon execution, it terminates services, deletes shadow copies, empties the recycle bin,…

Published: December 7, 2024

Downloadable IOCs: 0

Inside Akira Ransomware's Rust Experiment

Check Point Research analyzed the Rust version of Akira ransomware that targeted ESXi servers in early 2024. The malware's complex assembly is attributed to Rust idioms, boilerplate code, and compiler strategies. The analysis reveals the ransomware's use of the seahorse CLI framework, indicatif lib…

Published: December 3, 2024

Downloadable IOCs: 0

Howling Scorpius (Akira Ransomware)

Howling Scorpius, the entity behind Akira ransomware-as-a-service, has become one of the top five most active ransomware groups since emerging in early 2023. They target small to medium-sized businesses across various sectors in North America, Europe, and Australia using a double extortion strategy…

Published: December 3, 2024

Linked vulnerabilities : CVE-2024-0012 (CVSS 9.8), CVE-2024-9474 (CVSS 7.2), CVE-2023-20269, CVE-2020-3259

Downloadable IOCs: 44

Ransomware Roundup - Interlock

The Interlock ransomware is a new variant targeting Microsoft Windows and FreeBSD systems. It encrypts files and demands ransom for decryption. The malware has both Windows and FreeBSD versions, using AES-CBC encryption and adding a '.interlock' extension to encrypted files. It excludes certain fil…

Published: December 3, 2024

Downloadable IOCs: 5

Threat Assessment: Distributors of BlackSuit Ransomware

Ignoble Scorpius, previously known as Royal ransomware, has rebranded as BlackSuit ransomware and increased its activity since March 2024. The group has targeted at least 93 victims globally, with a focus on the construction and manufacturing industries. Their initial ransom demands average 1.6% of…

Published: November 20, 2024

Downloadable IOCs: 2

Helldown Ransomware: an overview of this emerging threat

Helldown is a new and highly active ransomware group that has claimed 31 victims in three months. It employs custom ransomware for Windows and Linux systems, engages in double extortion, and exploits vulnerabilities in Zyxel firewalls for initial access. The group exfiltrates large volumes of data,…

Published: November 20, 2024

Downloadable IOCs: 0

New Ymir ransomware discovered used together with RustyStealer | Securelist

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…

Published: November 11, 2024

Downloadable IOCs: 12

New Ymir ransomware discovered used together with RustyStealer

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…

Published: November 11, 2024

Downloadable IOCs: 0

Unwrapping the emerging Interlock ransomware attack

A new ransomware group called Interlock has emerged, targeting various sectors with big-game hunting and double extortion attacks. The group uses a sophisticated delivery chain including a RAT disguised as a browser updater, PowerShell scripts, credential stealers, and keyloggers. They primarily mo…

Published: November 7, 2024

Downloadable IOCs: 2

LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus

LUNAR SPIDER, a Russian-speaking financially motivated threat group, has resumed operations following law enforcement disruptions. They've shifted from using IcedID to leveraging Latrodectus and Brute Ratel C4 malware, targeting financial services through SEO poisoning malvertising campaigns. The g…

infrastructure sharing

Published: October 31, 2024

Downloadable IOCs: 0

Chinese Hackers Toolkit Uncovered And Activity History Uncovered

A Chinese hacking group called 'You Dun' was discovered through an exposed open directory, revealing their comprehensive attack infrastructure. The group utilized sophisticated reconnaissance tools and exploited Zhiyuan OA software via SQL injection attacks, targeting South Korean pharmaceutical or…

Published: October 28, 2024

Linked vulnerabilities : CVE-2021-25003

Downloadable IOCs: 7

Inside the Open Directory of the “You Dun” Threat Group

An open directory exposed a Chinese-speaking threat actor's toolkit and operational history. The actor conducted extensive scanning and exploitation targeting organizations in South Korea, China, Thailand, Taiwan, and Iran using tools like WebLogicScan, Vulmap, and Xray. The Viper C2 framework and …

weblogic exploitation

viper c2

chinese threat actor

Published: October 28, 2024

Downloadable IOCs: 3

The Good, the Bad and the Ugly in Cybersecurity - Week 43

CISA proposes new security measures to protect sensitive data from adversary nations, following President Biden's Executive Order. A free file recovery tool for early Mallox ransomware victims is released. A novel macOS ransomware, macOS.NotLockBit, is discovered abusing AWS S3 for data exfiltratio…

