Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomwares. Show all posts
Ransomwares
Automobile Industry Cyber Attacks cybersecurity concerns Data Breaches data security IT Infrastructure Jaguar Land Rover Jaguar Land Rover Cybersecurity Breach disrupts Production Ransomwares

Jaguar Land Rover Cyberattack Breaches Data and Halts Global Production

Jaguar Land Rover (JLR), the UK’s largest automaker and a subsidiary of Tata Motors, has confirmed that the recent cyberattack on its systems has not only disrupted global operations but also resulted in a data breach. The company revealed during its ongoing investigation that sensitive information had been compromised, although it has not yet specified whether the data belonged to customers, suppliers, or employees. JLR stated that it will directly contact anyone impacted once the scope of the breach is confirmed. 

The incident has forced JLR to shut down its IT systems across the globe in an effort to contain the ransomware attack. Production has been halted at its Midlands and Merseyside factories in the UK, with workers told they cannot return until at least next week. Other plants outside the UK have also been affected, with some industry insiders warning that it could take weeks before operations return to normal. The disruption has spilled over to suppliers and retailers, some of whom are unable to access databases used for registering vehicles or sourcing spare parts. 

The automaker has reported the breach to all relevant authorities, including the UK’s Information Commissioner’s Office. A JLR spokesperson emphasized that third-party cybersecurity experts are assisting in forensic investigations and recovery efforts, while the company works “around the clock” to restore services safely. The spokesperson also apologized for the ongoing disruption and reiterated JLR’s commitment to transparency as the inquiry continues. 

Financial pressure is mounting as the costs of the prolonged shutdown escalate. Shares of Tata Motors dropped 0.9% in Mumbai following the disclosure, reflecting investor concerns about the impact on the company’s bottom line. The disruption comes at a challenging time for JLR, which is already dealing with falling profits and delays in the launch of new electric vehicle models. 

The attack appears to be part of a growing trend of aggressive cyber campaigns targeting global corporations. A group of English-speaking hackers, linked to previously documented attacks on retailers such as Marks & Spencer, has claimed responsibility for the JLR breach. Screenshots allegedly showing the company’s internal IT systems were posted on a Telegram channel associated with hacker groups including Scattered Spider, Lapsus$, and ShinyHunters. 

Cybersecurity analysts warn that the automotive industry is becoming a prime target due to its reliance on connected systems and critical supply chains. Attacks of this scale not only threaten operations but also risk exposing valuable intellectual property and sensitive personal data. As JLR races to restore its systems, the incident underscores the urgent need for stronger resilience measures in the sector.
Read more »
Ransomwares
AI Chatbots AI Models AI Techniques Cyber Crime Cyber Extortion Cyber Hackers Data Extortion international cybercrime operation Ransomwares

Hacker Exploits AI Chatbot Claude in Unprecedented Cybercrime Operation

 

A hacker has carried out one of the most advanced AI-driven cybercrime operations ever documented, using Anthropic’s Claude chatbot to identify targets, steal sensitive data, and even draft extortion emails, according to a new report from the company. 

It Anthropic disclosed that the attacker leveraged Claude Code — a version of its AI model designed for generating computer code — to assist in nearly every stage of the operation. The campaign targeted at least 17 organizations across industries including defense, finance, and healthcare, making it the most comprehensive example yet of artificial intelligence being exploited for cyber extortion. 

Cyber extortion typically involves hackers stealing confidential data and demanding payment to prevent its release. AI has already played a role in such crimes, with chatbots being used to write phishing emails. However, Anthropic’s findings mark the first publicly confirmed case in which a mainstream AI model automated nearly the entire lifecycle of a cyberattack. 

The hacker reportedly prompted Claude to scan for vulnerable companies, generate malicious code to infiltrate systems, and extract confidential files. The AI system then organized the stolen data, analyzed which documents carried the highest value, and suggested ransom amounts based on victims’ financial information. It also drafted extortion notes demanding bitcoin payments, which ranged from $75,000 to more than $500,000. 

Jacob Klein, Anthropic’s head of threat intelligence, said the operation was likely conducted by a single actor outside the United States and unfolded over three months. “We have robust safeguards and multiple layers of defense for detecting this kind of misuse, but determined actors sometimes attempt to evade our systems through sophisticated techniques,” Klein explained. 

The report revealed that stolen material included Social Security numbers, bank records, medical data, and files tied to sensitive defense projects regulated by the U.S. State Department. Anthropic did not disclose which companies were affected, nor did it confirm whether any ransom payments were made. 

While the company declined to detail exactly how the hacker bypassed safeguards, it emphasized that additional protections have since been introduced. “We expect this model of cybercrime to become more common as AI lowers the barrier to entry for sophisticated operations,” Anthropic warned. 

The case underscores growing concerns about the intersection of AI and cybersecurity. With the AI sector largely self-regulated in the U.S., experts fear similar incidents could accelerate unless stronger oversight and security standards are enforced.
Read more »
Ransomwares
acronis AI cyberattacks AI technology Cyber Defenses Cyber Security Cybersecurity Threats Indian Cyber Security Malwares Phishing Attacks Ransomwares

India Most Targeted by Malware as AI Drives Surge in Ransomware and Phishing Attacks

 

India has become the world’s most-targeted nation for malware, according to the latest report by cybersecurity firm Acronis, which highlights how artificial intelligence is fueling a sharp increase in ransomware and phishing activity. The findings come from the company’s biannual threat landscape analysis, compiled by the Acronis Threat Research Unit (TRU) and its global network of sensors tracking over one million Windows endpoints between January and June 2025. 

The report indicates that India accounted for 12.4 percent of all monitored attacks, placing it ahead of every other nation. Analysts attribute this trend to the rising sophistication of AI-powered cyberattacks, particularly phishing campaigns and impersonation attempts that are increasingly difficult to detect. With Windows systems still dominating business environments compared to macOS or Linux, the operating system remained the primary target for threat actors. 

Ransomware continues to be the most damaging threat to medium and large businesses worldwide, with newer criminal groups adopting AI to automate attacks and enhance efficiency. Phishing was found to be a leading driver of compromise, making up 25 percent of all detected threats and over 52 percent of those aimed at managed service providers, marking a 22 percent increase compared to the first half of 2024. 

Commenting on the findings, Rajesh Chhabra, General Manager for India and South Asia at Acronis, noted that India’s rapidly expanding digital economy has widened its attack surface significantly. He emphasized that as attackers leverage AI to scale operations, Indian enterprises—especially those in manufacturing and infrastructure—must prioritize AI-ready cybersecurity frameworks. He further explained that organizations need to move away from reactive security approaches and embrace behavior-driven models that can anticipate and adapt to evolving threats. 

