Tag: ransomware

234 Attack Reports | 0 Vulnerabilities

Attack reports

License to Encrypt: Make Their Move

'The Gentlemen' ransomware group emerged in July 2025, employing advanced dual-extortion tactics. They encrypt data and exfiltrate sensitive information, threatening to release it unless a ransom is paid. The group developed their own Ransomware-as-a-Service (RaaS) platform after experimenting with…
linux
ransomware
windows
persistence
encryption
esxi
raas
2025-11-19
the gentlemen
dual-extortion
Published: November 19, 2025
Downloadable IOCs: 0

Cat's Got Your Files: Lynx Ransomware

A threat actor gained initial access to a network via RDP using compromised credentials, likely obtained through an infostealer, data breach, or initial access broker. They quickly moved laterally to a domain controller, created multiple impersonation accounts with high privileges, and installed An…
ransomware
lateral movement
rdp
backup deletion
data exfiltration
lynx ransomware
credential abuse
2025-11-17
network reconnaissance
Published: November 17, 2025
Downloadable IOCs: 7

Analysis of Encryption Structure of Yurei Ransomware Go-based Builder

The Yurei ransomware group, first identified in September 2025, employs a typical ransomware operation model targeting corporate networks. Their attacks have affected Sri Lanka and Nigeria, focusing on transportation, IT, marketing, and food industries. The ransomware, developed in Go, uses ChaCha2…
ransomware
encryption
chacha20-poly1305
go-based
yurei
2025-11-14
darkweb
secp256k1-ecies
corporate networks
Published: November 14, 2025
Downloadable IOCs: 1

Unleashing the Kraken ransomware group

The Kraken ransomware group, emerging from the remnants of the HelloKitty cartel, has been observed conducting big-game hunting and double extortion attacks. Utilizing SMB vulnerabilities for initial access, they employ tools like Cloudflared for persistence and SSHFS for data exfiltration. Kraken'…
ransomware
encryption
cross-platform
data leak
russian-speaking
double extortion
2025-11-13
kraken
underground forum
Published: November 13, 2025
Downloadable IOCs: 11

Gootloader Returns: What Goodies Did They Bring?

Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Used by threat actor Storm-0494, it grants access to Vanilla Tempest, which delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses…
obfuscation
ransomware
seo poisoning
blackcat
alphv
javascript
gootloader
lateral movement
noberus
rhysida
2025-11-06
vanilla tempest
quantum locker
wordpress exploitation
zeppelin
supper socks5 backdoor
Published: November 6, 2025
Downloadable IOCs: 136

CLOP RANSOMWARE: DISSECTING NETWORK - THE RAVEN FILE

The report analyzes the network infrastructure used by the Clop ransomware group, focusing on their exploitation of CVE-2025-61882 in Oracle EBS. It identifies 96 IP addresses associated with a specific fingerprint, with Germany, Brazil, and Panama being prominent locations. The analysis reveals si…
ransomware
CVE-2023-0669
cyclops blink
infrastructure
CVE-2023-34362
CVE-2025-61882
2025-11-05
cryptomix
oracle ebs
fingerprints
ip addresses
network analysis
Published: November 5, 2025
Downloadable IOCs: 203

The DragonForce Cartel: Scattered Spider at the gate

DragonForce, a ransomware-as-a-service group active since 2023, has rebranded as a cartel and formed alliances with groups like Scattered Spider, LAPSUS$, and ShinyHunters. The group uses Conti-derived code and employs BYOVD attacks to terminate processes. DragonForce has expanded its affiliate pro…
social engineering
ransomware
encryption
conti
byovd
dragonforce
affiliate program
mamona
devman
2025-11-05
scattered spider
global
cartel
Published: November 5, 2025
Downloadable IOCs: 0

Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates

The Rhysida ransomware gang, formerly known as Vice Society, is conducting an ongoing malicious ad campaign to deliver OysterLoader malware. This initial access tool establishes a foothold on devices for dropping a persistent backdoor. The campaign uses Bing search engine advertisements to direct u…
ransomware
malvertising
latrodectus
initial access
code-signing
2025-11-03
microsoft trusted signing
oysterloader
Published: November 3, 2025
Downloadable IOCs: 271

A Deep Dive Into Warlock Ransomware Deployed Via ToolShell SharePoint Chained Vulnerabilities

Warlock ransomware, exploiting SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771, represents an advanced threat combining sophisticated encryption methods with targeted defense evasion techniques. The malware employs a multi-stage attack, terminating security services, removing recovery …
ransomware
encryption
chacha20
defense evasion
sharepoint
vulnerabilities
CVE-2025-53770
CVE-2025-53771
warlock
curve25519
2025-10-30
volume shadow copies
Published: October 30, 2025
Downloadable IOCs: 1

Major October 2025 Cyber Attacks Your SOC Can't Ignore

October 2025 saw a surge in sophisticated cyber attacks, including phishing campaigns exploiting Google Careers and ClickUp, abuse of Figma for credential theft, the emergence of LockBit 5.0 targeting ESXi and Linux systems, and the discovery of TyKit, a new phishing kit. Attackers increasingly abu…
phishing
ransomware
lockbit
credential theft
cloud abuse
lockbit 5.0
2025-10-29
tykit
clickup
google careers
figma
Published: October 29, 2025
Downloadable IOCs: 10

Analysis of Trigona Threat Actor's Latest Attack Cases

The Trigona threat actor continues to target MS-SQL servers through brute-force and dictionary attacks, exploiting weak credentials. They use CLR Shell for additional payloads and employ various tools like BCP, Curl, Bitsadmin, and PowerShell to install malware. The attackers utilize remote control…
ransomware
trigona
remote-control
2025-10-29
Published: October 29, 2025
Downloadable IOCs: 5

Uncovering Qilin attack methods exposed through multiple cases

The ransomware group Qilin has been highly active in 2025, publishing over 40 victim cases per month on its leak site. Manufacturing, professional services, and wholesale trade are the most affected sectors. Attackers likely originate from Eastern Europe or Russian-speaking regions. They use tools …
ransomware
cobalt strike
qilin
systembc
manufacturing
2025-10-27
Published: October 27, 2025
Downloadable IOCs: 17

Warlock Ransomware: Old Actor, New Tricks?

The Warlock ransomware, first appearing in June 2025, is linked to a China-based actor with a history dating back to 2019. It gained prominence by exploiting the ToolShell vulnerability in Microsoft SharePoint. The group, known as Storm-2603, uses multiple ransomware payloads and a custom C&C frame…
espionage
ransomware
lockbit
warlock
2025-10-23
anylock
Published: October 23, 2025
Downloadable IOCs: 0

Blog Anatomy of a Hacktivist Attack: Russian-Aligned Group Targets OT/ICS

Forescout honeypot caught hacktivist activity targeting a decoy water treatment plant in Sept. 2025. A Russian-aligned group, TwoNet, claimed responsibility for the attack. The group logged into the human-machine interface (HMI) for: defacement, process disruption, manipulation, and evasion.
exploit
ransomware
russian
raas
hacktivist
defacement
2025-10-10
twonet
human-machine interface
overflame
modbus
megamedusa
Published: October 10, 2025
Downloadable IOCs: 10

Velociraptor leveraged in ransomware attacks

A ransomware attack involving the use of Velociraptor, an open-source digital forensics tool, has been linked to the threat actor Storm-2603. The attackers deployed Warlock, LockBit, and Babuk ransomware to encrypt virtual machines and servers. They exploited a vulnerability in an outdated version …
ransomware
windows
privilege-escalation
lockbit
data-exfiltration
babuk
vmware
warlock
2025-10-09
CVE-2025-6264
velociraptor
open-source-tools
Published: October 9, 2025
Linked vulnerabilities : CVE-2025-6264
Downloadable IOCs: 5

The Evolution of Chaos Ransomware: Faster, Smarter, and More Dangerous

Chaos ransomware has evolved with a new C++ variant in 2025, marking a significant shift from its .NET origins. This new version combines destructive encryption, clipboard hijacking for cryptocurrency theft, and speed-focused attack strategies. It employs a sophisticated downloader masquerading as …
ransomware
cryptocurrency theft
lucky_gh0$t
2025-10-09
blacksnake
Published: October 9, 2025
Downloadable IOCs: 9

The Evolution of Qilin RaaS

Qilin ransomware is used for domain-wide encryption, and a ransom is then demanded for the decryption keys and/or to prevent the publication of the stolen data. Qilin affiliates are recruited from cybercrime forums to use the Qilin RaaS platform, which handles payload generation, the publication of…
phishing
ransomware
bitcoin
qilin
ryuk
raas
tor
supply chain attack
nova
2025-10-08
onion
fin12
alphvblackcat
kela
agenda
wikileaks
Published: October 8, 2025
Downloadable IOCs: 5

YUREI RANSOMWARE: THE DIGITAL GHOST

A sophisticated ransomware family called Yurei has emerged, targeting Windows systems with advanced encryption methods. It rapidly encrypts data using ChaCha20 and ECIES, appends .Yurei to files, and disables recovery options. The malware spreads via SMB shares, removable drives, and credential-bas…
ransomware
double-extortion
yurei
2025-10-04
Published: October 4, 2025
Downloadable IOCs: 0

Analysis: AI-powered Ransomware from APT Group

FunkLocker, a ransomware strain developed by the FunkSec APT group, showcases the growing trend of AI-assisted malware creation. The ransomware exhibits inconsistent quality across multiple builds, with some versions incorporating advanced features like anti-VM checks. It aggressively disrupts syst…
ransomware
powershell
encryption
ai-assisted
2025-10-02
funklocker
process-disruption
system-abuse
Published: October 2, 2025
Downloadable IOCs: 1

Threat Profile: Conti Ransomware Group

Conti, a notorious ransomware operation identified in 2019, quickly gained infamy for its advanced encryption, rapid lateral movement, and double extortion tactics. Operated by the Russia-based Wizard Spider group, Conti evolved from Ryuk ransomware and maintained suspected ties to Russian state in…
ransomware
cobalt strike
government
healthcare
conti
ryuk
double extortion
critical infrastructure
education
trickbot
2025-09-30
wizard spider
russia-based
Published: September 30, 2025
Downloadable IOCs: 2

New LockBit 5.0 Targets Windows, Linux, ESXi

Trend Research analyzed the latest version of LockBit ransomware, LockBit 5.0, which exhibits advanced obfuscation, anti-analysis techniques, and cross-platform capabilities for Windows, Linux, and ESXi systems. The Windows variant uses heavy obfuscation and packing, loading its payload through DLL…
obfuscation
ransomware
anti-analysis
encryption
cross-platform
esxi
virtualization
2025-09-29
dll reflection
lockbit 5.0
Published: September 29, 2025
Downloadable IOCs: 5

Update on Ongoing Akira Ransomware Campaign

The Akira ransomware campaign targeting SonicWall SSL VPN accounts has intensified since July 2025, with new infrastructure observed as recently as September 20. Threat actors are exploiting previously exfiltrated credentials, including those with OTP MFA, likely related to CVE-2024-40766. The atta…
ransomware
credential theft
akira
CVE-2024-40766
CVE-2023-20269
CVE-2020-3259
sonicwall
ssl vpn
2025-09-27
infrastructure rotation
Published: September 27, 2025
Downloadable IOCs: 0

SystemBC – Bringing the Noise

The SystemBC botnet, composed of over 80 C2s and 1,500 daily victims, primarily targets VPS systems from commercial providers. It creates proxies enabling high volumes of malicious traffic for various criminal threat groups. The network is used by multiple proxy services, including REM Proxy, which…
ransomware
icedid
botnet
cybercrime
proxy
infrastructure
ngioweb
systembc
morpheus
trickbot
transferloader
vps
2025-09-25
avoslocker
rem proxy
malicious traffic
Published: September 25, 2025
Downloadable IOCs: 158

GUNRA RANSOMWARE: What You Don't Know!

Gunra Ransomware is a double extortion group targeting global victims, excluding the US. They primarily attack Windows systems, recently expanding to Linux. The group uses phishing as their main vector and negotiates through a WhatsApp-themed chat panel. They can encrypt large files quickly using a…
linux
phishing
ransomware
windows
encryption
lumma stealer
double extortion
data leak site
2025-09-24
negotiation
gunra ransomware
donot loader
Published: September 24, 2025
Downloadable IOCs: 0

Technical Analysis of Zloader Updates

Recent versions of Zloader, a Zeus-based modular trojan, have introduced significant enhancements to its functionality. These updates include improved obfuscation techniques, anti-analysis strategies, and network communication methods. The malware now supports WebSockets and has modified its DNS tu…
obfuscation
ransomware
evasion
anti-analysis
zloader
zeus
trojan
banking
websockets
2025-09-22
dns-tunneling
zeus-based
ldap
Published: September 22, 2025
Downloadable IOCs: 0

Unmasking Akira: The ransomware tactics you can't afford to ignore

The Akira ransomware group has been targeting UK businesses since 2023, primarily affecting retail, finance, manufacturing, and medical sectors. Their tactics include exploiting SSL VPNs, using double extortion, and focusing on financial gain. Key observations from 2023-2025 include initial access …
ransomware
encryption
credential theft
data exfiltration
akira
CVE-2023-27532
CVE-2024-40766
CVE-2024-40711
double extortion
CVE-2023-20269
2025-09-22
backup destruction
Published: September 22, 2025
Downloadable IOCs: 0

CountLoader: New Malware Loader Being Served in 3 Different Versions

A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, Blac…
phishing
ransomware
powershell
ukraine
lumma stealer
malware loader
.net
cobaltstrike
jscript
purehvnc
evasion techniques
initial access broker
adaptixc2
2025-09-19
countloader
Published: September 19, 2025
Downloadable IOCs: 27

Warlock operation joins busy ransomware landscape

GOLD SALEM, also known as Warlock Group, has emerged as a significant player in the ransomware landscape since March 2025. The group has compromised networks across North America, Europe, and South America, targeting a range of organizations from small entities to large corporations. GOLD SALEM ope…
ransomware
credential theft
lateral movement
CVE-2024-51324
CVE-2025-53770
CVE-2025-53771
CVE-2025-49704
CVE-2025-49706
warlock
dedicated leak site
2025-09-17
edr bypass
sharepoint exploitation
warlock group
Published: September 17, 2025
Linked vulnerabilities : CVE-2024-51324 (CVSS 3.8), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 2