Published: October 25, 2024

Downloadable IOCs: 0

Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN

Since early August, there has been a significant increase in Fog and Akira ransomware intrusions targeting SonicWall SSL VPN users across various industries. The attacks appear opportunistic rather than targeting specific sectors. All affected devices lacked patches for CVE-2024-40766. Initial acce…

Published: October 24, 2024

Linked vulnerabilities : CVE-2024-40766 (CVSS 9.8)

Downloadable IOCs: 16

Embargo ransomware: Rock'n'Rust

ESET researchers have uncovered new Rust-based tools used by the Embargo ransomware group. The toolkit includes MDeployer, a loader that deploys MS4Killer and Embargo ransomware, and MS4Killer, an EDR killer that exploits a vulnerable driver. Embargo, first observed in June 2024, is a relatively ne…

Published: October 23, 2024

Downloadable IOCs: 0

New wave of Bumblebee malware attacks warned

Security researchers have detected new attacks involving the Bumblebee malware loader, just four months after Europol disrupted its operations in Operation Endgame. The malware has resurfaced with updated tactics, using MSI files disguised as legitimate software installers to deliver its payload di…

Published: October 22, 2024

Downloadable IOCs: 9

Akira ransomware continues to evolve

Akira ransomware has established itself as a prominent threat, constantly evolving its tactics. Initially employing double-extortion, it shifted focus to data exfiltration in early 2024. The group developed a Rust variant of their ESXi encryptor, moving away from C++. Recently, Akira has returned t…

vulnerability exploitation

Published: October 22, 2024

Linked vulnerabilities : CVE-2024-37085 (CVSS 6.8), CVE-2024-40766 (CVSS 9.8), CVE-2024-40711 (CVSS 9.8), CVE-2023-27532, CVE-2023-20269, CVE-2020-3259, CVE-2023-48788, CVE-2023-20263

Downloadable IOCs: 37

Fog Ransomware – Technical Analysis

A new ransomware called Fog has been identified, affecting education and recreation centers in the United States. The threat actors gain access through compromised VPN credentials, disable Windows Defender, and deploy the ransomware. Fog is a 32-bit EXE file compiled using Microsoft Visual C/C++. I…

Published: October 21, 2024

Downloadable IOCs: 1

Analyzing the familiar tools used by the Crypt Ghouls hacktivists

The Crypt Ghouls group is targeting Russian businesses and government agencies with ransomware attacks. They utilize a toolkit including utilities like Mimikatz, XenAllPasswordPro, PingCastle, and others. The group employs LockBit 3.0 and Babuk ransomware as final payloads. Initial access is often …

credential harvesting

Published: October 18, 2024

Downloadable IOCs: 1

Infiltrating the Cicada3301 Ransomware-as-a-Service Group

This analysis provides an in-depth look into the operations of the Cicada3301 Ransomware-as-a-Service (RaaS) group. It details the workflow of their affiliates within the panel and examines the multi-platform capabilities of their ransomware, encompassing Windows, Linux, ESXi, and even uncommon arc…

Published: October 18, 2024

Downloadable IOCs: 5

Fake LockBit Real Damage Ransomware Samples Abuse AWS S3 to Steal Data

This report discusses malicious Golang ransomware samples that exploit Amazon S3's Transfer Acceleration feature to exfiltrate victims' data and upload it to attacker-controlled S3 buckets. The samples contained hard-coded AWS credentials linked to compromised accounts, allowing the researchers to …

Published: October 17, 2024

Downloadable IOCs: 39

Lynx Ransomware: A Rebranding of INC Ransomware

Lynx ransomware, discovered in July 2024, is a successor to INC ransomware targeting organizations in retail, real estate, architecture, and financial services in the U.S. and UK. It shares significant source code with INC and operates as a ransomware-as-a-service model. Lynx employs double extorti…