The report also points to collaboration platforms as a growing entry point for attackers. Phishing attempts on services like Microsoft Teams and Slack spiked dramatically, rising from nine percent to 30.5 percent in the first half of 2025. Similarly, advanced email-based threats such as spoofed messages and payload-less attacks increased from nine percent to 24.5 percent, underscoring the urgent requirement for adaptive defenses. 

Acronis recommends that businesses adopt a multi-layered protection strategy to counter these risks. This includes deploying behavior-based threat detection systems, conducting regular audits of third-party applications, enhancing cloud and email security solutions, and reinforcing employee awareness through continuous training on social engineering and phishing tactics. 

The findings make clear that India’s digital growth is running parallel to escalating cyber risks. As artificial intelligence accelerates the capabilities of malicious actors, enterprises will need to proactively invest in advanced defenses to safeguard critical systems and sensitive data.
Read more »
Ransomwares
Colt ransomware attack Colt WarLock hackers Customer Data Cyber Attacks Dark Web data stealing Ransom Demand ransomware attacks Ransomware group Ransomwares

Colt Technology Services Confirms Customer Data Theft After Warlock Ransomware Attack



UK-based telecommunications provider Colt Technology Services has confirmed that sensitive customer-related documentation was stolen in a recent ransomware incident. The company initially disclosed on August 12 that it had suffered a cyberattack, but this marks the first confirmation that data exfiltration took place. In its updated advisory, Colt revealed that a criminal group accessed specific files from its systems that may contain customer information and subsequently posted the filenames on dark web forums. 

To assist affected clients, Colt has set up a dedicated call center where customers can request the list of exposed filenames. “We understand that this is concerning for you,” the company stated in its advisory. Notably, Colt also implemented a no-index HTML meta tag on the advisory webpage, ensuring the content would not appear in search engine results. 

The development follows claims from the Warlock ransomware gang, also known as Storm-2603, that they are auctioning one million stolen Colt documents for $200,000 on the Ramp cybercrime marketplace. The group alleges the files contain financial data, customer records, and details of network architecture. 
Cybersecurity experts verified that the Tox ID used in the forum listing matches identifiers seen in the gang’s earlier ransom notes, strengthening the link to Colt’s breach. The Warlock Group, attributed to Chinese threat actors, emerged in March 2025 and initially leveraged leaked LockBit Windows and Babuk VMware ESXi encryptors to launch attacks. Early operations used LockBit-style ransom notes modified with unique Tox IDs to manage negotiations. 

By June, the group rebranded under the name “Warlock Group,” establishing its own negotiation platforms and leak sites to facilitate extortion. Recent intelligence reports, including one from Microsoft, have indicated that the group has been exploiting vulnerabilities in Microsoft SharePoint to gain unauthorized access to corporate networks. Once inside, they deploy ransomware to encrypt data and steal sensitive files for leverage. 

The group’s ransom demands vary significantly, ranging from $450,000 to several million dollars, depending on the target organization and data involved. Colt’s disclosure highlights ongoing challenges faced by enterprises in safeguarding critical infrastructure against sophisticated ransomware actors. Telecommunications companies, which manage vast volumes of sensitive customer and network data, remain particularly attractive targets. 

As threat actors refine their tactics and increasingly combine encryption with data theft, the risks to both organizations and their clients continue to escalate. While Colt has not confirmed whether it plans to engage with the ransomware operators, the company emphasized its focus on mitigating the impact for customers. 

For now, the stolen documents remain for sale on the dark web, and the situation underscores the broader need for enterprises to strengthen resilience against the evolving ransomware landscape.
Read more »
Ransomwares
Advanced Social Engineering Cyber Attacks Data Exfilteration data security Ransom Demands ransom payments ransomware attacks Ransomwares

Ransom Payouts Hit Record Levels Amid Social Engineering and Data Exfiltration Attacks

 

Ransomware payouts surged to unprecedented levels in the second quarter of 2025, driven largely by the rise of highly targeted social engineering schemes. According to new data from Coveware by Veeam, the average ransom payment skyrocketed to $1.13 million, representing a 104% jump compared to the previous quarter. The median ransom also doubled to $400,000, highlighting how even mid-tier victims are now facing significantly higher costs. Analysts attribute this spike to larger organizations paying ransoms in incidents where data was stolen rather than encrypted, marking a significant shift in extortion tactics.  

The study found that data exfiltration has now overtaken file encryption as the primary method of extortion, with 74% of attacks involving theft of sensitive information. Multi-extortion techniques, including delayed release threats, are also on the rise. Bill Siegel, CEO of Coveware by Veeam, described the findings as a pivotal moment for ransomware, explaining that threat actors are no longer focused solely on disrupting backups or locking systems. Instead, they increasingly exploit people, organizational processes, and the reputational value of stolen data. 

The report identified the leading ransomware variants for the quarter as Akira, responsible for 19% of incidents, followed by Qilin at 13% and Lone Wolf at 9%. Notably, Silent Ransom and Shiny Hunters entered the top five variants for the first time, reflecting the growing influence of newer threat groups. Among the most concerning trends was the heavy reliance on social engineering by groups such as Scattered Spider, Silent Ransom, and Shiny Hunters, who have shifted from broad, opportunistic attacks to precise impersonation schemes. By targeting help desks, employees, and third-party service providers, these actors have refined their ability to gain initial access and execute more lucrative attacks.  

Exploitation of known vulnerabilities in widely used platforms including Ivanti, Fortinet, VMware, and Microsoft services remains a common entry point, often taking place immediately after public disclosure of security flaws. At the same time, “lone wolf” cybercriminals armed with generic, unbranded ransomware toolkits are increasing in number, allowing less sophisticated actors to successfully infiltrate enterprise systems. Insider risks and third-party vulnerabilities also rose during the quarter, particularly through business process outsourcing firms, contractors, and IT service providers. Researchers warned that these external partners often hold privileged credentials but lack direct oversight, making them an attractive avenue for attackers. 

The professional services sector was hit hardest, accounting for 20% of all incidents, followed closely by healthcare and consumer services at 14% each. Mid-sized companies with between 11 and 1,000 employees represented 64% of victims, a range that attackers consider optimal for balancing ransom potential against weaker defenses. Before executing data theft or encryption, many attackers are spending additional time mapping networks, identifying high-value assets, and cataloging sensitive systems. This reconnaissance phase often blends in with normal administrative activity, using built-in system commands that are difficult to detect without contextual monitoring. Experts note, however, that detection can be improved by monitoring unusual enumeration activity or deploying deception techniques such as honeyfiles, decoy credentials, or fake infrastructure to trigger early alerts. 

