Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label Ransomware attack. Show all posts

'Fog' Attackers Mock Victims With DOGE Ransom Notes

 

Fog ransomware assaults over the last month have included a new ransom note mentioning the US Department of Government Efficiency (DOGE) and enticing victims to propagate the malware to other PCs, Trend Micro said earlier this week. 

Analysis of the latest samples of Fog ransomware, which were published to VirusTotal between March 27 and April 2, 2025, found that they propagated via the transfer of a ZIP file containing an LNK file disguised as a PDF called "Pay Adjustment." This shows that attacks were carried out via phishing emails to employees.

Once the "Pay Adjustment" LNK file is clicked, a PowerShell script named stage1.ps1 is executed, which retrieves multiple payloads from a hacker-controlled domain. These include the ransomware loader cwiper.exe, a bring-your-own-vulnerable-driver (BYOVD) privilege escalation tool named Ktool.exe, a QR code image directing to a Monero wallet, a ransom letter called RANSOMNOTE.txt, and more malicious PowerShell scripts. 

Ktool.exe extracts the vulnerable Intel Network Adapter Diagnostic Driver iQVW64.sys to the %TEMP% folder, passing the target process ID (PID) and a hardcoded key as arguments. Lootsubmit.ps1 and Trackerjacker.ps1 are PowerShell scripts that collect and exfiltrate system information such IP addresses, CPU configurations, MAC addresses, and system geolocations. 

Before dropping the Fog ransomware, the ransomware loader checks to ensure it is not in a sandbox environment. It also drops dbgLog.sys, which tracks encryption-related activities, and readme.txt, an additional ransom note. This ransom note is identical to those found in past Fog ransomware assaults. 

Odd political references

While the final ransom note, readme.txt, is identical to prior attacks, the initial ransom note, RANSOMNOTE.txt, refers to DOGE and includes the names of specific individuals involved with the department. 

The note reads, "Give me five bullet points on what you accomplished for work last week," and refers to emails sent to federal employees in February as part of a DOGE campaign. The note further offers to decrypt the user's data for free if they deliver the malicious files to another person or manually execute the malicious PowerShell commands on someone else's PC. 

Earlier this year, the DoNex ransomware group followed a similar tactic, promising payment to targets in exchange for sharing sensitive company data or spreading the malware throughout their organisation. The PowerShell script also contains bizarre political references, such as the statement "The CIA didn't kill Kennedy, you idiot." The script also launched several politically orientated YouTube videos, including an episode of "Last Week Tonight with John Oliver.”

Interlock Ransomware Gang Deploys ClickFix Attacks to Breach Corporate Networks

 

Cybersecurity researchers have revealed that the Interlock ransomware gang has adopted a deceptive social engineering technique called ClickFix to infiltrate corporate networks. This method involves tricking users into executing malicious PowerShell commands under the guise of resolving system errors or completing identity verification steps, leading to the deployment of file-encrypting malware. 

While ClickFix attacks have previously been associated with ransomware campaigns, this marks the first confirmed use by Interlock, a ransomware operation that surfaced in late September 2024. The group targets both Windows systems and FreeBSD servers and maintains a dark web leak portal to pressure victims into paying ransoms that can reach millions of dollars. Interlock does not seem to operate as a ransomware-as-a-service (RaaS) model. 

According to Sekoia researchers, Interlock began using ClickFix tactics in January 2025. Attackers set up fake websites mimicking legitimate IT tools—such as Microsoft Teams and Advanced IP Scanner—to lure victims. These fake sites prompt users to click a “Fix it” button, which silently copies a malicious PowerShell script to the user’s clipboard. If run, the command downloads a 36MB PyInstaller payload that installs malware under the guise of a legitimate tool. 

Researchers found the malicious campaign hosted on spoofed domains like microsoft-msteams[.]com, microstteams[.]com, ecologilives[.]com, and advanceipscaner[.]com. Only the last domain led to the actual malware dropper disguised as Advanced IP Scanner. When users unknowingly run the script, a hidden PowerShell window executes actions such as system reconnaissance, persistence via Windows Registry, and data exfiltration. The attackers deploy a range of malware via command-and-control (C2) servers, including LummaStealer, BerserkStealer, keyloggers, and the Interlock RAT—a basic remote access trojan capable of dynamic configuration, file exfiltration, shell command execution, and DLL injection. 

Post-compromise, Interlock operators use stolen credentials to move laterally through networks via RDP, leveraging remote access tools like PuTTY, AnyDesk, and LogMeIn. Data is exfiltrated to Azure Blob Storage, after which the Windows variant of Interlock ransomware is scheduled to run daily at 8:00 PM—a redundancy tactic to ensure encryption if the initial payload fails. The gang’s ransom notes have also evolved, now placing emphasis on the legal and regulatory consequences of leaked data. 

ClickFix attacks are gaining popularity among various cybercriminal groups, with recent reports also linking them to North Korean state-sponsored actors like the Lazarus Group, who use similar tactics to target job seekers in the cryptocurrency sector.

Symantec Links Betruger Backdoor Malware to RansomHub Ransomware Attacks

 

A sophisticated custom backdoor malware called Betruger has been discovered in recent ransomware campaigns, with Symantec researchers linking its use to affiliates of the RansomHub ransomware-as-a-service (RaaS) group. The new malware is considered a rare and powerful tool designed to streamline ransomware deployment by minimizing the use of multiple hacking tools during attacks. 

Identified by Symantec’s Threat Hunter Team, Betruger is described as a “multi-function backdoor” built specifically to aid ransomware operations. Its functions go far beyond traditional malware. It is capable of keylogging, network scanning, privilege escalation, credential theft, taking screenshots, and uploading data to a command-and-control (C2) server—all typical actions carried out before a ransomware payload is executed. Symantec notes that while ransomware actors often rely on open-source or legitimate software like Mimikatz or Cobalt Strike to navigate compromised systems, Betruger marks a departure from this norm. 

The tool’s development suggests an effort to reduce detection risks by limiting the number of separate malicious components introduced during an attack. “The use of custom malware other than encrypting payloads is relatively unusual in ransomware attacks,” Symantec stated. “Betruger may have been developed to reduce the number of tools dropped on a network during the pre-encryption phase.” Threat actors are disguising the malware under file names like ‘mailer.exe’ and ‘turbomailer.exe’ to pose as legitimate mailing applications and evade suspicion. While custom malware isn’t new in ransomware operations, most existing tools focus on data exfiltration. 