Published: October 14, 2024

Downloadable IOCs: 44

Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration

The United States has experienced a significant increase in cyber attacks from June to October 2024, with over 800 organizations affected by ransomware across various sectors. Play, RansomHub, Lockbit, Qilin, and Meow have emerged as the most active ransomware groups. Notable incidents include the …

critical infrastructure

united states

Published: October 10, 2024

Downloadable IOCs: 0

Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis

Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…

Published: October 10, 2024

Downloadable IOCs: 106

Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines

Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.

Published: October 9, 2024

Downloadable IOCs: 18

Dark Angels Exposed

The Dark Angels ransomware group, active since April 2022, operates with sophisticated strategies targeting large companies for substantial ransom demands. They focus on stealthy attacks, avoiding outsourcing to third-party brokers. The group uses various ransomware payloads, including Babuk and Re…

Published: October 8, 2024

Downloadable IOCs: 0

Threat actor believed to be spreading new MedusaLocker variant since 2022

A financially motivated threat actor has been active since 2022, delivering a MedusaLocker ransomware variant called 'BabyLockerKZ'. The group targets organizations worldwide, with a focus shift from EU countries to South American countries in mid-2023. The actor uses a combination of publicly know…

financially motivated

2024-10-04

babylockerkz

medusalocker

Published: October 4, 2024

Downloadable IOCs: 11

Threat Brief: Understanding Akira Ransomware

Akira is a prolific ransomware operating since March 2023, targeting multiple industries in North America, the UK, and Australia. It functions as Ransomware as a Service (RaaS) and employs double extortion tactics. Akira has connections to the disbanded Conti group, sharing code similarities and op…

Published: October 4, 2024

Linked vulnerabilities : CVE-2023-20269, CVE-2021-21972, CVE-2019-6693, CVE-2022-40684

Downloadable IOCs: 3

Key Group uses leaked builders of ransomware and wipers

Key Group, also known as keygroup777, is a financially motivated ransomware group primarily targeting Russian users. The group has been active since 2022, using various leaked ransomware builders and wipers, including Xorist, Chaos, Annabelle, Slam, RuRansom, UX-Cryptor, Hakuna Matata, and Judge/No…

Published: October 2, 2024

Downloadable IOCs: 24

Key Group: another ransomware group using leaked builders

Key Group is a financially motivated ransomware group primarily targeting Russian users. They use various leaked ransomware builders including Chaos, Xorist, Annabelle, Slam, RuRansom, UX-Cryptor, Hakuna Matata, and Judge/NoCry. The group's activity has been tracked since April 2022, with their tac…

financially motivated

Published: October 1, 2024

Downloadable IOCs: 0

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

A BlackCat ransomware intrusion began with a Nitrogen malware campaign impersonating Advanced IP Scanner. The attackers used Sliver and Cobalt Strike beacons for post-exploitation, leveraging Python scripts for memory loading. They performed network enumeration using various tools and moved lateral…

credential harvesting

Published: October 1, 2024

Downloadable IOCs: 45

Aiming at domestic government and enterprises! Deeply revealed ransomware operator Rast gang

A new ransomware threat, dubbed Rast, has emerged targeting Chinese government and enterprises since December 2023. Written in Rust, Rast has infected over 6,800 terminals, successfully encrypting more than 5,700. The Rast gang, named after the ransomware, operates primarily between 20:00 and 05:00…

Published: September 30, 2024

Downloadable IOCs: 21

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …

Published: September 30, 2024

Linked vulnerabilities : CVE-2023-4966, CVE-2023-38203, CVE-2023-29300, CVE-2022-47966

Downloadable IOCs: 14

Analysis of the BlackJack group: techniques, tools, and similarities with Twelve

The report examines the BlackJack hacktivist group targeting Russian organizations, focusing on their tools, techniques, and connections to the Twelve group. BlackJack employs freely available software like the Shamoon wiper and LockBit ransomware. Significant overlaps with Twelve include similar m…