Siegel emphasized that organizations must now treat data exfiltration as an immediate and critical risk rather than a secondary concern. Strengthening identity controls, monitoring privileged accounts, and improving employee awareness against social engineering were highlighted as essential steps to counter evolving ransomware tactics. With attackers increasingly blending technical exploits and psychological manipulation, businesses face mounting pressure to adapt their defenses or risk becoming the next high-value target.
Read more »
Ransomwares
customer data compromise Cyber Attacks Data Breaches Data Leak data security RansomHub RansomHub ransomware ransomware attacks Ransomware group Ransomwares

Manpower Data Breach Hits 145,000 After RansomHub Ransomware Attack

 

Manpower, one of the world’s largest staffing and recruitment companies, has confirmed that nearly 145,000 individuals had their personal data compromised following a ransomware attack in late December 2024. The company, which operates as part of ManpowerGroup alongside Experis and Talent Solutions, employs more than 600,000 workers across 2,700 offices worldwide and reported $17.9 billion in revenues last year. 

The breach came to light after the company investigated a systems outage at a Lansing, Michigan, franchise in January 2025. According to a filing with the Office of the Maine Attorney General, attackers gained unauthorized access to Manpower’s network between December 29, 2024, and January 12, 2025. In notification letters sent to affected individuals, Manpower revealed that certain files may have been accessed or stolen during this time. The company stated that the breach potentially exposed personal information, though the full scope of data compromised remains undisclosed. 

On July 28, 2025, the staffing firm formally notified 144,189 individuals that their data may have been involved in the incident. Following the discovery, Manpower announced that it had implemented stronger IT security measures and is cooperating with the FBI to pursue those responsible. To mitigate the impact on victims, the company is also offering complimentary credit monitoring and identity theft protection services through Equifax. 

The ransomware group RansomHub has claimed responsibility for the attack. In January, shortly after Manpower disclosed the incident, the group alleged that it had stolen 500GB of sensitive files from the company’s systems. According to RansomHub, the stolen trove included personal and corporate records such as passports, Social Security numbers, contact details, financial documents, HR analytics, and confidential contracts. The gang initially published details of the breach on its dark web site but later removed Manpower’s listing, raising speculation that a ransom may have been paid to prevent further data leaks. 

RansomHub is a ransomware-as-a-service (RaaS) operation that emerged in early 2024, evolving from earlier groups known as Cyclops and Knight. Since then, it has been linked to numerous high-profile attacks against global organizations, including Halliburton, Kawasaki’s European operations, Christie’s auction house, Frontier Communications, Planned Parenthood, and the Bologna Football Club. The group was also behind the leak of data stolen in the massive Change Healthcare cyberattack, one of the largest breaches in the U.S. healthcare sector, impacting more than 190 million individuals. 

Last year, the FBI reported that RansomHub affiliates had breached over 200 critical infrastructure organizations across the United States, further underlining the group’s reach and persistence. While ManpowerGroup has not confirmed the exact nature of the stolen data or whether negotiations occurred, a company spokesperson clarified that the incident was confined to an independently operated franchise in Lansing. The spokesperson emphasized that the franchise runs on a separate platform, meaning no ManpowerGroup corporate systems were compromised.

The breach highlights the growing risks ransomware attacks pose to global enterprises, particularly those handling large volumes of sensitive employee and client data. It also reflects how threat actors like RansomHub continue to exploit vulnerabilities in third-party and subsidiary operations, targeting organizations indirectly when direct access to corporate systems is more difficult.
Read more »
Ransomwares
Cyber Security Cyberattacks DarkBit Encryption Key Iran Israel MuddyWater ransomware attacks Ransomware group Ransomwares

Profero Cracks DarkBit Ransomware Encryption After Israel-Iran Cyberattack Links

 

Cybersecurity company Profero managed to break the encryption scheme used by the DarkBit ransomware group, allowing victims to restore their systems without having to pay a ransom. This achievement came during a 2023 incident response investigation, when Profero was called in to assist a client whose VMware ESXi servers had been locked by the malware. 

The timing of the breach coincided with escalating tensions between Israel and Iran, following drone strikes on an Iranian Defense Ministry weapons facility, raising suspicions that the ransomware attack had political motivations. The attackers behind the campaign claimed to represent DarkBit, a group that had previously posed as pro-Iranian hacktivists and had targeted Israeli universities. Their ransom messages included strong anti-Israel rhetoric and demanded payments amounting to 80 Bitcoin. 

Israel’s National Cyber Command later attributed the operation to MuddyWater, a well-known Iranian state-backed advanced persistent threat group that has a history of conducting espionage and disruption campaigns. Unlike conventional ransomware operators who typically pursue ransom negotiations, the DarkBit actors appeared less concerned with money and more focused on causing business disruption and reputational harm, signaling motivations that aligned with state-directed influence campaigns. 

When the attack was discovered, no publicly available decryptor existed for DarkBit. To overcome this, Profero researchers analyzed the malware in detail and found flaws in its encryption process. DarkBit used AES-128-CBC keys created at runtime, which were then encrypted with RSA-2048 and appended to each locked file. However, the method used to generate encryption keys lacked randomness. By combining this weakness with encryption timestamps gleaned from file modification data, the researchers were able to shrink the possible keyspace to just a few billion combinations—far more manageable than expected. 

The team further capitalized on the fact that Virtual Machine Disk (VMDK) files, common on ESXi servers, include predictable header bytes. Instead of brute forcing an entire file, they only needed to check the first 16 bytes to validate potential keys. Profero built a custom tool capable of generating key and initialization vector pairs, which they tested against these known file headers in a high-powered computing environment. This method successfully produced valid decryption keys that restored locked data. 

At the same time, Profero noticed that DarkBit’s encryption technique was incomplete, leaving many portions of files untouched. Since VMDK files are sparse and contain large amounts of empty space, the ransomware often encrypted irrelevant sections while leaving valuable data intact. By carefully exploring the underlying file systems, the team was able to retrieve essential files directly, without requiring full decryption. This dual approach allowed them to recover critical business data and minimize the impact of the attack.  

Researchers noted that DarkBit’s strategy was flawed, as a data-wiping tool would have been more effective at achieving its disruptive aims than a poorly implemented ransomware variant. The attackers’ refusal to negotiate further reinforced the idea that the campaign was intended to damage operations rather than collect ransom payments. Profero has chosen not to release its custom decryptor to the public, but confirmed that it is prepared to help any future victims affected by the same malware.  