Notable examples include BlackMatter’s Exmatter and BlackByte’s Exbyte, both created to steal data and upload it to cloud platforms like Mega.co.nz. However, Betruger represents a more all-in-one solution tailored for streamlined attack execution. The RansomHub RaaS operation, previously known as Cyclops and Knight, surfaced in early 2024 and has quickly become a major threat actor in the cybercrime world. Unlike traditional ransomware gangs, RansomHub has focused more on data theft and extortion rather than just data encryption. Since its emergence, RansomHub has claimed several high-profile victims including Halliburton, Christie’s auction house, Frontier Communications, Rite Aid, Kawasaki’s EU division, Planned Parenthood, and Bologna Football Club. 

The group also leaked Change Healthcare’s stolen data after the BlackCat/ALPHV ransomware group’s infamous $22 million exit scam. More recently, the gang claimed responsibility for breaching BayMark Health Services, North America’s largest addiction treatment provider. BayMark serves over 75,000 patients daily across more than 400 locations in the US and Canada. According to the FBI, as of August 2024, RansomHub affiliates have compromised over 200 organizations, many of which are part of critical infrastructure sectors such as government, healthcare, and energy. 

As ransomware groups evolve and adopt more custom-built malware like Betruger, cybersecurity experts warn that defenses must adapt to meet increasingly sophisticated threats.

Explaining AI's Impact on Ransomware Attacks and Businesses Security

 

Ransomware has always been an evolving menace, as criminal outfits experiment with new techniques to terrorise their victims and gain maximum leverage while making extortion demands. Weaponized AI is the most recent addition to the armoury, allowing high-level groups to launch more sophisticated attacks but also opening the door for rookie hackers. The NCSC has cautioned that AI is fuelling the global threat posed by ransomware, and there has been a significant rise in AI-powered phishing attacks. 

Organisations are increasingly facing increasing threats from sophisticated assaults, such as polymorphic malware, which can mutate in real time to avoid detection, allowing organisations to strike with more precision and frequency. As AI continues to rewrite the rules of ransomware attacks, businesses that still rely on traditional defences are more vulnerable to the next generation of cyber attack. 

Ransomware accessible via AI 

Online criminals, like legal businesses, are discovering new methods to use AI tools, which makes ransomware attacks more accessible and scalable. By automating crucial attack procedures, fraudsters may launch faster, more sophisticated operations with less human intervention. 

Established and experienced criminal gangs gain from the ability to expand their operations. At the same time, because AI is lowering entrance barriers, folks with less technical expertise can now utilise ransomware as a service (RaaS) to undertake advanced attacks that would ordinarily be outside their pay grade. 

OpenAI, the company behind ChatGPT, stated that it has detected and blocked more than 20 fraudulent operations with its famous generative AI tool. This ranged from creating copy for targeted phishing operations to physically coding and debugging malware. 

FunkSec, a RaaS supplier, is a current example of how these tools are enhancing criminal groups' capabilities. The gang is reported to have only a few members, and its human-created code is rather simple, with a very low level of English. However, since its inception in late 2024, FunkSec has recorded over 80 victims in a single month, thanks to a variety of AI techniques that allow them to punch much beyond their weight. 

Investigations have revealed evidence of AI-generated code in the gang's ransomware, as well as web and ransom text that was obviously created by a Large Language Model (LLM). The team also developed a chatbot to assist with their operations using Miniapps, a generative AI platform. 

Mitigation tips against AI-driven ransomware 

With AI fuelling ransomware groups, organisations must evolve their defences to stay safe. Traditional security measures are no longer sufficient, and organisations must match their fast-moving attackers with their own adaptive, AI-driven methods to stay competitive. 

One critical step is to investigate how to combat AI with AI. Advanced AI-driven detection and response systems may analyse behavioural patterns in real time, identifying anomalies that traditional signature-based techniques may overlook. This is critical for fighting strategies like polymorphism, which have been expressly designed to circumvent standard detection technologies. Continuous network monitoring provides an additional layer of defence, detecting suspicious activity before ransomware can activate and propagate. 

Beyond detection, AI-powered solutions are critical for avoiding data exfiltration, as modern ransomware gangs almost always use data theft to squeeze their victims. According to our research, 94% of reported ransomware attacks in 2024 involved exfiltration, highlighting the importance of Anti Data Exfiltration (ADX) solutions as part of a layered security approach. Organisations can prevent extortion efforts by restricting unauthorised data transfers, leaving attackers with no choice but to move on.

Fourlis Group Confirms €20 Million Loss from IKEA Ransomware Attack

 

Fourlis Group, the retail operator responsible for IKEA stores across Greece, Cyprus, Romania, and Bulgaria, has revealed that a ransomware attack targeting its systems in late November 2024 led to significant financial losses. The cyber incident, which coincided with the busy Black Friday shopping period, disrupted critical parts of the business and caused damages estimated at €20 million (around $22.8 million). 

The breach initially surfaced as unexplained technical problems affecting IKEA’s e-commerce platforms. Days later, on December 3, the company confirmed that the disruptions were due to an external cyberattack. The attack affected digital infrastructure used for inventory restocking, online transactions, and broader retail operations, mainly impacting IKEA’s business. Other brands under the Fourlis umbrella, including Intersport and Holland & Barrett, were largely unaffected.  

According to CEO Dimitris Valachis, the company experienced a loss of approximately €15 million in revenue by the end of 2024, with an additional €5 million impact spilling into early 2025. Fourlis decided not to comply with the attackers’ demands and instead focused on system recovery through support from external cybersecurity professionals. The company also reported that it successfully blocked a number of follow-up attacks attempted after the initial breach. 

Despite the scale of the attack, an internal investigation supported by forensic analysts found no evidence that customer data had been stolen or exposed. The incident caused only a brief period of data unavailability, which was resolved swiftly. As part of its compliance obligations, Fourlis reported the breach to data protection authorities in all four affected countries, reassuring stakeholders that personal information remained secure. Interestingly, no known ransomware group has taken responsibility for the attack. This may suggest that the attackers were unable to extract valuable data or are holding out hope for an undisclosed settlement—though Fourlis maintains that no ransom was paid. 