The Dangers of Storing Unencrypted Passwords

A threat actor exploited a SonicWall VPN vulnerability to gain initial access to an organization's network. The attacker discovered plaintext Huntress recovery codes on a user's desktop, allowing them to bypass MFA and access the Huntress portal. They then proceeded to close active incident reports…
ransomware
credential theft
akira
sonicwall
2025-09-15
certificate export
vpn exploit
recovery codes
Published: September 15, 2025
Downloadable IOCs: 2

Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass

A new ransomware called HybridPetya has been discovered, combining features of Petya and NotPetya with advanced UEFI-based system capabilities. It encrypts the Master File Table on NTFS partitions and can install a malicious EFI application to compromise UEFI systems. One variant exploits CVE-2024-…
ransomware
uefi
bootkit
CVE-2024-7344
2025-09-15
2025-09-12
notpetya
petya
bypass
mft encryption
hybridpetya
secure boot
petrwrap
diskcoder.c
secure boot bypass
expetr
goldeneye
nyetya
Published: September 15, 2025
Linked vulnerabilities : CVE-2024-7433 (CVSS 8.8), CVE-2024-7344 (CVSS 8.2)
Downloadable IOCs: 7

Yurei the New Ransomware Group on the Scene

Yurei, a newly emerged ransomware group, targeted a Sri Lankan food manufacturing company on September 5, 2025. The group employs a double-extortion model, encrypting files and exfiltrating sensitive data. Check Point Research discovered that Yurei's ransomware is based on the open-source Prince-Ra…
ransomware
open-source
go
double-extortion
2025-09-12
morocco
satanlockv2
shadow copies
prince-ransomware
yurei
Published: September 12, 2025
Downloadable IOCs: 5

CyberVolk Ransomware: Analysis of Double Encryption Structure and Disguised Decryption Logic

The CyberVolk ransomware, emerging in May 2024, targets public institutions and key infrastructures of anti-Russian countries. It uses a double encryption structure with AES-256 GCM and ChaCha20-Poly1305 algorithms. The ransomware excludes certain files and directories from encryption and uses a sy…
ransomware
geopolitical
pro-russian
chacha20-poly1305
2025-09-12
symmetric key
cybervolk
aes-256 gcm
double encryption
Published: September 12, 2025
Downloadable IOCs: 0

Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis

The BlackNevas ransomware group, first appearing in November 2024, has been targeting various industries and critical infrastructure globally, with a focus on the Asia-Pacific region. The group uses AES and RSA encryption, adding the '.-encrypted' extension to affected files. BlackNevas operates in…
ransomware
encryption
data leak
global threats
rsa
asia-pacific
aes
2025-09-12
blacknevas
Published: September 12, 2025
Downloadable IOCs: 1

Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed

The Gentlemen ransomware group has emerged as a sophisticated threat actor targeting multiple industries across 17 countries, with a focus on the Asia-Pacific region. Their campaign demonstrates advanced capabilities, including the use of custom tools to bypass enterprise endpoint protections, expl…
ransomware
lateral movement
data exfiltration
defense evasion
custom tools
driver abuse
2025-09-09
the gentlemen ransomware
group policy manipulation
enterprise targeting
Published: September 9, 2025
Downloadable IOCs: 0

Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

This intelligence report details a sophisticated cyber intrusion with links to three major ransomware groups: Play, RansomHub, and DragonForce. The attack began with a malicious file impersonating DeskSoft's EarthTime application, which deployed SectopRAT malware. The threat actors used various too…
ransomware
lateral movement
data exfiltration
sectoprat
systembc
grixba
2025-09-08
multi-group affiliation
betruger
multi-group operation
Published: September 8, 2025
Downloadable IOCs: 0

Dire Wolf Ransomware: Threat Combining Data Encryption and Leak Extortion

The DireWolf ransomware group emerged in May 2025, targeting various industries globally. They employ a double extortion technique, encrypting data and threatening leaks. The ransomware uses Curve25519 key exchange and ChaCha20 encryption, generating unique keys for each file. It implements anti-re…
ransomware
encryption
chacha20
double extortion
self-deletion
dire wolf
2025-09-03
curve25519
anti-recovery
data leakage
Published: September 3, 2025
Downloadable IOCs: 2

Warning About NightSpire Ransomware Following Cases of Damage in South Korea

NightSpire, a ransomware group active since February 2025, employs an aggressive strategy and specialized infrastructure similar to Ransomware-as-a-Service models. They operate a Dedicated Leak Site, posting victim information and countdown timers for data release. Using highly threatening language…
ransomware
encryption
south korea
double-extortion
nightspire
rsa
2025-08-29
2025-09-01
aes
cyber extortion
dedicated leak site
Published: September 1, 2025
Downloadable IOCs: 2

Interlock Ransomware Targeting Businesses

The Interlock ransomware group has been actively targeting businesses and critical infrastructures in North America and Europe since September 2024. Their ransomware employs AES-256-GCM encryption with RSA-4096 key protection, leveraging the OpenSSL library for efficient file encryption. The malwar…
ransomware
data theft
europe
interlock
file encryption
code obfuscation
2025-08-29
openssl
north america
aes-256-gcm
rsa-4096
Published: August 29, 2025
Downloadable IOCs: 0

The First AI-Powered Ransomware & How It Works

PromptLock, a proof-of-concept AI-powered ransomware, leverages Lua scripts generated from hard-coded prompts to perform malicious activities across Windows, Linux, and macOS. Written in Go, it communicates with a locally hosted LLM through the Ollama API. The malware scans the filesystem, identifi…
ransomware
cross-platform
proof-of-concept
2025-08-29
promptlock
speck encryption
filesystem scanning
dynamic ransom notes
ai-powered
ollama api
lua scripts
go language
Published: August 29, 2025
Downloadable IOCs: 0

Link up, lift up, level up

This report emphasizes the importance of community in the cybersecurity profession, reflecting on experiences at Black Hat USA 2025 and DEF CON 33. It highlights the value of these events for learning and networking, but also acknowledges their high costs and potential inaccessibility for many. The…
ransomware
cybersecurity
vulnerabilities
education
2025-08-28
promptlock
networking
conferences
community
professional development
CVE-2025-48384
Published: August 28, 2025
Downloadable IOCs: 0

Underground Ransomware Being Distributed Worldwide

The Underground ransomware gang is conducting global attacks against companies across various countries and industries. First identified in July 2023, the group resurfaced in May 2024 with a new Dedicated Leak Site. Their targets include multinational corporations from diverse sectors, with annual …
ransomware
data theft
encryption
2025-08-27
underground ransomware
striping method
global attacks
Published: August 27, 2025
Downloadable IOCs: 0

Cherry pie, Douglas firs and the last trip of the summer

As summer winds down, a seasoned agent reflects on a journey through Seattle and the Olympic Peninsula, highlighting the importance of digital security during travel. The article provides practical cybersecurity tips for travelers, emphasizing the need to update devices, back up data, avoid public …
ransomware
xenorat
data breach
travel security
state-sponsored threats
data breaches
ps1bot
2025-08-21
network vulnerabilities
cisco devices
CVE-2018-0171
cybersecurity precautions
device protection
unpatched systems
embassy targets
cisco vulnerability
cybersecurity tips
5g attack
Published: August 21, 2025
Linked vulnerabilities : CVE-2018-0171
Downloadable IOCs: 0

Tracking GLOBAL GROUP Ransomware from Mamona to Market Scale

A new ransomware actor, GLOBAL GROUP, emerged on the Ramp4u cybercrime forum in June 2025, claiming to offer a fresh Ransomware-as-a-Service (RaaS) platform. However, forensic evidence reveals that GLOBAL is a rebranded continuation of the Mamona RIP and Black Lock ransomware families. The ransomwa…
ransomware
golang
cross-platform
raas
tor
initial access brokers
black lock
2025-08-21
chacha20-poly1305
mamona rip
global group
ai chatbot
Published: August 21, 2025
Linked vulnerabilities : CVE-2024-57727 (CVSS 7.5), CVE-2025-22457 (CVSS 9.0), CVE-2025-32433 (CVSS 10.0), CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 6

From SharePoint Vulnerability Exploit to Enterprise Ransomware

The Warlock ransomware group exploited unpatched Microsoft SharePoint servers to gain initial access and deploy ransomware across enterprise environments. The attack chain involved exploiting vulnerabilities, privilege escalation through Group Policy modification, credential theft using Mimikatz, l…
ransomware
lockbit
vulnerability
credential theft
dll sideloading
lateral movement
data exfiltration
CVE-2023-27532
lockbit 3.0
sharepoint
warlock
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

Ransomware incidents in Japan during the first half of 2025

The first half of 2025 saw a 1.4-fold increase in ransomware attacks in Japan compared to the previous year, with 68 confirmed cases. Small and medium-sized enterprises remained the primary targets, with manufacturing being the most affected industry. The ransomware group Qilin emerged as the most …
ransomware
encryption
double-extortion
manufacturing
japan
kawa4096
kawalocker
2025-08-19
kawalocker 2.0
salsa20
small-medium-enterprises
Published: August 19, 2025
Downloadable IOCs: 0

Dissecting PipeMagic: Inside the architecture of a modular backdoor framework

PipeMagic is a sophisticated modular backdoor used by the Storm-2460 threat actor, disguised as a legitimate ChatGPT Desktop Application. It employs a highly flexible architecture with multiple linked list structures for payload management, execution, and networking. The malware communicates with i…
backdoor
ransomware
windows
zero-day
modular
chatgpt
CVE-2025-29824
clfs
pipemagic
2025-08-18
Published: August 18, 2025
Linked vulnerabilities : CVE-2025-29824 (CVSS 7.8)
Downloadable IOCs: 4

Threat Actor Profile: Interlock Ransomware

Interlock, a relatively new ransomware group first observed in September 2024, has gained prominence in 2025 as an opportunistic ransomware operator. Unlike traditional Ransomware-as-a-Service models, Interlock operates without affiliates or public advertisements. The group conducts double extortio…
social engineering
ransomware
powershell
cobalt strike
clickfix
systembc
double extortion
trycloudflare
remote access trojan
compromised websites
interlock rat
2025-08-15
nodesnake rat
Published: August 15, 2025
Downloadable IOCs: 24

'Blue Locker' Analysis: Ransomware Targeting Oil & Gas Sector in Pakistan

A new ransomware strain called 'Blue Locker' is targeting Pakistan's oil and gas sector, particularly affecting Pakistan Petroleum Limited. The National Cyber Emergency Response Team (NCERT) has issued warnings to 39 key ministries and institutions about this severe threat. The ransomware, which sh…
phishing
ransomware
pakistan
encryption
cybersecurity
2025-08-15
oil and gas
ncert
proton
shinra
blue locker
Published: August 15, 2025
Downloadable IOCs: 0

This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

A sophisticated ransomware campaign has been uncovered, masquerading as a new SAP Ariba tool. The attack uses email lures, sender spoofing, and impersonation of legitimate software vendors to deliver LeeMe Ransomware. The malware employs SAP branding, a fake GUI, and a Portuguese ransom note. It ta…
phishing
social engineering
ransomware
encryption
bitcoin
keylogger
data exfiltration
2025-08-15
sap ariba
leeme ransomware
Published: August 15, 2025
Downloadable IOCs: 0

Kawabunga, Dude, You've Been Ransomed!

A new ransomware variant called KawaLocker (KAWA4096) was recently observed in an attack. The threat actor gained initial access via RDP using a compromised account and employed various tools to disable security measures. HRSword, a monitoring tool, was deployed along with kernel drivers sysdiag.sy…
ransomware
encryption
rdp
psexec
kawa4096
2025-08-15
hrsword
kawalocker
Published: August 15, 2025
Downloadable IOCs: 5

New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises

A new ransomware family called Charon has been identified, targeting the Middle East's public sector and aviation industry. The attack employs sophisticated APT-style techniques, including DLL sideloading, process injection, and anti-EDR capabilities. Charon uses a multistage payload extraction tec…
apt
ransomware
evasion
encryption
dll sideloading
aviation
middle east
network propagation
2025-08-12
charon
Published: August 12, 2025
Downloadable IOCs: 0

650 Attack Tools, One Coordinated Campaign

The GreedyBear attack group has launched a massive crypto theft operation, utilizing 150 weaponized Firefox extensions, nearly 500 malicious executables, and numerous phishing websites. Their tactics include Extension Hollowing to bypass marketplace security, distributing various malware families, …
malware
phishing
ransomware
lummastealer
browser extensions
crypto theft
2025-08-08
luca stealer
extension hollowing
scam websites
Published: August 8, 2025
Downloadable IOCs: 111

Observed Malicious Driver Use Associated with Akira SonicWall Campaign

Akira affiliates have been observed exploiting two common drivers as part of a suspected AV/EDR evasion effort following initial access involving SonicWall abuse. The drivers, rwdrv.sys and hlpdrv.sys, are being used to facilitate AV/EDR evasion or disablement through a Bring Your Own Vulnerable Dr…
ransomware
zero-day
vpn
akira
byovd
drivers
sonicwall
2025-08-08
av/edr evasion
Published: August 8, 2025
Downloadable IOCs: 2

Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enablin…
ransomware
lockbit
socgholish
malware-as-a-service
initial access broker
raspberry robin
mintsloader
fake updates
2025-08-08
dridex
wastedlocker
netsupportrat
traffic distribution system
domain shadowing
hades
Published: August 8, 2025
Downloadable IOCs: 33

Shared secret: EDR killer in the kill chain

This intelligence report analyzes a sophisticated tool designed to disable endpoint security solutions, particularly EDR systems, on infected systems. The tool, known as AVKiller, has been observed in multiple ransomware attacks since 2022. It is heavily protected, targets various security vendors,…
ransomware
edr
ransomhub
compromise
blacksuit
qilin
dragonforce
medusalocker
driver
heartcrypt
lynx
avkiller
2025-08-07
inc
crytox
threat-sharing
Published: August 7, 2025
Downloadable IOCs: 56

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

A sophisticated cyber attack campaign leveraged SEO poisoning to compromise organizations through trojanized IT management tool installers. The attack began when users searching for ManageEngine OpManager were directed to a malicious website, downloading a compromised MSI file that installed Bumble…
ransomware
seo poisoning
credential theft
lateral movement
data exfiltration
akira
bumblebee
2025-08-07
rustdesk
it management tools
adaptixc2
Published: August 7, 2025
Downloadable IOCs: 0

