CySecurity News - Latest Information Security and Hacking Incidents: Ransomware

Critical Infrastructure Security cyber espionage Cyber Warfare Geopolitical Cyber Attacks Hacktivism Campaigns Middle East Cyber Threats Ransomware

Rising Cyber Threats Linked to Ongoing Middle East Conflict

A geopolitical crisis has historically been fought on physical battlefields, but its effects are seldom confined to borders in the modern threat landscape. While tensions are swirling across the Middle East as a result of the United States' military operations in Iran and Tehran's retaliatory actions, a parallel surge of activity is being witnessed in the digital world.

There is increasing concern among security analysts as well as government cyber agencies about how geopolitical instability provides fertile ground for cybercriminals and state-aligned actors. In order to manipulate public curiosity, exploit fear, and conceal malicious campaigns, attackers have utilized this rapidly evolving situation as a convenient narrative.

As soon as the escalation began, researchers began tracking a growing ecosystem of cyber infrastructure based on conflict that lures unsuspecting users into fraudulent websites, phishing scams, and malware downloads.

In many cases, what appears to be breaking news or urgent updates about a crisis hides carefully designed traps meant to infiltrate corporations, collect credentials, or spread malicious software designed to steal data.

Due to this, the conflict's digital shadow has expanded beyond the immediate region, raising concerns among cybersecurity professionals that opportunistic attacks may become increasingly targeted against individuals and organizations worldwide.

The intensification of hostilities in late February 2026, when the United States and Israel are said to have conducted coordinated airstrikes against multiple Iranian facilities, has further compounded the escalation of cyber threats.

Security analysts have identified a pattern where cyber activity closely follows developments on the ground following the strikes and retaliatory actions which have reverberated across several Middle Eastern nations following the strikes.

According to researchers, digital operations played a supporting role long before the first missiles were deployed. Iran's command-and-control infrastructure was disrupted by coordinated electronic warfare tactics and large-scale distributed denial-of-service campaigns. This temporarily impeded national internet access and could potentially complicate real-time military coordination by reducing national internet connectivity to a fraction of its usual capacity.

It is clear from such incidents that cyber capabilities are becoming increasingly integrated into broader strategic operations, influencing the circumstances under which conventional military engagements occur. However, analysts note that the cyber dimension of the conflict cannot be limited to state-directed operations alone.

As a result, it is widely expected that Iranian digital response will follow an asymmetric model, with loosely aligned or ideologically sympathetic groups operating outside its borders typically executing these actions. They vary considerably in capability, but their activities often involve defacing websites, leaking data, and launching disruptive attacks intended to generate publicity in addition to operational damage.

A team tracking online channels associated with hacktivist communities has observed hundreds of claims of cyberattack within days of the escalation, many of which were shared via propaganda platforms and messaging platforms aligned with geopolitical agendas.

In spite of the fact that not all claims reflect a verified breach, the rapid dissemination of such announcements can create confusion, inflate perceived impact, and press targeted organizations into responding before technical verification is possible. It is becoming increasingly clear that the target list is expanding beyond political disruption.

Monitoring of cybersecurity indicates that activities related to the conflict extend beyond Israel to Gulf States, Jordan, Cyprus, and American organizations based abroad. As a result of financial motivation, ransomware operators and threat groups have attempted to frame attacks against Israeli and Western-related entities as political alignments rather than criminal attacks.

A gradual blurring of the distinction between state-aligned disruption and extortion involving financial gain is being caused by the blending of ideological messaging and traditional cybercrime tactics. Moreover, security teams have warned that opportunistic actors are leveraging geopolitical tensions as a narrative hook for phishing and fraud operations.

It has been observed increasingly that travel-related scams are targeting individuals stranded or traveling within the region, and credential harvesting campaigns are targeting diplomats, journalists, humanitarian organizations and defense contractors. There has been an increase in interest in industrial and operational technology environments in recent years, which has created an alarm.

It is important to note that early cyber activity linked to the conflict was primarily defacements and distributed denial-of-service attacks against public websites. In recent reports, threat intelligence reports have indicated an attempt to probe systems linked to industrial control components such as programmable logic controllers and other industrial control components.

Consequently, if substantiated, this shift would represent a substantial escalation of both technical ambition and potential impact for energy facilities, utilities, and other critical infrastructure operators throughout the Middle East and Gulf region, should reevaluate their operational network resilience, particularly those that connect information technology with industrial control systems.

Together, these developments suggest a broad range of potential cyber activity, including high-volume DDoS campaigns that target government portals as well as targeted spear-phishing activities that seek credentials from diplomats, media organizations, and defense contractors.

A number of analysts have warned that ransomware incidents can be politicized, hack-and-leak operations will target military-linked entities, and destructive malware may be used to disable government systems.

The influence campaigns and fabricated breach claims being circulated through social media platforms are expected to play a parallel role in shaping public perception as well as these technical threats. As a result of the possibility of both verified attacks and exaggerated narratives producing real-world consequences, enhancing situational awareness and improving defensive monitoring is becoming an integral aspect of risk management in organizations.

It is also evident from the broader regional context why geopolitical escalation often results in heightened cyber security risks in the Middle East. Over the past decade, countries across the region have taken steps to transform public services, financial systems, telecommunications infrastructure, and energy operations through large-scale digital transformation initiatives.

Particularly, Gulf Cooperation Council members have led these efforts. In addition to strengthening economic diversification and technological capacity, these efforts have increased the digital attack surface available to threat actors at the same time.

Monitoring of cybercrime activities in the Gulf has indicated an increasing number of traditional cybercrime activities targeting both private and state institutions. In recent years, financial fraud campaigns, ransomware attacks, and political-motivated web defacements have disrupted a wide range of industries, including banking, telecommunications, and more.

There have been several high-profile incidents in recent years that involved financial institution and mobile banking platform breaches, while ransomware groups have increasingly targeted large regional service providers as targets. These campaigns have grown in frequency as well as sophistication, reflecting the region's interconnected digital infrastructure’s increasing strategic value.

In addition, the threat environment is not limited to conventional cybercrime. Researchers continue to report advanced persistent threat groups conducting cyberespionage operations against governmental agencies, defense organizations, and energy infrastructure throughout the region, in addition to conventional cybercrime.

There is a widespread belief that many of these campaigns are associated with states and geopolitical rivalries, with a particular focus being placed on individuals associated with Iran following earlier cyber incidents against its nuclear facilities.

Several activities attributed to this group have included deployment of destructive malware, covert surveillance campaigns, and data destruction attacks, all aimed at disrupting critical infrastructure without providing any indication as to whether the underlying motive is political disruption or financial gain.

Consequently, attribution efforts have been complicated by the convergence of these motives, resulting in the increasing overlap between cyber espionage, sabotage, and criminal activity. Cybersecurity dynamics are also influenced by the political and social significance of the digital space within the region.

Digital platforms, data flows, and communication infrastructure are frequently regulated by Middle Eastern governments as a matter of national stability and regime security. Consequently, social media platforms and messaging platforms have evolved into contested environments where state institutions, activists, extremist organizations, and influence networks compete to shape narratives in contested environments.

In times of conflict or political instability, this competition can take the form of distributed denial-of-service attacks, coordinated disinformation campaigns, doxxing operations, and claims of data breaches aimed at putting pressure on political opponents or influencing public opinion.

With the increasing use of artificial intelligence tools for creating synthetic media, automating propaganda, or manipulating information flow, it has become increasingly difficult for organizations to maintain reliable situational awareness during emergencies. In addition to the integration of artificial intelligence and autonomous technologies into military and security operations across the region, there is an emerging dimension.