The incident highlights the growing risks faced by digital retail ecosystems, especially during peak sales periods when system uptime is critical. As online platforms become more central to retail operations, businesses like Fourlis must invest heavily in cybersecurity defenses. Their experience reinforces the importance of swift response strategies, external threat mitigation support, and robust data protection practices to safeguard operations and maintain customer trust in the face of evolving cyber threats.

Ransomware Attacks Surge in Q1 2025 as Immutable Backup Emerges as Critical Defense

Ransomware attacks have seen a dramatic rise in the first quarter of 2025, with new research from Object First revealing an 84% increase compared to the same period in 2024. This alarming trend highlights the growing sophistication and frequency of ransomware campaigns, with nearly two-thirds of organizations reporting at least one attack in the past two years. 

The findings suggest that ransomware is no longer a matter of “if” but “when” for most businesses. Despite the increased threat, Object First’s study offers a silver lining. A large majority—81% of IT decision-makers—now recognize that immutable backup storage is the most effective defense against ransomware. Immutable storage ensures that once data is written, it cannot be changed or deleted, offering a critical safety net when other security measures fail. This form of storage plays a key role in enabling organizations to recover their data without yielding to ransom demands. 

However, the report also highlights a concerning gap between awareness and action. While most IT professionals acknowledge the benefits of immutable backups, only 59% of organizations have actually implemented such storage. Additionally, just 58% maintain multiple copies of their data in separate locations, falling short of the recommended 3-2-1 backup strategy. This gap leaves many companies dangerously exposed. The report also shows that ransomware actors are evolving their methods. A staggering 96% of organizations that experienced ransomware attacks in the last two years had their backup systems targeted at least once. Even more concerning, 10% of them had their backup storage compromised in every incident. 

These findings demonstrate how attackers now routinely seek to destroy recovery options, increasing pressure on victims to pay ransoms. Many businesses still place heavy reliance on traditional IT security hardening. In fact, 61% of respondents believe this approach is sufficient. But ransomware attackers are adept at bypassing such defenses using phishing emails, stolen credentials, and remote access tools. That’s why Object First recommends adopting a “breach mentality”—an approach that assumes an eventual breach and focuses on limiting damage. 

A Zero Trust architecture, paired with immutable backup, is essential. Organizations are urged to segment networks, restrict user access to essential data only, and implement multi-factor authentication. As cloud services grow, many companies are also turning to immutable cloud storage for flexible, scalable protection. Together, these steps offer a stronger, more resilient defense against today’s aggressive ransomware landscape.

Corporate Espionage Group ‘RedCurl’ Expands Tactics with Hyper-V Ransomware

 

RedCurl, a cyber threat group active since 2018 and known for stealthy corporate espionage, has now shifted its approach by deploying ransomware targeting Hyper-V virtual machines.

Initially identified by Group-IB, RedCurl primarily targeted corporate organizations globally, later expanding its reach. However, as reported by Bitdefender Labs, the group has now incorporated ransomware into its operations.

"We've seen RedCurl stick to their usual playbook in most cases, continuing with data exfiltration over longer periods of time," states the Bitdefender report. "However, one case stood out. They broke their routine and deployed ransomware for the first time."

With businesses increasingly adopting virtualized infrastructure, ransomware groups are adapting by designing encryptors for these environments. While most ransomware variants target VMware ESXi servers, RedCurl’s latest tool, QWCrypt, focuses specifically on Hyper-V.

Bitdefender’s analysis reveals that RedCurl initiates attacks through phishing emails containing .IMG attachments disguised as CVs. When opened, these disk image files auto-mount in Windows, executing a malicious screensaver file. This technique exploits DLL sideloading via a legitimate Adobe executable, enabling persistence through scheduled tasks.

To avoid detection, RedCurl employs living-off-the-land (LOTL) techniques, leveraging native Windows utilities. A custom wmiexec variant facilitates lateral movement across networks without triggering security tools, while Chisel provides tunneling and remote desktop access.

Before deploying ransomware, the attackers disable security measures using encrypted 7z archives and a multi-stage PowerShell script.

Unlike standard Windows ransomware, QWCrypt supports multiple command-line arguments, allowing attackers to fine-tune encryption strategies. In observed attacks, RedCurl used the --excludeVM argument to avoid encrypting network gateway virtual machines, ensuring continued access.

The XChaCha20-Poly1305 encryption algorithm is employed to lock files, appending .locked$ or .randombits$ extensions. Additionally, QWCrypt offers intermittent encryption (block skipping) and selective file encryption based on size, optimizing speed.

The ransom note, named "!!!how_to_unlock_randombits_files.txt$", incorporates text fragments from multiple ransomware groups, including LockBit, HardBit, and Mimic.

Unlike most ransomware gangs, RedCurl does not operate a dedicated leak site, raising speculation about its true intentions. Experts propose two theories:

The ransomware may serve as a cover for data theft, creating a distraction while RedCurl exfiltrates sensitive corporate information. It could also act as a backup monetization method when clients fail to pay for stolen data. Another possibility is that RedCurl may conduct covert negotiations with victims, focusing on financial gain without public exposure.

"The RedCurl group's recent deployment of ransomware marks a significant evolution in their tactics," Bitdefender concludes. "This departure from their established modus op

Pennsylvania Education Union Alerts Over 500,000 Individuals of Data Breach

 

The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying more than half a million individuals that their personal data was compromised in a cybersecurity breach that occurred in July 2024.

Representing over 178,000 education professionals—including teachers, support staff, higher education employees, nurses, retirees, and future educators—PSEA disclosed the breach in letters sent to 517,487 affected individuals.

"PSEA experienced a security incident on or about July 6, 2024, that impacted our network environment," the organization stated in its notification. "Through a thorough investigation and extensive review of impacted data, which was completed on February 18, 2025, we determined that the data acquired by the unauthorized actor contained some personal information belonging to individuals whose information was contained within certain files within our network."