Published: September 25, 2024

Downloadable IOCs: 1

Black Basta Ransomware: What You Need to Know

Black Basta is a ransomware-as-a-service group that emerged in April 2022, known for double extortion tactics. They target organizations globally, particularly in North America, Europe, and Australia, affecting over 500 entities across various industries. Initial access is gained through phishing, …

ransomware

black basta

2024-09-20

Published: September 20, 2024

Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2024-1709, CVE-2021-34527, CVE-2020-1472, CVE-2024-26169

Downloadable IOCs: 82

Medusa Ransomware: A Growing Threat with a Bold Online Presence

Medusa is a prominent ransomware group that emerged in 2023, targeting sectors such as healthcare, manufacturing, and education across multiple countries. Unlike typical ransomware operators, Medusa maintains a presence on both the dark web and surface web, including social media platforms. The gro…

Published: September 18, 2024

Linked vulnerabilities : CVE-2023-48788

Downloadable IOCs: 11

ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

ShrinkLocker is a new ransomware strain that exploits Windows BitLocker to encrypt targeted data. Unlike typical ransomware, it abuses this legitimate feature to create a secure boot partition, locking users out unless a ransom is paid. The malware performs system checks, modifies registry entries,…

Published: September 17, 2024

Downloadable IOCs: 2

New RansomHub attack uses TDSKiller and LaZagne, disables EDR

A recent analysis by the ThreatDown MDR team has uncovered a novel attack method employed by the RansomHub ransomware gang. The attackers are utilizing two tools: TDSSKiller, a legitimate Kaspersky rootkit removal utility, to disable endpoint detection and response (EDR) systems, and LaZagne, a cre…

ransomware

credential harvesting

Published: September 11, 2024

Downloadable IOCs: 2

Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries

The Scattered Spider cybercriminal group is targeting cloud infrastructures in the insurance and financial sectors using advanced techniques. They exploit leaked authentication tokens, conduct phishing and smishing campaigns, and leverage SIM swapping to bypass multi-factor authentication. The grou…

Published: September 11, 2024

Downloadable IOCs: 12

Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware

Repellent Scorpius is a new ransomware-as-a-service group distributing Cicada3301 ransomware. It emerged in May 2024 and employs double extortion tactics involving data theft. The report covers a technical analysis of the Cicada3301 ransomware, the group's tactics, connections to historical inciden…

Published: September 11, 2024

Linked vulnerabilities : CVE-2024-1709, CVE-2024-1708

Downloadable IOCs: 8

Mallox ransomware: in-depth analysis and evolution

Mallox is a sophisticated ransomware family that emerged in 2021 and has since evolved into a Ransomware-as-a-Service (RaaS) operation. Initially targeting specific companies, it transitioned to a more generic approach, likely as part of its RaaS model. The malware employs complex encryption scheme…

Published: September 4, 2024

Downloadable IOCs: 7

Head Mare: adventures of a unicorn in Russia and Belarus

Head Mare is a hacktivist group targeting companies in Russia and Belarus since 2023. They use phishing campaigns exploiting the CVE-2023-38831 vulnerability in WinRAR for initial access. Their toolkit includes custom malware like PhantomDL and PhantomCore, as well as publicly available tools like …

Published: September 2, 2024

Linked vulnerabilities : CVE-2023-38831

Downloadable IOCs: 52

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

This advisory outlines the activities of an Iran-based cyber threat group that has conducted numerous intrusions against organizations in the United States and other countries since 2017, with the goal of obtaining network access to facilitate ransomware attacks. The group, known by various names s…

Published: August 28, 2024

Downloadable IOCs: 33

BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks

The BlackByte ransomware group continues leveraging established tactics and vulnerable drivers to bypass security controls, while also incorporating newly disclosed vulnerabilities and using stolen credentials for propagation. A new iteration of their encryptor appends the 'blackbytent_h' extension…