The case illustrates how weaknesses in ransomware design can be turned into opportunities for defense and recovery. It also highlights how cyberattacks tied to international conflicts often blur the line between criminal extortion and state-backed disruption, with groups like DarkBit using the guise of hacktivism to amplify their impact.
Read more »
Ransomwares
Akira Ransomware Business Security Cyber Attacks Cyber Vulnerabilities Cybersecurity Threats Public Wifi ransomware attacks Ransomwares

SonicWall VPN Zero-Day Vulnerability Suspected Amid Rising Ransomware Attacks

 

Virtual Private Networks (VPNs) have recently been in the spotlight due to the U.K.’s Online Safety Act, which requires age verification for adult content websites. While many consumers know VPNs as tools for bypassing geo-restrictions or securing public Wi-Fi connections, enterprise-grade VPN appliances play a critical role in business security. 

When researchers issue warnings about possible VPN exploitation, the risk cannot be dismissed. SonicWall has addressed growing concerns after reports surfaced of ransomware groups targeting its devices. According to the company, an investigation revealed that the activity is linked to CVE-2024-40766, a previously disclosed vulnerability documented in their advisory SNWLID-2024-0015, rather than an entirely new zero-day flaw. Fewer than 40 confirmed cases were reported, mostly tied to legacy credentials from firewall migrations. 

Updated guidance includes credential changes and upgrading to SonicOS 7.3.0 with enhanced multi-factor authentication (MFA) protections. Despite these reassurances, Arctic Wolf Labs researcher Julian Tuin observed a noticeable increase in ransomware activity against SonicWall firewall devices in late July. 

Several incidents involved VPN access through SonicWall SSL VPNs. While some intrusions could be explained by brute force or credential stuffing, evidence suggests the possibility of a zero-day vulnerability, as some compromised devices had the latest patches and rotated credentials. 

In several cases, even with TOTP MFA enabled, accounts were breached. SonicWall confirmed it is working closely with threat research teams, including Arctic Wolf, Google Mandiant, and Huntress, to determine whether the incidents are tied to known flaws or a new vulnerability. If a zero-day is confirmed, updated firmware and mitigation steps will be released promptly. 

The urgency is amplified by the involvement of the Akira ransomware group, which has compromised over 300 organizations globally. SonicWall also recently warned of CVE-2025-40599, a serious remote code execution vulnerability in SMA 100 appliances. Experts advise organizations to take immediate precautionary steps, especially given the potential for severe operational disruption. 

Recommended mitigations include disabling SSL VPN services where possible, restricting VPN access to trusted IP addresses, enabling all security services such as botnet protection and geo-IP filtering, removing inactive accounts, enforcing strong password policies, and implementing MFA for all remote access. 

However, MFA alone may not be sufficient in the current threat scenario. The combination of suspected zero-day activity, ransomware escalation, and the targeting of critical remote access infrastructure means that proactive defense measures are essential. 

SonicWall and security researchers continue to monitor the situation closely, urging organizations to act quickly to protect their networks before attackers exploit potential vulnerabilities further.
Read more »
remote code execution Veeam
Backup CVE CVE exploits CVE vulnerability Cyber Security Domain Flaws Ransomware Gangs Ransomwares remote code execution Veeam

Veeam Fixes Critical Remote Code Execution Bug in Backup & Replication Software

 

Veeam has issued new security patches to address multiple vulnerabilities in its Backup & Replication (VBR) software, including a severe remote code execution (RCE) flaw. Identified as CVE-2025-23121, this particular vulnerability was uncovered by researchers from watchTowr and CodeWhite and impacts only installations that are connected to a domain. 

According to Veeam’s advisory released on Tuesday, the vulnerability can be exploited by any authenticated domain user to execute code remotely on the backup server. The flaw requires minimal attack complexity and affects versions of Veeam Backup & Replication 12 and later. The issue has been resolved in version 12.3.2.3617, made available earlier today. 

Although the vulnerability is confined to domain-joined setups, it poses a significant risk due to the ease with which domain users can leverage it. Alarmingly, many organizations have connected their backup servers to Windows domains, going against Veeam’s own security recommendations. These guidelines suggest using a separate Active Directory Forest for backups and enforcing two-factor authentication on administrative accounts to reduce exposure. 

This is not the first time a serious RCE flaw has been found in Veeam’s software. In March 2025, another vulnerability (CVE-2025-23120) was patched that similarly affected domain-joined installations. Earlier, in September 2024, another VBR vulnerability (CVE-2024-40711) was exploited in the wild, eventually being used to deliver the Frag ransomware. That same flaw was later linked to Akira and Fog ransomware attacks starting in October. Cybercriminals have increasingly targeted Veeam Backup & Replication servers as part of their ransomware campaigns. 

These systems often store critical backups, making them ideal targets for attackers looking to maximize damage. Ransomware operators frequently aim to disable these systems before launching full-scale attacks, making recovery more difficult for the victim. Historically, ransomware groups such as Cuba, as well as financially motivated actors like FIN7—known for collaborating with major ransomware operations like REvil, Maze, Conti, and BlackBasta—have been seen exploiting VBR vulnerabilities. 

With over 550,000 organizations relying on Veeam’s solutions globally, including the majority of Fortune 500 companies and most of the Global 2000, the potential impact of such flaws is significant. These repeated discoveries of critical vulnerabilities highlight the urgent need for enterprises to follow recommended configurations and keep their backup software up to date.
Read more »
Ransomwares
breach recovery Cyber Attacks Cyber-recovery cybercriminals Ransomware Attack paid ransoms Ransom Demands Ransomware attack Ransomwares

Singapore Companies Struggle to Recover from Ransomware Despite Paying Hackers

 

Many businesses in Singapore continue to face prolonged and expensive recovery periods after ransomware attacks, even when they choose to pay the ransom. A new report from cybersecurity firm Sophos reveals that 50% of local organizations affected by ransomware opted to pay to regain access to their encrypted data. 

Despite this, more than half of these companies needed at least a week to resume operations, and nearly a quarter faced recovery times stretching up to six months. While paying the ransom is often viewed as a quick fix, the real costs and complications extend far beyond the initial transaction. The average total expense incurred by Singaporean firms to fully recover from a ransomware incident this year has reached an estimated US$1.54 million. 

Although the median ransom payment has decreased to approximately US$365,565—down from US$760,000 last year—this reduction in ransom size hasn’t translated into faster recoveries. Interestingly, around 39% of companies were able to negotiate lower ransom amounts, often by working with external experts or negotiators. According to Chester Wisniewski, Field CISO at Sophos, an increasing number of businesses are turning to incident response professionals to manage damage, contain threats, and potentially stop attacks mid-process. 

These experts not only help reduce the ransom amounts but also accelerate recovery timelines and fortify defences against future incidents. The study also sheds light on the primary causes of ransomware infections in Singapore. Phishing scams were identified as the top cause, accounting for 36% of cases, followed closely by malicious email attachments at 29% and compromised user credentials at 17%. 