New cybersecurity vulnerabilities are inevitable as governments and non-state actors experiment with artificial intelligence-enabled surveillance, targeting, and operational coordination systems. It is important to be aware that when systems depend on complex supply chains of software or foreign technological expertise, cyber intrusions, manipulation, and espionage can be a potential entry point.

According to security specialists, interference with these technologies could have consequences beyond the theft of data, impacting battlefield decision-making, operational reliability, or strategic control over sensitive defense capabilities, among other things.

Institutions are not the only ones to face such risks. Technology-facilitated abuse has become increasingly problematic for vulnerable communities as it intersects with personal safety concerns and digital rights.

A number of places in the region have experienced an increase in the spread of manipulated images and deepfake content as a result of technology-facilitated abuse, including impersonation schemes and sextortion. Many victims experience significant social stigma or legal barriers when seeking assistance, which can discourage them from reporting and allow perpetrators to operate with relative impunity.

In combination, these trends illustrate that cybersecurity is not limited to protecting networks or infrastructure in the Middle East. A complex intersection of national security, information control, technological competition, and social vulnerability has resulted in a situation where the region is particularly vulnerable to cyber activity arising from geopolitical tensions.

University of Hawaiʻi Cancer Center Suffers Data Breach from Ransomware Attacks



 

Ransomware Threat

Cyber Security Ransomware Attacks Data Breach Ransomware Ransomware Threat

University of Hawaiʻi Cancer Center Suffers Data Breach from Ransomware Attacks

A ransomware attack on the University of Hawaii Cancer Center's epidemiology division last year resulted in information leaks for up to 1.2 million people.

About the incident

According to a statement issued by the organization last week, hackers gained access to documents that included 1998 voter registration records from the City and County of Honolulu, as well as Social Security numbers (SSNs) and driver's license numbers gathered from the Hawaiʻi State Department of Transportation.

A 1993 Multiethnic Cohort (MEC) Study was shown to be partially responsible for the breach. The institution recruited study participants using voter registration information and driver's license numbers. Health information was included in some of the files that were made public.

Leaked information

Files related to three other epidemiological studies of diet and cancer were retrieved, along with data on MEC Study participants. To determine whether further sensitive data was obtained, the hack is still being investigated. According to the university, "additional individuals whose personal information may have been included in the historical driver's license and voter registration records with SSN identifiers number approximately 1.15 million."

A total of 87,493 study participants had their information taken. The cyber problem was initially found on August 31, 2025, according to a report the university gave to the state assembly in January.

Attack discovery

The stolen data was found in a subset of research files on specific servers supporting the epidemiological research activities of the University of Hawaii Cancer Center. The University of Hawaii Cancer Center's clinical trials activities, patient care, and other divisions were unaffected by the ransomware attack. The University of Hawaii Cancer Center's director, Naoto Ueno, expressed regret for the incident last week and stated that the organization was "committed to transparency."

According to the institution, in order to address the issue, they hired cybersecurity specialists and notified law enforcement after the attackers encrypted and probably stole data. The cybersecurity company acquired "an affirmation that any information obtained was destroyed" and a decryption tool.

Three universities, seven community colleges, one employment training center, and numerous research institutions dispersed over six islands make up the University of Hawaii system. About 50,000 students are served by it.

Madison Square Garden Notifies Victims of SSN Data Breach



 

zero day attacks

Akira Cybersecurity Data Breach Madison Square Garden Ransomware SSNs zero day attacks

Madison Square Garden Notifies Victims of SSN Data Breach

The Madison Square Garden Family of Companies has disclosed that it recently alerted an undisclosed number of individuals about a cybersecurity incident that occurred in August 2025. The company confirmed that the exposed information includes names and Social Security numbers.

According to MSG’s notification letter, attackers exploited a previously unknown vulnerability in Oracle’s E-Business Suite, an enterprise software platform widely used for finance, human resources, and back-office operations. The affected system was hosted and managed by an unnamed third-party vendor, indicating the intrusion occurred through an externally maintained environment rather than MSG’s core internal network.

Oracle informed customers that an undisclosed condition in the application had been abused by an unauthorized party to obtain access to stored data. MSG stated that its investigation, completed in late November 2025, determined that unauthorized access had taken place in August 2025. The gap between compromise and confirmation reflects a common pattern in zero-day attacks, where flaws are exploited before vendors are aware of their existence or able to issue patches.

In November 2025, the ransomware group known as Clop, also stylized as Cl0p, publicly claimed responsibility for the breach. During the same period, the group carried out a broader campaign targeting hundreds of organizations by leveraging the same Oracle vulnerability. MSG has not acknowledged Clop’s claim, and independent verification of the group’s involvement has not been established. The company has not disclosed how many people were notified, whether a ransom demand was made, or whether any payment occurred. A request for further comment remains pending.

MSG is offering eligible individuals one year of complimentary credit monitoring through TransUnion. Affected recipients have 90 days from receiving the notice letter to enroll.

Clop first appeared in 2019 and has become known for exploiting zero-day flaws in enterprise software. Beyond Oracle’s E-Business Suite, the group has targeted Cleo file transfer software and, more recently, vulnerabilities in Gladinet CentreStack file servers. Unlike traditional ransomware operators that focus primarily on encrypting systems, Clop frequently prioritizes data theft. The group exfiltrates information and then threatens to publish or sell it if payment is not made.

In 2025, Clop claimed responsibility for 456 ransomware incidents. Of those, 31 targeted organizations publicly confirmed resulting data breaches, collectively exposing approximately 3.75 million personal records. Institutions reportedly affected by the Oracle zero-day campaign include Harvard University, GlobalLogic, SATO Corporation, and Dartmouth College.

So far in 2026, Clop has claimed another 123 victims, including the French labor union CFDT. Its most recent operations reportedly leverage a newer vulnerability in Gladinet CentreStack servers.

Ransomware activity across the United States remains extensive. In 2025, researchers recorded 646 confirmed ransomware attacks against U.S. organizations, along with 3,193 additional unverified claims made by ransomware groups. Confirmed incidents resulted in nearly 42 million exposed records. One of the largest cases linked to Clop involved exploitation of the Oracle vulnerability at the University of Phoenix, which later notified 3.5 million individuals. In 2026 to date, 17 confirmed attacks and 624 unconfirmed claims are under review.

Other incidents disclosed this week include a December 2024 breach affecting the City of Carthage, Texas, reportedly claimed by Rhysida; a March 2025 breach at Hennessy Advisors impacting 12,643 individuals and attributed to LockBit; an August 2025 breach at KCI Telecommunications linked to Akira; and a December 2025 incident at The Lewis Bear Company affecting 555 individuals and also claimed by Akira.

Ransomware attacks can both disable systems through encryption and involve large-scale data theft. In Clop’s case, data exfiltration appears to be the primary tactic. Organizations that refuse to meet ransom demands may face public disclosure of stolen data, extended operational disruption, and increased fraud risks for affected individuals.

The Madison Square Garden Family of Companies includes Madison Square Garden Sports Corp., Madison Square Garden Entertainment Corp., and Sphere Entertainment Co.. The group owns and operates major venues such as Madison Square Garden, Radio City Music Hall, and the Las Vegas Sphere.

