Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware attack. Show all posts
RedCurl
Cyber Attacks Hyper-V encryption QWCrypt ransomware Ransomware attack RedCurl

Corporate Espionage Group ‘RedCurl’ Expands Tactics with Hyper-V Ransomware

 

RedCurl, a cyber threat group active since 2018 and known for stealthy corporate espionage, has now shifted its approach by deploying ransomware targeting Hyper-V virtual machines.

Initially identified by Group-IB, RedCurl primarily targeted corporate organizations globally, later expanding its reach. However, as reported by Bitdefender Labs, the group has now incorporated ransomware into its operations.

"We've seen RedCurl stick to their usual playbook in most cases, continuing with data exfiltration over longer periods of time," states the Bitdefender report. "However, one case stood out. They broke their routine and deployed ransomware for the first time."

With businesses increasingly adopting virtualized infrastructure, ransomware groups are adapting by designing encryptors for these environments. While most ransomware variants target VMware ESXi servers, RedCurl’s latest tool, QWCrypt, focuses specifically on Hyper-V.

Bitdefender’s analysis reveals that RedCurl initiates attacks through phishing emails containing .IMG attachments disguised as CVs. When opened, these disk image files auto-mount in Windows, executing a malicious screensaver file. This technique exploits DLL sideloading via a legitimate Adobe executable, enabling persistence through scheduled tasks.

To avoid detection, RedCurl employs living-off-the-land (LOTL) techniques, leveraging native Windows utilities. A custom wmiexec variant facilitates lateral movement across networks without triggering security tools, while Chisel provides tunneling and remote desktop access.

Before deploying ransomware, the attackers disable security measures using encrypted 7z archives and a multi-stage PowerShell script.

Unlike standard Windows ransomware, QWCrypt supports multiple command-line arguments, allowing attackers to fine-tune encryption strategies. In observed attacks, RedCurl used the --excludeVM argument to avoid encrypting network gateway virtual machines, ensuring continued access.

The XChaCha20-Poly1305 encryption algorithm is employed to lock files, appending .locked$ or .randombits$ extensions. Additionally, QWCrypt offers intermittent encryption (block skipping) and selective file encryption based on size, optimizing speed.

The ransom note, named "!!!how_to_unlock_randombits_files.txt$", incorporates text fragments from multiple ransomware groups, including LockBit, HardBit, and Mimic.

Unlike most ransomware gangs, RedCurl does not operate a dedicated leak site, raising speculation about its true intentions. Experts propose two theories:

The ransomware may serve as a cover for data theft, creating a distraction while RedCurl exfiltrates sensitive corporate information. It could also act as a backup monetization method when clients fail to pay for stolen data. Another possibility is that RedCurl may conduct covert negotiations with victims, focusing on financial gain without public exposure.

"The RedCurl group's recent deployment of ransomware marks a significant evolution in their tactics," Bitdefender concludes. "This departure from their established modus op
Read more »
Rhysida Ransomware
Cybersecurity Attack Data Breach Pennsylvania State Education Association (PSEA) Ransomware attack Rhysida Ransomware

Pennsylvania Education Union Alerts Over 500,000 Individuals of Data Breach

 

The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying more than half a million individuals that their personal data was compromised in a cybersecurity breach that occurred in July 2024.

Representing over 178,000 education professionals—including teachers, support staff, higher education employees, nurses, retirees, and future educators—PSEA disclosed the breach in letters sent to 517,487 affected individuals.

"PSEA experienced a security incident on or about July 6, 2024, that impacted our network environment," the organization stated in its notification. "Through a thorough investigation and extensive review of impacted data, which was completed on February 18, 2025, we determined that the data acquired by the unauthorized actor contained some personal information belonging to individuals whose information was contained within certain files within our network."

Types of Stolen Data

The stolen information varies by individual and includes sensitive personal, financial, and health-related details. This may include:
  • Driver’s license or state ID numbers
  • Social Security numbers
  • Account PINs and security codes
  • Payment card details
  • Passport information
  • Taxpayer identification numbers
  • Online credentials
  • Health insurance and medical records
In response to the breach, PSEA is offering free credit monitoring and identity restoration services through IDX for those whose Social Security numbers were affected. Eligible individuals must enroll by June 17, 2025. The union also advised affected individuals to monitor their financial statements, review credit reports for suspicious activity, and consider placing a fraud alert or security freeze on their credit files.