Published: August 28, 2024

Downloadable IOCs: 4

BlackSuit Ransomware

The report meticulously chronicles a sophisticated intrusion which began in December 2023 and culminated in the deployment of BlackSuit ransomware approximately 15 days later. The threat actor demonstrated an array of tactics, leveraging tools like Cobalt Strike, Sharphound, and SystemBC, alongside…

Published: August 27, 2024

Downloadable IOCs: 16

How Managed Detection and Response Pressed Pause on a Play Ransomware Attack

This report details how Trend Micro's Managed Detection and Response (MDR) service successfully thwarted a sophisticated ransomware attack orchestrated by the notorious Play ransomware group. Through continuous monitoring and expert analysis, the MDR team swiftly identified and contained the intrus…

Published: August 23, 2024

Downloadable IOCs: 1

Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure

CloudSEK's threat research team uncovered a ransomware attack impacting banks and payment providers in India. The attack, initiated through a compromised Jenkins server at Brontoo Technology Solutions, is attributed to the RansomEXX ransomware group. This sophisticated threat actor employs tactics …

Published: August 20, 2024

Linked vulnerabilities : CVE-2024-23897

Downloadable IOCs: 18

Ransomware attackers introduce new EDR killer to their arsenal

An analysis by security researchers has uncovered the existence of a new tool called EDRKillShifter, which is used by threat actors to disable endpoint protection software during ransomware attacks. The tool is designed to terminate antivirus and endpoint detection and response (EDR) solutions on t…

Published: August 16, 2024

Downloadable IOCs: 2

REPLAY: Revisiting Play Ransomware Anti-Analysis Techniques

This analysis revisits the anti-analysis techniques employed by recent variants of the Play ransomware, which is known for targeting industries like healthcare and telecommunications across various regions. The report explains how the ransomware utilizes techniques like return-oriented programming …

Published: August 9, 2024

Downloadable IOCs: 4

DeathGrip RaaS | Small-Time Threat Actors Aim High With LockBit & Yashma Builders

This analysis examines the emergence of DeathGrip, a Ransomware-as-a-Service (RaaS) operation that provides threat actors with easy access to sophisticated ransomware builders like LockBit 3.0 and Yashma/Chaos. The accessibility of these tools enables even those with minimal technical skills to lau…

Published: August 9, 2024

Downloadable IOCs: 1

Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell

The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…

Published: August 7, 2024

Downloadable IOCs: 8

SharpRhino – New Hunters International RAT

Quorum Cyber's Incident Response team discovered a novel malware, SharpRhino, used by the threat actor Hunters International as an initial infection vector and Remote Access Trojan (RAT). This malware, coded in C#, is delivered via a typosquatting domain impersonating Angry IP Scanner. Upon executi…

Published: August 6, 2024

Downloadable IOCs: 6

DNS Early Detection - Breaking the Black Basta Ransomware Kill Chain

This intelligence analysis examines the Black Basta ransomware campaign, which has significantly impacted businesses and critical infrastructure across North America, Europe, and Australia. The report highlights Infoblox's ability to identify and block over 78% of the malicious domains associated w…

Published: August 2, 2024

Linked vulnerabilities : CVE-2024-1700

Downloadable IOCs: 1

Akira Ransomware Targets the LATAM Airline Industry

An in-depth analysis examined a threat actor utilizing Akira ransomware to compromise a Latin American airline. The attacker gained initial network access via SSH, exploiting a vulnerability in Veeam backup software, and subsequently exfiltrated critical data before deploying the ransomware payload…

Published: July 16, 2024

Linked vulnerabilities : CVE-2023-27532, CVE-2023-20269, CVE-2020-3259

Downloadable IOCs: 2

ShadowRoot Ransomware Targeting Turkish Businesses

An analysis reveals a basic ransomware campaign targeting Turkish enterprises. The attack commences with a malicious PDF attachment delivered via email, containing a link that downloads an executable payload. This executable then drops further components, including a .NET binary obfuscated with dot…

ransomware

2024-07-15

türkiye

Published: July 15, 2024

Downloadable IOCs: 3

Patch or Peril: A Veeam vulnerability incident

While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…

Published: July 12, 2024

Downloadable IOCs: 2

BianLian Ransomware Group: 2024 Activity Analysis

The intelligence report delves into the evolving tactics and operations of the BianLian ransomware group, which has emerged as one of the top three most active ransomware groups. It details the group's shift from encryption tactics to a steal-and-extort model after a decryptor was released. The ana…