On an organizational level, common challenges include insufficient cybersecurity tools and a shortage of trained personnel—issues that 47% and 43% of respondents, respectively, cited as major weaknesses. Experts emphasize that mitigating ransomware threats begins with addressing these underlying vulnerabilities. Proactive strategies such as implementing multi-factor authentication, keeping software up to date, and investing in Managed Detection and Response (MDR) services can significantly reduce the likelihood of a breach. 

MDR services, in particular, offer constant threat monitoring and rapid response, making them an increasingly popular choice for companies with limited in-house cybersecurity capacity. Additional findings highlight how Singapore firms differ from global counterparts. They are more likely to pay ransoms without attempting negotiation and are less transparent about breaches. 

Verizon Business reports further confirm that attackers are increasingly targeting software supply chains and exploiting known vulnerabilities. According to Robert Le Busque, the integration of Singapore’s economy into global trade networks and supply chains makes its companies especially vulnerable, with 72% having encountered email-based threats. 

Despite falling ransom demands, the broader financial and operational toll of ransomware in Singapore continues to rise, stressing the importance of preventive action and stronger cyber resilience.
Read more »
Ransomwares
cryptocurrency Cyber Attacks CyberCriminal cybercriminal group data security Ransom Demands ransomware attacks Ransomware Groups Ransomwares

Romanian Arrested in Diskstation Ransomware Operation Targeting Synology NAS Devices

 

A 44-year-old Romanian national has been arrested as part of a coordinated international law enforcement effort to take down the cybercriminal group behind the Diskstation ransomware campaign. This group is known for targeting Synology Network-Attached Storage (NAS) devices, which are widely used by businesses and organizations for centralized file storage, data backups, and hosting. These attacks have primarily affected entities operating in enterprise environments, where NAS systems are critical to daily operations. 

The Diskstation ransomware group has operated under several aliases, including DiskStation Security, Quick Security, 7even Security, Umbrella Security, and LegendaryDisk Security. Since its emergence in 2021, the group has engaged in multiple ransomware campaigns, encrypting data on NAS devices and demanding cryptocurrency payments in exchange for decryption keys. 

Victims have included international organizations involved in civil rights advocacy, film production, and event management. These attacks left many victims unable to continue operations unless they agreed to pay substantial ransoms. Authorities in Italy launched an investigation after numerous companies in the Lombardy region reported ransomware attacks that rendered their data inaccessible. 

The attackers demanded payments in cryptocurrency, prompting investigators to analyze the affected systems and blockchain transactions. This digital trail eventually led police across borders, uncovering connections in both France and Romania. The operation, dubbed “Elicius,” was coordinated by Europol and culminated in a series of raids in Bucharest in June 2024. During these raids, several individuals believed to be involved in the Diskstation campaign were identified. One suspect was caught in the act of committing a cybercrime. 

The 44-year-old man who was arrested is now in custody and faces charges including unauthorized access to computer systems and extortion. While the Diskstation name is often associated with Synology’s NAS products, this specific campaign received little attention from mainstream cybersecurity outlets. 

However, it caused significant disruption to organizations worldwide. The ransomware gang reportedly demanded payments ranging from $10,000 to several hundred thousand dollars, depending on the organization’s size and data sensitivity. Law enforcement agencies continue to investigate the broader network behind the Diskstation operation. 

The case underscores the growing threat of ransomware campaigns targeting critical infrastructure and storage solutions. As attackers evolve their methods and target widely used systems like Synology NAS, cybersecurity vigilance remains crucial for all organizations, regardless of size or industry.
Read more »
Ransomwares
Cyber Attacks Data Leak data security Data Theft DragonForce DragonForce Ransomware Group Hacker attack Hacking Group Ransomware attack Ransomware group Ransomwares

Belk Hit by Ransomware Attack as DragonForce Claims Responsibility for Data Breach

 

The department store chain Belk recently became the target of a ransomware attack, with the hacking group DragonForce taking responsibility for the breach. The cybercriminals claim to have stolen 156 GB of sensitive data from the company’s systems in early May. 

JP Castellanos, Director of Threat Intelligence at cybersecurity firm Binary Defense, stated with high confidence that DragonForce is indeed behind the incident. The company, based in Ohio, specializes in threat detection and digital forensics. During an investigation of dark web forums on behalf of The Charlotte Observer, Castellanos found that DragonForce had shared samples of the stolen data online. 

In a message directed at Belk, the group stated that its original aim wasn’t to damage the company but to push it into acknowledging its cybersecurity failures. DragonForce claims Belk declined to meet ransom demands, which ultimately led to the data being leaked, affecting numerous individuals. 

Following the breach, Belk has been named in multiple lawsuits. The complaints allege that the company not only failed to protect sensitive personal information but also delayed disclosing the breach to the public. Information accessed by the attackers included names, Social Security numbers, and internal documentation related to employees and their families. 

The cyberattack reportedly caused a complete systems shutdown across Belk locations between May 7 and May 11. According to a formal notice submitted to North Carolina’s Attorney General, the breach was discovered on May 8 and disclosed on June 4. The total number of affected individuals was 586, including 133 residents of North Carolina. 

The stolen files contained private details such as account numbers, driver’s license data, passport information, and medical records. Belk responded by initiating a full-scale investigation, collaborating with law enforcement, and enhancing their digital security defenses. On June 5, Belk began notifying those impacted by the attack, offering one year of free identity protection services. These services include credit and dark web monitoring, as well as identity restoration and insurance coverage worth up to $1 million. 

Despite these actions, Belk has yet to issue a public statement or respond to ongoing media inquiries. DragonForce, identified by experts as a hacktivist collective, typically exploits system vulnerabilities to lock down company networks, then demands cryptocurrency payments. If the demands go unmet, the stolen data is often leaked or sold. 

In Belk’s case, the group did not list a price for the compromised data. Castellanos advised anyone who has shopped at Belk to enroll in credit monitoring as a precaution. Belk, which was acquired by Sycamore Partners in 2015, has been working through financial challenges in recent years, including a short-lived bankruptcy filing in 2021. 

The retailer, now operating nearly 300 stores across 16 southeastern U.S. states, continues to rebuild its financial footing amid cybersecurity and operational pressures.
Read more »
Ransomwares
Advanced Social Engineering Cyber Attacks Cyber SecurityTrojan Attacks Cyber Threat Intelligence Industries Interlock Interlock ransomware ransomware attacks Ransomwares

Interlock RAT Evolves in New KongTuke Web-Inject Attacks Targeting U.S. Industries

 

A recently enhanced version of the Interlock remote access Trojan (RAT) is being deployed in an ongoing web-inject campaign linked to the ransomware group behind it. Known for its double-extortion tactics, Interlock has now shifted its technical approach with a more covert RAT variant written in PHP. According to a new report by The DFIR Report, this marks a significant advancement in the group’s capabilities and strategy.  