Types of Stolen Data

The stolen information varies by individual and includes sensitive personal, financial, and health-related details. This may include:
  • Driver’s license or state ID numbers
  • Social Security numbers
  • Account PINs and security codes
  • Payment card details
  • Passport information
  • Taxpayer identification numbers
  • Online credentials
  • Health insurance and medical records
In response to the breach, PSEA is offering free credit monitoring and identity restoration services through IDX for those whose Social Security numbers were affected. Eligible individuals must enroll by June 17, 2025. The union also advised affected individuals to monitor their financial statements, review credit reports for suspicious activity, and consider placing a fraud alert or security freeze on their credit files.

Although PSEA has not directly attributed the attack to a specific threat group, the Rhysida ransomware gang took responsibility for the breach on September 9, 2024. The cybercriminals reportedly demanded a 20 BTC ransom and threatened to leak stolen data if their demands were not met. While it remains unclear if PSEA complied with the ransom request, Rhysida has since removed the stolen data from its dark web leak site.

Rhysida, a ransomware-as-a-service (RaaS) group, first emerged in May 2023 and has been linked to several high-profile cyberattacks. Notable incidents include breaches at the British Library, the Chilean Army, and Sony subsidiary Insomniac Games. In November 2023, the group leaked 1.67 TB of documents after Insomniac refused to pay a $2 million ransom.

More recently, Rhysida affiliates targeted Lurie Children’s Hospital in Chicago in February 2024, attempting to sell stolen data for 60 BTC (approximately $3.7 million at the time). Other victims include the Singing River Health System, which suffered a data breach affecting 900,000 individuals in August 2023, and the City of Columbus, Ohio, where 500,000 residents’ data was compromised in July 2024.

Cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, have warned that Rhysida ransomware affiliates continue to launch opportunistic attacks across various industry sectors. Additionally, the U.S. Department of Health and Human Services (HHS) has linked the group to multiple cyberattacks targeting healthcare institutions.

FBI Warns Against Free Online File Converters as Potential Cybersecurity Threats

 

Free online file converters have become a popular choice for users looking to convert files into different formats. Whether transforming a PDF into a Word document or switching between media formats, these tools offer convenience with just a few clicks. However, the FBI has issued a warning about the hidden dangers associated with such services.

Despite their ease of use, free file conversion tools may serve as a gateway for malware, potentially compromising users’ sensitive data. According to TechRadar, the FBI has identified certain converters that embed malicious software into the converted files. This malware can infect the user's system, allowing hackers to steal personal and financial information undetected.

Once installed, malware can extract crucial data, including:
  • Full names and home addresses
  • Social Security numbers
  • Banking and financial details
  • Cryptocurrency wallets and access keys
The stolen information is often exploited for identity theft, financial fraud, and other cybercrimes. In some cases, hackers deploy ransomware, which locks victims out of their own systems and demands a hefty ransom for data recovery.

Ransomware attacks have surged, affecting both businesses and individuals. When malware encrypts files, victims face a difficult choice—either pay the ransom or lose access to critical data. The FBI emphasizes that these threats are not limited to corporations; everyday internet users relying on free online tools are also at risk. A report from Cisco Talos highlights ransomware as one of the most significant security threats in recent years.

Mark Michalek, FBI Denver Special Agent in Charge, advises that awareness and education are the best defenses against malware attacks. To minimize risks, users should follow these cybersecurity best practices:
  • Use trusted sources – Only download or use file conversion tools from reputable websites and developers.
  • Keep security software updated – Install and regularly update antivirus and anti-malware programs to detect potential threats.
  • Avoid suspicious links and attachments – Do not open files or click on links from unknown sources.
  • Maintain data backups – Regularly back up important files to prevent data loss in case of an attack.

If you suspect that malware has been installed through a file converter, take immediate action:
  • Disconnect from the internet to prevent further data compromise.
  • Run a full system scan using reputable antivirus software to detect and remove malicious files.
  • Report the incident to law enforcement to document the attack and seek assistance.
While free online file converters provide convenience, they also pose significant cybersecurity risks. Users must remain vigilant and prioritize safety when handling digital files. By adopting precautionary measures and staying informed, individuals can protect their sensitive data from cyber threats.

Hackers Exploit Fortinet Firewall Bugs to Deploy Ransomware

 

Cybersecurity researchers have uncovered a new attack campaign in which hackers are exploiting vulnerabilities in Fortinet firewalls to breach corporate networks and deploy ransomware. The hacking group, tracked as “Mora_001,” is leveraging two specific flaws in Fortinet’s firewall software to infiltrate systems and launch a custom ransomware strain called “SuperBlack.” 

These vulnerabilities, tracked as CVE-2024-55591 and CVE-2025-24472, have been actively exploited since December 2024, despite Fortinet releasing patches in January 2025. Many organizations have yet to apply these critical updates, leaving their networks vulnerable. Once inside a network, the attackers conduct reconnaissance to identify valuable data before deploying ransomware. Instead of immediately encrypting files, they first exfiltrate sensitive information, a tactic that has become increasingly common among ransomware groups seeking to pressure victims into paying a ransom to prevent data leaks. 

Security researchers at Forescout observed that the Mora_001 group selectively encrypted file servers only after stealing critical data, making their attacks more damaging and difficult to recover from. There is strong evidence linking Mora_001 to the notorious LockBit ransomware gang. The SuperBlack ransomware strain appears to be based on a leaked builder from LockBit 3.0 attacks, and the ransom notes left by Mora_001 include the same contact details previously used by LockBit affiliates. This suggests that Mora_001 may be a current LockBit affiliate with distinct operational methods or a separate group that shares infrastructure and communication channels. 

Cybersecurity experts believe that Mora_001 is primarily targeting organizations that have not yet applied Fortinet’s security patches. Companies that failed to update their firewalls or properly harden their network configurations when the vulnerabilities were first disclosed are at the highest risk. The ransom notes used in these attacks also bear similarities to those used by other cybercriminal groups, such as the now-defunct ALPHV/BlackCat ransomware gang, further indicating connections within the ransomware ecosystem. 