Published: July 12, 2024

Downloadable IOCs: 8

Ransomware: Activity Levels Remain High Despite Disruption

While overall activity levels dipped slightly in the first quarter of 2024, the number of claimed attacks remained high, with LockBit accounting for over 20%. The report explores the changing tactics employed by ransomware actors, including the exploitation of vulnerabilities, the use of Bring-Your…

Published: July 11, 2024

Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8)

Downloadable IOCs: 27

Decrypted: DoNex Ransomware and its Predecessors

Researchers have uncovered a cryptographic flaw in the DoNex ransomware and its previous iterations, allowing for the creation of a decryptor tool. Initially discovered in March 2024, this cryptographic weakness was made public at Recon 2024. The ransomware, which has undergone several rebrands sin…

Published: July 10, 2024

Downloadable IOCs: 8

BlackSuit Ransomware: Insights and Defense Strategies

This report provides an in-depth analysis of the BlackSuit ransomware, a threat that has been actively targeting various sectors since May 2023. It presents statistics from incident response engagements, explores the ransomware's behavior and technical analysis, and offers insights into the potenti…

Published: July 8, 2024

Downloadable IOCs: 8

Mallox Ransomware: Linux Variant Decryptor Found

The report analyzes the Mallox ransomware, which has been active since mid-2021 and focuses on multi-extortion by encrypting victims' data and threatening to post it on public TOR sites. Initially targeting Windows systems, Mallox has now developed Linux variants using custom Python scripts for pay…

Published: July 4, 2024

Downloadable IOCs: 5

New Ransomware Operator Volcano Demon Serving Up LukaLocker

A cybersecurity firm has encountered a new ransomware organization, dubbed Volcano Demon, responsible for recent attacks involving an encryptor called LukaLocker. The malware encrypts victims' files with the .nba extension and was successful in compromising Windows workstations and servers after ha…

Published: July 3, 2024

Downloadable IOCs: 3

From Dormant to Dangerous: P2Pinfect Evolves to Deploy New Ransomware and Cryptominer

P2Pinfect is a sophisticated malware that utilizes a peer-to-peer botnet for command and control. Initially appearing dormant, it has evolved to deploy ransomware and cryptominer payloads. The malware spreads via exploiting Redis and limited SSH capabilities. A recent update introduced a new ransom…

Published: June 27, 2024

Downloadable IOCs: 15

Chamelgang & Friends | Cyberespionage Groups Attacking Critical Infrastructure with Ransomware

In collaboration with Recorded Future, SentinelLabs has been tracking two distinct activity clusters targeting government and critical infrastructure sectors globally between 2021 and 2023.

Published: June 26, 2024

Downloadable IOCs: 8

RAFEL RAT, ANDROID MALWARE FROM ESPIONAGE TO RANSOMWARE OPERATIONS

Check Point Research has identified multiple threat actors utilizing Rafel, an open-source remote administration tool (RAT). The discovery of an espionage group leveraging Rafel in their operations was of particular significance, as it indicates the tool’s efficacy across various threat actor profi…

Published: June 20, 2024

Downloadable IOCs: 6

Update: CVE-2024-4577 quickly weaponized to distribute Ransomware

The report describes an attack campaign leveraging the CVE-2024-4577 vulnerability to deliver the "TellYouThePass" ransomware. The attackers use the vulnerability to execute arbitrary PHP code and run a malicious HTML application that loads a .NET variant of the ransomware into memory. Upon executi…

Published: June 11, 2024

Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2021-44228, CVE-2024-3577, CVE-2023-22524, CVE-2023-46604

