Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomwares. Show all posts
Ransomwares
Cyber Attacks Cyber Researchers Dark Web data security Interlock Interlock ransomware Malware Attack Ransomware attack Ransomwares

Interlock Ransomware Gang Deploys ClickFix Attacks to Breach Corporate Networks

 

Cybersecurity researchers have revealed that the Interlock ransomware gang has adopted a deceptive social engineering technique called ClickFix to infiltrate corporate networks. This method involves tricking users into executing malicious PowerShell commands under the guise of resolving system errors or completing identity verification steps, leading to the deployment of file-encrypting malware. 

While ClickFix attacks have previously been associated with ransomware campaigns, this marks the first confirmed use by Interlock, a ransomware operation that surfaced in late September 2024. The group targets both Windows systems and FreeBSD servers and maintains a dark web leak portal to pressure victims into paying ransoms that can reach millions of dollars. Interlock does not seem to operate as a ransomware-as-a-service (RaaS) model. 

According to Sekoia researchers, Interlock began using ClickFix tactics in January 2025. Attackers set up fake websites mimicking legitimate IT tools—such as Microsoft Teams and Advanced IP Scanner—to lure victims. These fake sites prompt users to click a “Fix it” button, which silently copies a malicious PowerShell script to the user’s clipboard. If run, the command downloads a 36MB PyInstaller payload that installs malware under the guise of a legitimate tool. 

Researchers found the malicious campaign hosted on spoofed domains like microsoft-msteams[.]com, microstteams[.]com, ecologilives[.]com, and advanceipscaner[.]com. Only the last domain led to the actual malware dropper disguised as Advanced IP Scanner. When users unknowingly run the script, a hidden PowerShell window executes actions such as system reconnaissance, persistence via Windows Registry, and data exfiltration. The attackers deploy a range of malware via command-and-control (C2) servers, including LummaStealer, BerserkStealer, keyloggers, and the Interlock RAT—a basic remote access trojan capable of dynamic configuration, file exfiltration, shell command execution, and DLL injection. 

Post-compromise, Interlock operators use stolen credentials to move laterally through networks via RDP, leveraging remote access tools like PuTTY, AnyDesk, and LogMeIn. Data is exfiltrated to Azure Blob Storage, after which the Windows variant of Interlock ransomware is scheduled to run daily at 8:00 PM—a redundancy tactic to ensure encryption if the initial payload fails. The gang’s ransom notes have also evolved, now placing emphasis on the legal and regulatory consequences of leaked data. 

ClickFix attacks are gaining popularity among various cybercriminal groups, with recent reports also linking them to North Korean state-sponsored actors like the Lazarus Group, who use similar tactics to target job seekers in the cryptocurrency sector.
Read more »
Ransomwares
Backdoor Backdoor Attacks Critical Infrastructure Cyber Attacks Healthcare Malware Attack RansomHub Ransomware attack Ransomwares

Symantec Links Betruger Backdoor Malware to RansomHub Ransomware Attacks

 

A sophisticated custom backdoor malware called Betruger has been discovered in recent ransomware campaigns, with Symantec researchers linking its use to affiliates of the RansomHub ransomware-as-a-service (RaaS) group. The new malware is considered a rare and powerful tool designed to streamline ransomware deployment by minimizing the use of multiple hacking tools during attacks. 

Identified by Symantec’s Threat Hunter Team, Betruger is described as a “multi-function backdoor” built specifically to aid ransomware operations. Its functions go far beyond traditional malware. It is capable of keylogging, network scanning, privilege escalation, credential theft, taking screenshots, and uploading data to a command-and-control (C2) server—all typical actions carried out before a ransomware payload is executed. Symantec notes that while ransomware actors often rely on open-source or legitimate software like Mimikatz or Cobalt Strike to navigate compromised systems, Betruger marks a departure from this norm. 

The tool’s development suggests an effort to reduce detection risks by limiting the number of separate malicious components introduced during an attack. “The use of custom malware other than encrypting payloads is relatively unusual in ransomware attacks,” Symantec stated. “Betruger may have been developed to reduce the number of tools dropped on a network during the pre-encryption phase.” Threat actors are disguising the malware under file names like ‘mailer.exe’ and ‘turbomailer.exe’ to pose as legitimate mailing applications and evade suspicion. While custom malware isn’t new in ransomware operations, most existing tools focus on data exfiltration. 