Although PSEA has not directly attributed the attack to a specific threat group, the Rhysida ransomware gang took responsibility for the breach on September 9, 2024. The cybercriminals reportedly demanded a 20 BTC ransom and threatened to leak stolen data if their demands were not met. While it remains unclear if PSEA complied with the ransom request, Rhysida has since removed the stolen data from its dark web leak site.

Rhysida, a ransomware-as-a-service (RaaS) group, first emerged in May 2023 and has been linked to several high-profile cyberattacks. Notable incidents include breaches at the British Library, the Chilean Army, and Sony subsidiary Insomniac Games. In November 2023, the group leaked 1.67 TB of documents after Insomniac refused to pay a $2 million ransom.

More recently, Rhysida affiliates targeted Lurie Children’s Hospital in Chicago in February 2024, attempting to sell stolen data for 60 BTC (approximately $3.7 million at the time). Other victims include the Singing River Health System, which suffered a data breach affecting 900,000 individuals in August 2023, and the City of Columbus, Ohio, where 500,000 residents’ data was compromised in July 2024.

Cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, have warned that Rhysida ransomware affiliates continue to launch opportunistic attacks across various industry sectors. Additionally, the U.S. Department of Health and Human Services (HHS) has linked the group to multiple cyberattacks targeting healthcare institutions.
Read more »
Ransomware attack
Cyber Security Cybersecurity Digital Security free file converter risks Identity Theft malware protection Online Safety Ransomware attack

FBI Warns Against Free Online File Converters as Potential Cybersecurity Threats

 

Free online file converters have become a popular choice for users looking to convert files into different formats. Whether transforming a PDF into a Word document or switching between media formats, these tools offer convenience with just a few clicks. However, the FBI has issued a warning about the hidden dangers associated with such services.

Despite their ease of use, free file conversion tools may serve as a gateway for malware, potentially compromising users’ sensitive data. According to TechRadar, the FBI has identified certain converters that embed malicious software into the converted files. This malware can infect the user's system, allowing hackers to steal personal and financial information undetected.

Once installed, malware can extract crucial data, including:
  • Full names and home addresses
  • Social Security numbers
  • Banking and financial details
  • Cryptocurrency wallets and access keys
The stolen information is often exploited for identity theft, financial fraud, and other cybercrimes. In some cases, hackers deploy ransomware, which locks victims out of their own systems and demands a hefty ransom for data recovery.

Ransomware attacks have surged, affecting both businesses and individuals. When malware encrypts files, victims face a difficult choice—either pay the ransom or lose access to critical data. The FBI emphasizes that these threats are not limited to corporations; everyday internet users relying on free online tools are also at risk. A report from Cisco Talos highlights ransomware as one of the most significant security threats in recent years.

Mark Michalek, FBI Denver Special Agent in Charge, advises that awareness and education are the best defenses against malware attacks. To minimize risks, users should follow these cybersecurity best practices:
  • Use trusted sources – Only download or use file conversion tools from reputable websites and developers.
  • Keep security software updated – Install and regularly update antivirus and anti-malware programs to detect potential threats.
  • Avoid suspicious links and attachments – Do not open files or click on links from unknown sources.
  • Maintain data backups – Regularly back up important files to prevent data loss in case of an attack.

If you suspect that malware has been installed through a file converter, take immediate action:
  • Disconnect from the internet to prevent further data compromise.
  • Run a full system scan using reputable antivirus software to detect and remove malicious files.
  • Report the incident to law enforcement to document the attack and seek assistance.
While free online file converters provide convenience, they also pose significant cybersecurity risks. Users must remain vigilant and prioritize safety when handling digital files. By adopting precautionary measures and staying informed, individuals can protect their sensitive data from cyber threats.
Read more »
Ransomwares
corporate network breach Cyber Security firewall vulnerability Forescout Research Labs Fortnite Hacker attack Ransomware attack Ransomwares

Hackers Exploit Fortinet Firewall Bugs to Deploy Ransomware

 

Cybersecurity researchers have uncovered a new attack campaign in which hackers are exploiting vulnerabilities in Fortinet firewalls to breach corporate networks and deploy ransomware. The hacking group, tracked as “Mora_001,” is leveraging two specific flaws in Fortinet’s firewall software to infiltrate systems and launch a custom ransomware strain called “SuperBlack.” 