Downloadable IOCs: 5

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…

Published: June 10, 2024

Downloadable IOCs: 33

Lost in the Fog: A New Ransomware Threat

Arctic Wolf Labs began monitoring the deployment of a new ransomware variant called Fog in early May 2024. The ransomware attacks targeted organizations in the education and recreation sectors within the United States. Evidence suggests threat actors gained initial access through compromised VPN cr…

Published: June 7, 2024

Linked vulnerabilities : CVE-2024-4358 (CVSS 9.8), CVE-2024-1800

Downloadable IOCs: 5

TargetCompany’s Linux Variant Targets ESXi Environments

Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…

Published: June 6, 2024

Downloadable IOCs: 3

Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors

This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…

Published: June 6, 2024

Downloadable IOCs: 34

Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

Microsoft has identified Moonstone Sleet, a new North Korean threat actor that employs various tactics, including creating fake companies, distributing trojanized legitimate tools, developing a malicious game, and deploying custom ransomware. This actor combines methods used by other North Korean g…

Published: May 29, 2024

Linked vulnerabilities : CVE-2023-42793

Downloadable IOCs: 20

New ransomware group abusing BitLocker

The report examines an incident where threat actors leveraged Microsoft's BitLocker encryption utility to deploy unauthorized file encryption on targeted systems. The adversaries employed a sophisticated VBScript that resized disk partitions, modified registry entries, enabled BitLocker with random…

trojan-ransom.vbs.bitlock.gen

trojan.vbs.sagent.gen

trojan.win32.generic

partitions

Published: May 23, 2024

Linked vulnerabilities : CVE-2024-30051 (CVSS 7.8)

Downloadable IOCs: 6

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

The report describes a recent campaign by the threat actor Storm-1811, a financially motivated cybercriminal group known for deploying Black Basta ransomware. The campaign begins with social engineering tactics like voice phishing (vishing) and email bombing to trick users into granting remote acce…

Published: May 16, 2024

Downloadable IOCs: 12

Ongoing Malvertising Campaign leads to Ransomware

Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat act…

Published: May 15, 2024

Downloadable IOCs: 78

Security Brief: Millions of Messages Distribute LockBit Black Ransomware

In late April 2024, Proofpoint observed high-volume email campaigns facilitated by the Phorpiex botnet, distributing millions of messages with attachments leading to LockBit Black ransomware infections. The messages appeared to originate from 'Jenny Green' and contained ZIP attachments with executa…

Published: May 13, 2024

Downloadable IOCs: 16

StopRansomware: Black Basta

This advisory details tactics, techniques, procedures and indicators of compromise related to Black Basta ransomware, a variant first identified in April 2022. Its affiliates have impacted over 500 organizations globally across multiple critical infrastructure sectors, including Healthcare and Publ…

Published: May 13, 2024

Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2024-1709, CVE-2021-34527, CVE-2020-1472

Downloadable IOCs: 174

Code Emulation and Cybercrime Infrastructure Discovery

This report details the analysis of a malspam campaign utilizing the Matanbuchus loader, which involved decrypting strings within the malware through emulation techniques. The investigation pivoted to uncover a Russian bulletproof hosting service, Proton66 OOO, that currently hosts various maliciou…

Published: May 8, 2024

Downloadable IOCs: 76

Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)

The report analyzes recent attacks by the TargetCompany ransomware group targeting poorly managed MS-SQL servers. The group initially installs Remcos RAT and a remote screen control malware for reconnaissance and lateral movement. Subsequently, the Mallox ransomware is deployed to encrypt the infec…

Published: May 2, 2024

Downloadable IOCs: 5

Ransomware Roundup (April 29, 2024)

This concise report provides insights into the evolving ransomware landscape, covering the KageNoHitobito and DoNex variants. It analyzes their infection vectors, victimology, attack methods, and associated indicators of compromise (IoCs). The report also highlights Fortinet's protections against t…

Published: April 29, 2024

Downloadable IOCs: 7

Tag: ransomware

Attack reports

GOLD SALEM tradecraft for deploying Warlock ransomware

Multi-Platform Ransomware Written in Rust

New BYOVD loader behind DeadLock ransomware attack

Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation

Makop ransomware: GuLoader and privilege escalation in attacks against Indian businesses

Inside Shanya, a packer-as-a-service fueling modern attacks

Sharpening the knife: strategic evolution of GOLD BLADE

Technical Analysis of Matanbuchus 3.0

License to Encrypt: Make Their Move

Cat's Got Your Files: Lynx Ransomware

Analysis of Encryption Structure of Yurei Ransomware Go-based Builder

Unleashing the Kraken ransomware group

Gootloader Returns: What Goodies Did They Bring?