Iron Man Data Breach Only Impacted Marketing Resources



 

Ransomware

Cloud Corporate Cyber Attacks Data Ransomware

Iron Man Data Breach Only Impacted Marketing Resources

Data storage and recovery services company ‘Iron Mountain’ suffered a data breach. Extortion gang ‘Everest’ was behind the breach. Iron Mountain said the breach was limited to marketing materials. The company specializes in records management and data centers, it has more than 240,000 customers globally in 61 countries.

About the breach

The gang claimed responsibility on the dark web, claiming to steal 1.4 TB of internal company documents. Threat actors used leaked login credentials to access a single folder on a file-sharing server having marketing materials.

Experts said that Everest actors didn't install any ransomware payloads on the server, and no extra systems were breached. No sensitive information was exposed. The compromised login accessed one folder that had marketing materials.

The Everest ransomware group started working from 2020. It has since changed its tactics. Earlier, it used to encrypt target's systems via ransomware. Now, it focuses on data-theft-only corporate extortion. Everest is infamous for acting as initial access broker for other hackers and groups. It also sells access to compromised networks.

History

In the last 5 years, Everest’s victim list has increased to hundreds in its list portal. This is deployed in double-extortion attacks where hackers blackmail to publish stolen files if the victims don't pay ransom.

The U.S. Department of Health and Human Services also issued a warning in August 2024 that Everest was increasingly focusing on healthcare institutions nationwide. More recently, the cybercrime operation removed its website in April 2025 after it was vandalized and the statement "Don't do crime CRIME IS BAD xoxo from Prague" was posted in its place.

If the reports of sensitive data theft turn out to be accurate, Iron Mountain's clients and partners may be at risk of identity theft and targeted phishing. Iron Mountain's present evaluation, however, suggests that the danger is restricted to the disclosure of non-confidential marketing and research documents.

What is the impact?

Such purported leaks usually result in short-term reputational issues while forensic investigations are being conducted. Iron Mountain has deactivated the compromised credential as a precaution and is still keeping an eye on its systems.

Vendors or affected parties who used the aforementioned file-sharing website should be on the lookout for odd communications. Iron Mountain's response to these unsubstantiated allegations must be transparent throughout the investigation.

New Ransomware Uses Trusted Drivers to Disable Security Defenses



 

Windows

BYOVD Attack cloud storage Cyber Attacks Linux phishing Ransomware Reynolds Windows

New Ransomware Uses Trusted Drivers to Disable Security Defenses

Security monitoring teams are tracking a new ransomware strain called Reynolds that merges system sabotage and file encryption into a single delivery package. Instead of relying on separate utilities to weaken defenses, the malware installs a flawed system driver as part of the infection process, allowing it to disable protective software before encrypting data.

The method used is known in security research as Bring Your Own Vulnerable Driver, or BYOVD. This approach abuses legitimate drivers that contain known weaknesses. Because operating systems recognize these drivers as trusted components, attackers can exploit them to gain deep system access and stop endpoint protection tools with reduced risk of detection. This tactic has been repeatedly observed across multiple ransomware operations in recent years.

In the Reynolds incidents, the malware deploys the NSecKrnl driver produced by NsecSoft. This driver contains a publicly documented vulnerability tracked as CVE-2025-68947, rated 5.7 in severity. The flaw allows any running process to be forcibly terminated, which attackers use to shut down security platforms including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos with HitmanPro.Alert, and Symantec Endpoint Protection. The same driver has previously been abused by a threat actor known as Silver Fox in campaigns that disabled security tools before deploying ValleyRAT. Silver Fox has also relied on other vulnerable drivers, such as truesight.sys and amsdk.sys, during similar operations.

Security analysts note that integrating defense suppression into ransomware itself is not unprecedented. A comparable approach appeared during a Ryuk ransomware incident in 2020 and later in activity linked to the Obscura ransomware family in August 2025. Folding multiple attack stages into a single payload reduces operational complexity for attackers and decreases the number of separate files defenders might detect.

Investigations into recent intrusions uncovered signs of long-term preparation. A suspicious loader that used side-loading techniques was found on victim networks several weeks before encryption occurred. Following deployment of the ransomware, a remote access program known as GotoHTTP was installed within one day, indicating an effort to preserve long-term control over compromised systems.

Parallel ransomware campaigns reveal additional shifts in attacker behavior. Large phishing operations are circulating shortcut file attachments that trigger PowerShell scripts, leading to the installation of Phorpiex malware, which then delivers GLOBAL GROUP ransomware. This ransomware conducts all operations locally and does not transmit stolen data, allowing it to function in networks without internet access. Other campaigns tied to WantToCry have exploited virtual machines provisioned through ISPsystem, a legitimate infrastructure management service, to distribute malware at scale. Some of the same hosting infrastructure has been linked to LockBit, Qilin, Conti, BlackCat, and Ursnif, as well as malware families including NetSupport RAT, PureRAT, Lampion, Lumma Stealer, and RedLine Stealer.

Researchers assess that bulletproof hosting providers are renting ISPsystem virtual machines to criminal actors by abusing a design flaw in VMmanager’s default Windows templates. Because these templates reuse identical hostnames and system identifiers, thousands of virtual machines can be created with the same fingerprint, making takedown efforts more difficult.

Ransomware groups are also expanding their business models. DragonForce now provides affiliates with a “Company Data Audit” service, which includes risk assessments, pre-written call scripts, executive-level letters, and negotiation guidance. The group operates as a cartel that allows affiliates to launch their own brands while sharing infrastructure and services.

Technical changes are shaping newer ransomware versions. LockBit 5.0 has replaced AES encryption with ChaCha20 and now targets Windows, Linux, and ESXi environments. The latest version includes file wiping capabilities, delayed execution, encryption progress tracking, improved evasion techniques, stronger in-memory operation, and reduced disk footprints. The Interlock group continues to target organizations in the United Kingdom and United States, particularly in education. One attack exploited a zero-day vulnerability in the GameDriverx64.sys anti-cheat driver, tracked as CVE-2025-61155 with a 5.5 severity score, to disable security tools using BYOVD methods. The same campaign deployed NodeSnake, also known as Interlock RAT or CORNFLAKE, with MintLoader identified as the initial access point.

Targeting strategies are also shifting toward cloud storage. Poorly configured Amazon Web Services S3 buckets are being abused through native platform functions to erase data, restrict access, overwrite files, or quietly extract sensitive information while remaining difficult to detect.

Industry tracking from Cyble indicates that GLOBAL GROUP is among several ransomware crews that appeared in 2025, alongside Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. ReliaQuest reported that Sinobi’s data leak activity increased by 306 percent in the final quarter of 2025, ranking it third behind Qilin and Akira. LockBit’s resurgence included 110 victim listings in December alone. Researchers estimate that ransomware actors claimed 4,737 attacks in 2025, compared with 4,701 in 2024. Incidents centered only on data theft rose to 6,182, reflecting a 23 percent increase. Coveware reported that average ransom demands reached $591,988 in late 2025, driven by a small number of exceptionally large settlements, and warned that attackers may shift back toward encryption-based extortion to increase pressure on victims.

Birmingham Mental Health Authority Alerts More than 30,000 People to Ransomware-linked Data Breach



 

Ransomware

cyber attack Data Breach Data Theft mental Health Ransomware

Birmingham Mental Health Authority Alerts More than 30,000 People to Ransomware-linked Data Breach

A public mental health authority in Birmingham, Alabama has notified more than 30,000 individuals that their personal and medical information may have been exposed in a data breach linked to a ransomware attack late last year.

The informed 30,434 people of the breach, according to a disclosure filed with the . The incident occurred in November 2025 and affected data collected over a period spanning more than a decade. According to the notification sent to those affected, unauthorized access to the authority’s network was detected on or around November 25, 2025.