Despite Fortinet releasing fixes for the affected vulnerabilities, unpatched systems remain an easy target for attackers. Security professionals are urging organizations to update their firewalls immediately and implement additional security measures to prevent unauthorized access. Best practices include applying all available patches, segmenting networks to restrict access to critical systems, monitoring for suspicious activity using endpoint detection and response tools, and maintaining secure offline backups. Organizations that fail to take these precautions risk falling victim to sophisticated ransomware attacks that can result in severe financial and operational damage.

Ransomware Group Uses Unpatched Webcams to Deploy Attacks

 

A recent cybersecurity report by S-RM has revealed a new tactic used by the Akira ransomware group, demonstrating their persistence in bypassing security defenses. When their initial attempt to deploy ransomware was blocked by an endpoint detection and response (EDR) tool, the attackers shifted their focus to an unexpected network device—a webcam. 

This strategy highlights the evolving nature of cyber threats and the need for organizations to secure all connected devices. The attack began with the use of remote desktop protocol (RDP) to access a target’s server. When the group attempted to deploy a ransomware file, the victim’s EDR successfully detected and neutralized the threat. However, rather than abandoning the attack, the adversaries conducted a network search and identified other connected devices, including a fingerprint scanner and a camera. The camera was an ideal entry point because it was unpatched, ran a Linux-based operating system capable of executing commands, and had no installed EDR solution. 

Exploiting these vulnerabilities, the attackers used the camera to deploy ransomware via the Server Message Block (SMB) protocol, which facilitates file and resource sharing between networked devices. According to cybersecurity experts, this kind of attack is difficult to defend against because it targets overlooked devices. Rob T. Lee, chief of research at the SANS Institute, compared detecting such threats to “finding a needle in a haystack.” The attack underscores how cybercriminals are constantly adapting, looking for the weakest points in a network to infiltrate and execute their malicious operations. 

The Akira ransomware group has gained traction following law enforcement takedowns of major ransomware organizations like AlphV and LockBit. S-RM reported that Akira accounted for 15% of the cyber incidents it analyzed, and in January 2024, CISA confirmed that the group had impacted over 250 organizations, extorting approximately $42 million in ransom payments. Ransom demands from Akira typically range from $200,000 to $4 million. The growing threat to internet of things (IoT) devices is further supported by data from Zscaler, which blocked 45% more IoT malware transactions between June 2023 and May 2024. 

Devices such as webcams, e-readers, and routers are particularly vulnerable due to outdated software and poor security practices. To mitigate risks, cybersecurity experts recommend several best practices for securing IoT devices. Organizations should place IoT devices on restricted networks that prevent unauthorized access from workstations or servers. Unused devices should be turned off, networked devices should be regularly audited, and software patches must be applied promptly. Additionally, changing default passwords on IoT devices is essential to prevent unauthorized access. 

Cybercriminals are continuously thinking outside the box to exploit vulnerabilities, and security professionals must do the same to defend against emerging threats. If attackers can compromise a webcam, they could potentially target more complex systems, such as industrial machinery or medical devices. As ransomware groups evolve, staying ahead of their tactics is crucial for safeguarding sensitive data and preventing costly breaches.

Ransomware Attack on Retirement Services Firm Exposes Thousands of US School Data

 

A ransomware assault targeting retirement service firm Carruth Compliance Consulting has resulted in a data breach affecting dozens of school districts and thousands of individuals in the US. Carruth Compliance Consulting (CCC) administers retirement savings accounts for public schools and non-profit organisations.

Carruth announced on its website on January 13, 2025, that it had detected suspicious activity on its computer systems on December 21, 2024. An investigation revealed that hackers gained access to company networks between December 19 and December 26, and stole some files. 

The company claims that private information such as name, Social Security number, financial account information, and, in specific circumstances, driver's license numbers, medical billing information, W-2 information, and tax filings were among the hacked files. Free identity restoration and credit monitoring services are being provided to affected consumers. 

A relatively new ransomware organisation called Skira claimed responsibility for the Carruth attack this week, claiming to have taken about 469 gigabytes of data, including databases, source code, and the data the company had included in their customer notification. Only four additional victims are listed on Skira's Tor-based leak website as of this writing; the first victim was revealed in December 2024. 

While Carruth has not disclosed the number of impacted organisations and individuals, dozens of school districts and institutions across multiple states have confirmed in recent weeks that they have been affected by the cybersecurity issue. School districts notified state attorneys general that Carruth was unable to identify affected individuals, and each educational institution is seeking to identify current and former employees whose personal information was provided with the retirement services provider. 

To date, nine school districts in Maine have reported identifying more than 20,000 individuals affected by a data breach, as mandated by the attorney general. The Carruth data breach comes just weeks after it was revealed that hackers may have stolen the personal information of millions of students and instructors in the United States and Canada after a cyberattack on education software and services company PowerSchool.

Tata Technologies Cyberattack: Hunters International Ransomware Gang Claims Responsibility for 1.4TB Data Theft

 

Hunters International, a ransomware group known for high-profile cyberattacks, has claimed responsibility for a January 2025 cyberattack on Tata Technologies. The group alleges it stole 1.4TB of sensitive data from the company and has issued a threat to release the stolen files if its ransom demands are not met. Tata Technologies, a Pune-based global provider of engineering and digital solutions, reported the cyberattack in January. 

The company, which operates in 27 countries with over 12,500 employees, offers services across the automotive, aerospace, and industrial sectors. At the time of the breach, Tata Technologies confirmed that the attack had caused disruptions to certain IT systems but stated that client delivery services remained unaffected. The company also assured stakeholders that it was actively restoring impacted systems and conducting an internal investigation with cybersecurity experts. 

However, more than a month later, Hunters International listed Tata Technologies on its dark web extortion page, taking responsibility for the attack. The group claims to have exfiltrated 730,000 files, totaling 1.4TB of data. While the ransomware gang has threatened to publish the stolen files within a week if a ransom is not paid, it has not provided any samples or disclosed the nature of the compromised documents. Tata Technologies has yet to release an update regarding the breach or respond to the hackers’ claims. 

BleepingComputer, a cybersecurity news platform, attempted to contact the company for a statement but did not receive an immediate response. Hunters International emerged in late 2023, suspected to be a rebranded version of the Hive ransomware group. Since then, it has carried out multiple high-profile attacks, including breaches of Austal USA, a U.S. Navy contractor, and Japanese optics company Hoya. 