Notable examples include BlackMatter’s Exmatter and BlackByte’s Exbyte, both created to steal data and upload it to cloud platforms like Mega.co.nz. However, Betruger represents a more all-in-one solution tailored for streamlined attack execution. The RansomHub RaaS operation, previously known as Cyclops and Knight, surfaced in early 2024 and has quickly become a major threat actor in the cybercrime world. Unlike traditional ransomware gangs, RansomHub has focused more on data theft and extortion rather than just data encryption. Since its emergence, RansomHub has claimed several high-profile victims including Halliburton, Christie’s auction house, Frontier Communications, Rite Aid, Kawasaki’s EU division, Planned Parenthood, and Bologna Football Club. 

The group also leaked Change Healthcare’s stolen data after the BlackCat/ALPHV ransomware group’s infamous $22 million exit scam. More recently, the gang claimed responsibility for breaching BayMark Health Services, North America’s largest addiction treatment provider. BayMark serves over 75,000 patients daily across more than 400 locations in the US and Canada. According to the FBI, as of August 2024, RansomHub affiliates have compromised over 200 organizations, many of which are part of critical infrastructure sectors such as government, healthcare, and energy. 

As ransomware groups evolve and adopt more custom-built malware like Betruger, cybersecurity experts warn that defenses must adapt to meet increasingly sophisticated threats.
Read more »
Ransomwares
Cyber Attacks Cyber Breach Cyber Defenses Data protection financial attack Financial Loss Ransomware attack Ransomwares

Fourlis Group Confirms €20 Million Loss from IKEA Ransomware Attack

 

Fourlis Group, the retail operator responsible for IKEA stores across Greece, Cyprus, Romania, and Bulgaria, has revealed that a ransomware attack targeting its systems in late November 2024 led to significant financial losses. The cyber incident, which coincided with the busy Black Friday shopping period, disrupted critical parts of the business and caused damages estimated at €20 million (around $22.8 million). 

The breach initially surfaced as unexplained technical problems affecting IKEA’s e-commerce platforms. Days later, on December 3, the company confirmed that the disruptions were due to an external cyberattack. The attack affected digital infrastructure used for inventory restocking, online transactions, and broader retail operations, mainly impacting IKEA’s business. Other brands under the Fourlis umbrella, including Intersport and Holland & Barrett, were largely unaffected.  

According to CEO Dimitris Valachis, the company experienced a loss of approximately €15 million in revenue by the end of 2024, with an additional €5 million impact spilling into early 2025. Fourlis decided not to comply with the attackers’ demands and instead focused on system recovery through support from external cybersecurity professionals. The company also reported that it successfully blocked a number of follow-up attacks attempted after the initial breach. 

Despite the scale of the attack, an internal investigation supported by forensic analysts found no evidence that customer data had been stolen or exposed. The incident caused only a brief period of data unavailability, which was resolved swiftly. As part of its compliance obligations, Fourlis reported the breach to data protection authorities in all four affected countries, reassuring stakeholders that personal information remained secure. Interestingly, no known ransomware group has taken responsibility for the attack. This may suggest that the attackers were unable to extract valuable data or are holding out hope for an undisclosed settlement—though Fourlis maintains that no ransom was paid. 

The incident highlights the growing risks faced by digital retail ecosystems, especially during peak sales periods when system uptime is critical. As online platforms become more central to retail operations, businesses like Fourlis must invest heavily in cybersecurity defenses. Their experience reinforces the importance of swift response strategies, external threat mitigation support, and robust data protection practices to safeguard operations and maintain customer trust in the face of evolving cyber threats.
Read more »
Ransomwares
cloud storage Cyber Attacks Cyber Researchers Data Backup Data protection data security Ransomware attack Ransomwares

Ransomware Attacks Surge in Q1 2025 as Immutable Backup Emerges as Critical Defense

Ransomware attacks have seen a dramatic rise in the first quarter of 2025, with new research from Object First revealing an 84% increase compared to the same period in 2024. This alarming trend highlights the growing sophistication and frequency of ransomware campaigns, with nearly two-thirds of organizations reporting at least one attack in the past two years. 