An internal investigation found that certain files may have been accessed or taken without authorization. The potentially exposed information includes names, Social Security numbers, dates of birth, health insurance details and extensive medical information.

The compromised medical data may include billing and claims records, diagnoses, physician information, medical record numbers, Medicare or Medicaid details, prescription data and treatment or diagnostic information.

The authority said the affected records relate to patients or employees dating back to 2011. A ransomware group known as claimed responsibility for the attack in December 2025, demanding a ransom of $200,000 and threatening to publish 168.6 gigabytes of allegedly stolen data.

The group posted sample images online as proof of the breach. The mental health authority has not publicly confirmed Medusa’s claim and has not disclosed whether a ransom was paid.

The authority declined to comment on how attackers gained access to its systems. The breach notification does not mention any offer of free credit monitoring or identity theft protection for affected individuals. Medusa has been active since 2019 and operates a ransomware-as-a-service model, in which affiliates use its tools to carry out attacks.

In 2025, the group claimed responsibility for dozens of confirmed ransomware incidents, many of them targeting healthcare providers. Those attacks exposed the personal data of more than 1.7 million people, according to publicly reported figures.

Healthcare organizations have been a frequent target of ransomware groups in the US. Researchers tracking cyber incidents reported more than 100 confirmed ransomware attacks on hospitals, clinics and care providers in 2025, compromising data belonging to millions of patients. Such attacks can disrupt clinical operations, force providers to revert to manual systems and raise risks to patient safety and privacy.

The Jefferson Blount St. Claire Mental Health Authority operates four mental health facilities serving Jefferson, Blount and St. Clair counties in Alabama.

La Sapienza University’s Digital Systems Remain Shut After Cyber Intrusion Disrupts Services



 

Ransomware

cyber attack Data Breach Hacking Information Security IT Security Italy Law Enforcement Ransomware

La Sapienza University’s Digital Systems Remain Shut After Cyber Intrusion Disrupts Services

Rome’s La Sapienza University is continuing to experience major operational disruption after a cyber intrusion forced administrators to take its digital infrastructure offline as a safety measure. The shutdown began on February 2 and has affected core online services used by students, faculty, and administrative staff.

Since the incident, students have been unable to complete basic academic and administrative tasks such as registering for examinations, viewing tuition-related records, or accessing official contact information for teaching staff. With internal platforms unavailable, the university has relied mainly on its social media channels to share updates. These notices have acknowledged the disruption but have not provided detailed technical explanations or a confirmed date for when full access will be restored.

University officials confirmed that their systems were deliberately powered down to contain the threat and to prevent malicious software from spreading to other parts of the network. Emergency shutdowns of this kind are typically used when there is a risk that an attack could compromise additional servers, user accounts, or stored data. This response suggests that the incident involved harmful software capable of moving across connected systems.

According to publicly available reporting, the disruption was caused by ransomware, a category of cyber attack in which criminals attempt to lock organizations out of their own systems or data. Some media sources have claimed that a newly observed cybercrime group may be linked to the breach and that a ransomware variant referred to in security research as Bablock, also known as Rorschach, may have been involved. These attributions are part of ongoing assessments and have not been formally confirmed by authorities.

Technical analyses cited in public reporting describe this malware family as drawing components from previously leaked cybercrime tools, allowing attackers to combine multiple techniques into a single, highly disruptive program. Such ransomware is designed to operate rapidly and can spread across large digital environments, which helps explain the scale of the disruption experienced by one of Europe’s largest universities by student enrollment.

The university has formally reported the incident to Italian law enforcement and to the National Cybersecurity Agency, both of which are now involved in the investigation and response. Administrators have stated that emergency management is being coordinated across academic offices, administrative departments, and student representatives, with discussions underway to introduce deadline extensions and flexible arrangements to limit academic harm.

Due to the ongoing shutdown of internal systems, campus information desks are currently unable to access digital records that would normally support student inquiries. Updates about service availability and office hours are being shared through official faculty social media pages.

Meanwhile, technical teams are examining the full scope of the breach before restoring systems from backups. This step is necessary to ensure that no malicious code remains active. It is still unclear whether all stored data can be fully recovered or whether some information may remain inaccessible following the attack.

Federal Agencies Worldwide Hunt for Black Basta Ransomware Leader



 

Ransomware

AI Black Basta Black Basta Ransomware Cloud Cyber Crime Data Ransomware

Federal Agencies Worldwide Hunt for Black Basta Ransomware Leader

International operation to catch Ransomware leader

International law enforcement agencies have increased their search for individuals linked to the Black Basta ransomware campaign. Agencies confirmed that the suspected leader of the Russia-based Ransomware-as-a-service (RaaS) group has been put in the EU’s and Interpol’s Most Wanted list and Red Notice respectively. German and Ukrainian officials have found two more suspects working from Ukraine.

As per the notice, German Federal Criminal Police (BKA) and Ukrainian National Police collaborated to find members of a global hacking group linked with Russia.

About the operation

The agencies found two Ukrainians who had specific roles in the criminal structure of Black Basta Ransomware. Officials named the gang’s alleged organizer as Oleg Evgenievich Nefedov from Russia. He is wanted internationally. German law enforcement agencies are after him because of “extortion in an especially serious case, formation and leadership of a criminal organization, and other criminal offenses.”

According to German prosecutors, Nefedov was the ringleader and primary decision-maker of the group that created and oversaw the Black Basta ransomware. under several aliases, such as tramp, tr, AA, Kurva, Washingt0n, and S.Jimmi. He is thought to have created and established the malware known as Black Basta.

The Ukrainian National Police described how the German BKA collaborated with domestic cyber police officers and investigators from the Main Investigative Department, guided by the Office of the Prosecutor General's Cyber Department, to interfere with the group's operations.

The suspects

Two individuals operating in Ukraine were found to be carrying out technical tasks necessary for ransomware attacks as part of the international investigation. Investigators claim that these people were experts at creating ransomware campaigns and breaking into secured systems. They used specialized software to extract passwords from business computer systems, operating as so-called "hash crackers."

Following the acquisition of employee credentials, the suspects allegedly increased their control over corporate environments, raised the privileges of hacked accounts, and gained unauthorized access to internal company networks.

Authorities claimed that after gaining access, malware intended to encrypt files was installed, sensitive data was stolen, and vital systems were compromised. The suspects' homes in the Ivano-Frankivsk and Lviv regions were searched with permission from the court. Digital storage devices and cryptocurrency assets were among the evidence of illicit activity that police confiscated during these operations.

GoTo Resolve Tool Mimics Ransomware Tactics in Stealth Attacks



 

Stealth Attack

GoTo Resolve malware Malware PUA Threat Ransomware Stealth Attack

GoTo Resolve Tool Mimics Ransomware Tactics in Stealth Attacks

Security researchers have raised alarms over a remote administration tool that can quietly turn into a stealthy entry point for cybercriminals. The program, flagged as HEURRemoteAdmin.GoToResolve.gen, is now classified as a Potentially Unwanted Application (PUA) due to the way it conceals its presence and behavior from end users.

The warning comes from the Lat61 Threat Intelligence Team at Point Wild, a data breach prevention firm that analyzed how this tool can transform a routine IT utility into a serious security liability. According to their report, the application is linked to GoTo Resolve, a legitimate platform formerly known as LogMeIn, widely used by IT support teams for remote access and troubleshooting.