These vulnerabilities, tracked as CVE-2024-55591 and CVE-2025-24472, have been actively exploited since December 2024, despite Fortinet releasing patches in January 2025. Many organizations have yet to apply these critical updates, leaving their networks vulnerable. Once inside a network, the attackers conduct reconnaissance to identify valuable data before deploying ransomware. Instead of immediately encrypting files, they first exfiltrate sensitive information, a tactic that has become increasingly common among ransomware groups seeking to pressure victims into paying a ransom to prevent data leaks. 

Security researchers at Forescout observed that the Mora_001 group selectively encrypted file servers only after stealing critical data, making their attacks more damaging and difficult to recover from. There is strong evidence linking Mora_001 to the notorious LockBit ransomware gang. The SuperBlack ransomware strain appears to be based on a leaked builder from LockBit 3.0 attacks, and the ransom notes left by Mora_001 include the same contact details previously used by LockBit affiliates. This suggests that Mora_001 may be a current LockBit affiliate with distinct operational methods or a separate group that shares infrastructure and communication channels. 

Cybersecurity experts believe that Mora_001 is primarily targeting organizations that have not yet applied Fortinet’s security patches. Companies that failed to update their firewalls or properly harden their network configurations when the vulnerabilities were first disclosed are at the highest risk. The ransom notes used in these attacks also bear similarities to those used by other cybercriminal groups, such as the now-defunct ALPHV/BlackCat ransomware gang, further indicating connections within the ransomware ecosystem. 

Despite Fortinet releasing fixes for the affected vulnerabilities, unpatched systems remain an easy target for attackers. Security professionals are urging organizations to update their firewalls immediately and implement additional security measures to prevent unauthorized access. Best practices include applying all available patches, segmenting networks to restrict access to critical systems, monitoring for suspicious activity using endpoint detection and response tools, and maintaining secure offline backups. Organizations that fail to take these precautions risk falling victim to sophisticated ransomware attacks that can result in severe financial and operational damage.
Read more »
S-RM
Akira Akira Ransomware Camera Hack Cyber Attacks EDR Ransomware attack Ransomwares RDP S-RM

Ransomware Group Uses Unpatched Webcams to Deploy Attacks

 

A recent cybersecurity report by S-RM has revealed a new tactic used by the Akira ransomware group, demonstrating their persistence in bypassing security defenses. When their initial attempt to deploy ransomware was blocked by an endpoint detection and response (EDR) tool, the attackers shifted their focus to an unexpected network device—a webcam. 

This strategy highlights the evolving nature of cyber threats and the need for organizations to secure all connected devices. The attack began with the use of remote desktop protocol (RDP) to access a target’s server. When the group attempted to deploy a ransomware file, the victim’s EDR successfully detected and neutralized the threat. However, rather than abandoning the attack, the adversaries conducted a network search and identified other connected devices, including a fingerprint scanner and a camera. The camera was an ideal entry point because it was unpatched, ran a Linux-based operating system capable of executing commands, and had no installed EDR solution. 

Exploiting these vulnerabilities, the attackers used the camera to deploy ransomware via the Server Message Block (SMB) protocol, which facilitates file and resource sharing between networked devices. According to cybersecurity experts, this kind of attack is difficult to defend against because it targets overlooked devices. Rob T. Lee, chief of research at the SANS Institute, compared detecting such threats to “finding a needle in a haystack.” The attack underscores how cybercriminals are constantly adapting, looking for the weakest points in a network to infiltrate and execute their malicious operations. 

The Akira ransomware group has gained traction following law enforcement takedowns of major ransomware organizations like AlphV and LockBit. S-RM reported that Akira accounted for 15% of the cyber incidents it analyzed, and in January 2024, CISA confirmed that the group had impacted over 250 organizations, extorting approximately $42 million in ransom payments. Ransom demands from Akira typically range from $200,000 to $4 million. The growing threat to internet of things (IoT) devices is further supported by data from Zscaler, which blocked 45% more IoT malware transactions between June 2023 and May 2024. 