The findings suggest that ransomware is no longer a matter of “if” but “when” for most businesses. Despite the increased threat, Object First’s study offers a silver lining. A large majority—81% of IT decision-makers—now recognize that immutable backup storage is the most effective defense against ransomware. Immutable storage ensures that once data is written, it cannot be changed or deleted, offering a critical safety net when other security measures fail. This form of storage plays a key role in enabling organizations to recover their data without yielding to ransom demands. 

However, the report also highlights a concerning gap between awareness and action. While most IT professionals acknowledge the benefits of immutable backups, only 59% of organizations have actually implemented such storage. Additionally, just 58% maintain multiple copies of their data in separate locations, falling short of the recommended 3-2-1 backup strategy. This gap leaves many companies dangerously exposed. The report also shows that ransomware actors are evolving their methods. A staggering 96% of organizations that experienced ransomware attacks in the last two years had their backup systems targeted at least once. Even more concerning, 10% of them had their backup storage compromised in every incident. 

These findings demonstrate how attackers now routinely seek to destroy recovery options, increasing pressure on victims to pay ransoms. Many businesses still place heavy reliance on traditional IT security hardening. In fact, 61% of respondents believe this approach is sufficient. But ransomware attackers are adept at bypassing such defenses using phishing emails, stolen credentials, and remote access tools. That’s why Object First recommends adopting a “breach mentality”—an approach that assumes an eventual breach and focuses on limiting damage. 

A Zero Trust architecture, paired with immutable backup, is essential. Organizations are urged to segment networks, restrict user access to essential data only, and implement multi-factor authentication. As cloud services grow, many companies are also turning to immutable cloud storage for flexible, scalable protection. Together, these steps offer a stronger, more resilient defense against today’s aggressive ransomware landscape.
Read more »
Ransomwares
CVE CVEs Cyber Attacks Malware Attack Malwares Microsoft ransomware attacks Ransomware group Ransomwares

Windows CLFS Zero-Day CVE-2025-29824 Exploited by Ransomware Group Storm-2460

 

A newly disclosed Windows zero-day vulnerability, tracked as CVE-2025-29824, is being actively exploited in cyberattacks to deliver ransomware, Microsoft has warned. This flaw affects the Windows Common Log File System (CLFS) driver and enables local privilege escalation—a method often used by attackers after gaining initial access. 

Microsoft’s Threat Intelligence and Security Response teams revealed that the bug is classified as a “use-after-free” vulnerability with a severity score of 7.8. While attackers need to compromise a system before they can exploit this flaw, it remains highly valuable in ransomware operations. Cybercriminals often rely on these types of vulnerabilities to turn a limited foothold into full administrative control across networks. 

The cybercrime group currently leveraging this zero-day is known as Storm-2460. Microsoft reports that the group is using the exploit to deploy a custom backdoor named PipeMagic, which in turn facilitates the installation of RansomEXX ransomware—a variant not commonly observed but still capable of serious disruption. So far, Storm-2460 has targeted organizations in industries such as IT, finance, and retail, with victims located in countries including the United States, Spain, Saudi Arabia, and Venezuela. 

Microsoft emphasized that the number of known cases remains small, but the sophistication of the exploit is concerning. This attack is notable for being part of a “post-compromise” campaign, meaning the attacker already has a presence within the system before using the flaw. These types of exploits are frequently used to escalate privileges and move laterally within a network, eventually leading to broader ransomware deployment. Microsoft issued a security advisory for CVE-2025-29824 on April 8 and urged organizations to install updates immediately. Failure to do so could leave critical systems vulnerable to privilege escalation and full network compromise. 