What makes this case particularly concerning is the tool’s ability to install and operate “silently,” maintaining a persistent foothold on the system without any visible prompts or notifications. Researchers found it buried in a directory named C:\Program Files (x86)\GoTo Resolve Unattended\, along with a bundled file called “32000~” that contains hidden instructions for managing the application in the background.

Because it runs unattended, this component effectively creates a new attack surface, similar to leaving a window unlocked for intruders. Threat actors who manage to hijack the tool could exploit its background capabilities to move laterally, gather intelligence, or prepare a larger compromise, all without attracting attention from the user sitting at the keyboard.

The most disturbing link is to ransomware tradecraft through the use of the Windows Restart Manager library, RstrtMgr.dll. This DLL has been abused in past campaigns by high-profile groups like Conti and Cactus ransomware, as well as the BiBi wiper, to terminate processes that might block file encryption or forensic analysis, including antivirus tools and security services. Even more deceptive is the fact that the software carries a valid digital signature from GoTo Technologies USA, LLC, giving it an appearance of full legitimacy in the eyes of both users and operating systems.

Experts stress that a trusted signature does not guarantee safe behavior and warn organizations to treat this tool as a high-risk component unless explicitly approved and monitored by their security teams, calling its stealthy execution and Restart Manager loading a form of “dangerous pre-positioning” for future, more destructive attacks.

BitLocker Ransomware Attack Cripples Romanian Water Authority’s IT Systems



 

Water Authority

Bitlocker Cyber Attacks Ransomware Romania Water Authority

BitLocker Ransomware Attack Cripples Romanian Water Authority’s IT Systems

Romania's national water management authority, Administrația Națională Apele Române (Romanian Waters), was targeted in a sophisticated ransomware attack on December 20, 2025, compromising approximately 1,000 IT systems across the organization. The cyberattack affected 10 of the country's 11 regional water basin administrations, including facilities in Oradea, Cluj, Iași, Siret, and Buzău.

Modus operandi

The attackers employed an unusual tactic by weaponizing Windows BitLocker, a legitimate encryption tool designed to protect data, to lock files on compromised systems. Rather than deploying traditional ransomware, the threat actors exploited this built-in Windows security feature in a "living off the land" approach that differs from typical ransomware group operations. After encrypting the systems, the attackers left ransom notes demanding that officials contact them within seven days.

The breach affected critical IT infrastructure including Geographical Information System servers, database servers, email and web services, Windows workstations, and Domain Name Servers. Romanian Waters' website went offline, forcing the agency to share official updates through alternative communication channels.

Despite the extensive IT compromise, the attack did not affect operational technology systems controlling actual water infrastructure. Water management operations continued through dispatch centers using voice communication channels, with hydrotechnical facilities operated locally by on-site personnel coordinated via radio and telephone. Romanian authorities emphasized that forecasting and flood protection activities remained unaffected, with all water control systems functioning within normal parameters.

Investigation and response

Multiple Romanian security agencies, including the National Cyber Security Directorate and the Romanian Intelligence Service's National Cyberint Center, are investigating the incident. The attack vector has not yet been identified, and no ransomware group or state-backed threat actor has claimed responsibility. Officials issued strict guidance against contacting or negotiating with the attackers, emphasizing that ransom payments fund criminal operations and encourage future attacks.

The incident exposed critical gaps in Romania's infrastructure protection framework, as the water authority's systems were not previously integrated into the national cyber defense network. Authorities have initiated steps to incorporate water infrastructure into the national cybersecurity defense system managed by the National Cyber Intelligence Center.

Romanian Water Authority Hit by BitLocker Ransomware, 1,000 Systems Disrupted



 

Romanian Waters

Bitlocker Cyber Attacks OT security Ransomware Romanian Waters

Romanian Water Authority Hit by BitLocker Ransomware, 1,000 Systems Disrupted

Romanian Waters, the country's national water management authority, was targeted by a significant ransomware attack over the weekend, affecting approximately 1,000 computer systems across its headquarters and 10 of its 11 regional offices. The breach disrupted servers running geographic information systems, databases, email, web services, Windows workstations, and domain name servers, but crucially, the operational technology (OT) systems controlling the actual water infrastructure were not impacted.

According to the National Cyber Security Directorate (DNSC), the attackers leveraged the built-in Windows BitLocker security feature to encrypt files on compromised systems and left a ransom note demanding contact within seven days. Despite the widespread disruption to IT infrastructure, the DNSC confirmed that the operation of hydrotechnical assets—such as dams and water treatment plants—remains unaffected, as these are managed through dispatch centers using voice communications and local personnel.

Investigators from multiple Romanian security agencies, including the Romanian Intelligence Service's National Cyberint Center, are actively working to identify the attack vector and contain the incident's fallout. Authorities have not yet attributed the attack to any specific ransomware group or state-backed actor.

The DNSC also noted that the national cybersecurity system for critical IT infrastructure did not previously protect the water authority's systems, but efforts are underway to integrate them into broader protective measures. The incident follows recent warnings from international agencies, including the FBI, NSA, and CISA, about increased targeting of critical infrastructure by pro-Russia hacktivist groups such as Z-Pentest, Sector16, NoName, and CARR.

This attack marks another major ransomware event in Romania, following previous breaches at Electrica Group and over 100 hospitals due to similar threats in recent years. Romanian authorities continue to stress that water supply and flood protection activities remain fully operational, and no disruption to public services has occurred as a result of the cyberattack.

3.5 Million Students Impacted in US College Data Breach



 

zero-day exploit

Dark Web Monitoring Data Breach Higher Education Cyberattack identity theft protection Oracle EBS Vulnerability Ransomware Regulatory Disclosure SSN Data Leak zero-day exploit

3.5 Million Students Impacted in US College Data Breach

Several significant cyber security breaches have prompted a growing data security crisis for one of the largest private higher education institutions in the United States. University of Phoenix, an established for-profit university located in Phoenix, Arizona, has suffered an extensive network intrusion.

It was orchestrated by the Clop ransomware group, a highly motivated cybercriminal syndicate that was well known for extorting large sums of money from their victims. During the attack, nearly 3.5 million individuals' personal records, such as those belonging to students, faculty, administrative staff, and third-party suppliers, were compromised, resulting in the compromise of the records.

Established in 1976, the university has grown over the last five decades into a major national educational provider. The university has enrolled approximately 82,700 students and is supported by a workforce of 3,400 employees.

Of these, nearly 2,300 are academics. This breach was officially confirmed by the institution through a written statement posted on its website on early December, while Phoenix Education Partners' parent organization, which filed a mandatory 8-K filing with the U.S. Securities and Exchange Commission, formally notified federal regulators of the incident in early December.

In this disclosure, the first authoritative acknowledgment of a breach that experts claim may have profound implications for identity protection, financial security, and institutional accountability within the higher education sector has been made. There is a substantial risk associated with critical enterprise software and delayed threat detection, highlighting how extensive the risks can be.

The breach at the University of Phoenix highlights this fact. The internal incident briefing indicates that the intrusion took place over a period of nine days between August 13 and August 22, 2025. The attackers took advantage of an unreported vulnerability in Oracle's E-Business Suite (EBS) - an important financial and administrative platform widely used by large organizations - to exploit the vulnerability.

During the course of this vulnerability, the threat actors were able to gain unauthorized access to highly sensitive information, which they then exfiltrated to 3,489,274 individuals, including students, alumni, students and professors, as well as external suppliers and service providers. The university did not find out about the compromise until November 21, 2025, more than three months after it occurred, even though it had begun unfolding in August.