The group has gained notoriety for targeting various organizations without ethical restraint, even engaging in extortion schemes against individuals, such as cancer patients from Fred Hutchinson Cancer Center. Although many of the gang’s claims have been verified, some remain disputed. For example, in August 2024, the U.S. Marshals Service denied that its systems had been compromised, despite Hunters International’s assertions.  

With cybercriminals continuing to exploit vulnerabilities, the Tata Technologies breach serves as another reminder of the persistent and evolving threats posed by ransomware groups.

Genea Cyberattack: Termite Ransomware Leaks Sensitive Patient Data

 

One of Australia’s leading fertility providers, Genea Pty Ltd, has been targeted in a cyberattack allegedly carried out by the Termite ransomware group. On February 26, 2025, the group claimed responsibility for breaching Genea’s systems and stated that they had stolen 700GB of data from 27 company servers. The stolen information reportedly includes financial documents, invoices, medical records, personal identification data, and detailed patient questionnaires. 

Among these files are Protected Health Information (PHI), which contains personal medical histories and sensitive patient details. The cyberattack was first confirmed by Genea on February 19, 2025, when the company disclosed that its network had been compromised. The breach caused system outages and disrupted operations, leading to an internal investigation supported by cybersecurity experts. Genea moved quickly to assess the extent of the damage and reassure patients that the incident was being addressed with urgency. 

In an update released on February 24, 2025, the company acknowledged that unauthorized access had been detected within its patient management systems. By February 26, 2025, Genea confirmed that some of the stolen data had been leaked online by the attackers. In a public statement, the company expressed deep regret over the breach, acknowledging the distress it may have caused its patients. In response, Genea took immediate legal action by securing a court-ordered injunction to prevent further distribution or use of the stolen information. 

This measure was part of the company’s broader effort to protect affected individuals and limit the potential damage caused by the breach. To assist those impacted, Genea partnered with IDCARE, Australia’s national identity and cyber support service. Affected individuals were encouraged to seek help and take necessary steps to safeguard their personal information. The company urged patients to remain alert for potential fraud or identity theft attempts, particularly unsolicited emails, phone calls, or messages requesting personal details.  

The attack was initially detected on February 14, 2025, when suspicious activity was observed within Genea’s network. Upon further investigation, it was revealed that unauthorized access had occurred, and patient data had been compromised. The attackers reportedly targeted Genea’s patient management system, gaining entry to folders containing sensitive information. The exposed data includes full names, contact details, medical histories, treatment records, Medicare card numbers, and private health insurance information. 

However, as of the latest update, there was no evidence that financial data, such as bank account details or credit card numbers, had been accessed. Despite the severity of the breach, Genea assured patients that its medical and administrative teams were working tirelessly to restore affected systems and minimize disruptions to fertility services. Ensuring continuity of patient care remained a top priority while the company simultaneously focused on strengthening security measures to prevent further incidents. 

In response to the breach, Genea has been collaborating with the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC) to investigate the full extent of the attack. The company is committed to keeping affected individuals informed and taking all necessary precautions to enhance its cybersecurity framework. Patients were advised to monitor their accounts and report any suspicious activity to authorities. 

As a precaution, Genea recommended that affected individuals follow security guidelines issued by official government agencies such as the Australian Cyber Security Centre and the ACCC’s Scamwatch. For those concerned about identity theft, IDCARE’s experts were made available to provide support and guidance on mitigating risks associated with cybercrime. The incident has highlighted the growing risks faced by healthcare providers and the importance of implementing stronger security measures to protect patient data.

Lee Enterprises Confirms Ransomware Attack Impacting 75+ Publications

 

Lee Enterprises, a major newspaper publisher and the parent company of The Press of Atlantic City, has confirmed a ransomware attack that disrupted operations across at least 75 publications. The cybersecurity breach caused widespread outages, impacting the distribution of printed newspapers, subscription services, and internal business operations.

The attack, first disclosed to the Securities and Exchange Commission (SEC) on February 3, led to significant technology failures, affecting essential business functions. In an official update to the SEC, Lee Enterprises reported that hackers gained access to its network, encrypted key applications, and extracted files—common tactics associated with ransomware incidents.

As a result of the attack, the company's ability to deliver newspapers, process billing and collections, and manage vendor payments was severely affected. “The incident impacted the Company’s operations, including distribution of products, billing, collections, and vendor payments,” Lee Enterprises stated in its SEC filing.

With a vast portfolio of 350 weekly and specialty publications spanning 25 states, Lee Enterprises is now conducting a forensic investigation to assess the extent of the data breach. The company aims to determine whether hackers accessed personal or sensitive information belonging to subscribers, employees, or business partners.

By February 12, the company had successfully restored distribution for its core publications. However, weekly and ancillary publications are still facing disruptions, accounting for approximately five percent of the company's total operating revenue. While recovery efforts are underway, full restoration of all affected services is expected to take several weeks.

Cybersecurity experts have warned that ransomware attacks targeting media organizations can have severe consequences, including financial losses, reputational damage, and compromised data security. The increasing frequency of such incidents highlights the urgent need for media companies to strengthen their cybersecurity defenses against evolving cyber threats.

Growing Cybersecurity Threats in the Media Industry


The publishing industry has become an attractive target for cybercriminals due to its reliance on digital infrastructure for content distribution, subscription management, and advertising revenue. Recent high-profile cyberattacks on media organizations have demonstrated the vulnerability of traditional and digital publishing operations.

While Lee Enterprises has not yet disclosed whether a ransom demand was made, ransomware attacks typically involve hackers encrypting critical data and demanding payment for its release. Cybersecurity experts caution against paying ransoms, as it does not guarantee full data recovery and may encourage further attacks.

As Lee Enterprises continues its recovery process, the company is expected to implement stronger cybersecurity measures to prevent future breaches. The incident serves as a reminder for organizations across the media sector to enhance their security protocols, conduct regular system audits, and invest in advanced threat detection technologies.