Devices such as webcams, e-readers, and routers are particularly vulnerable due to outdated software and poor security practices. To mitigate risks, cybersecurity experts recommend several best practices for securing IoT devices. Organizations should place IoT devices on restricted networks that prevent unauthorized access from workstations or servers. Unused devices should be turned off, networked devices should be regularly audited, and software patches must be applied promptly. Additionally, changing default passwords on IoT devices is essential to prevent unauthorized access. 

Cybercriminals are continuously thinking outside the box to exploit vulnerabilities, and security professionals must do the same to defend against emerging threats. If attackers can compromise a webcam, they could potentially target more complex systems, such as industrial machinery or medical devices. As ransomware groups evolve, staying ahead of their tactics is crucial for safeguarding sensitive data and preventing costly breaches.
Read more »
User Security
Data Breach Data Leak Ransomware attack Retirement Service Firm United States User Security

Ransomware Attack on Retirement Services Firm Exposes Thousands of US School Data

 

A ransomware assault targeting retirement service firm Carruth Compliance Consulting has resulted in a data breach affecting dozens of school districts and thousands of individuals in the US. Carruth Compliance Consulting (CCC) administers retirement savings accounts for public schools and non-profit organisations.

Carruth announced on its website on January 13, 2025, that it had detected suspicious activity on its computer systems on December 21, 2024. An investigation revealed that hackers gained access to company networks between December 19 and December 26, and stole some files. 

The company claims that private information such as name, Social Security number, financial account information, and, in specific circumstances, driver's license numbers, medical billing information, W-2 information, and tax filings were among the hacked files. Free identity restoration and credit monitoring services are being provided to affected consumers. 

A relatively new ransomware organisation called Skira claimed responsibility for the Carruth attack this week, claiming to have taken about 469 gigabytes of data, including databases, source code, and the data the company had included in their customer notification. Only four additional victims are listed on Skira's Tor-based leak website as of this writing; the first victim was revealed in December 2024. 

While Carruth has not disclosed the number of impacted organisations and individuals, dozens of school districts and institutions across multiple states have confirmed in recent weeks that they have been affected by the cybersecurity issue. School districts notified state attorneys general that Carruth was unable to identify affected individuals, and each educational institution is seeking to identify current and former employees whose personal information was provided with the retirement services provider. 

To date, nine school districts in Maine have reported identifying more than 20,000 individuals affected by a data breach, as mandated by the attorney general. The Carruth data breach comes just weeks after it was revealed that hackers may have stolen the personal information of millions of students and instructors in the United States and Canada after a cyberattack on education software and services company PowerSchool.
Read more »
Sensitive Data Leak
Cyber Attacks Data Leak data security Data Theft IT Systems Ransomware attack Ransomware group Ransomwares Sensitive Data Leak

Tata Technologies Cyberattack: Hunters International Ransomware Gang Claims Responsibility for 1.4TB Data Theft

 

Hunters International, a ransomware group known for high-profile cyberattacks, has claimed responsibility for a January 2025 cyberattack on Tata Technologies. The group alleges it stole 1.4TB of sensitive data from the company and has issued a threat to release the stolen files if its ransom demands are not met. Tata Technologies, a Pune-based global provider of engineering and digital solutions, reported the cyberattack in January. 

The company, which operates in 27 countries with over 12,500 employees, offers services across the automotive, aerospace, and industrial sectors. At the time of the breach, Tata Technologies confirmed that the attack had caused disruptions to certain IT systems but stated that client delivery services remained unaffected. The company also assured stakeholders that it was actively restoring impacted systems and conducting an internal investigation with cybersecurity experts. 

However, more than a month later, Hunters International listed Tata Technologies on its dark web extortion page, taking responsibility for the attack. The group claims to have exfiltrated 730,000 files, totaling 1.4TB of data. While the ransomware gang has threatened to publish the stolen files within a week if a ransom is not paid, it has not provided any samples or disclosed the nature of the compromised documents. Tata Technologies has yet to release an update regarding the breach or respond to the hackers’ claims. 