ThrottleStop driver abused to terminate AV processes

A recent incident response case in Brazil revealed a new antivirus (AV) killer software circulating since October 2024. This malware abuses the ThrottleStop.sys driver to terminate numerous antivirus processes, employing a technique known as BYOVD (Bring Your Own Vulnerable Driver). The attack bega…
ransomware
byovd
medusalocker
kernel exploitation
2025-08-06
CVE-2025-7771
driver abuse
av killer
throttlestop
Published: August 6, 2025
Downloadable IOCs: 0

Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks

Unit 42 has identified significant overlaps between Microsoft's reported ToolShell activity and a threat cluster they track as CL-CRI-1040. This cluster utilizes a tool set called Project AK47, which includes a multi-protocol backdoor, custom ransomware, and loaders. The activity is linked to the e…
backdoor
ransomware
lockbit
lockbit 3.0
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
CVE-2025-49704
CVE-2025-49706
warlock
2025-08-06
warlock client
ak47 ransomware
x2anylock
project ak47
ak47c2
Published: August 6, 2025
Linked vulnerabilities : CVE-2024-1182 (CVSS 7.0), CVE-2024-7587 (CVSS 7.8), CVE-2024-8299 (CVSS 7.8), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-53870 (CVSS 3.3), CVE-2025-31324 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 27

Active Exploitation of SonicWall VPNs

A potential zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. The attack chain begins with a breach of the SonicWall appliance, followed by post-exploitation techniques including enumeration, detection evasion, lateral movement, and credential…
ransomware
zero-day
credential theft
lateral movement
vpn
mfa bypass
akira
sonicwall
2025-08-04
Published: August 4, 2025
Downloadable IOCs: 12

Exploring Storm-2603's Previous Ransomware Operations

A focused analysis of Storm-2603, a threat actor linked to recent ToolShell exploitations alongside other Chinese APT groups, reveals their use of a custom malware C2 framework called 'ak47c2'. This framework includes HTTP and DNS-based clients. The group likely targeted organizations in Latin Amer…
ransomware
windows
lockbit
lockbit black
microsoft
april
virustotal
sharepoint
psexec
iocs
toolshell
2025-08-01
storm2603
io control
dllhijacking
warlock
Published: August 1, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 25

Religious symbols weaponized, group uses Microsoft SharePoint RCE vulnerability to deliver 4L4MD4r ransomware

A serious remote code execution vulnerability in Microsoft SharePoint servers was exploited by hackers, affecting tens of thousands of servers globally. The mimo attack group, a financially motivated threat actor, utilized this vulnerability to deliver the 4L4MD4r ransomware, written in Golang and …
ransomware
microsoft
golang
sharepoint
rce
CVE-2025-53770
CVE-2025-53771
CVE-2025-49704
CVE-2025-49706
2025-08-01
4l4md4r
religious symbols
Published: August 1, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 2

Unmasking LockBit: A Deep Dive into DLL Sideloading and Masquerading Tactics

This analysis explores the sophisticated tactics employed by LockBit ransomware attackers, focusing on DLL sideloading and masquerading techniques. These methods allow attackers to evade detection and maximize impact. DLL sideloading involves tricking legitimate applications into loading malicious …
ransomware
evasion
lockbit
persistence
encryption
dll sideloading
2025-08-01
masquerading
Published: August 1, 2025
Downloadable IOCs: 11

Qilin Ransomware and the Hidden Dangers of BYOVD

This analysis examines a recent incident involving Qilin ransomware, highlighting the evolving tactics of cybercriminals to evade Endpoint Detection and Response (EDR) systems. The attackers utilized a previously unknown driver, TPwSav.sys, to disable EDR measures through a technique known as bring…
ransomware
qilin
byovd
raas
2025-07-31
Published: July 31, 2025
Downloadable IOCs: 7

Gunra Ransomware Group Unveils Efficient Linux Variant

Gunra ransomware, first observed in April 2025, has expanded its capabilities with a new Linux variant. This cross-platform move broadens the group's attack surface and demonstrates their intent to grow beyond their initial scope. The Linux variant features advanced capabilities, including parallel…
linux
ransomware
chacha20
2025-07-30
Published: July 30, 2025
Downloadable IOCs: 6

Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

A new Epsilon Red ransomware campaign has been discovered targeting users globally through fake ClickFix verification pages. Active since July 2025, the threat actors employ social engineering tactics and impersonate popular platforms like Discord, Twitch, and OnlyFans to trick users into executing…
phishing
social engineering
impersonation
ransomware
quasar rat
drive-by download
clickfix
activex
2025-07-25
hta files
epsilon red
Published: July 25, 2025
Downloadable IOCs: 5

Gunra Ransomware Emerges with New DLS

A new ransomware group called Gunra has emerged with a Dedicated Leak Site (DLS) in April 2025. Gunra's code shows similarities to the infamous Conti ransomware, suggesting it may be leveraging Conti's leaked source code. The group employs aggressive tactics, including a time-based pressure techniq…
ransomware
encryption
conti
chacha20
dls
2025-07-24
volume shadow copy
gunra
Published: July 24, 2025
Downloadable IOCs: 3

NailaoLocker Ransomware's 'Cheese'

NailaoLocker, a new ransomware variant targeting Windows systems, uses AES-256-CBC encryption and uniquely incorporates SM2 cryptography with hard-coded keys. It employs DLL side-loading for execution and uses I/O Completion Ports for multi-threaded file processing. The ransomware includes both enc…
ransomware
windows
dll side-loading
nailaolocker
2025-07-21
aes-256-cbc
sm2 cryptography
multi-threaded
Published: July 21, 2025
Downloadable IOCs: 3

Getting to the Crux (Ransomware) of the Matter

A new ransomware variant named Crux has been identified, claiming association with the BlackByte group. Observed in three separate incidents, Crux encrypts files with a .crux extension and leaves ransom notes. Initial access appears to involve Remote Desktop Protocol (RDP) using valid credentials. …
ransomware
rclone
rdp
svchost
data exfiltration
process injection
2025-07-21
bcdedit
crux
Published: July 21, 2025
Downloadable IOCs: 3

From a Teams Call to a Ransomware Threat: Matanbuchus 3.0 MaaS Levels Up

Matanbuchus 3.0, a malware loader available as Malware-as-a-Service, has evolved with significant updates. It now employs sophisticated techniques including improved communication protocols, in-memory stealth capabilities, enhanced obfuscation, and support for WQL queries, CMD, and PowerShell rever…
ransomware
matanbuchus
microsoft teams
maas
2025-07-18
Published: July 18, 2025
Downloadable IOCs: 11

KAWA4096’s Ransomware Tide: Rising Threat With Borrowed Styles

KAWA4096, a new ransomware that emerged in June 2025, has claimed at least 11 victims, primarily targeting the United States and Japan. The malware features a leak site mimicking the Akira ransomware group's style and a ransom note format similar to Qilin's. KAWA4096 employs multithreading, semapho…
ransomware
multithreading
2025-07-18
shadow copy deletion
kawa4096
data leak site
Published: July 18, 2025
Downloadable IOCs: 0

June 2025 Security Issues in Korean & Global Financial Sector

This comprehensive analysis covers cyber threats and security issues affecting financial companies in South Korea and globally. It examines malware and phishing cases targeting the financial sector, including the top 10 malware strains and leaked Korean account statistics on Telegram. The report de…
phishing
ransomware
data breach
financial sector
cybercrime forums
account takeover
dark web
2025-07-16
database leak
digital payments
everest
Published: July 16, 2025
Downloadable IOCs: 0

June 2025 Threat Trend Report on Ransomware

The June 2025 threat analysis reveals an increase in new ransomware samples compared to May. The data is based on detection names from AhnLab and information collected from Dedicated Leak Sites (DLS) of ransomware groups. Statistics cover the past six months, showing the total number of ransomware …
ransomware
raas
threat trends
md5 hashes
affected companies
statistics
safepay
devman
2025-07-16
dls
Published: July 16, 2025
Downloadable IOCs: 0

Analysis of Secp0 Ransomware

Secp0 is a ransomware that emerged in early 2025, initially mischaracterized as a vulnerability disclosure extortion group. It operates as a conventional double-extortion ransomware, encrypting data while threatening public disclosure. The malware is an ELF binary targeting Linux systems, using Cha…
ransomware
encryption
double-extortion
2025-07-16
secp0
Published: July 16, 2025
Downloadable IOCs: 6

A Hybrid Approach with Data Exfiltration and Encryption

The BlackSuit ransomware group, believed to be a rebrand of Royal ransomware, has emerged as a significant threat to organizations. This sophisticated attack combines data exfiltration and encryption, utilizing tools like Cobalt Strike for command and control, rclone for data exfiltration, and Blac…
ransomware
cobalt strike
rclone
encryption
data exfiltration
blacksuit
2025-07-12
Published: July 12, 2025
Downloadable IOCs: 0

Patch, track, repeat

The report discusses the current state of vulnerability management, highlighting the increasing number of CVEs published daily and the rise in Known Exploited Vulnerabilities (KEVs). It emphasizes the importance of continuous tracking and patching of vulnerabilities. The report also covers Microsof…
ransomware
ai security
kev
cve
2025-07-11
microsoft patches
cybersecurity updates
vulnerability management
Published: July 11, 2025
Downloadable IOCs: 3

Pay2Key's Resurgence: Iranian Cyber Warfare Targets the West

Pay2Key, an Iranian-backed ransomware-as-a-service operation, has re-emerged as Pay2Key.I2P, targeting Western organizations. Linked to the Fox Kitten APT group and collaborating with Mimic ransomware, the campaign has collected over $4 million in ransom payments in four months. The group offers an…
ransomware
raas
evasion techniques
2025-07-10
mimic
cyber warfare
pay2key
fox kitten
Published: July 10, 2025
Downloadable IOCs: 25

BERT Ransomware Group Targets Asia and Europe on Multiple Platforms

A newly emerged ransomware group called BERT has been targeting organizations across Asia and Europe since April. The group employs simple code with effective execution, impacting sectors such as healthcare, technology, and event services. BERT's ransomware operates on both Windows and Linux platfo…
linux
ransomware
powershell
windows
encryption
esxi
europe
asia
2025-07-07
bert
Published: July 7, 2025
Downloadable IOCs: 9

DEVMAN Ransomware: Analysis of New DragonForce Variant

A new ransomware strain resembling DragonForce but with unique traits has emerged, possibly connected to an entity called DEVMAN. The sample reuses DragonForce code but adds its own elements, including the .DEVMAN file extension. Attribution is unclear, as the ransom note is identical to DragonForc…
ransomware
conti
raas
dragonforce
mamona
2025-07-02
blacklock
devman
Published: July 2, 2025
Downloadable IOCs: 2

Dire Wolf Strikes: New Ransomware Group Targeting Global Sectors

A newly emerged ransomware group called Dire Wolf has been observed since May 2025, targeting multiple sectors globally with a focus on manufacturing and technology. The group employs double extortion tactics, encrypting files and threatening to publish stolen data. Analysis of a Dire Wolf ransomwa…
ransomware
golang
data leak
2025-07-02
dire wolf
Published: July 2, 2025
Downloadable IOCs: 2

10 Things I Hate About Attribution: RomCom vs. TransferLoader

This report analyzes the activities of two threat actor clusters: TA829 and UNK_GreenSec. TA829 conducts both espionage and cybercrime operations using tools like SingleCamper and DustyHammock. UNK_GreenSec deploys TransferLoader malware leading to ransomware infections. The actors share similariti…
ransomware
romcom
singlecamper
dustyhammock
shadyhammock
rustyclaw
meltingclaw
hellcat
morpheus
transferloader
2025-07-01
slipscreen
Published: July 1, 2025
Downloadable IOCs: 103

Hide Your RDP: Password Spray Leads to RansomHub Deployment

This report details a cyberattack where threat actors gained initial access through a password spray attack on an exposed RDP server. They used Mimikatz and Nirsoft for credential harvesting, and employed living-off-the-land techniques along with tools like Advanced IP Scanner for network discovery…
ransomware
credential theft
lateral movement
rdp
ransomhub
mimikatz
data exfiltration
password spray
living-off-the-land
2025-06-30
Published: June 30, 2025
Downloadable IOCs: 9

BERT RANSOMWARE - THE RAVEN FILE

BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and communicates via the dark web and Sessions for negotiations. Victims span multiple countries, primarily affecting service and manufactu…
linux
phishing
ransomware
powershell
windows
encryption
revil
sodinokibi
dark web
2025-06-20
bert ransomware
Published: June 20, 2025
Downloadable IOCs: 11

May 2025 Security Issues in Korean & Global Financial Sector

This comprehensive analysis covers cyber threats targeting financial companies in Korea and globally. It examines malware and phishing cases, top 10 malware strains, and statistics on leaked Korean accounts. The report delves into major financial threats on the dark web, including credit card data …
ransomware
lockbit
data breach
identity theft
play
dark web
2025-06-13
customer data
brokerage
arkana
safepay
Published: June 13, 2025
Downloadable IOCs: 0

Know thyself, know thy environment

This intelligence report emphasizes the importance of understanding one's own environment and personal weaknesses in cybersecurity. It stresses the need for repeatable processes to maintain knowledge of one's environment and advocates for continuous learning to fill skill gaps. The report also high…
ransomware
qilin
critical infrastructure
pathwiper
2025-06-12
patch management
environment knowledge
gps vulnerabilities
self-awareness
vulnerability disclosure
Published: June 12, 2025
Downloadable IOCs: 0

StopRansomware: Play Ransomware

The Play ransomware group has been actively targeting businesses and critical infrastructure across North America, South America, and Europe since June 2022. They gain initial access through exploiting vulnerabilities, using stolen credentials, and leveraging remote access services. The group emplo…
ransomware
systembc
grixba
play
CVE-2024-57727
2025-06-05
CVE-2022-41040
CVE-2022-41082
CVE-2018-13379
CVE-2020-12812
Published: June 5, 2025
Linked vulnerabilities : CVE-2024-57727 (CVSS 7.5), CVE-2022-41082, CVE-2022-41040, CVE-2020-12812, CVE-2018-13379
Downloadable IOCs: 8