Internal Chat Logs of Black Basta Ransomware Gang Leaked Online

 

A previously unidentified source has leaked what is claimed to be an archive of internal Matrix chat logs linked to the Black Basta ransomware group. The individual behind the leak, known as ExploitWhispers, initially uploaded the stolen messages to the MEGA file-sharing platform, which has since taken them down. However, they have now made the archive available through a dedicated Telegram channel.

It remains uncertain whether ExploitWhispers is a cybersecurity researcher who infiltrated the group's internal chat server or a discontented member of the operation. While no specific reason was provided for the leak, cybersecurity intelligence firm PRODAFT suggested that it could be a direct consequence of the ransomware gang’s alleged attacks on Russian banks.

"As part of our continuous monitoring, we've observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors," PRODAFT stated.

"On February 11, 2025, a major leak exposed BLACKBASTA's internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks."

The leaked archive contains internal chat messages exchanged between September 18, 2023, and September 28, 2024. A review conducted by BleepingComputer reveals that the messages encompass a broad range of sensitive information, including phishing templates, email addresses for targeting, cryptocurrency wallets, data dumps, victims' login credentials, and confirmations of previously reported attack strategies.

Additionally, the leaked records contain 367 unique ZoomInfo links, potentially reflecting the number of organizations targeted during the specified timeframe. Ransomware groups frequently use ZoomInfo to gather intelligence on their targets, either internally or for negotiations with victims.

ExploitWhispers also disclosed information about key Black Basta members, identifying Lapa as an administrator, Cortes as a threat actor connected to the Qakbot malware group, and YY as the primary administrator. Another individual, referred to as Trump (also known as GG and AA), is believed to be Oleg Nefedov, who is suspected of leading the operation.

Black Basta operates as a Ransomware-as-a-Service (RaaS) group, first emerging in April 2022. The gang has targeted several high-profile organizations across various industries, including healthcare, government contractors, and major corporations.

Notable victims include German defense contractor Rheinmetall, Hyundai's European division, BT Group (formerly British Telecom), U.S. healthcare provider Ascension, government contractor ABB, the American Dental Association, U.K. tech outsourcing firm Capita, the Toronto Public Library, and Yellow Pages Canada.

A joint report from CISA and the FBI, published in May 2024, revealed that Black Basta affiliates compromised more than 500 organizations between April 2022 and May 2024.

Research from Corvus Insurance and Elliptic estimates that the ransomware gang collected approximately $100 million in ransom payments from over 90 victims by November 2023.

This incident bears similarities to the February 2022 data breach involving the Russian-based Conti cybercrime syndicate. At that time, a Ukrainian security researcher leaked over 170,000 internal chat messages and the source code for the Conti ransomware encryptor, following the group's public support for Russia amid the Ukraine conflict.

Lee Enterprises Faces Prolonged Ransomware Attack Disrupting Newspaper Operations

 

Lee Enterprises, one of the largest newspaper publishers in the United States, is facing an ongoing ransomware attack that has severely disrupted its operations for over three weeks. The company confirmed the attack in a filing with the U.S. Securities and Exchange Commission (SEC), revealing that hackers illegally accessed its network, encrypted critical applications, and exfiltrated certain files. 

The publishing giant is now conducting a forensic investigation to determine whether sensitive or personal data was stolen. The attack has had widespread consequences across Lee’s business, affecting essential operations such as billing, collections, vendor payments, and the distribution of print newspapers. Many of its 72 publications have experienced significant delays, with some print editions not being published at all. 

The Winston-Salem Journal in North Carolina reported that it was unable to print several editions, while the Albany Democrat-Herald and Corvallis Gazette-Times in Oregon faced similar disruptions, preventing the release of at least two editions. Digital services have also been affected. On February 3, Lee Enterprises notified affected media outlets that one of its data centers, which supports applications and services for both the company and its customers, had gone offline. 

This outage has prevented subscribers from logging into their accounts and accessing key business applications. Several Lee-owned newspaper websites now display maintenance messages, warning readers that subscription services and digital editions may be temporarily unavailable. The full impact of the attack is still being assessed, but Lee has acknowledged that the incident is “reasonably likely” to have a material financial impact. With print and digital disruptions continuing, the company faces potential revenue losses from advertising, subscription cancellations, and operational delays. 

Law enforcement has been notified, though the company has not disclosed details about the perpetrators or whether it is considering paying a ransom. Ransomware attacks typically involve cybercriminals encrypting a company’s data and demanding payment in exchange for its release. If Lee refuses to negotiate, it may take weeks or months to fully restore its systems. 

Cyberattacks targeting media organizations have become increasingly common, as newspapers and digital publications rely on complex networks that can be vulnerable to security breaches. The Freedom of the Press Foundation is currently tracking the scope of the attack and compiling a list of affected newspapers. For now, Lee Enterprises continues its recovery efforts while its newspapers work to restore regular operations. 

Until the attack is fully resolved, readers, advertisers, and employees may continue to face disruptions across print and digital platforms. The incident highlights the growing threat of ransomware attacks on critical infrastructure and the challenges companies face in securing their networks against cyber threats.

Ransomware Attack Disrupts New York Blood Center Operations Amid Critical Shortage

 

The New York Blood Center (NYBC), a major provider of blood products and transfusion services in the U.S., suffered a ransomware attack on Sunday, leading to operational disruptions and the cancellation of some donor appointments. 

The cyberattack comes at a time when the center is already struggling with a significant drop in blood donations, further straining supply levels. 

NYBC, which collects approximately 4,000 units of blood daily and supports over 500 hospitals across multiple states, detected the security breach over the weekend of January 26. 
After noticing unusual activity within its IT systems, the organization swiftly enlisted cybersecurity experts to investigate. Their findings confirmed that ransomware was responsible for the disruption. 

In response, NYBC took immediate measures to contain the attack, including temporarily shutting down certain systems while working toward a secure restoration. Despite the ongoing challenges, the organization continues to accept blood donations but warned that some appointments may need to be rescheduled. 

The attack comes just days after NYBC issued a blood emergency following a dramatic 30% decline in donations, resulting in 6,500 fewer units collected and severely impacting regional blood supplies. At this time, it remains unclear whether the attackers accessed or stole sensitive donor information. No ransomware group has claimed responsibility yet.

As NYBC works to restore its systems, it is urging donors to continue making appointments to help address the ongoing blood shortage and ensure hospitals receive the critical supplies they need.