BleepingComputer, a cybersecurity news platform, attempted to contact the company for a statement but did not receive an immediate response. Hunters International emerged in late 2023, suspected to be a rebranded version of the Hive ransomware group. Since then, it has carried out multiple high-profile attacks, including breaches of Austal USA, a U.S. Navy contractor, and Japanese optics company Hoya. 

The group has gained notoriety for targeting various organizations without ethical restraint, even engaging in extortion schemes against individuals, such as cancer patients from Fred Hutchinson Cancer Center. Although many of the gang’s claims have been verified, some remain disputed. For example, in August 2024, the U.S. Marshals Service denied that its systems had been compromised, despite Hunters International’s assertions.  

With cybercriminals continuing to exploit vulnerabilities, the Tata Technologies breach serves as another reminder of the persistent and evolving threats posed by ransomware groups.
Read more »
Ransomware group
Cyber Attacks Data Leak data security Genea Healthcare Breach Patient Data Ransomware attack Ransomware group

Genea Cyberattack: Termite Ransomware Leaks Sensitive Patient Data

 

One of Australia’s leading fertility providers, Genea Pty Ltd, has been targeted in a cyberattack allegedly carried out by the Termite ransomware group. On February 26, 2025, the group claimed responsibility for breaching Genea’s systems and stated that they had stolen 700GB of data from 27 company servers. The stolen information reportedly includes financial documents, invoices, medical records, personal identification data, and detailed patient questionnaires. 

Among these files are Protected Health Information (PHI), which contains personal medical histories and sensitive patient details. The cyberattack was first confirmed by Genea on February 19, 2025, when the company disclosed that its network had been compromised. The breach caused system outages and disrupted operations, leading to an internal investigation supported by cybersecurity experts. Genea moved quickly to assess the extent of the damage and reassure patients that the incident was being addressed with urgency. 

In an update released on February 24, 2025, the company acknowledged that unauthorized access had been detected within its patient management systems. By February 26, 2025, Genea confirmed that some of the stolen data had been leaked online by the attackers. In a public statement, the company expressed deep regret over the breach, acknowledging the distress it may have caused its patients. In response, Genea took immediate legal action by securing a court-ordered injunction to prevent further distribution or use of the stolen information. 

This measure was part of the company’s broader effort to protect affected individuals and limit the potential damage caused by the breach. To assist those impacted, Genea partnered with IDCARE, Australia’s national identity and cyber support service. Affected individuals were encouraged to seek help and take necessary steps to safeguard their personal information. The company urged patients to remain alert for potential fraud or identity theft attempts, particularly unsolicited emails, phone calls, or messages requesting personal details.  

The attack was initially detected on February 14, 2025, when suspicious activity was observed within Genea’s network. Upon further investigation, it was revealed that unauthorized access had occurred, and patient data had been compromised. The attackers reportedly targeted Genea’s patient management system, gaining entry to folders containing sensitive information. The exposed data includes full names, contact details, medical histories, treatment records, Medicare card numbers, and private health insurance information. 

However, as of the latest update, there was no evidence that financial data, such as bank account details or credit card numbers, had been accessed. Despite the severity of the breach, Genea assured patients that its medical and administrative teams were working tirelessly to restore affected systems and minimize disruptions to fertility services. Ensuring continuity of patient care remained a top priority while the company simultaneously focused on strengthening security measures to prevent further incidents. 

In response to the breach, Genea has been collaborating with the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC) to investigate the full extent of the attack. The company is committed to keeping affected individuals informed and taking all necessary precautions to enhance its cybersecurity framework. Patients were advised to monitor their accounts and report any suspicious activity to authorities. 

As a precaution, Genea recommended that affected individuals follow security guidelines issued by official government agencies such as the Australian Cyber Security Centre and the ACCC’s Scamwatch. For those concerned about identity theft, IDCARE’s experts were made available to provide support and guidance on mitigating risks associated with cybercrime. The incident has highlighted the growing risks faced by healthcare providers and the importance of implementing stronger security measures to protect patient data.
Read more »
Subscribe to: Posts (Atom)