To mitigate risk, Microsoft advises businesses to prioritize patch management, restrict unnecessary administrative privileges, and closely monitor for unusual behavior across endpoints. Cybersecurity teams are also encouraged to review logs for any indicators of compromise related to PipeMagic or RansomEXX. As ransomware tactics continue to evolve, the exploitation of vulnerabilities like CVE-2025-29824 reinforces the need for proactive defense strategies and rapid incident response protocols.
Read more »
Security Flaws
Cyber Security Extension Malware Detection Malwares Marketplace Microsoft Microsoft security Ransomwares Security Flaws

Ransomware Found in VSCode Extensions Raises Concerns Over Microsoft’s Security Review

 

Cybersecurity experts have discovered ransomware hidden within two Visual Studio Code (VSCode) Marketplace extensions, raising concerns about Microsoft’s ability to detect malicious software in its platform. The compromised extensions, named “ahban.shiba” and “ahban.cychelloworld,” were downloaded by users before security researchers flagged them and they were subsequently removed. 

Despite Microsoft’s security measures, the extensions remained publicly accessible for a significant period, highlighting potential gaps in the company’s review process. The “ahban.cychelloworld” extension was first uploaded on October 27, 2024, followed by “ahban.shiba” on February 17, 2025. The VSCode Marketplace, designed to provide developers with additional tools for Microsoft’s popular coding platform, has come under scrutiny for failing to identify these threats. 

Researchers at ReversingLabs determined that both extensions included a PowerShell script that connected to a remote Amazon Web Services (AWS) server to download further malicious code. This secondary payload functioned as ransomware, though evidence suggests it was still in a testing phase. 

Unlike traditional ransomware that encrypts entire systems, this malware specifically targeted files stored in C:\users%username%\Desktop\testShiba.  Once the encryption was complete, victims received a Windows notification stating: “Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them.” However, no further instructions or payment details were provided, suggesting the malware was not yet fully developed.  

Although Microsoft eventually removed the extensions, security researcher Italy Kruk from ExtensionTotal disclosed that their automated detection system had identified the malicious code much earlier. Kruk stated that they had alerted Microsoft about the issue but received no response. Further analysis revealed that the initial version of “ahban.cychelloworld” was clean, but the ransomware was introduced in version 0.0.2, which was released on November 24, 2024. ExtensionTotal flagged this version to Microsoft on November 25, yet the extension remained available for months. 

During this time, five more versions were uploaded, all containing the same ransomware. This case has intensified concerns about Microsoft’s ability to monitor third-party extensions effectively. The security lapse within the VSCode Marketplace highlights the risk developers face when downloading extensions, even from official sources. Microsoft has previously faced criticism for both slow responses to security threats and for mistakenly removing non-malicious extensions. 

A notable example involved two popular VSCode themes, ‘Material Theme – Free’ and ‘Material Theme Icons – Free,’ which were taken down due to suspected obfuscated JavaScript. However, after further review, Microsoft determined the extensions were safe, reinstated them, and apologized, promising improvements to its security screening process. The presence of ransomware in widely used developer tools underscores the need for stronger security measures. Developers must stay cautious, regularly update security protocols, and carefully evaluate third-party extensions before installing them, even when they come from official platforms like the VSCode Marketplace.
Read more »
Ransomwares
Backdoor Backdoor Attacks Critical Infrastructure Cyber Attacks RansomHub ransomware ransomware attacks Ransomwares

Betruger Backdoor Linked to RansomHub Ransomware Attacks on Critical Infrastructure

 

A newly discovered backdoor malware, dubbed Betruger, has been identified in multiple recent ransomware attacks. Researchers at Symantec believe at least one affiliate of the RansomHub ransomware-as-a-service (RaaS) operation is using this sophisticated tool to facilitate cyber intrusions. 

Unlike many conventional malware strains, Betruger functions as a multi-purpose backdoor designed to prepare networks for ransomware deployment while minimizing the need for additional malicious software. Betruger comes equipped with several advanced features commonly associated with pre-ransomware attack stages. These include keylogging, network scanning, privilege escalation, credential theft, screenshot capture, and the ability to upload files to a command-and-control (C2) server. 