Cybercriminals camouflaging threats as AI tool installers

Cybercriminals are exploiting the popularity of AI by distributing malware disguised as AI solution installers. Three threats have been identified: CyberLock ransomware, Lucky_Gh0$t ransomware, and a newly discovered destructive malware called Numero. CyberLock, developed using PowerShell, encrypts…
ransomware
powershell
seo poisoning
ai
yashma
chaos
seo manipulation
2025-05-29
cyberlock
technology sector
b2b sales
ai tools
lucky_gh0$t
marketing sector
fake installers
numero
2025-06-05
Published: June 5, 2025
Downloadable IOCs: 20

From Gamer to Malware Developer: Exploring SilverRat and Its Syrian Roots

This analysis delves into the development and capabilities of Silver RAT, a Remote Access Trojan created by a Syrian developer known as 'noradlb1'. The malware, initially observed in November 2023, offers features such as keylogging, UAC bypass, and data encryption. The developer, active on various…
ransomware
keylogger
remote access trojan
antivirus bypass
telegram channels
2025-06-04
syrian developer
hacking forums
silver rat
Published: June 4, 2025
Downloadable IOCs: 0

New Nitrogen Ransomware Targets Financial Firms in the US, UK and Canada

Nitrogen, a new ransomware strain identified in September 2024, has become a significant threat to organizations worldwide, particularly in the financial sector. It encrypts critical data and demands substantial payments for decryption, targeting industries such as finance, construction, manufactur…
ransomware
malvertising
cobalt strike
meterpreter
data exfiltration
nitrogen
2025-05-20
vulnerable driver
Published: May 20, 2025
Downloadable IOCs: 2

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware

A threat actor exploited an unpatched Confluence server using CVE-2023-22527, gaining initial access. They used Metasploit for command and control, then installed AnyDesk for persistent remote access. The attacker performed extensive network discovery, attempted privilege escalation using various t…
ransomware
CVE-2020-1472
CVE-2021-34527
mimikatz
metasploit
CVE-2023-22527
confluence
2025-05-19
elpaco-team
Published: May 19, 2025
Linked vulnerabilities : CVE-2021-34527, CVE-2020-1472, CVE-2023-22527, CVE-2023-22518
Downloadable IOCs: 33

The Good, the Bad and the Ugly in Cybersecurity – Week 20

This intelligence update covers recent cybersecurity events. In positive developments, global authorities disrupted a major botnet, arrested a ransomware actor, and dismantled a dark web marketplace. On the negative side, a malicious NPM package was discovered hiding multi-stage malware using Unico…
ransomware
zero-day
botnet
npm
dns hijacking
dark web
CVE-2025-27920
omserverservice.exe
omclientservice.exe
output messenger
2025-05-16
kurdish military
doppelpaymer
Published: May 16, 2025
Linked vulnerabilities : CVE-2025-27920 (CVSS 9.8)
Downloadable IOCs: 1

Mass Scanning and Exploit Campaigns

Trustwave SpiderLabs has identified ongoing malicious activities originating from Proton66 ASN, including vulnerability scanning, exploit attempts, and phishing campaigns. The investigation revealed connections between Proton66 and bulletproof hosting services advertised on underground forums. Mass…
ransomware
vulnerability exploitation
CVE-2024-41713
CVE-2024-10914
CVE-2024-55591
CVE-2025-24472
CVE-2025-0108
superblack
bulletproof hosting
2025-05-16
exploit campaigns
critical vulnerabilities
mass scanning
underground forums
Published: May 16, 2025
Linked vulnerabilities : CVE-2024-41713 (CVSS 7.5), CVE-2024-10914 (CVSS 8.1), CVE-2024-55591 (CVSS 9.8), CVE-2025-24472 (CVSS 8.1), CVE-2025-0108 (CVSS 9.1)
Downloadable IOCs: 22

Part 2: Compromised WordPress Pages and Malware Campaigns

This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign tar…
xworm
phishing
ransomware
android
remcos
wordpress
credential theft
strela stealer
proton66
weaxor
2025-05-16
Published: May 16, 2025
Downloadable IOCs: 45

Unfiltered look into LockBit’s operations

A breach of LockBit's dark web affiliate panels exposed a rare glimpse into their operations. The leaked data included Bitcoin addresses, admin credentials, and a chat log revealing negotiation tactics and ransom demands. Ransom amounts varied widely, with some victims confused about the demands. T…
ransomware
lockbit
data breach
initial access brokers
dark web
2025-05-15
affiliate panels
negotiation tactics
Published: May 15, 2025
Downloadable IOCs: 3

Technical Analysis of TransferLoader

TransferLoader is a newly identified malware loader active since February 2025. It comprises multiple components including a downloader, backdoor, and specialized loader. The malware employs various anti-analysis techniques and code obfuscation to hinder reverse engineering. TransferLoader has been…
backdoor
obfuscation
ransomware
anti-analysis
c2
downloader
morpheus
2025-05-15
ipfs
transferloader
Published: May 15, 2025
Downloadable IOCs: 7

April 2025 Threat Trend Report on Ransomware

This analysis presents ransomware statistics for April 2025, including new samples collected, affected systems, and targeted companies. The report shows a relative increase in new ransomware samples compared to March. It provides a six-month overview of collected samples and details on companies af…
ransomware
2025-05-14
threat trends
nightspire
md5 hashes
dedicated leak sites
sample collection
affected companies
atip infrastructure
statistics
sarcoma
Published: May 14, 2025
Downloadable IOCs: 5

Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal

The Agenda ransomware group has expanded its capabilities by incorporating SmokeLoader malware and a new loader called NETXLOADER. NETXLOADER is a highly obfuscated .NET-based loader that utilizes advanced techniques to evade detection and complicate analysis. The group has been targeting healthcar…
ransomware
evasion
rust
smokeloader
.net
2025-05-07
netxloader
Published: May 7, 2025
Downloadable IOCs: 8

Malware Analysis Mamona: Technical Analysis of a New Ransomware Strain

Mamona is a newly identified commodity ransomware that operates entirely offline, with no observed Command and Control channels or data exfiltration. It uses custom local encryption routines and employs an obfuscated delay technique involving a ping to 127.0.0.7. The ransomware encrypts user files,…
ransomware
encryption
2025-05-07
mamona
Published: May 7, 2025
Downloadable IOCs: 0

DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists

The DragonForce ransomware group, initially a pro-Palestine hacktivist operation, has evolved into a profit-driven extortion enterprise targeting UK retailers and various global entities. Emerging in August 2023, the group now employs a multi-extortion model, threatening data leaks and reputational…
ransomware
extortion
cobalt strike
CVE-2024-21412
CVE-2021-44228
CVE-2024-21887
CVE-2023-46805
systembc
2025-05-03
CVE-2024-21893
multi-extortion
dragonforce ransomware
white-label
Published: May 3, 2025
Downloadable IOCs: 0

Nitrogen Dropping Cobalt Strike – A Combination of 'Chemical Elements'

The Nitrogen ransomware group has expanded its operations from North America to Africa and Europe since September 2024. They utilize malvertising tactics, disguising malicious payloads as legitimate software like WinSCP. The group employs DLL sideloading for initial access, followed by Cobalt Strik…
ransomware
malvertising
cobalt strike
dll sideloading
lateral movement
nitrogen
2025-05-02
nitrogenloader
Published: May 2, 2025
Downloadable IOCs: 2

Navigating Through The Fog

An open directory linked to a Fog ransomware affiliate was discovered, containing tools for reconnaissance, exploitation, lateral movement, and persistence. Initial access was gained through compromised SonicWall VPN credentials, while other tools facilitated credential theft and exploitation of Ac…
ransomware
anydesk
persistence
credential theft
CVE-2020-1472
CVE-2021-42278
CVE-2021-42287
sliver
lateral movement
vpn
fog ransomware
sonicwall
2025-04-28
active directory
Published: April 28, 2025
Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2020-1472
Downloadable IOCs: 1

Introducing ToyMaker

The initial access broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence is a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. …
ransomware
powershell
anydesk
persistence
winscp
impacket
bugsleep
ssh
metasploit
initial access broker
file transfer
cactus
2025-04-23
lagtoy
toymaker
magnet ram
capture
holerun
Published: April 23, 2025
Downloadable IOCs: 20

FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE

An investigation of nine malware samples revealed FOG ransomware being distributed by cybercriminals impersonating the Department of Government Efficiency (DOGE). The ransomware, spread via email and phishing attacks, is concealed in a ZIP file named 'Pay Adjustment.zip'. The infection chain involv…
phishing
ransomware
foggyweb
privilege escalation
data exfiltration
sandbox evasion
multi-stage
2025-04-21
doge
Published: April 21, 2025
Downloadable IOCs: 6

Proton66: Compromised WordPress Pages and Malware Campaigns

This intelligence briefing focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. It details how these sites were injected with malicious scripts to redirect Android users to fake Google Play Store pages. The report also…
xworm
phishing
ransomware
android
korea
remcos
wordpress
strela stealer
2025-04-18
germany
weaxor
Published: April 18, 2025
Downloadable IOCs: 48

Inside BRUTED: Black Basta (RaaS) Used Automated Brute Forcing Framework to Target Edge Network Devices

Black Basta, a ransomware-as-a-service group, has been using an automated brute forcing framework called BRUTED to target edge network devices since 2023. The framework performs internet scanning and credential stuffing against firewalls and VPN solutions in corporate networks. Black Basta prioriti…
ransomware
cobalt strike
black basta
vpn
esxi
brute ratel
raas
edge devices
brute-force
firewall
2025-03-17
credential-stuffing
edge-devices
bruted
2025-04-16
Published: April 16, 2025
Downloadable IOCs: 18

Interlock ransomware evolving under the radar

The Interlock ransomware group, active since September 2024, has shown adaptability and innovation in its tactics despite a relatively low victim count. They employ fake browser updates and the ClickFix technique for initial access, followed by a multi-stage attack chain involving PowerShell backdo…
ransomware
lumma
clickfix
double extortion
remote access trojan
2025-04-16
credential stealer
berserkstealer
interlock rat
interlock ransomware
fake updaters
powershell backdoor
Published: April 16, 2025
Downloadable IOCs: 0

CrazyHunter Campaign Targets Taiwanese Critical Sectors

The CrazyHunter ransomware group has emerged as a significant threat, specifically targeting Taiwanese organizations in healthcare, education, and industrial sectors. The group employs sophisticated techniques, including the Bring Your Own Vulnerable Driver (BYOVD) method, to bypass security measur…
ransomware
taiwan
byovd
prince ransomware
2025-04-16
zammocide
prince ransomware builder
critical sectors
open-source tools
gpo exploitation
Published: April 16, 2025
Downloadable IOCs: 9

HelloKitty Ransomware Resurfaced

The HelloKitty ransomware group, active since late 2020, has resurfaced with new variants in 2024 and potentially 2025. Originally forking from DeathRansom, HelloKitty targets Windows and Linux environments, appending .CRYPTED, .CRYPT, or .KITTY extensions to encrypted files. The group has used mul…
linux
ransomware
hellokitty
2025-04-15
fivehands
Published: April 15, 2025
Downloadable IOCs: 0

Ransomware Initial Access Brokers Exposed

An investigation into a brute force attack on an exposed Remote Desktop server led to the discovery of a larger ransomware ecosystem, particularly initial access brokers. The attack began with domain enumeration and successful compromise of an account from multiple IP addresses. The threat actor's …
ransomware
credential harvesting
rdp
vpn
blacksuit
infrastructure
brute force
initial access brokers
2025-04-11
hive
domain enumeration
Published: April 11, 2025
Downloadable IOCs: 0

Exploitation of CLFS zero-day leads to ransomware activity

A zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS) has been exploited against targets in IT, real estate, finance, software, and retail sectors across multiple countries. The exploit, deployed by PipeMagic malware and attributed to Storm-2460, enables privilege…
ransomware
windows
zero-day
privilege escalation
ransomexx
CVE-2025-24983
CVE-2025-29824
2025-04-09
clfs
pipemagic
Published: April 9, 2025
Linked vulnerabilities : CVE-2025-24983 (CVSS 7.0), CVE-2025-29814 (CVSS 9.3), CVE-2025-29824 (CVSS 7.8)
Downloadable IOCs: 0

CrazyHunter: The Rising Threat of Open-Source Ransomware

A ransomware attack on Mackay Memorial Hospital in Taiwan highlights the growing use of publicly available offensive tools by threat actors. The CrazyHunter ransomware, built using the Prince Ransomware builder from GitHub, encrypted over 600 devices across two hospital branches. The attack, likely…
ransomware
prince ransomware
2025-04-08
crazyhunter
Published: April 8, 2025
Downloadable IOCs: 10

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

In January 2025, a Managed Service Provider administrator was targeted by a sophisticated phishing attack impersonating a ScreenConnect authentication alert. The attackers, affiliated with Qilin ransomware and tracked as STAC4365, used an adversary-in-the-middle technique to bypass multi-factor aut…
screenconnect
phishing
ransomware
supply chain
mfa bypass
qilin
CVE-2023-27532
2025-04-01
evilginx
stac4365
msp
Published: April 1, 2025
Downloadable IOCs: 0

Fake Zoom Ends in BlackSuit Ransomware

A malicious website mimicking Zoom led to the installation of a trojanized installer, initiating a multi-stage attack. The initial payload, d3f@ckloader, downloaded additional components, including SectopRAT. After nine days, the threat actor deployed Brute Ratel and Cobalt Strike beacons for later…
ransomware
cobalt strike
exfiltration
lateral movement
proxy
blacksuit
sectoprat
brute ratel
2025-03-31
d3f@ckloader
qdoor
Published: March 31, 2025
Downloadable IOCs: 0

Money Laundering 101, and why there is concern

This newsletter discusses the process of money laundering in the context of cybercrime, particularly ransomware attacks. It explains the three basic steps of money laundering: placement, layering, and integration. The author expresses concern about regulatory changes that might facilitate easier mo…
malware
ransomware
cryptocurrency
spam
cybercrime
email security
w32.file.malparent
coinminer:mbt.26mw.in14.talos
2025-03-28
trojan.generickd.33515991
money laundering
simple_custom_detection
regulatory changes
Published: March 28, 2025
Downloadable IOCs: 0