According to reports, the discovery coincided with public signals from the Cl0p ransomware group, which had listed the institution on its leaked site, which had triggered its public detection. It has been reported that Phoenix Education Partners, the parent company of the university, formally disclosed the incident in a regulatory Form 8-K filing submitted to the U.S. Securities and Exchange Commission on December 2, 2025, followed by a broader public notification effort initiated on December 22 and 23 of the same year.

It is not unusual for sophisticated cyber intrusions to be detected in advance, but this delayed detection caused significant complications in the institution's response efforts because the institution's focus shifted from immediate containment to ensuring regulatory compliance, managing reputational risks, and ensuring identity protection for millions of people affected.

A comprehensive identity protection plan has been implemented by the University of Phoenix in response to the breach. This program offers a 12-month credit monitoring service, dark web surveillance service, identity theft recovery assistance, and an identity theft reimbursement policy that covers up to $1 million for those who have been affected by the breach.

The institution has not formally admitted liability for the incident, but there is strong evidence that it is part of a larger extortion campaign by the Clop ransomware group to take over the institution. A security analyst indicates Clop took advantage of a zero-day vulnerability (CVE-2025-61882) in Oracle's E-Business Suite in early August 2025, and that it has also been exploited in similar fashion to steal sensitive data from other prominent U.S universities, including Harvard University and the University of Pennsylvania, in both of whom confirmed that their students' and staff's personal records were accessed by an unauthorized third party using compromised Oracle systems.

The clone has a proven history of orchestrating mass data theft, including targeting various file transfer platforms, such as GoAnywhere, Accellion FTA, MOVEit, Cleo, and Gladinet CentreStack, as well as MFT platforms such as GoAnywhere. The Department of State has announced that a reward of up to $10 million will be offered to anyone who can identify a foreign government as the source of the ransomware collective's operations.

The resulting disruption has caused a number of disruptions in the business environment. In addition to the wave of incidents, other higher-education institutions have also been victimized by cyberattacks, which is a troubling pattern.

As a result of breaches involving voice phishing, some universities have revealed that their development, alumni, and administrative systems have been accessed unauthorized and donor and community information has been exfiltrated. Furthermore, this incident is similar to other recent instances of Oracle E-Business Suite (EBS) compromises across U.S. universities that have been reported.

These include Harvard University and the University of Pennsylvania, both of whom have admitted that unauthorized access was accessed to systems used to manage sensitive student and staff data. Among cybersecurity leaders, leadership notes the fact that universities are increasingly emulating the risk profile associated with sectors such as healthcare, characterized by centralized ecosystems housing large amounts of long-term personal data.

In a world where studies of student enrolment, financial aid records, payroll infrastructure and donor databases are all kept in the same place, a single point of compromise can reveal years and even decades of accumulated personal and financial information, compromising the unique culture of the institution.

Having large and long-standing repositories makes colleges unique targets for hacker attacks due to their scale and longevity, and because the impact of a breach of these repositories will be measured not only in terms of the loss of records, but in terms of the length of exposure as well as the size of the population exposed.

With this breach at University of Phoenix, an increasing body of evidence has emerged that U.S colleges and universities are constantly being victimized by an ever more coordinated wave of cyberattacks. There are recent disclosures from leading academic institutions, including Harvard University, the University of Pennsylvania, and Princeton University, that show that the threat landscape goes beyond ransomware operations, with voice-phishing campaigns also being used as a means to infiltrate systems that serve to facilitate alumni engagement and donor information sharing.

Among the many concerns raised by the developments, there are also concerns over the protection of institutional privacy. During an unusual public outrage, the U.S. Department of State has offered an unusual reward of $10 million for information that could link Clop's activities to foreign governments. This was a result of growing concerns within federal agencies that the ransomware groups may, in some cases, intersect with broader geopolitical strategies through their financial motivations.

University administrators and administrators have been reminded of the structural vulnerability associated with modern higher education because it highlights a reliance on sprawling, interconnected enterprise platforms that centralize academic, administrative, and financial operations, which creates an environment where the effects of a single breach can cascade across multiple stakeholder groups.

There has been a remarkable shift in attackers' priorities away from downright disrupting systems to covertly extracting and eradicating data. As a result, cybersecurity experts warn that breaches involving the theft of millions of records may no longer be outliers, but a foreseeable and recurring concern.

University institutions face two significant challenges that can be attributed to this trend-intensified regulatory scrutiny as well as the more intangible challenge of preserving trust among students, faculty, and staff whose personal information institutions are bound to protect ethically and contractually.

In light of the breach, the higher-education sector is experiencing a pivotal moment that is reinforcing the need for universities to evolve from open knowledge ecosystems to fortified digital enterprises, reinforcing concerns.

The use of identity protection support may be helpful in alleviating downstream damage, but cybersecurity experts are of the opinion that long-term resilience requires structural reform, rather than episodic responses.

The field of information security is moving towards layered defenses for legacy platforms, quicker patch cycles for vulnerabilities, and continuous network monitoring that is capable of identifying anomalous access patterns in real time, which is a key part of the process.

During crisis periods, it is important for policy analysts to emphasize the importance of institutional transparency, emphasizing the fact that early communication combined with clear remediation roadmaps provides a good opportunity to limit misinformation and recover stakeholder confidence.

In addition to technical safeguards, industry leaders advocate for expanded security awareness programs to improve institutional perimeters even as advanced tools are still being used to deal with threats like social engineering and phishing.

In this time of unprecedented digital access, in which data has become as valuable as degrees, universities face the challenge of safeguarding information, which is no longer a supplemental responsibility but a fundamental institutional mandate that will help determine the credibility, compliance, and trust that universities will rely on in years to come.

Ransomware Profits Shrink Forcing Criminal Gangs to Innovate



 

supply chain attacks

Crypto-Funded Crime Cyber Extortion cyber threat Data Exfiltration Helpdesk Social Engineering Insider Threats Ransomware Retail Cyber Resilience supply chain attacks

Ransomware Profits Shrink Forcing Criminal Gangs to Innovate

Ransomware networks are increasingly using unconventional recruitment channels to recruit new operators. Using blatant job-style announcements online, these networks are enlisting young, inexperienced operators with all sorts of job experience in order to increase their payouts.

There is a Telegram post from a channel that is connected to an underground collective that emphasizes the importance of female applicants, dismissing nationality barriers and explicitly welcoming people who have no previous experience in recruitment, with the promise to train recruits “from scratch” while emphasizing the expectation that they will learn rapidly.

In return, the position was advertised as being available during weekdays between 12 p.m. and 6 p.m. Eastern Time and being compensated $300 per successful call, which is paid out exclusively in cryptocurrency. It was far from a legitimate job offer, but it served as a gateway into a thriving criminal ecosystem known as The Community or The Com, a loosely connected group of about 1,000 individuals, many of whom are children in middle and high school.

In order to operate, the network relies on fluid, short-lived alliances, constantly reshaping its structure in what cybersecurity researcher Allison Nixon calls an "infernal soup" of overlapping partnerships, which recur continuously.

In the years since 2022, the collective and its evolving offshoots have carried out sustained intrusion campaigns against large corporations across the United States and the United Kingdom that have been referred to by previously referred to as Scattered Spider, ShinyHunters, Lapsus$, SLSH, and many others, among others.

It is estimated that these sort of attacks, which include data breaches, credential theft, account takeovers, spear phishing, and digital extortion, may have compromised companies with a market value of more than $1 trillion. It is estimated that these sort of attacks, which include data breaches, credential theft, account takeovers, spear phishing, and digital extortion, may have compromised companies with a market value of more than $1 trillion.