Tata Technologies Hit by Ransomware Attack: IT Services Temporarily Suspended

 

Tata Technologies, a multinational engineering firm and subsidiary of Tata Motors, recently experienced a ransomware attack that led to the temporary suspension of certain IT services. The company promptly launched an investigation into the incident and assured stakeholders that its operations remained unaffected. In a statement to Recorded Future News, Tata Technologies confirmed the cyberattack but refrained from sharing specifics, including the identity of the ransomware gang responsible, the divisions impacted, or whether any sensitive data was compromised.

On Friday, Tata Technologies filed an official report with the National Stock Exchange of India (NSE), confirming that only a few IT assets were affected. The company stated that it had taken precautionary measures by temporarily suspending some IT services, which have since been restored. Despite the attack, Tata Technologies emphasized that its client delivery services continued without interruption. As of now, no ransomware group has publicly claimed responsibility for the attack.

Implications of the Attack

Ransomware attacks often involve data exfiltration, raising concerns about the potential exposure of sensitive corporate or customer information. Cybercriminal gangs typically take credit for breaches to pressure organizations into paying ransoms, but in this case, there has been no such acknowledgment. Tata Technologies specializes in providing engineering services to industries such as automotive, aerospace, and industrial manufacturing. Operating in 27 countries, the company plays a critical role in supporting the global automotive sector with advanced digital solutions.

In its latest financial report, Tata Technologies reported a revenue of $156.6 million in the last quarter, underscoring its significant market presence. This incident is not the first time a Tata Group company has faced cybersecurity challenges. In 2022, Tata Power, a major energy subsidiary, reported a cyberattack that affected parts of its IT infrastructure. That breach raised concerns about the cybersecurity preparedness of Tata Group companies, given their extensive global operations and reliance on digital technologies.

Growing Cybersecurity Risks for Multinational Corporations

The attack on Tata Technologies highlights the increasing cybersecurity risks faced by multinational corporations. Ransomware groups continue to target high-value organizations, exploiting vulnerabilities in IT systems to disrupt operations and steal sensitive data. While Tata Technologies has managed to maintain business continuity, the incident serves as a reminder of the importance of robust cybersecurity measures.

Organizations facing ransomware threats typically invest in enhanced security protocols, such as:

  1. Regular System Updates: Ensuring that all software and systems are up-to-date to patch known vulnerabilities.
  2. Multi-Factor Authentication (MFA): Adding an extra layer of security to prevent unauthorized access.
  3. Employee Cybersecurity Training: Educating staff on recognizing phishing attempts and other common attack vectors.

Additionally, cybersecurity experts recommend that companies establish comprehensive incident response plans to mitigate the impact of potential cyberattacks. These plans should include steps for identifying, containing, and recovering from breaches, as well as communication strategies to keep stakeholders informed.

The ransomware attack on Tata Technologies underscores the growing threat of cyberattacks targeting multinational corporations. While the company has managed to restore its IT services and maintain business continuity, the incident highlights the need for proactive cybersecurity measures. As Tata Technologies continues its investigation, further details may emerge regarding the extent of the attack and any measures being taken to prevent future incidents. In an era of escalating cyber threats, organizations must remain vigilant and invest in robust security frameworks to protect their operations and sensitive data.

ENGlobal Corporation Hit by Ransomware Attack: Sensitive Data Exposed

 

ENGlobal Corporation, a prominent contractor in the energy sector, has disclosed that a ransomware attack in November 2024 led to the exposure of sensitive personal data. The incident, which occurred on November 25, forced the company to take certain systems offline as a containment measure, limiting access to only critical business processes.

Details of the Attack and Response

In early December, ENGlobal reported the incident to the U.S. Securities and Exchange Commission (SEC), stating that some data on its systems had been encrypted during the attack. However, at the time, the company did not confirm whether any data had been stolen. In a subsequent regulatory filing, ENGlobal revealed that the attackers had indeed accessed sensitive personal information stored on its systems, though it did not provide specific details about the nature or scope of the breach. 

“The cybersecurity incident involved the threat actor’s access to a portion of the company’s IT system that contained sensitive personal information. The company intends to provide notifications to affected and potentially affected parties and applicable regulatory agencies as required by federal and state law,” ENGlobal stated.

ENGlobal assured stakeholders that the threat actor had been removed from its network and that all systems had been fully restored. The company also confirmed that its business operations and functions have resumed as usual. However, the attack significantly disrupted the company’s operations for approximately six weeks, limiting access to critical business applications, including financial and operating reporting systems.

Despite the disruption, ENGlobal stated that the incident is not expected to have a material impact on its financial position or operational results. The company emphasized its commitment to notifying affected individuals and regulatory agencies in compliance with federal and state laws.

The Growing Threat of Ransomware and Mitigation Strategies

The ENGlobal incident highlights the escalating threat of ransomware attacks, particularly against critical infrastructure and energy sector companies. Ransomware attacks not only disrupt operations but also expose sensitive data, putting individuals and organizations at risk of identity theft, financial fraud, and other cybercrimes.

To mitigate such risks, cybersecurity experts recommend the following measures:

  1. Regular Backups: Maintain frequent and secure backups of critical data to ensure quick recovery in case of an attack.
  2. Employee Training: Educate employees on recognizing phishing attempts and other common attack vectors.
  3. Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security to accounts and systems.
  4. Incident Response Plan: Develop and regularly update an incident response plan to ensure a swift and effective response to cyberattacks.
  5. Network Segmentation: Divide networks into smaller segments to limit the spread of ransomware in case of a breach.

As of now, no known ransomware group has claimed responsibility for the attack, and ENGlobal has not disclosed any information about the threat actor behind the incident. This lack of attribution is not uncommon in ransomware cases, as attackers often operate anonymously to avoid legal repercussions.

The ransomware attack on ENGlobal Corporation serves as a stark reminder of the vulnerabilities faced by organizations in the energy sector and beyond. While the company has managed to restore its systems and resume operations, the incident underscores the importance of robust cybersecurity measures and proactive threat mitigation strategies. As ransomware attacks continue to evolve, organizations must remain vigilant and prepared to defend against increasingly sophisticated threats.