Shifting the sands of RansomHub's EDRKillShifter

ESET researchers analyze the ransomware ecosystem in 2024, focusing on the newly emerged RansomHub gang. They uncover connections between RansomHub affiliates and rival gangs Play, Medusa, and BianLian through the use of EDRKillShifter, a custom EDR killer developed by RansomHub. The researchers le…
ransomware
bianlian
medusa
edrkillshifter
systembc
grixba
byovd
play
2025-03-27
scransom
Published: March 27, 2025
Downloadable IOCs: 0

Albabat Ransomware Group Potentially Expands Targets to Multiple OS Uses GitHub to Streamline Operations

The Albabat ransomware group has evolved its malware to target Windows, Linux, and macOS devices, as evidenced by new versions 2.0.0 and 2.5. The group is using GitHub to streamline operations, storing configuration files and essential components. The ransomware ignores specific folders, encrypts c…
ransomware
cryptocurrency
encryption
github
multi-platform
2025-03-21
albabat
database
configuration
system information
Published: March 21, 2025
Downloadable IOCs: 2

Shedding light on the ABYSSWORKER driver

The ABYSSWORKER driver is a malicious tool used in conjunction with MEDUSA ransomware to disable anti-malware systems. It employs a HEARTCRYPT-packed loader and a revoked certificate-signed driver to target and silence EDR vendors. The driver imitates a legitimate CrowdStrike Falcon driver and uses…
obfuscation
ransomware
medusa
edr
driver
heartcrypt
process termination
2025-03-20
abyssworker
file manipulation
Published: March 20, 2025
Downloadable IOCs: 2

Dragon RaaS | Pro-Russian Hacktivist Group Aims to Build on "The Five Families" Cybercrime Reputation

Dragon RaaS is a ransomware group that emerged in July 2024 as an offshoot of Stormous, part of a larger cybercrime syndicate known as 'The Five Families'. The group markets itself as a sophisticated Ransomware-as-a-Service operation but often conducts defacements and opportunistic attacks rather t…
ransomware
cybercrime
CVE-2024-3806
CVE-2024-3807
CVE-2024-3808
CVE-2024-3809
hacktivism
webshell
vulnerability exploitation
CVE-2024-47374
2025-03-19
defacement
stormcry
CVE-2022-0073
CVE-2023-2359
CVE-2023-6925
dragon raas
CVE-2023-47784
CVE-2022-0074
pro-russian
Published: March 19, 2025
Downloadable IOCs: 0

New Ransomware Operator Exploits Fortinet Vulnerability Duo

A new ransomware operator, dubbed Mora_001, has been exploiting Fortinet firewall vulnerabilities CVE-2024-55591 and CVE-2025-24472 to gain unauthorized access and deploy a modified version of LockBit ransomware. The threat actor creates persistent admin accounts, exfiltrates firewall configuration…
ransomware
lockbit
lateral movement
data exfiltration
fortinet
firewall
CVE-2024-55591
CVE-2025-24472
2025-03-14
superblack
wipeblack
Published: March 14, 2025
Downloadable IOCs: 23

SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware

SocGholish, a malware-as-a-service framework, is being used to deploy RansomHub ransomware. It compromises legitimate websites, redirecting visitors to fake browser updates that deliver malicious payloads. The highly obfuscated JavaScript loader evades detection and executes various tasks, includin…
backdoor
ransomware
javascript
socgholish
credential theft
ransomhub
compromised websites
2025-03-14
keitaro tds
Published: March 14, 2025
Downloadable IOCs: 0

Head Mare and Twelve: Joint attacks on Russian entities

Head Mare and Twelve, two hacktivist groups, have launched joint attacks on Russian companies. Head Mare has expanded its toolkit, now using tools previously associated only with Twelve, such as the CobInt backdoor. The attackers gained initial access through phishing emails and compromised contrac…
ransomware
lockbit
hacktivism
CVE-2021-26855
CVE-2023-38831
babuk
lockbit 3.0
cobint
infrastructure sharing
2025-03-13
phantomjitter
Published: March 13, 2025
Downloadable IOCs: 0

Camera off: Akira deploys ransomware via webcam

Akira, a prominent ransomware group, accounted for 15% of incidents in 2024, showcasing novel evasion techniques. In a recent attack, Akira circumvented an Endpoint Detection and Response (EDR) tool by compromising an unsecured webcam to deploy ransomware. After initial detection, the group pivoted…
ransomware
anydesk
iot
remote access
edr evasion
network segmentation
2025-03-11
akira ransomware
webcam
smb protocol
Published: March 11, 2025
Downloadable IOCs: 0

Medusa Ransomware Activity Continues to Increase

Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024.
ransomware
blackcat
anydesk
rclone
service
medusa
netscan
raas
medusalocker
psexec
simplehelp
2025-03-06
ttps
pdq deploy
pdq inventory
spearwing
navicat
avkiller
Published: March 6, 2025
Downloadable IOCs: 45

Deep Dive Into Allegedly AI-Generated FunkSec Ransomware

A new Rust-based ransomware called FunkSec has emerged, claiming to use artificial intelligence in its development. First appearing in 2024, it demonstrates a mix of sophisticated capabilities and developmental inconsistencies. FunkSec implements advanced features like XChaCha20 encryption and comp…
ransomware
persistence
evasion techniques
anti-vm
funksec
2025-03-04
ai-generated
Published: March 4, 2025
Downloadable IOCs: 1

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. Th…
social engineering
ransomware
darkgate
black basta
lateral movement
privilege escalation
systembc
2025-03-03
cactus
backconnect
cloud storage abuse
onedrive exploitation
Published: March 3, 2025
Downloadable IOCs: 0

DragonForce Ransomware Group is Targeting Saudi Arabia

DragonForce ransomware has targeted organizations in Saudi Arabia, with a significant data leak from a Riyadh real estate and construction company. The group exfiltrated over 6 TB of data, setting a deadline just before Ramadan. DragonForce operates on a RaaS model, offering high commission rates f…
ransomware
construction
raas
dragonforce
2025-02-27
saudi arabia
dark web
real estate
Published: February 27, 2025
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2024-21412, CVE-2024-21893
Downloadable IOCs: 17

Confluence Exploit Leads to LockBit Ransomware

An intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, leading to LockBit ransomware deployment across the environment. The threat actor utilized various tools including Mimikatz, Metasploit, and AnyDesk. They leveraged RDP for lateral movement and deplo…
ransomware
lockbit
exfiltration
credential theft
lateral movement
rdp
CVE-2023-22527
confluence
2025-02-24
Published: February 24, 2025
Linked vulnerabilities : CVE-2017-0199, CVE-2023-22515, CVE-2023-22527, CVE-2023-22518
Downloadable IOCs: 15

Finance Report: Who Targets Financial Institutions?

This report provides an overview of key cybercrime and state-sponsored threat actors targeting the financial sector in 2024. It highlights the critical role of Initial Access Brokers in enabling large-scale attacks, the persistent threat of ransomware and extortion groups, and the increasing sophis…
apt
phishing
ransomware
cybercrime
ransomhub
edrkillshifter
rustbucket
goldpickaxe
financial sector
2025-02-20
catb
initial access brokers
jsoutprox
tradertraitor
golddigger
state-sponsored threats
goldkefu
tycoon 2fa
banking trojans
sneaky 2fa
golddiggerplus
Published: February 20, 2025
Downloadable IOCs: 0

Updated Shadowpad Malware Leads to Ransomware Deployment

A recent investigation revealed Shadowpad malware being used to deploy a new ransomware family in Europe. The threat actor targeted 21 companies across 15 countries, primarily in the manufacturing sector. Access was gained through remote network attacks, exploiting weak passwords and bypassing mult…
ransomware
plugx
shadowpad
impacket
manufacturing
anti-debugging
2025-02-20
dns over https
multi-factor authentication bypass
remote network attacks
intellectual property theft
cqhashdumpv2
Published: February 20, 2025
Downloadable IOCs: 0

Vgod RANSOMWARE

A new ransomware strain called Vgod has been observed targeting Windows systems. It encrypts files, appending the '.Vgod' extension, and leaves a ransom note titled 'Decryption Instructions.txt'. The ransomware changes the desktop wallpaper and employs a double extortion model, threatening data exp…
ransomware
evasion
windows
persistence
encryption
double extortion
2025-02-18
file extension
vgod
Published: February 18, 2025
Downloadable IOCs: 1

Ransomware Roundup – Lynx

The Lynx ransomware, first detected in July 2024, is a Windows-targeting malware that encrypts files and demands ransom for decryption. It shares similarities with the INC ransomware but offers more granular control. Lynx encrypts files with a .LYNX extension, changes desktop backgrounds, and print…
ransomware
windows
encryption
construction
data leak
manufacturing
2025-02-17
brave prince
lynx
Published: February 17, 2025
Downloadable IOCs: 9

CL0P Ransomware: Latest Attacks

The Cl0p ransomware group has recently targeted 43 organizations across various industries, with a focus on Manufacturing, Retail, and Transportation sectors. The majority of victims are located in the US, Canada, and Europe. The attackers likely exploited the Cleo vulnerability (CVE-2024-50623) fo…
ransomware
data exfiltration
transportation
CVE-2024-50623
manufacturing
retail
2025-02-12
ta505
cl0p
cleo vulnerability
evil corp
Published: February 12, 2025
Linked vulnerabilities : CVE-2024-50623 (CVSS 8.8)
Downloadable IOCs: 6

XELERA Ransomware Campaign: Fake Food Corporation of India Job Offers Targeting Tech Aspirants

A newly discovered ransomware campaign is targeting tech job aspirants in India using fake Food Corporation of India job offers. The XELERA ransomware, written in Python and packed with PyInstaller, is distributed through spear-phishing emails containing malicious Word documents. The infection chai…
ransomware
india
spear-phishing
pyinstaller
2025-02-12
job offer
tech sector
discord bot
xelera
memz
Published: February 12, 2025
Downloadable IOCs: 4

The Anatomy of Abyss Locker Ransomware Attack

Abyss Locker (AKA Abyss ransomware) is a relatively new threat group that emerged in 2023, specializing in swift and decisive intrusions designed to cripple victims with ransomware. Abyss Locker was active throughout 2024, causing multiple incidents investigated by Sygnia. However, no recent techni…
backdoor
ransomware
rclone
persistence
service
esxi
chisel
psexec
2025-02-10
file
locker
abyss locker
defender
smbexec
strong
vulnerable
remcom
impact
story
patch
restrict
velvet
ssh tunneling
Published: February 10, 2025
Downloadable IOCs: 15

Hackers Hijack JFK File Release: Malware & Phishing Surge

A potentially growing cyber threat campaign has been uncovered surrounding the release of declassified JFK, RFK, and MLK files. Attackers are exploiting public interest in these historical documents to launch malware campaigns, phishing schemes, and exploit attempts. Within days of the announcement…
malware
phishing
social engineering
ransomware
spyware
domain spoofing
2025-02-03
cyber threat
trojans
declassified files
historical documents
jfk files
Published: February 3, 2025
Downloadable IOCs: 4

Exposed SMB: The Hidden Risk Behind 'WantToCry' Ransomware Attacks

The WantToCry ransomware group, active since December 2023, has intensified its operations in 2024 by exploiting misconfigured Server Message Block (SMB) services. The group targets multiple network services, including SMB, SSH, FTP, RPC, and VNC, using brute-force attacks with a database of over o…
ransomware
smb
2025-01-31
wanttocry
Published: January 31, 2025
Downloadable IOCs: 2

Phorpiex - Downloader Delivering Ransomware

The report analyzes the Phorpiex botnet's role in delivering LockBit Black Ransomware. It highlights the automated execution of ransomware through Phorpiex, minimal changes to the botnet's code since its source code sale in 2021, and direct deployment of LockBit without network expansion. The analy…
phishing
ransomware
lockbit
botnet
phorpiex
downloader
gandcrab
2025-01-29
twizt
Published: January 29, 2025
Downloadable IOCs: 14

WINDOWS LOCKER RANSOMWARE

A new ransomware strain called 'Windows Locker' has been identified, targeting victims by encrypting files and appending the .winlocker extension. Upon infection, it drops a ransom note named Readme.txt with instructions for contacting the attacker. Written in .NET, this sophisticated malware modif…
ransomware
2025-01-29
windows locker
Published: January 29, 2025
Downloadable IOCs: 3

Windows Locker Ransomware Analysis

A new ransomware strain called 'Windows Locker' has been identified, targeting victims by encrypting files and appending the .winlocker extension. Upon infection, it drops a ransom note named Readme.txt with instructions for contacting the attacker. Written in .NET, this sophisticated malware modif…
ransomware
2025-01-29
windows locker
Published: January 29, 2025
Downloadable IOCs: 0

Analysis of Interlock Ransomware Attack on Healthcare Facilities

The Interlock ransomware group has been actively targeting healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data. The attacks involve drive-by compromise techniques, using fake software updaters to deploy malware. The group employs double-ex…
ransomware
credential theft
healthcare
lateral movement
data exfiltration
double-extortion
interlock
2025-01-28
drive-by compromise
Published: January 28, 2025
Downloadable IOCs: 0

From Royal to BlackSuit: How a Ransomware Rebrand Reshaped Them

This intelligence report analyzes the evolution of the Russian-speaking ransomware group Royal as it rebranded to BlackSuit. The transition involved a shift from prioritizing data exfiltration to focusing more on encryption. The group's journey from 2022 to 2025 is detailed, including their tactics…
ransomware
blacksuit
2025-01-27
royal
Published: January 27, 2025
Downloadable IOCs: 8

Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware

This report details an intrusion that began with the execution of a Cobalt Strike beacon masquerading as a Windows Media Configuration Utility. The threat actor used various tools for persistence, lateral movement, and data exfiltration, including SystemBC and GhostSOCKS proxies, Rclone, and PsExec…
ransomware
lockbit
cobalt strike
rclone
exfiltration
lateral movement
systembc
ghostsocks
2025-01-27
Published: January 27, 2025
Downloadable IOCs: 21

Two Brands, One Payload as Ransomware Affiliates Drop Identical Code

Recent months have seen increased activity in new ransomware operations, including HellCat and Morpheus. Analysis of payloads from both operations reveals that affiliates are using almost identical code. The ransomware samples, uploaded to VirusTotal in December 2024, share similarities in behavior…
ransomware
raas
2025-01-23
hellcat
morpheus
Published: January 23, 2025
Downloadable IOCs: 2