In the coming weeks, Silent Push will unveil a new research report based on cyber intelligence research conducted by Silent Push, Silent Push's partner firm Silent Push's affiliate Silent Push. Legal documents indicate that at least 120 organizations, as well as 120 brands, have been targeted, ranging from the worldwide giant Chick-fil-A, to the global giants of Instacart, Louis Vuitton, Morningstar, News Corporation, Nike, Tinder, T-Mobile, T-Mobile, Vodafone, and T-Mobile, Vodafone among others.

This indicates that modern ransomware crime rings have undergone a major shift in both their operational strategy as well as the talent pool they utilize. In a world where profit margins are tightening, ransomware operations are changing, forcing threat actors to choose their victims with greater deliberateness and design attack models that are increasingly engineered.

According to Coveware, the analysis division within Veeam, ransomware campaigns are no longer driven by broad, opportunistic targeting, but rather by pressure to extract leverage through precision and psychological manipulation in order to gain a competitive edge. There was a stark shift in corporate behavior during the third quarter that signaled a dramatic change in behavior in the ransomware industry.

The proportion of victims paying ransoms fell below 25 percent for the first time ever in the history of ransomware tracking. However, when payments were made, they reflected a contraction that was unprecedented — an average of $376,941 with a median payout of $140,000. This represents a two-thirds decline from the previous quarter.

There has been a decline in trust among major enterprises as a result of the downturn, particularly around the claim that stolen data would be permanently deleted after payment. This skepticism has had a material negative impact on exfiltration-only extortion, which has been reduced by 19 percent in ransom compliance.

According to industry researchers, the financial strain has fractured the ransomware economy, resulting in 81 unique data-leak sites being recorded in Q3, the highest number to date, as emerging groups fill the void left by larger syndicates exiting the arena, following suit with their own ransomware campaigns.

In spite of this dispersion, targeted groups have developed an erratic targeting behavior, drawing markets that were previously considered peripheral, including Southeast Asia, such as Thailand, and Thailand in particular. Especially recently, attackers have targeted midsize organizations that are lacking the financial resilience to weather sustained disruption – such as Russian-speaking crews like Akira and Qilin – even if they cannot meet multimillion-dollar demands that are being demanded.

It is not only about victim realignment; operators are also exploring a broad range of revenue-enhancement strategies, including insider recruitment and bribery, social engineering on the helpdesk, supply chain compromise, and callback phishing, a tactic first developed in 2021 by the Ryuk group to destabilize defenses by causing victims to contact attackers directly, which in turn would disrupt defenses.

Cisco Talos research highlights the importance of live negotiation in security, noting that attackers have been using real-time phone interaction to weaponize emotional pressure and adaptive social engineering to increase the effectiveness of attacks. Despite the fact that raw economic incentives have failed to deliver historical returns, modern ransomware groups have evolved a new way of leveraging influence, as evidenced by recent research.

It has become apparent over the past few months that cybercriminal groups are increasingly embracing high-profile consumer brands in their strategic entanglements, as well as a marked shift in how these brands are defending themselves against such attacks.

During the late spring and early summer of 2018, cybercrime collective Scattered Spider, a decentralized cybercrime collective that is known for targeting retail and supply chain organizations, targeted major retail and supply chain organizations including Victoria's Secret, United Natural Foods, and Belk, among others.

As the incidents unfolded, and the industry as a whole mobilized to defend itself against the attacks, the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) was established, an intelligence-sharing organization that coordinates the collective cybersecurity defense by retail enterprises.

The RH-ISAC played an important role in the escalating digital threats and the tightening budgets for security in the retail and hospitality industries, industry intelligence releases indicate that there is also a parallel increase in executive alignment and organizational preparedness across the two industry sectors. There has been an increase in the number of chief information security officers reporting directly to senior business leaders as reflected in a recent study conducted by RH-ISAC.

In a way, this represents a 12-point increase from the previous year, signaling that cybersecurity has become more integrated into corporate strategy rather than being separated from IT. It has been noted by sector leaders that, as a result of this structural shift, security chiefs have become an increasingly important part of commercial decision-making, with their influence extending beyond breach prevention to risk governance, vendor evaluation, and business continuity planning.

There is no doubt that the same report showed that operational resilience has emerged as a major priority in the boardroom, ranking at the top for approximately half of the organizations surveyed.

During the conference, the leadership of RH-ISAC highlighted the industry's need to focus on recovery readiness, incident response coordination, and cross-company intelligence exchange, all of which are now considered essential to maintaining customer trust and continuous supply chains in an environment where reputational damage can often outweigh technical damage.

Although some retail and hospitality enterprises are still faced with the challenge of tight security functions and the apparent friction between deploying them rapidly as well as ensuring that the security remains airtight, many enterprises have been able to demonstrate an improved capacity for absorbing and responding to sustained adversarial pressure.

Analysts observe that recent high-profile compromises have not derail the industry but have instead tested its defenses and, in several cases, validated them. In this regard, the growing emphasis on cyber resilience is emerging from an aspiration to a reality as a result of orchestrating coordinated response strategies, sharing threat intelligence, mitigation frameworks, and incident guidelines to help organizations prevent becoming successive targets for cyber crimes.

During the course of the center's response, European retail partners were able to share their insights quickly with the center, since they were facing Scattered Spider operations only weeks earlier. As early as April, the same group had breached a number of U.K. retail organizations including Harrods, Marks & Spencer, and the Co-op, which resulted in emergency advisories from British law enforcement and national cyber agencies advising the public.

A cross-border intelligence dialogue was held by RH-ISAC in light of those developments to gain an in-depth understanding of the group's evolving tactics. Shortly after the U.K. attacks, the organization held a members-only threat briefing with researchers from Mandiant, Google's cyber intelligence division, to review operational patterns, attacker behavior, and defensive weaknesses.

RH-ISAC's intelligence coordination with British retailers has enabled them to refine the attribution signals and enhance their early-warning models before the group escalated operations in North America and it was no surprise that they achieved this.

During this series of breaches, it was revealed that the collective was heavily dependent on young, loosely affiliated operators, but that the retail industry was also making a marked departure from historically isolated incident management models, and instead was increasingly committed to collaborative defenses, intelligence reciprocity, and coordinated response planning.

There has been a significant evolution in ransomware in recent years, marking the beginnings of a new era of cyber defenses for consumer-facing industries in which economics, psychology, and collaboration are coming together as critical forces.

In the age of fragmented threat groups, a growing number of recruits, and more manipulative attack models, resilience cannot be solely based on perimeter security. There are experts in the field who emphasize the importance of pairing rapid threat detection with institutional memory, so that organizations can preserve information from every incident, regardless of how quickly attacker infrastructure or affiliations erode.

A growing number of organizations are implementing protocols for verifying helpdesks, monitoring insider threats, performing supply chain risk audits, and sharing cross-border intelligence. This is an era in which human weaknesses are exploited as aggressively as software flaws, and these protocols are emerging as non-negotiable defenses.

Meanwhile, the shift towards executive security ownership in retail and hospitality is a blueprint for other sectors as well, since cybersecurity influence needs to be integrated with business strategy rather than being buried beneath it.

There are a number of recommendations for organizations to implement continuous employee awareness conditioning, stricter playbooks for recovering access, simulated social engineering drills, and incident response alliances that are as fast as an attacker can move.