CLOP RANSOMWARE: DISSECTING NETWORK - THE RAVEN FILE

The DragonForce Cartel: Scattered Spider at the gate

Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates

A Deep Dive Into Warlock Ransomware Deployed Via ToolShell SharePoint Chained Vulnerabilities

Major October 2025 Cyber Attacks Your SOC Can't Ignore

Analysis of Trigona Threat Actor's Latest Attack Cases

Uncovering Qilin attack methods exposed through multiple cases

Warlock Ransomware: Old Actor, New Tricks?

Blog Anatomy of a Hacktivist Attack: Russian-Aligned Group Targets OT/ICS

Velociraptor leveraged in ransomware attacks

The Evolution of Chaos Ransomware: Faster, Smarter, and More Dangerous

The Evolution of Qilin RaaS

YUREI RANSOMWARE: THE DIGITAL GHOST

Analysis: AI-powered Ransomware from APT Group

Threat Profile: Conti Ransomware Group

New LockBit 5.0 Targets Windows, Linux, ESXi

Update on Ongoing Akira Ransomware Campaign

SystemBC – Bringing the Noise

GUNRA RANSOMWARE: What You Don't Know!

Technical Analysis of Zloader Updates

Unmasking Akira: The ransomware tactics you can't afford to ignore

CountLoader: New Malware Loader Being Served in 3 Different Versions

Warlock operation joins busy ransomware landscape

The Dangers of Storing Unencrypted Passwords

Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass

Yurei the New Ransomware Group on the Scene

CyberVolk Ransomware: Analysis of Double Encryption Structure and Disguised Decryption Logic

Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis

Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed

Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

Dire Wolf Ransomware: Threat Combining Data Encryption and Leak Extortion

Warning About NightSpire Ransomware Following Cases of Damage in South Korea

Interlock Ransomware Targeting Businesses

The First AI-Powered Ransomware & How It Works

Link up, lift up, level up

Underground Ransomware Being Distributed Worldwide

Cherry pie, Douglas firs and the last trip of the summer

Tracking GLOBAL GROUP Ransomware from Mamona to Market Scale

From SharePoint Vulnerability Exploit to Enterprise Ransomware

Ransomware incidents in Japan during the first half of 2025

Dissecting PipeMagic: Inside the architecture of a modular backdoor framework

Threat Actor Profile: Interlock Ransomware

'Blue Locker' Analysis: Ransomware Targeting Oil & Gas Sector in Pakistan

This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

Kawabunga, Dude, You've Been Ransomed!

New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises

650 Attack Tools, One Coordinated Campaign

Observed Malicious Driver Use Associated with Akira SonicWall Campaign

Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator

Shared secret: EDR killer in the kill chain

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

ThrottleStop driver abused to terminate AV processes

Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks

Active Exploitation of SonicWall VPNs

Exploring Storm-2603's Previous Ransomware Operations

Religious symbols weaponized, group uses Microsoft SharePoint RCE vulnerability to deliver 4L4MD4r ransomware

Unmasking LockBit: A Deep Dive into DLL Sideloading and Masquerading Tactics

Qilin Ransomware and the Hidden Dangers of BYOVD

Gunra Ransomware Group Unveils Efficient Linux Variant

Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

Gunra Ransomware Emerges with New DLS

NailaoLocker Ransomware's 'Cheese'

Getting to the Crux (Ransomware) of the Matter

From a Teams Call to a Ransomware Threat: Matanbuchus 3.0 MaaS Levels Up

KAWA4096’s Ransomware Tide: Rising Threat With Borrowed Styles