Protecting Against the Exploited CVEs in the Cleo Data Theft Attacks

The Clop ransomware group has exploited critical vulnerabilities in Cleo's managed file transfer software, specifically CVE-2024-50623 and CVE-2024-55956. These vulnerabilities allow unrestricted file upload/download and execution of arbitrary commands. Imperva has observed over 1 million exploitat…
ransomware
powershell
data theft
extortion
persistence
CVE-2024-50623
CVE-2024-55956
2025-01-22
clop
file transfer
Published: January 22, 2025
Downloadable IOCs: 2

Zyxel vulnerability exploited by 'Helldown' ransomware group

The article details a cybersecurity incident where the "Helldown" ransomware group exploited a vulnerability in Zyxel firewall devices. The attackers gained administrator access to the firewall console, collected domain credentials, and compromised the infrastructure. They used VPN services to mask…
ransomware
vulnerability
2025-01-22
zyxel
Published: January 22, 2025
Downloadable IOCs: 0

Two ransomware campaigns tracked using 'email bombing' and Microsoft Teams 'vishing'

Sophos MDR has identified two threat clusters, STAC5143 and STAC5777, targeting organizations using Microsoft Office 365. Both employ similar tactics: email bombing to create urgency, followed by social engineering via Microsoft Teams calls posing as tech support. The attackers use remote access to…
social engineering
ransomware
black basta
vishing
email bombing
2025-01-22
Published: January 22, 2025
Downloadable IOCs: 17

Two ransomware campaigns tracked using 'email bombing,' Microsoft Teams 'vishing'

Sophos MDR has identified two threat clusters, STAC5143 and STAC5777, utilizing Microsoft Office 365 to gain unauthorized access to organizations. Both groups employ email bombing and fake tech support social engineering via Microsoft Teams to deliver malware. STAC5143 uses Java and Python-based to…
ransomware
black basta
vishing
microsoft teams
2025-01-21
office 365
stac5777
stac5143
email bombing
Published: January 21, 2025
Downloadable IOCs: 15

Play Ransomware impersonates SentinelOne for stealth recon

A Play ransomware attack involving a reconnaissance tool called Grixba was detected and prevented. The attack began with the deployment of Grixba via RDP to a Windows server. The Grixba file was disguised as legitimate SentinelOne software, a new tactic for the group. Grixba is an obfuscated .NET-b…
obfuscation
ransomware
.net
rdp
reconnaissance
grixba
play
2025-01-17
sentinelone impersonation
xor encryption
Published: January 17, 2025
Downloadable IOCs: 4

RansomHub Affiliate leverages Python-based backdoor

A threat actor utilized a Python-based backdoor to maintain access to compromised endpoints, later deploying RansomHub encryptors across the impacted network. The malware, an updated version of a previously documented backdoor, features obfuscation, deployment via RDP, and unique indicators of comp…
obfuscation
ransomware
socgholish
lateral movement
ransomhub
python backdoor
c2 infrastructure
socks5
2025-01-16
reverse proxy
Published: January 16, 2025
Downloadable IOCs: 6

FunkSec – Alleged Top Ransomware Group Powered by AI

FunkSec, an emerging ransomware group, gained prominence in late 2024 with over 85 claimed victims in December. The group's activities blend hacktivism and cybercrime, using AI-assisted malware development to quickly produce advanced tools despite apparent inexperience. FunkSec offers custom ransom…
ransomware
ddos
rust
hacktivism
double extortion
2025-01-10
ai-assisted
Published: January 10, 2025
Downloadable IOCs: 9

December 2024 Threat Trend Report on Ransomware

This analysis provides statistics on new ransomware samples, targeted systems, and affected companies in November 2024. The number of new samples in December remained consistent with November's figures. The data is based on AhnLab's detection names and information from ransomware groups' Dedicated …
ransomware
2025-01-09
funksec
Published: January 9, 2025
Downloadable IOCs: 0

NotLockBit: A Deep Dive Into the New Ransomware Threat

NotLockBit is an emerging ransomware family that mimics LockBit's behavior while targeting both macOS and Windows systems. Distributed as an x86_64 golang binary, it showcases advanced capabilities including targeted file encryption, data exfiltration, and self-deletion mechanisms. The malware gath…
ransomware
encryption
golang
cross-platform
data-exfiltration
2024-12-19
notlockbit
aws-abuse
self-deletion
Published: December 19, 2024
Downloadable IOCs: 5

Hacktivists attack Russian organizations using rare RATs

The Cyber Anarchy Squad (C.A.S) is a hacktivist group targeting Russian and Belarusian organizations since 2022. They exploit vulnerabilities in public services and use free tools to inflict maximum damage. The group employs rare remote access Trojans like Revenge RAT and Spark RAT, alongside commo…
ransomware
russia
belarus
lockbit
meterpreter
telegram
babuk
spark rat
hacktivist
2024-12-18
revenge rat
data destruction
Published: December 18, 2024
Downloadable IOCs: 0

Brain Cipher Ransomware uses CVE-2023-28252

Brain Cipher ransomware is suspected of exploiting CVE-2023-28252, a vulnerability previously utilized by the now-inactive Nokowaya Ransomware Group. The exploit, often disguised as 'clfs_eop.exe', targets the Microsoft Windows CLFS Driver for privilege escalation. This vulnerability is being sold …
ransomware
privilege-escalation
2024-12-17
CVE-2023-28252
brain cipher
clfs filename
Published: December 17, 2024
Downloadable IOCs: 2

Intensifies Attacks On Russia With PhantomCore

The Head Mare hacktivist group has escalated its campaign against Russian targets using the PhantomCore backdoor. The group employs deceptive ZIP archives containing malicious LNK files and executables disguised as archive files to deploy PhantomCore. This C++-compiled backdoor, which replaces earl…
backdoor
apt
ransomware
russia
lockbit
CVE-2023-38831
babuk
phantomcore
2024-12-11
hacktivist
boost.beast
Published: December 11, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 31

Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware

A resurgence of activity related to the Black Basta ransomware campaign has been observed since early October. The threat actors have refined their tactics, introducing new malware payloads, improved delivery methods, and enhanced defense evasion techniques. The attacks begin with email bombing of …
ransomware
darkgate
2024-12-09
blackbasta
zbot
Published: December 9, 2024
Downloadable IOCs: 72

A Technical Look At The New 'Termite' Ransomware That Hit Blue Yonder

The Termite ransomware, a rebranded version of Babuk, recently targeted supply chain management platform Blue Yonder. This new strain employs advanced tactics, including double extortion, to maximize its impact. Upon execution, it terminates services, deletes shadow copies, empties the recycle bin,…
ransomware
babuk
double extortion
2024-12-07
file encryption
network shares
termite
blue yonder
Published: December 7, 2024
Downloadable IOCs: 0

Inside Akira Ransomware's Rust Experiment

Check Point Research analyzed the Rust version of Akira ransomware that targeted ESXi servers in early 2024. The malware's complex assembly is attributed to Rust idioms, boilerplate code, and compiler strategies. The analysis reveals the ransomware's use of the seahorse CLI framework, indicatif lib…
ransomware
rust
akira
2024-12-03
Published: December 3, 2024
Downloadable IOCs: 0

Howling Scorpius (Akira Ransomware)

Howling Scorpius, the entity behind Akira ransomware-as-a-service, has become one of the top five most active ransomware groups since emerging in early 2023. They target small to medium-sized businesses across various sectors in North America, Europe, and Australia using a double extortion strategy…
ransomware
akira
raas
double extortion
megazord
2024-12-03
howling scorpius
Published: December 3, 2024
Linked vulnerabilities : CVE-2024-0012 (CVSS 9.8), CVE-2024-9474 (CVSS 7.2), CVE-2023-20269, CVE-2020-3259
Downloadable IOCs: 44

Ransomware Roundup - Interlock

The Interlock ransomware is a new variant targeting Microsoft Windows and FreeBSD systems. It encrypts files and demands ransom for decryption. The malware has both Windows and FreeBSD versions, using AES-CBC encryption and adding a '.interlock' extension to encrypted files. It excludes certain fil…
ransomware
encryption
interlock
2024-12-03
Published: December 3, 2024
Downloadable IOCs: 5

Threat Assessment: Distributors of BlackSuit Ransomware

Ignoble Scorpius, previously known as Royal ransomware, has rebranded as BlackSuit ransomware and increased its activity since March 2024. The group has targeted at least 93 victims globally, with a focus on the construction and manufacturing industries. Their initial ransom demands average 1.6% of…
ransomware
extortion
cobalt strike
credential theft
gootloader
lateral movement
mimikatz
data exfiltration
blacksuit
systembc
supply chain attack
2024-11-20
nanodump
Published: November 20, 2024
Downloadable IOCs: 2

Helldown Ransomware: an overview of this emerging threat

Helldown is a new and highly active ransomware group that has claimed 31 victims in three months. It employs custom ransomware for Windows and Linux systems, engages in double extortion, and exploits vulnerabilities in Zyxel firewalls for initial access. The group exfiltrates large volumes of data,…
linux
ransomware
windows
data exfiltration
CVE-2024-42057
double extortion
2024-11-20
helldown
emerging threat
zyxel vulnerability
vmware esx
Published: November 20, 2024
Downloadable IOCs: 0

New Ymir ransomware discovered used together with RustyStealer | Securelist

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…
ransomware
powershell
encryption
incident response
chacha20
systembc
2024-11-11
rustystealer
ymir
Published: November 11, 2024
Downloadable IOCs: 12

New Ymir ransomware discovered used together with RustyStealer

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…
ransomware
powershell
encryption
incident response
chacha20
systembc
2024-11-11
rustystealer
ymir
Published: November 11, 2024
Downloadable IOCs: 0

Unwrapping the emerging Interlock ransomware attack

A new ransomware group called Interlock has emerged, targeting various sectors with big-game hunting and double extortion attacks. The group uses a sophisticated delivery chain including a RAT disguised as a browser updater, PowerShell scripts, credential stealers, and keyloggers. They primarily mo…
rat
ransomware
azure
rdp
keylogger
double-extortion
rhysida
2024-11-07
credential-stealer
interlock
Published: November 7, 2024
Downloadable IOCs: 2

LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus

LUNAR SPIDER, a Russian-speaking financially motivated threat group, has resumed operations following law enforcement disruptions. They've shifted from using IcedID to leveraging Latrodectus and Brute Ratel C4 malware, targeting financial services through SEO poisoning malvertising campaigns. The g…
ransomware
malvertising
seo poisoning
icedid
latrodectus
2024-10-31
brute ratel c4
financial sector
infrastructure sharing
Published: October 31, 2024
Downloadable IOCs: 0

Chinese Hackers Toolkit Uncovered And Activity History Uncovered

A Chinese hacking group called 'You Dun' was discovered through an exposed open directory, revealing their comprehensive attack infrastructure. The group utilized sophisticated reconnaissance tools and exploited Zhiyuan OA software via SQL injection attacks, targeting South Korean pharmaceutical or…
sql injection
ransomware
cobalt strike
privilege escalation
lockbit 3.0
2024-10-28
c2 infrastructure
CVE-2021-25003
chinese hackers
viper framework
reconnaissance tools
Published: October 28, 2024
Linked vulnerabilities : CVE-2021-25003
Downloadable IOCs: 7

Inside the Open Directory of the “You Dun” Threat Group

An open directory exposed a Chinese-speaking threat actor's toolkit and operational history. The actor conducted extensive scanning and exploitation targeting organizations in South Korea, China, Thailand, Taiwan, and Iran using tools like WebLogicScan, Vulmap, and Xray. The Viper C2 framework and …
ransomware
lockbit
cobalt strike
2024-10-28
weblogic exploitation
viper c2
chinese threat actor
Published: October 28, 2024
Downloadable IOCs: 3

The Good, the Bad and the Ugly in Cybersecurity - Week 43

CISA proposes new security measures to protect sensitive data from adversary nations, following President Biden's Executive Order. A free file recovery tool for early Mallox ransomware victims is released. A novel macOS ransomware, macOS.NotLockBit, is discovered abusing AWS S3 for data exfiltratio…
ransomware
zero-day
mallox
cisa
CVE-2024-47575
2024-10-25
fortinet
aws s3
macos.notlockbit
Published: October 25, 2024
Downloadable IOCs: 0

Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN

Since early August, there has been a significant increase in Fog and Akira ransomware intrusions targeting SonicWall SSL VPN users across various industries. The attacks appear opportunistic rather than targeting specific sectors. All affected devices lacked patches for CVE-2024-40766. Initial acce…
ransomware
vpn
data exfiltration
akira
CVE-2024-40766
2024-10-24
sonicwall
initial access
fog
Published: October 24, 2024
Linked vulnerabilities : CVE-2024-40766 (CVSS 9.8)
Downloadable IOCs: 16

Embargo ransomware: Rock'n'Rust

ESET researchers have uncovered new Rust-based tools used by the Embargo ransomware group. The toolkit includes MDeployer, a loader that deploys MS4Killer and Embargo ransomware, and MS4Killer, an EDR killer that exploits a vulnerable driver. Embargo, first observed in June 2024, is a relatively ne…
ransomware
rust
byovd
raas
2024-10-23
embargo ransomware
edr killer
safe mode abuse
ms4killer
mdeployer
Published: October 23, 2024
Downloadable IOCs: 0

New wave of Bumblebee malware attacks warned

Security researchers have detected new attacks involving the Bumblebee malware loader, just four months after Europol disrupted its operations in Operation Endgame. The malware has resurfaced with updated tactics, using MSI files disguised as legitimate software installers to deliver its payload di…
malware
loader
phishing
ransomware
evasion
in-memory
msi
bumblebee
2024-10-22
Published: October 22, 2024
Downloadable IOCs: 9

Akira ransomware continues to evolve

Akira ransomware has established itself as a prominent threat, constantly evolving its tactics. Initially employing double-extortion, it shifted focus to data exfiltration in early 2024. The group developed a Rust variant of their ESXi encryptor, moving away from C++. Recently, Akira has returned t…
linux
ransomware
windows
rust
CVE-2024-37085
vulnerability exploitation
akira
CVE-2023-27532
esxi
CVE-2024-40766
CVE-2023-48788
double-extortion
CVE-2024-40711
CVE-2023-20269
2024-10-22
CVE-2020-3259
CVE-2023-20263
chacha8
megazord
Published: October 22, 2024
Linked vulnerabilities : CVE-2024-37085 (CVSS 6.8), CVE-2024-40766 (CVSS 9.8), CVE-2024-40711 (CVSS 9.8), CVE-2023-27532, CVE-2023-20269, CVE-2020-3259, CVE-2023-48788, CVE-2023-20263
Downloadable IOCs: 37