Essentially, resilience is not being able to compromise. It does not imply that you do not compromise, but that you are able to recover more rapidly, coordinate more effectively, and think quicker than the opposition.

Former Cybersecurity Employees Involved in Ransomware Extortion Incidents Worth Millions



 

Ransomware

AI Cloud Cyber Crime Data Extortion Internet Ransomware

Former Cybersecurity Employees Involved in Ransomware Extortion Incidents Worth Millions

It is very unfortunate and shameful for the cybersecurity industry, when cybersecurity professionals themselves betray trust to launch cyberattacks against their own country. In a shocking incident, two men have admitted to working normal jobs as cybersecurity professionals during the day, while moonlighting as cyber attackers.

About accused

An ex-employee of the Israeli cybersecurity company Sygnia has pleaded guilty to federal crimes in the US for having involvement in ransomware cyberattacks aimed to extort millions of dollars from firms in the US.

The culprit, Ryan Clifford Goldberg, worked as a cyber incident response supervisor at Sygnia, and accepted that he was involved in a year-long plan of attacking business around the US.

Kevin Tyler Martin, another associate,who worked as an ex DigitalMint employee, worked as a negotiation intermediary with the threat actors, a role supposed to help ransomware targets, has also accepted involvement.

The situation is particularly disturbing because both men held positions of trust inside the sector established to fight against such threats.

Accused pled guilty to extortion charges

Both the accused have pleaded guilty to one count of conspiracy to manipulate commerce via extortion, according to federal court records. In the plea statement, they have accepted that along with a third actor (not charged and unknown), they both launched business compromises and ransom extortions over many years.

Extortion worth millions

In one incident, the actors successfully extorted over $1 million in crypto from a Florida based medical equipment firm. According to the federal court, besides their legitimate work, they deployed software ‘ALPHV BlackCat’ to extract and encode target’s data, and distributed the extortion money with the software’s developers.

According to DigitalMint, two of the people who were charged were ex-employees. After the incident, both were fired and “acted wholly outside the scope of their employment and without any authorization, knowledge or involvement from the company,” DigitalMint said in an email shared with Bloomberg.

In a recent conversation with Bloomberg, Sygnia mentioned that it was not a target of the investigation and the accused Goldberg was relieved of his duties as soon as the news became known.

A representative for Sygnia declined to speak further, and Goldberg and Martin's lawyers also declined to comment on the report.

Ex-Cybersecurity Pros Plead Guilty in $9.5M Ransomware Spree



 

Ransomware

BlackCat Cyber Crime Insider Threat Plea Guilty Ransomware

Ex-Cybersecurity Pros Plead Guilty in $9.5M Ransomware Spree

Former incident responders Ryan Clifford Goldberg and Kevin Tyler Martin have pleaded guilty to participating in a series of ransomware attacks while working at cybersecurity firms tasked with helping organizations recover from such incidents. The case highlights a rare instance of trusted professionals abusing their positions to commit cybercrime, causing significant damage to multiple organizations in 2023.

Goldberg, formerly a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint, collaborated with an unnamed co-conspirator to carry out ransomware attacks using the ALPHV (BlackCat) ransomware variant. According to federal court records, the total losses caused by their actions exceeded $9.5 million. The attacks targeted a medical company in Florida, a pharmaceutical firm in Maryland, a California doctor’s office, an engineering company in California, and a drone manufacturer in Virginia.

The indictment revealed that the trio received nearly $1.3 million in ransom payments from the Florida medical company in May 2023, but were unable to extort payments from the other victims. The ALPHV/BlackCat ransomware, first identified in late 2021, has been linked to numerous attacks on critical infrastructure providers, including the high-profile breach of UnitedHealth Group’s subsidiary Change Healthcare in 2024.

Goldberg and Martin each pleaded guilty to one count of conspiracy to interfere with interstate commerce by extortion, which reduces their maximum penalty from 50 years to 20 years in federal prison. As part of their plea agreements, both defendants are ordered to forfeit $342,000, representing the value of proceeds traced to their crimes. The court may also impose fines of up to $250,000 and additional restitution.

A spokesperson for DigitalMint stated that the company cooperated fully with the Justice Department and supports the outcome as a step toward accountability. “His behavior is a clear violation of our values and ethical standards,” the spokesperson said, emphasizing that Martin’s actions were undertaken without the company’s knowledge or involvement. Sygnia did not immediately respond to requests for comment.

Prosecutors noted that Goldberg and Martin abused their positions of trust and used their specialized skills to facilitate and conceal their crimes. Officials have indicated that they will recommend reduced sentences if both defendants make full, accurate, and complete disclosures of their offenses and refrain from committing further crimes.

RansomHouse Develops More Complex Encryption for Recent Attacks



 

Ransomware

Cyber Crime Data Extortion Encryption Files RansomHouse Ransomware

RansomHouse Develops More Complex Encryption for Recent Attacks

The ransomware group known as RansomHouse has recently enhanced the encryption mechanism used in its attacks, moving away from a basic, single-step process to a more advanced, multi-layered approach. This change reflects a deliberate effort to strengthen the effectiveness of its ransomware operations.

Earlier versions of the encryptor relied on a linear method, where data was transformed in one continuous pass. The updated version introduces multiple stages of processing, which results in stronger encryption, improved execution speed, and greater stability across modern systems. These improvements increase the pressure on victims by making encrypted data harder to recover and negotiations more favorable for attackers after systems are locked.

RansomHouse first appeared in late 2021 as a cybercrime group focused on data extortion, where stolen information was used as leverage rather than encryption alone. Over time, the group expanded its tactics and began deploying ransomware encryptors during attacks. It also developed an automated tool, known as MrAgent, designed to simultaneously encrypt multiple VMware ESXi hypervisors, a technique that allows attackers to disrupt large virtualized environments efficiently.

In more recent activity, security analysts observed RansomHouse using more than one ransomware strain during attacks on a major Japanese e-commerce company. This suggests a flexible operational strategy rather than reliance on a single malware family.

Further insight into the group’s evolving capabilities comes from a new analysis by cybersecurity researchers, who examined RansomHouse’s latest encryptor, internally referred to as “Mario.” This version introduces a two-stage data transformation process that relies on two different encryption keys: one substantially longer than the other. Using multiple keys increases the randomness of the encrypted output, making partial file recovery or reconstruction far more challenging.

The updated encryptor also changes how files are handled during the encryption process. Instead of treating all files the same way, it adjusts its behavior based on file size. Large files are processed in dynamically sized chunks, with encryption applied intermittently rather than continuously. This irregular pattern makes the malware harder to analyze because it avoids predictable processing behavior.

Researchers also noted improvements in how the encryptor manages memory. The newer version separates tasks across multiple buffers, with each buffer assigned a specific role during encryption. This design increases operational complexity and reduces inefficiencies found in earlier variants.

Another visible change is the amount of internal information displayed during file processing. Unlike older versions, which only indicated when encryption was complete, the new encryptor provides more detailed status output as it operates.

Despite these changes, the ransomware continues to focus on virtual machine-related files, renaming encrypted data with a new extension and placing ransom instructions across affected directories.

Security researchers caution that these upgrades indicate a troubling direction in ransomware development. While RansomHouse does not carry out attacks at the scale of larger ransomware groups, its continued investment in advanced encryption techniques points to a strategy centered on precision, resilience, and evasion rather than volume.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Menu Item

About the incident

Leaked information

Attack discovery

About the breach

History

What is the impact?

International operation to catch Ransomware leader

About the operation

The suspects

About accused

Accused pled guilty to extortion charges

Extortion worth millions