Interlock first emerged in late 2024, attacking high-profile targets such as Texas Tech University’s Health Sciences Centers. Earlier this year, cybersecurity firm Quorum Cyber detailed two versions of the group’s malware, named NodeSnake, focused on maintaining persistence and exfiltrating data. The newest version introduces additional stealth features, most notably a transition from JavaScript to PHP, allowing the malware to blend more easily with normal web traffic and avoid detection. 

This enhanced RAT is tied to a broader web-inject threat campaign dubbed “KongTuke,” where victims are tricked into running malicious scripts after visiting compromised websites. Visitors encounter what appears to be a legitimate CAPTCHA but are actually prompted to paste dangerous PowerShell commands into their systems. This action initiates the Interlock RAT, giving attackers access to the machine. 

Once activated, the malware gathers extensive data on the infected system. Using PowerShell, it collects system information, running processes, mounted drives, network connections, and checks its own privilege level. This enables attackers to evaluate the environment quickly and plan further intrusion tactics. It then connects back to command-and-control infrastructure, leveraging services like Cloudflare Tunneling for stealthy communication. Remote desktop protocol (RDP) is used for lateral movement and persistent access. 

Researchers say the targeting in this campaign appears opportunistic, not industry-specific. Victims across various sectors in the U.S. have been identified, with the attackers casting a wide net and focusing efforts where systems and data seem valuable or more vulnerable.  

Defensive recommendations from experts include improving phishing awareness, restricting the use of the Windows Run dialog box, enforcing least privilege access, and requiring multifactor authentication. Blocking unnecessary use of RDP is also essential. 

The growing sophistication of the Interlock RAT and its integration into mass web-inject campaigns reflects an evolving cyber threat landscape where stealth, automation, and social engineering play a central role.
Read more »
Ransomwares
corporate cyber attacks Cyber Security Cyber Security Tool Cyberattack Cyberthreart Data protection data security Enterprise security Ingram Micro Password Security ransomware attacks Ransomwares

Why Major Companies Are Still Falling to Basic Cybersecurity Failures

 

In recent weeks, three major companies—Ingram Micro, United Natural Foods Inc. (UNFI), and McDonald’s—faced disruptive cybersecurity incidents. Despite operating in vastly different sectors—technology distribution, food logistics, and fast food retail—all three breaches stemmed from poor security fundamentals, not advanced cyber threats. 

Ingram Micro, a global distributor of IT and cybersecurity products, was hit by a ransomware attack in early July 2025. The company’s order systems and communication channels were temporarily shut down. Though systems were restored within days, the incident highlights a deeper issue: Ingram had access to top-tier security tools, yet failed to use them effectively. This wasn’t a tech failure—it was a lapse in execution and internal discipline. 

Just two weeks earlier, UNFI, the main distributor for Whole Foods, suffered a similar ransomware attack. The disruption caused significant delays in food supply chains, exposing the fragility of critical infrastructure. In industries that rely on real-time operations, cyber incidents are not just IT issues—they’re direct threats to business continuity. 

Meanwhile, McDonald’s experienced a different type of breach. Researchers discovered that its AI-powered hiring tool, McHire, could be accessed using a default admin login and a weak password—“123456.” This exposed sensitive applicant data, potentially impacting millions. The breach wasn’t due to a sophisticated hacker but to oversight and poor configuration. All three cases demonstrate a common truth: major companies are still vulnerable to basic errors. 

Threat actors like SafePay and Pay2Key are capitalizing on these gaps. SafePay infiltrates networks through stolen VPN credentials, while Pay2Key, allegedly backed by Iran, is now offering incentives for targeting U.S. firms. These groups don’t need advanced tools when companies are leaving the door open. Although Ingram Micro responded quickly—resetting credentials, enforcing MFA, and working with external experts—the damage had already been done. 

Preventive action, such as stricter access control, routine security audits, and proper use of existing tools, could have stopped the breach before it started. These incidents aren’t isolated—they’re indicative of a larger issue: a culture that prioritizes speed and convenience over governance and accountability. 

Security frameworks like NIST or CMMC offer roadmaps for better protection, but they must be followed in practice, not just on paper. The lesson is clear: when organizations fail to take care of cybersecurity basics, they put systems, customers, and their own reputations at risk. Prevention starts with leadership, not technology.
Read more »
SafePay ransomware
Cyber Attacks Cyber Outage Global IT Outage IT system Palo Alto Palo Alto Networks Ransomware attack Ransomwares SafePay ransomware

Ingram Micro Confirms SafePay Ransomware Attack and Global IT System Outage

 

Ingram Micro, one of the world’s largest IT distribution and services companies, has confirmed it was targeted in a ransomware attack by the SafePay group, causing major operational disruptions across its global network. The cyberattack, which began early on July 4, 2025, forced the company to take critical internal systems offline and suspend access to platforms such as its AI-powered Xvantage distribution system and the Impulse license provisioning platform. 

The attack came to light after employees discovered ransom notes on their devices. According to cybersecurity outlet BleepingComputer, the notes were linked to the SafePay ransomware operation—an increasingly active threat actor that has claimed over 220 victims since emerging in late 2024. Although the extent of data encryption remains unclear, sources suggest that the attackers likely accessed Ingram Micro’s network via compromised credentials on the company’s GlobalProtect VPN gateway. Initially, 

Ingram Micro refrained from publicly acknowledging the attack, stating only that it was experiencing “IT issues.” Employees in some regions were instructed to work from home, and the company advised against using the VPN service believed to be involved in the breach. 

On July 6, Ingram Micro officially confirmed the ransomware incident. In a statement, the company said it took immediate steps to secure affected systems, brought in cybersecurity experts to investigate, and notified law enforcement agencies. It also assured customers and partners that it was working urgently to restore operations and minimize further disruption. 

By July 8, the company had made significant progress in recovery. Subscription orders—including renewals and modifications—were once again being processed globally, with additional support for phone and email orders reinstated in key markets such as the UK, Germany, Brazil, India, and China. However, some hardware order functions remain limited. 

Palo Alto Network issued a clarification stating that none of its products were the source of the breach. The company emphasized that attackers likely exploited misconfigurations or stolen credentials, not any inherent flaws in the VPN software. 