Fog Ransomware – Technical Analysis

A new ransomware called Fog has been identified, affecting education and recreation centers in the United States. The threat actors gain access through compromised VPN credentials, disable Windows Defender, and deploy the ransomware. Fog is a 32-bit EXE file compiled using Microsoft Visual C/C++. I…
ransomware
windows
encryption
vpn
cryptography
2024-10-21
fog ransomware
file-encryption
multi-threading
process-termination
service-stopping
Published: October 21, 2024
Downloadable IOCs: 1

Analyzing the familiar tools used by the Crypt Ghouls hacktivists

The Crypt Ghouls group is targeting Russian businesses and government agencies with ransomware attacks. They utilize a toolkit including utilities like Mimikatz, XenAllPasswordPro, PingCastle, and others. The group employs LockBit 3.0 and Babuk ransomware as final payloads. Initial access is often …
ransomware
russia
lockbit
hacktivism
credential harvesting
lateral movement
babuk
lockbit 3.0
2024-10-18
xenallpasswordpro
cobint
Published: October 18, 2024
Downloadable IOCs: 1

Infiltrating the Cicada3301 Ransomware-as-a-Service Group

This analysis provides an in-depth look into the operations of the Cicada3301 Ransomware-as-a-Service (RaaS) group. It details the workflow of their affiliates within the panel and examines the multi-platform capabilities of their ransomware, encompassing Windows, Linux, ESXi, and even uncommon arc…
ransomware
sophisticated
encryption
cicada3301
2024-10-18
multi-platform
affiliate
Published: October 18, 2024
Downloadable IOCs: 5

Fake LockBit Real Damage Ransomware Samples Abuse AWS S3 to Steal Data

This report discusses malicious Golang ransomware samples that exploit Amazon S3's Transfer Acceleration feature to exfiltrate victims' data and upload it to attacker-controlled S3 buckets. The samples contained hard-coded AWS credentials linked to compromised accounts, allowing the researchers to …
ransomware
golang
aws
data-exfiltration
2024-10-17
lockbit-imitation
Published: October 17, 2024
Downloadable IOCs: 39

Lynx Ransomware: A Rebranding of INC Ransomware

Lynx ransomware, discovered in July 2024, is a successor to INC ransomware targeting organizations in retail, real estate, architecture, and financial services in the U.S. and UK. It shares significant source code with INC and operates as a ransomware-as-a-service model. Lynx employs double extorti…
linux
ransomware
windows
encryption
data leak
raas
double extortion
2024-10-14
lynx ransomware
inc ransomware
Published: October 14, 2024
Downloadable IOCs: 44

Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration

The United States has experienced a significant increase in cyber attacks from June to October 2024, with over 800 organizations affected by ransomware across various sectors. Play, RansomHub, Lockbit, Qilin, and Meow have emerged as the most active ransomware groups. Notable incidents include the …
espionage
ransomware
lockbit
hacktivism
ransomhub
qilin
data breach
2024-10-10
rhysida
critical infrastructure
united states
Published: October 10, 2024
Downloadable IOCs: 0

Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis

Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
backdoor
ransomware
seo poisoning
extortion
multi-tiered
infrastructure
2024-10-10
rhysida
chrgetpdsi
portstarter
cleanuploader
early detection
Published: October 10, 2024
Downloadable IOCs: 106

Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines

Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
ransomware
powershell
redline
lua script
compiler
redline stealer
2024-10-09
morphisec
lua malware
lua loader
c2 lua
windows servers
linux server
prometheus
crypter
Published: October 9, 2024
Downloadable IOCs: 18

Dark Angels Exposed

The Dark Angels ransomware group, active since April 2022, operates with sophisticated strategies targeting large companies for substantial ransom demands. They focus on stealthy attacks, avoiding outsourcing to third-party brokers. The group uses various ransomware payloads, including Babuk and Re…
ransomware
data exfiltration
babuk
raas
2024-10-08
ragnarlocker
CVE-2023-22069
Published: October 8, 2024
Downloadable IOCs: 0

Threat actor believed to be spreading new MedusaLocker variant since 2022

A financially motivated threat actor has been active since 2022, delivering a MedusaLocker ransomware variant called 'BabyLockerKZ'. The group targets organizations worldwide, with a focus shift from EU countries to South American countries in mid-2023. The actor uses a combination of publicly know…
iab
ransomware
credential theft
lateral movement
financially motivated
2024-10-04
babylockerkz
medusalocker
Published: October 4, 2024
Downloadable IOCs: 11

Threat Brief: Understanding Akira Ransomware

Akira is a prolific ransomware operating since March 2023, targeting multiple industries in North America, the UK, and Australia. It functions as Ransomware as a Service (RaaS) and employs double extortion tactics. Akira has connections to the disbanded Conti group, sharing code similarities and op…
ransomware
lateral movement
conti
akira
raas
2024-10-04
double extortion
defense evasion
CVE-2023-20269
chacha encryption
CVE-2019-6693
credential dumping
CVE-2021-21972
CVE-2022-40684
Published: October 4, 2024
Linked vulnerabilities : CVE-2023-20269, CVE-2021-21972, CVE-2019-6693, CVE-2022-40684
Downloadable IOCs: 3

Key Group uses leaked builders of ransomware and wipers

Key Group, also known as keygroup777, is a financially motivated ransomware group primarily targeting Russian users. The group has been active since 2022, using various leaked ransomware builders and wipers, including Xorist, Chaos, Annabelle, Slam, RuRansom, UX-Cryptor, Hakuna Matata, and Judge/No…
phishing
ransomware
persistence
njrat
wiper
telegram
chaos
2024-10-02
xorist
slam
hakuna matata
annabelle
ruransom
ux-cryptor
multi-stage loaders
leaked builders
russian-speaking
judge/nocry
Published: October 2, 2024
Downloadable IOCs: 24

Key Group: another ransomware group using leaked builders

Key Group is a financially motivated ransomware group primarily targeting Russian users. They use various leaked ransomware builders including Chaos, Xorist, Annabelle, Slam, RuRansom, UX-Cryptor, Hakuna Matata, and Judge/NoCry. The group's activity has been tracked since April 2022, with their tac…
ransomware
persistence
njrat
wiper
github
telegram
chaos
financially motivated
2024-10-01
xorist
slam
hakuna matata
annabelle
ruransom
ux-cryptor
multi-stage loaders
leaked builders
russian-speaking
judge/nocry
Published: October 1, 2024
Downloadable IOCs: 0

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

A BlackCat ransomware intrusion began with a Nitrogen malware campaign impersonating Advanced IP Scanner. The attackers used Sliver and Cobalt Strike beacons for post-exploitation, leveraging Python scripts for memory loading. They performed network enumeration using various tools and moved lateral…
ransomware
blackcat
alphv
cobalt strike
sliver
credential harvesting
lateral movement
noberus
data exfiltration
2024-10-01
nitrogen
Published: October 1, 2024
Downloadable IOCs: 45

Aiming at domestic government and enterprises! Deeply revealed ransomware operator Rast gang

A new ransomware threat, dubbed Rast, has emerged targeting Chinese government and enterprises since December 2023. Written in Rust, Rast has infected over 6,800 terminals, successfully encrypting more than 5,700. The Rast gang, named after the ransomware, operates primarily between 20:00 and 05:00…
ransomware
china
government
rust
rdp
phobos
2024-09-30
globeimposter
mysql
gandcrab
buran
nday
rast
enterprises
Published: September 30, 2024
Downloadable IOCs: 21

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
backdoor
ransomware
credential-theft
cobalt strike
rclone
impacket
data-exfiltration
lateral-movement
2024-09-30
CVE-2022-47966
CVE-2023-4966
hybrid-cloud
embargo
aadinternals
CVE-2023-38203
CVE-2023-29300
Published: September 30, 2024
Linked vulnerabilities : CVE-2023-4966, CVE-2023-38203, CVE-2023-29300, CVE-2022-47966
Downloadable IOCs: 14

Analysis of the BlackJack group: techniques, tools, and similarities with Twelve

The report examines the BlackJack hacktivist group targeting Russian organizations, focusing on their tools, techniques, and connections to the Twelve group. BlackJack employs freely available software like the Shamoon wiper and LockBit ransomware. Significant overlaps with Twelve include similar m…
ransomware
lockbit
2024-09-25
shamoon
twelve
Published: September 25, 2024
Downloadable IOCs: 1

Black Basta Ransomware: What You Need to Know

Black Basta is a ransomware-as-a-service group that emerged in April 2022, known for double extortion tactics. They target organizations globally, particularly in North America, Europe, and Australia, affecting over 500 entities across various industries. Initial access is gained through phishing, …
ransomware
black basta
2024-09-20
Published: September 20, 2024
Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2024-1709, CVE-2021-34527, CVE-2020-1472, CVE-2024-26169
Downloadable IOCs: 82

Medusa Ransomware: A Growing Threat with a Bold Online Presence

Medusa is a prominent ransomware group that emerged in 2023, targeting sectors such as healthcare, manufacturing, and education across multiple countries. Unlike typical ransomware operators, Medusa maintains a presence on both the dark web and surface web, including social media platforms. The gro…
ransomware
CVE-2023-48788
2024-09-18
medusa ransomware
Published: September 18, 2024
Linked vulnerabilities : CVE-2023-48788
Downloadable IOCs: 11

ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

ShrinkLocker is a new ransomware strain that exploits Windows BitLocker to encrypt targeted data. Unlike typical ransomware, it abuses this legitimate feature to create a secure boot partition, locking users out unless a ransom is paid. The malware performs system checks, modifies registry entries,…
ransomware
encryption
bitlocker
2024-09-17
shrinklocker
disk partitioning
Published: September 17, 2024
Downloadable IOCs: 2

New RansomHub attack uses TDSKiller and LaZagne, disables EDR

A recent analysis by the ThreatDown MDR team has uncovered a novel attack method employed by the RansomHub ransomware gang. The attackers are utilizing two tools: TDSSKiller, a legitimate Kaspersky rootkit removal utility, to disable endpoint detection and response (EDR) systems, and LaZagne, a cre…
ransomware
credential harvesting
edr
ransomhub
byovd
2024-09-11
lazagne
tdsskiller
network segmentation
Published: September 11, 2024
Downloadable IOCs: 2

Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries

The Scattered Spider cybercriminal group is targeting cloud infrastructures in the insurance and financial sectors using advanced techniques. They exploit leaked authentication tokens, conduct phishing and smishing campaigns, and leverage SIM swapping to bypass multi-factor authentication. The grou…
phishing
ransomware
blackcat
alphv
persistence
cloud
noberus
vidar stealer
stealc
redline stealer
raccoon stealer
2024-09-11
sim swapping
finance
insurance
Published: September 11, 2024
Downloadable IOCs: 12

Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware

Repellent Scorpius is a new ransomware-as-a-service group distributing Cicada3301 ransomware. It emerged in May 2024 and employs double extortion tactics involving data theft. The report covers a technical analysis of the Cicada3301 ransomware, the group's tactics, connections to historical inciden…
ransomware
extortion
exfiltration
encryption
cybercrime
2024-09-11
cicada3301
Published: September 11, 2024
Linked vulnerabilities : CVE-2024-1709, CVE-2024-1708
Downloadable IOCs: 8

Mallox ransomware: in-depth analysis and evolution

Mallox is a sophisticated ransomware family that emerged in 2021 and has since evolved into a Ransomware-as-a-Service (RaaS) operation. Initially targeting specific companies, it transitioned to a more generic approach, likely as part of its RaaS model. The malware employs complex encryption scheme…
ransomware
mallox
2024-09-04
raas
remcos rat
Published: September 4, 2024
Downloadable IOCs: 7

Head Mare: adventures of a unicorn in Russia and Belarus

Head Mare is a hacktivist group targeting companies in Russia and Belarus since 2023. They use phishing campaigns exploiting the CVE-2023-38831 vulnerability in WinRAR for initial access. Their toolkit includes custom malware like PhantomDL and PhantomCore, as well as publicly available tools like …
phishing
ransomware
russia
belarus
lockbit
CVE-2023-38831
2024-09-02
babuk
vasa locker
phantomdl
phantomcore
babyk
hacktivists
Published: September 2, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 52

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

This advisory outlines the activities of an Iran-based cyber threat group that has conducted numerous intrusions against organizations in the United States and other countries since 2017, with the goal of obtaining network access to facilitate ransomware attacks. The group, known by various names s…
ransomware
state-sponsored
credential-theft
blackcat
alphv
CVE-2024-3400
iran
CVE-2024-21887
CVE-2024-24919
noberus
2024-08-28
webshells
CVE-2022-1388
CVE-2023-3519
noescape
ransomhouse
CVE-2019-19781
Published: August 28, 2024
Downloadable IOCs: 33

BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks

The BlackByte ransomware group continues leveraging established tactics and vulnerable drivers to bypass security controls, while also incorporating newly disclosed vulnerabilities and using stolen credentials for propagation. A new iteration of their encryptor appends the 'blackbytent_h' extension…
ransomware
worm
CVE-2024-37085
authentication
2024-08-28
byovd
exbyte
blackbytent
Published: August 28, 2024
Downloadable IOCs: 4

BlackSuit Ransomware

The report meticulously chronicles a sophisticated intrusion which began in December 2023 and culminated in the deployment of BlackSuit ransomware approximately 15 days later. The threat actor demonstrated an array of tactics, leveraging tools like Cobalt Strike, Sharphound, and SystemBC, alongside…
ransomware
cobalt strike
discovery
lateral movement
credential access
cobaltstrike
blacksuit
systembc
2024-08-27
sharphound
get-datainfo.ps1
rubeus
Published: August 27, 2024
Downloadable IOCs: 16

How Managed Detection and Response Pressed Pause on a Play Ransomware Attack

This report details how Trend Micro's Managed Detection and Response (MDR) service successfully thwarted a sophisticated ransomware attack orchestrated by the notorious Play ransomware group. Through continuous monitoring and expert analysis, the MDR team swiftly identified and contained the intrus…
ransomware
incident response
cybersecurity
threat analysis
2024-08-23
systembc
grixba
malware campaign
Published: August 23, 2024
Downloadable IOCs: 1

Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure

CloudSEK's threat research team uncovered a ransomware attack impacting banks and payment providers in India. The attack, initiated through a compromised Jenkins server at Brontoo Technology Solutions, is attributed to the RansomEXX ransomware group. This sophisticated threat actor employs tactics …
ransomware
vulnerability
india
banking
2024-08-20
jenkins
ransomexx
CVE-2024-23897
Published: August 20, 2024
Linked vulnerabilities : CVE-2024-23897
Downloadable IOCs: 18

Ransomware attackers introduce new EDR killer to their arsenal

An analysis by security researchers has uncovered the existence of a new tool called EDRKillShifter, which is used by threat actors to disable endpoint protection software during ransomware attacks. The tool is designed to terminate antivirus and endpoint detection and response (EDR) solutions on t…
ransomware
ransomhub
privilege escalation
2024-08-16
edr evasion
driver exploitation
edrkillshifter
Published: August 16, 2024
Downloadable IOCs: 2

REPLAY: Revisiting Play Ransomware Anti-Analysis Techniques

This analysis revisits the anti-analysis techniques employed by recent variants of the Play ransomware, which is known for targeting industries like healthcare and telecommunications across various regions. The report explains how the ransomware utilizes techniques like return-oriented programming …
ransomware
anti-analysis
2024-08-09
playcrypt
Published: August 9, 2024
Downloadable IOCs: 4

DeathGrip RaaS | Small-Time Threat Actors Aim High With LockBit & Yashma Builders

This analysis examines the emergence of DeathGrip, a Ransomware-as-a-Service (RaaS) operation that provides threat actors with easy access to sophisticated ransomware builders like LockBit 3.0 and Yashma/Chaos. The accessibility of these tools enables even those with minimal technical skills to lau…
ransomware
lockbit
2024-08-09
yashma
chaos
Published: August 9, 2024
Downloadable IOCs: 1

Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell

The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
phishing
ransomware
powershell
fileless
2024-08-07
cronus
Published: August 7, 2024
Downloadable IOCs: 8

SharpRhino – New Hunters International RAT

Quorum Cyber's Incident Response team discovered a novel malware, SharpRhino, used by the threat actor Hunters International as an initial infection vector and Remote Access Trojan (RAT). This malware, coded in C#, is delivered via a typosquatting domain impersonating Angry IP Scanner. Upon executi…
ransomware
remote access
2024-08-06
sharprhino
Published: August 6, 2024
Downloadable IOCs: 6

DNS Early Detection - Breaking the Black Basta Ransomware Kill Chain

This intelligence analysis examines the Black Basta ransomware campaign, which has significantly impacted businesses and critical infrastructure across North America, Europe, and Australia. The report highlights Infoblox's ability to identify and block over 78% of the malicious domains associated w…
ransomware
dns
black basta
2024-08-02
threat intelligence
Published: August 2, 2024
Linked vulnerabilities : CVE-2024-1700
Downloadable IOCs: 1

Akira Ransomware Targets the LATAM Airline Industry

An in-depth analysis examined a threat actor utilizing Akira ransomware to compromise a Latin American airline. The attacker gained initial network access via SSH, exploiting a vulnerability in Veeam backup software, and subsequently exfiltrated critical data before deploying the ransomware payload…
linux
ransomware
exfiltration
akira
CVE-2023-27532
2024-07-16
ssh
backup
Published: July 16, 2024
Linked vulnerabilities : CVE-2023-27532, CVE-2023-20269, CVE-2020-3259
Downloadable IOCs: 2

ShadowRoot Ransomware Targeting Turkish Businesses

An analysis reveals a basic ransomware campaign targeting Turkish enterprises. The attack commences with a malicious PDF attachment delivered via email, containing a link that downloads an executable payload. This executable then drops further components, including a .NET binary obfuscated with dot…
ransomware
2024-07-15
türkiye
Published: July 15, 2024
Downloadable IOCs: 3

Patch or Peril: A Veeam vulnerability incident

While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
backdoor
ransomware
adfind
vpn
2024-07-12
fortigate
veeam
CVE-2023-27532
svhost
netscan
Published: July 12, 2024
Downloadable IOCs: 2

BianLian Ransomware Group: 2024 Activity Analysis

The intelligence report delves into the evolving tactics and operations of the BianLian ransomware group, which has emerged as one of the top three most active ransomware groups. It details the group's shift from encryption tactics to a steal-and-extort model after a decryptor was released. The ana…
ransomware
extortion
cybercrime
bianlian
2024-07-12
data breach
Published: July 12, 2024
Downloadable IOCs: 8

Ransomware: Activity Levels Remain High Despite Disruption

While overall activity levels dipped slightly in the first quarter of 2024, the number of claimed attacks remained high, with LockBit accounting for over 20%. The report explores the changing tactics employed by ransomware actors, including the exploitation of vulnerabilities, the use of Bring-Your…
ransomware
lockbit
vulnerability
blackcat
alphv
encryption
phobos
cyclops blink
CVE-2024-4577
noberus
tellyouthepass
blacksuit
2024-07-11
akira
warp av killer
qilin
disruption
Published: July 11, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8)
Downloadable IOCs: 27

Decrypted: DoNex Ransomware and its Predecessors

Researchers have uncovered a cryptographic flaw in the DoNex ransomware and its previous iterations, allowing for the creation of a decryptor tool. Initially discovered in March 2024, this cryptographic weakness was made public at Recon 2024. The ransomware, which has undergone several rebrands sin…
ransomware
lockbit
darkrace
donex
encryption
2024-07-10
chacha20
rebranding
muse
cryptography
Published: July 10, 2024
Downloadable IOCs: 8

BlackSuit Ransomware: Insights and Defense Strategies

This report provides an in-depth analysis of the BlackSuit ransomware, a threat that has been actively targeting various sectors since May 2023. It presents statistics from incident response engagements, explores the ransomware's behavior and technical analysis, and offers insights into the potenti…
ransomware
encryption
data exfiltration
2024-07-08
blacksuit
cybersecurity
threat analysis
Published: July 8, 2024
Downloadable IOCs: 8

Mallox Ransomware: Linux Variant Decryptor Found

The report analyzes the Mallox ransomware, which has been active since mid-2021 and focuses on multi-extortion by encrypting victims' data and threatening to post it on public TOR sites. Initially targeting Windows systems, Mallox has now developed Linux variants using custom Python scripts for pay…
ransomware
encryption
mallox
targetcompany
2024-07-04
fargo
cyber-extortion
mawahelper
Published: July 4, 2024
Downloadable IOCs: 5

New Ransomware Operator Volcano Demon Serving Up LukaLocker

A cybersecurity firm has encountered a new ransomware organization, dubbed Volcano Demon, responsible for recent attacks involving an encryptor called LukaLocker. The malware encrypts victims' files with the .nba extension and was successful in compromising Windows workstations and servers after ha…
ransomware
data-theft
2024-07-03
lukalocker
Published: July 3, 2024
Downloadable IOCs: 3

From Dormant to Dangerous: P2Pinfect Evolves to Deploy New Ransomware and Cryptominer

P2Pinfect is a sophisticated malware that utilizes a peer-to-peer botnet for command and control. Initially appearing dormant, it has evolved to deploy ransomware and cryptominer payloads. The malware spreads via exploiting Redis and limited SSH capabilities. A recent update introduced a new ransom…
ransomware
rootkit
worm
cryptominer
2024-06-27
p2pinfect
rsagen
Published: June 27, 2024
Downloadable IOCs: 15

Chamelgang & Friends | Cyberespionage Groups Attacking Critical Infrastructure with Ransomware

In collaboration with Recorded Future, SentinelLabs has been tracking two distinct activity clusters targeting government and critical infrastructure sectors globally between 2021 and 2023.
ransomware
cobalt strike
icedid
bitlocker
2024-06-26
china chopper
wiper
conti
chamelgang
bestcrypt
beaconloader
silver sparrow
Published: June 26, 2024
Downloadable IOCs: 8

RAFEL RAT, ANDROID MALWARE FROM ESPIONAGE TO RANSOMWARE OPERATIONS

Check Point Research has identified multiple threat actors utilizing Rafel, an open-source remote administration tool (RAT). The discovery of an espionage group leveraging Rafel in their operations was of particular significance, as it indicates the tool’s efficacy across various threat actor profi…
ransomware
android
infostealer
discord
2024-06-20
google play
rafel rat
data wipe
smartphone
2fa bypass
Published: June 20, 2024
Downloadable IOCs: 6

Update: CVE-2024-4577 quickly weaponized to distribute Ransomware

The report describes an attack campaign leveraging the CVE-2024-4577 vulnerability to deliver the "TellYouThePass" ransomware. The attackers use the vulnerability to execute arbitrary PHP code and run a malicious HTML application that loads a .NET variant of the ransomware into memory. Upon executi…
exploit
ransomware
encryption
CVE-2024-4577
2024-06-11
tellyouthepass
infection
Published: June 11, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2021-44228, CVE-2024-3577, CVE-2023-22524, CVE-2023-46604
Downloadable IOCs: 5

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
backdoor
rat
ransomware
blackcat
alphv
cobalt strike
icedid
exfiltration
2024-06-10
noberus
csharp streamer
Published: June 10, 2024
Downloadable IOCs: 33

Lost in the Fog: A New Ransomware Threat

Arctic Wolf Labs began monitoring the deployment of a new ransomware variant called Fog in early May 2024. The ransomware attacks targeted organizations in the education and recreation sectors within the United States. Evidence suggests threat actors gained initial access through compromised VPN cr…
ransomware
encryption
lateral movement
credential
2024-06-07
backup deletion
foggyweb
Published: June 7, 2024
Linked vulnerabilities : CVE-2024-4358 (CVSS 9.8), CVE-2024-1800
Downloadable IOCs: 5

TargetCompany’s Linux Variant Targets ESXi Environments

Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
ransomware
lockbit
execution
2024-06-06
vmware esxi
targetcompany
cloud security
vampire
Published: June 6, 2024
Downloadable IOCs: 3

Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors

This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
ransomware
coinminer
botnet
2024-06-06
rdp
phobos
havex
backdoor.oldrea
proxy
Published: June 6, 2024
Downloadable IOCs: 34

Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

Microsoft has identified Moonstone Sleet, a new North Korean threat actor that employs various tactics, including creating fake companies, distributing trojanized legitimate tools, developing a malicious game, and deploying custom ransomware. This actor combines methods used by other North Korean g…
north korea
ransomware
2024-05-29
moonstone sleet
fake companies
Published: May 29, 2024
Linked vulnerabilities : CVE-2023-42793
Downloadable IOCs: 20

New ransomware group abusing BitLocker

The report examines an incident where threat actors leveraged Microsoft's BitLocker encryption utility to deploy unauthorized file encryption on targeted systems. The adversaries employed a sophisticated VBScript that resized disk partitions, modified registry entries, enabled BitLocker with random…
ransomware
exfiltration
encryption
2024-05-23
bitlocker
trojan-ransom.vbs.bitlock.gen
trojan.vbs.sagent.gen
trojan.win32.generic
partitions
Published: May 23, 2024
Linked vulnerabilities : CVE-2024-30051 (CVSS 7.8)
Downloadable IOCs: 6

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

The report describes a recent campaign by the threat actor Storm-1811, a financially motivated cybercriminal group known for deploying Black Basta ransomware. The campaign begins with social engineering tactics like voice phishing (vishing) and email bombing to trick users into granting remote acce…
malware
ransomware
qakbot
qbot
quackbot
pinkslipbot
2024-05-16
2024-05-11
black basta
remote-access
vishing
social-engineering
Published: May 16, 2024
Downloadable IOCs: 12

Ongoing Malvertising Campaign leads to Ransomware

Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat act…
malware
ransomware
python
cobalt strike
2024-05-15
2024-05-10
msi package
winscp
sliver
putty
service
execution
localappdata
dropped
c2 address
sliver beacon
dnstwist
Published: May 15, 2024
Downloadable IOCs: 78

Security Brief: Millions of Messages Distribute LockBit Black Ransomware

In late April 2024, Proofpoint observed high-volume email campaigns facilitated by the Phorpiex botnet, distributing millions of messages with attachments leading to LockBit Black ransomware infections. The messages appeared to originate from 'Jenny Green' and contained ZIP attachments with executa…
ransomware
lockbit
botnet
2024-05-08
malspam
phorpiex
lockbit black
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 16

StopRansomware: Black Basta

This advisory details tactics, techniques, procedures and indicators of compromise related to Black Basta ransomware, a variant first identified in April 2022. Its affiliates have impacted over 500 organizations globally across multiple critical infrastructure sectors, including Healthcare and Publ…
phishing
ransomware
exfiltration
encryption
2024-05-08
qakbot
qbot
CVE-2020-1472
quackbot
pinkslipbot
CVE-2024-1709
healthcare
CVE-2021-34527
CVE-2021-42278
CVE-2021-42287
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2024-1709, CVE-2021-34527, CVE-2020-1472
Downloadable IOCs: 174

Code Emulation and Cybercrime Infrastructure Discovery

This report details the analysis of a malspam campaign utilizing the Matanbuchus loader, which involved decrypting strings within the malware through emulation techniques. The investigation pivoted to uncover a Russian bulletproof hosting service, Proton66 OOO, that currently hosts various maliciou…
loader
ransomware
stealer
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
socgholish
matanbuchus
emulation
bulletproof
Published: May 8, 2024
Downloadable IOCs: 76

Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)

The report analyzes recent attacks by the TargetCompany ransomware group targeting poorly managed MS-SQL servers. The group initially installs Remcos RAT and a remote screen control malware for reconnaissance and lateral movement. Subsequently, the Mallox ransomware is deployed to encrypt the infec…
ransomware
remcos
mallox
sql
tor2mine
bluesky
Published: May 2, 2024
Downloadable IOCs: 5

Ransomware Roundup (April 29, 2024)

This concise report provides insights into the evolving ransomware landscape, covering the KageNoHitobito and DoNex variants. It analyzes their infection vectors, victimology, attack methods, and associated indicators of compromise (IoCs). The report also highlights Fortinet's protections against t…
ransomware
windows
data theft
ransom
darkrace
donex
encryption
kagenohitobito
Published: April 29, 2024
Downloadable IOCs: 7
Click here to see more Attack Reports