Its design suggests that attackers are looking to streamline their intrusion process, reducing reliance on multiple external tools and instead using a single, custom-built malware to execute various attack functions. This approach is relatively rare, as ransomware operators typically rely on widely available tools such as Mimikatz and Cobalt Strike to conduct their attacks. To avoid detection, cybercriminals are disguising Betruger under the filenames ‘mailer.exe’ and ‘turbomailer.exe,’ making it appear like a legitimate email-related application. 

While other ransomware groups have developed proprietary tools for data exfiltration, such as BlackMatter’s Exmatter and BlackByte’s Exbyte, Betruger appears to have a broader range of capabilities beyond just stealing data. The emergence of Betruger coincides with ongoing attacks by RansomHub, a ransomware operation that has been active since February 2024. Previously known as Cyclops and Knight, RansomHub has gained a reputation for focusing on extortion through data theft rather than encrypting victim files. 

Over the past year, the group has targeted several major organizations, including Halliburton, Christie’s, Frontier Communications, Rite Aid, and Kawasaki’s EU division. It was also responsible for leaking Change Healthcare’s stolen data after the BlackCat/ALPHV group’s $22 million exit scam. More recently, RansomHub claimed responsibility for breaching BayMark Health Services, a leading addiction treatment provider in North America. 

The company operates over 400 treatment centers across the U.S. and Canada, serving approximately 75,000 patients daily. The FBI has linked RansomHub affiliates to more than 200 ransomware attacks affecting various critical infrastructure sectors in the U.S., including government agencies, healthcare institutions, and other essential services. With the deployment of Betruger, the group’s operations appear to be evolving, indicating a continued threat to businesses and organizations worldwide.
Read more »
Ransomwares
corporate network breach Cyber Security firewall vulnerability Forescout Research Labs Fortnite Hacker attack Ransomware attack Ransomwares

Hackers Exploit Fortinet Firewall Bugs to Deploy Ransomware

 

Cybersecurity researchers have uncovered a new attack campaign in which hackers are exploiting vulnerabilities in Fortinet firewalls to breach corporate networks and deploy ransomware. The hacking group, tracked as “Mora_001,” is leveraging two specific flaws in Fortinet’s firewall software to infiltrate systems and launch a custom ransomware strain called “SuperBlack.” 

These vulnerabilities, tracked as CVE-2024-55591 and CVE-2025-24472, have been actively exploited since December 2024, despite Fortinet releasing patches in January 2025. Many organizations have yet to apply these critical updates, leaving their networks vulnerable. Once inside a network, the attackers conduct reconnaissance to identify valuable data before deploying ransomware. Instead of immediately encrypting files, they first exfiltrate sensitive information, a tactic that has become increasingly common among ransomware groups seeking to pressure victims into paying a ransom to prevent data leaks. 

Security researchers at Forescout observed that the Mora_001 group selectively encrypted file servers only after stealing critical data, making their attacks more damaging and difficult to recover from. There is strong evidence linking Mora_001 to the notorious LockBit ransomware gang. The SuperBlack ransomware strain appears to be based on a leaked builder from LockBit 3.0 attacks, and the ransom notes left by Mora_001 include the same contact details previously used by LockBit affiliates. This suggests that Mora_001 may be a current LockBit affiliate with distinct operational methods or a separate group that shares infrastructure and communication channels. 

Cybersecurity experts believe that Mora_001 is primarily targeting organizations that have not yet applied Fortinet’s security patches. Companies that failed to update their firewalls or properly harden their network configurations when the vulnerabilities were first disclosed are at the highest risk. The ransom notes used in these attacks also bear similarities to those used by other cybercriminal groups, such as the now-defunct ALPHV/BlackCat ransomware gang, further indicating connections within the ransomware ecosystem. 

Despite Fortinet releasing fixes for the affected vulnerabilities, unpatched systems remain an easy target for attackers. Security professionals are urging organizations to update their firewalls immediately and implement additional security measures to prevent unauthorized access. Best practices include applying all available patches, segmenting networks to restrict access to critical systems, monitoring for suspicious activity using endpoint detection and response tools, and maintaining secure offline backups. Organizations that fail to take these precautions risk falling victim to sophisticated ransomware attacks that can result in severe financial and operational damage.
Read more »
Subscribe to: Posts (Atom)