This breach highlights the increasing sophistication of ransomware groups like SafePay and the risks faced by large IT infrastructure providers. Ingram Micro’s swift containment and recovery response may help mitigate long-term impacts, but the incident serves as a critical reminder of the importance of proactive cybersecurity measures, especially in environments reliant on remote access technologies.
Read more »
Ransomwares
Data Breach Data Privacy data security Data Theft Healthcare Data healthcare data breach Healthcare Industry Personal Information Ransomware attack Ransomwares

Horizon Healthcare RCM Reports Ransomware Breach Impacting Patient Data

 

Horizon Healthcare RCM has confirmed it was the target of a ransomware attack involving the theft of sensitive health information, making it the latest revenue cycle management (RCM) vendor to report such a breach. Based on the company’s breach disclosure, it appears a ransom may have been paid to prevent the public release of stolen data. 

In a report filed with Maine’s Attorney General on June 27, Horizon disclosed that six state residents were impacted but did not provide a total number of affected individuals. As of Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights had not yet listed the incident on its breach portal, which logs healthcare data breaches affecting 500 or more people.  

However, the scope of the incident may be broader. It remains unclear whether Horizon is notifying patients directly on behalf of these clients or whether each will report the breach independently. 

In a public notice, Horizon explained that the breach was first detected on December 27, 2024, when ransomware locked access to some files. While systems were later restored, the company determined that certain data had also been copied without permission. 

Horizon noted that it “arranged for the responsible party to delete the copied data,” indicating a likely ransom negotiation. Notices are being sent to affected individuals where possible. The compromised data varies, but most records included a Horizon internal number, patient ID, or insurance claims data. 

In some cases, more sensitive details were exposed, such as Social Security numbers, driver’s license or passport numbers, payment card details, or financial account information. Despite the breach, Horizon stated that there have been no confirmed cases of identity theft linked to the incident. 

The matter has been reported to federal law enforcement. Multiple law firms have since announced investigations into the breach, raising the possibility of class-action litigation. This incident follows several high-profile breaches involving other RCM firms in recent months. 

In May, Nebraska-based ALN Medical Management updated a previously filed breach report, raising the number of affected individuals from 501 to over 1.3 million. Similarly, Gryphon Healthcare disclosed in October 2024 that nearly 400,000 people were impacted by a separate attack. 

Most recently, California-based Episource LLC revealed in June that a ransomware incident in February exposed the health information of roughly 5.42 million individuals. That event now ranks as the second-largest healthcare breach in the U.S. so far in 2025. Experts say that RCM vendors continue to be lucrative targets for cybercriminals due to their access to vast stores of healthcare data and their central role in financial operations. 

Bob Maley, Chief Security Officer at Black Kite, noted that targeting these firms offers hackers outsized rewards. “Hitting one RCM provider can affect dozens of healthcare facilities, exposing massive amounts of data and disrupting financial workflows all at once,” he said.  
Maley warned that many of these firms are still operating under outdated cybersecurity models. “They’re stuck in a compliance mindset, treating risk in vague terms. But boards want to know the real-world financial impact,” he said. 

He also emphasized the importance of supply chain transparency. “These vendors play a crucial role for hospitals, but how well do they know their own vendors? Relying on outdated assessments leaves them blind to emerging threats.” 

Maley concluded that until RCM providers prioritize cybersecurity as a business imperative—not just an IT issue—the industry will remain vulnerable to repeating breaches.
Read more »
Scattered Spider
Cyber Attacks Cyber Breach DragonForce DragonForce Ransomware Group Hacker group Hacking Attack M&S Ransom Demand Ransomware attack Ransomwares Scattered Spider

M&S Faces £300M Loss After Cyberattack Involving DragonForce and Scattered Spider

 

Marks & Spencer has resumed its online services after a serious cyberattack earlier this year that disrupted its operations and is expected to slash profits by £300 million. The British retail giant’s digital operations were hit hard, and recent developments suggest the breach may have been orchestrated by multiple hacker groups. 

A hacking group known as DragonForce is now linked to the incident. According to reports by the BBC, the group sent an email to M&S CEO Stuart Machin shortly after the attack, boasting about their success and demanding ransom. The message, written in aggressive and alarming language, implied the group had encrypted the retailer’s servers. DragonForce, which has rebranded itself as a “Ransomware Cartel,” operates by offering malware tools to affiliates in exchange for a percentage of ransom earnings. 

Originally emerging in 2023, the group has become increasingly active on major dark web forums in recent months. While some cybersecurity experts believe the group is based in Malaysia, others speculate ties to Russia. They have also been linked to a similar attack on the Co-op. Meanwhile, another group, Scattered Spider, had earlier been suspected of executing the attack. Known for its advanced social engineering techniques, the group is composed primarily of young hackers from the US and UK. They have previously impersonated IT personnel and used SIM swapping tactics to breach organizations. 

In 2023, they gained notoriety after cyberattacks on major US casino operators like Caesars Entertainment and MGM Resorts, resulting in multi-million-dollar ransoms. The M&S cyberattack, disclosed on April 22, disrupted online orders and even stopped contactless payments in physical stores. As a result, hundreds of agency workers were temporarily relieved from duty. The company confirmed that customer data—including names, email addresses, addresses, and birth dates—was compromised during the breach. The cause, according to Machin, was human error by a third-party service provider. 

In response to the growing threat, the UK’s National Cyber Security Centre (NCSC) issued industry-wide guidance. Law enforcement agencies, including the National Crime Agency (NCA), are actively investigating the case and considering whether the incidents involving these hacker groups are interconnected. The financial impact has been significant. M&S’s market value dropped by £650 million in the days following the attack. Despite these setbacks, the company has now reopened its standard delivery service in England, Scotland, and Wales, with additional services like click-and-collect and international orders expected to follow soon. 

In a recent statement, M&S emphasized its commitment to restoring customer trust and maintaining high service standards. The company said, “Our stores have remained operational, and we’re now focused on delivering the quality and service our customers expect as we recover from this disruption.”
Read more »
Ransomwares
Cyberattack Data Breach Data Leak data security Employee Data Healthcare Interlock gang Interlock ransomware Kettering Health Ransomware attack Ransomware group Ransomwares

Kettering Health Ransomware Attack Linked to Interlock Group

 

Kettering Health, a prominent healthcare network based in Ohio, is still grappling with the aftermath of a disruptive ransomware attack that forced the organization to shut down its computer systems. The cyberattack, which occurred in mid-May 2025, affected operations across its hospitals, clinics, and medical centers. Now, two weeks later, the ransomware gang Interlock has officially taken responsibility for the breach, claiming to have exfiltrated more than 940 gigabytes of data.  

Interlock, an emerging cybercriminal group active since September 2024, has increasingly focused on targeting U.S.-based healthcare providers. When CNN first reported on the incident on May 20, Interlock had not yet confirmed its role, suggesting that ransom negotiations may have been in progress. With the group now openly taking credit and releasing some of the stolen data on its dark web site, it appears those negotiations either failed or stalled. 

Kettering Health has maintained a firm position that they are against paying ransoms. John Weimer, senior vice president of emergency operations, previously stated that no ransom had been paid. Despite this, the data breach appears extensive. Information shared by Interlock indicates that sensitive files were accessed, including private patient records and internal documents. Patient information such as names, identification numbers, medical histories, medications, and mental health notes were among the compromised data. 

The breach also impacted employee data, with files from shared network drives also exposed. One particularly concerning element involves files tied to Kettering Health’s in-house police department. Some documents reportedly include background checks, polygraph results, and personally identifiable details of law enforcement staff—raising serious privacy and safety concerns. In a recent public update, Kettering Health announced a key development in its recovery process. 

The organization confirmed it had restored core functionalities of its electronic health record (EHR) system, which is provided by healthcare technology firm Epic. Officials described this restoration as a significant step toward resuming normal operations, allowing teams to access patient records, coordinate care, and communicate effectively across departments once again. The full scope of the breach and the long-term consequences for affected individuals still remains uncertain. 

Meanwhile, Kettering Health has yet to comment on whether Interlock’s claims are fully accurate. The healthcare system is working closely with cybersecurity professionals and law enforcement agencies to assess the extent of the intrusion and prevent further damage.
Read more »
Ransomwares
Customer Data Cyberattack Data Breach Data Leak data security Personal Information personal information exposure Qilin Qilin Ransomware Ransomware attack Ransomware group Ransomwares

Lee Enterprises Ransomware Attack Exposes Data of 40,000 Individuals

 

Lee Enterprises, a major U.S. news publisher, is alerting nearly 40,000 individuals about a data breach following a ransomware attack that took place in early February 2025. The company, which owns and operates 77 daily newspapers and hundreds of weekly and special-interest publications across 26 states, reported that the cyberattack resulted in the theft of personal information belonging to thousands of people. 

Details of the breach were revealed in a recent disclosure to the Maine Attorney General’s office. According to the company, the attackers gained unauthorized access to internal documents on February 3, 2025. These files contained combinations of personal identifiers such as names, Social Security numbers, driver’s license details, bank account information, medical data, and health insurance policy numbers. The security incident caused widespread operational disruptions. 

Following the attack, Lee Enterprises was forced to shut down multiple parts of its IT infrastructure, impacting both the printing and delivery of its newspapers. Several internal tools and systems became inaccessible, including virtual private networks and cloud storage services, complicating daily workflows across its local newsrooms. In a filing with the U.S. Securities and Exchange Commission shortly after the breach, the company confirmed that critical systems had been encrypted and that a portion of its data had been copied by the attackers. 

The source of the attack is yet to be identified, a group known as Qilin has allegedly claimed responsibility near the end of February. The group alleged it had stolen over 120,000 internal files, totaling 350 gigabytes, and threatened to publish the material unless their demands were met. Soon after, Qilin posted a sample of the stolen data to a dark web leak site, which included scans of government-issued IDs, financial spreadsheets, contracts, and other confidential records. The group also listed Lee Enterprises as a victim on its public-facing extortion portal. 

When asked about the authenticity of the leaked data, a spokesperson for Lee Enterprises stated the company was aware of the claims and was actively investigating. This is not the first cybersecurity issue Lee Enterprises has faced. The company’s network was previously targeted by foreign actors during the lead-up to the 2020 U.S. presidential election, where hackers from Iran allegedly attempted to use compromised media outlets to spread disinformation. 

The ransomware attack highlights ongoing threats facing media companies, especially those handling high volumes of personal and financial data. As Lee Enterprises continues its recovery and legal steps, the incident serves as a reminder of the need for robust digital defenses in today’s information-driven landscape.
Read more »
Ransomwares
Advanced Social Engineering Cyber Attacks cybercriminal group data security FBI FBI cybersecurity advisory Law Firms Luna Moth phishing techniques ransomware attacks Ransomwares

FBI Warns of Silent Ransom Group Using Phishing and Vishing to Target U.S. Law Firms

 

The FBI has issued a warning about a sophisticated cybercriminal group known as the Silent Ransom Group (SRG), also referred to by aliases like Luna Moth, Chatty Spider, and UNC3753. This group has been actively targeting U.S.-based law firms and related organizations through advanced phishing techniques and social engineering scams. The group, which has been operational since 2022, is known for using deceptive communication methods to gain unauthorized access to corporate systems and extract sensitive legal data for ransom demands. In the past, SRG’s activities spanned across industries such as healthcare and insurance. 

However, since the spring of 2023, its focus has shifted to legal entities, likely because of the highly confidential nature of the data managed by law firms. The group commonly uses a method called callback phishing, also known as reverse vishing. In this approach, victims receive emails that appear to originate from reputable companies and warn them of small charges for fake subscriptions. The emails prompt users to call a phone number to cancel the subscription. During these calls, victims are instructed to download remote access software under the guise of resolving the issue. Once the software is installed, SRG gains control of the victim’s device, searches for valuable data, and uses it to demand ransom.  

In March 2025, SRG has adapted their strategy to include voice phishing or vishing. In this new approach, the attackers call employees directly, posing as internal IT staff. These fraudulent callers attempt to convince their targets to join remote access sessions, often under the pretext of performing necessary overnight maintenance. Once inside the system, the attackers move swiftly to locate and exfiltrate data using tools like WinSCP or a disguised version of Rclone. Notably, SRG does not prioritize escalating privileges, instead focusing on immediate data theft. The FBI noted that these voice phishing methods have already resulted in multiple successful breaches. 

SRG reportedly continues to apply pressure during ransom negotiations by making follow-up calls to victim organizations. While the group does maintain a public site for releasing stolen data, its use of this platform is inconsistent, and it does not always follow through on threats to leak information. A significant concern surrounding these attacks is the difficulty in detection. SRG uses legitimate system management and remote access tools, which are often overlooked by traditional antivirus software. The FBI advises organizations to remain vigilant, particularly if there are unexplained downloads of programs such as AnyDesk, Zoho Assist, or Splashtop, or if staff receive unexpected calls from alleged IT personnel. 

In response, the FBI urges companies to bolster cybersecurity training, establish clear protocols for authenticating internal IT requests, and enforce two-factor authentication across all employee accounts. Victims of SRG attacks are encouraged to share any information that might assist in ongoing investigations, including ransom communications, caller details, and cryptocurrency wallet data.
Read more »
Subscribe to: Posts (Atom)