< ciso
brief />
Tag Banner

All news with #double extortion tag

34 articles

Extortion-Only Attacks Rise, Shift Focus to Data Theft

๐Ÿ” Insurers report a marked increase in extortion-only incidents where attackers rely on data theft rather than encryption. Resilience found that 65% of extortion claims in H2 2025 did not involve encryption, and data theft accounted for 87% of ransomware claims by year-end. The report warns that paying for data suppression is unreliable, with 30โ€“40% of paid cases still resulting in leaks, and recommends prevention, tabletop exercises, and pre-incident legal and response retainers.
read more โ†’

DentaQuest breach exposed data of 2.6 million accounts

๐Ÿ”’ DentaQuest, a major US dental benefits administrator, disclosed a cybersecurity incident after the extortion group ShinyHunters posted and later leaked over 234 GB of stolen data. The company confirmed limited disruption to services on June 2 and said it engaged external experts to investigate and contain the breach. Analysis by Have I Been Pwned found records for 2.6 million accounts in the leaked dataset, including emails, names, phone numbers, government IDs, insurance details, genders, and dates of birth.
read more โ†’

Data-Only Extortion Rising in the Cyber Threat Economy

๐Ÿ” This Unit 42 report examines the growing shift from ransomware encryption to data-theft and extortion-only attacks, profiling threat actors, techniques, and sectors most affected. It highlights drivers such as improved backups, faster exfiltration, and regulatory pressures that make disclosure risk financially coercive. The briefing also warns of AI-accelerated attacks and offers prioritized defensive recommendations for DLP, SaaS posture, identity resilience, supply chain integrity, and AI preparedness.
read more โ†’

FBI Issues Advisory After ShinyHunters Breach of Canvas LMS

โš ๏ธ The FBI's IC3 issued an advisory on 15 May 2026 about the ShinyHunters extortion gang breaching an online learning management system used by US educational institutions. Although the advisory avoided naming the vendor, reporting and Instructure's confirmation made clear Canvas was affected and the company reportedly paid a ransom after receiving alleged 'shred logs'. The FBI warns victims not to engage with extortionists, enable multiโ€‘factor authentication, and remain vigilant against phishing, harassment, and swatting; students and staff should assume their data may be exposed and await official guidance.
read more โ†’

Canvas Breach and Extortion Disrupts US Schools Nationwide

๐Ÿ”’ Instructure's Canvas platform was taken offline on May 7 after the cybercrime group ShinyHunters defaced login pages and posted a ransom demand claiming to hold data on 275 million students and faculty at nearly 9,000 institutions. Instructure had acknowledged a breach on May 6, saying the stolen records include names, email addresses, student ID numbers and user messages but not passwords or financial information. The outage, timed during many institutions' final exams, disrupted coursework while schools and the vendor evaluated exposure and potential extortion responses.
read more โ†’

ShinyHunters Defaces Canvas Login Portals at Scale

๐Ÿ”’ The ShinyHunters extortion group defaced Canvas login portals for roughly 330 colleges and universities, replacing standard pages with an extortion message that demanded payment by May 12, 2026. The same message also appeared in the Canvas app and was visible for about 30 minutes before being taken offline. Instructure has taken Canvas offline while confirming that data was stolen and continuing its investigation. BleepingComputer reports the group claims the theft includes extensive student and staff records.
read more โ†’

ShinyHunters Claims 280M Records Stolen from Instructure

๐Ÿ”’ Instructure says it is investigating a breach after the extortion group ShinyHunters claimed to have stolen 280 million records tied to students, teachers, and staff across 8,809 colleges, school districts, and online education platforms. The actors allege they accessed names, email addresses, private messages and enrollment data by abusing Canvas export features such as DAP queries, provisioning reports and user APIs. Instructure has acknowledged the incident but has not provided detailed public answers; several universities have begun their own inquiries.
read more โ†’

Trigona Ransomware Adopts Custom Tool to Steal Data

๐Ÿ”’ Symantec researchers observed Trigona ransomware affiliates using a custom command-line exfiltration utility, uploader_client.exe, in March to siphon high-value documents to a hardcoded server. The tool supports parallel uploads, TCP rotation after 2GB, selective file-type exclusion, and an authentication key to control access to stolen data. The shift from public utilities like Rclone appears intended to reduce detection during double-extortion operations. Symantec has published IoCs to aid defenders.
read more โ†’

Evolution of Ransomware: Multi-Extortion Threats Rise

๐Ÿ”’ Ransomware's shift to multi-extortion is producing real operational harm across healthcare, finance, and manufacturing, with widespread incidents and patient-care disruptions reported in 2025โ€“2026. Attackers now routinely exfiltrate data before encrypting systems, making backups alone insufficient and increasing regulatory and business risk. The article highlights D.AMO from Penta Security, an integrated platform combining kernel-level folder encryption, process-based access control, and independent recovery to render stolen files unreadable, block unauthorized access, and speed restoration.
read more โ†’

Researchers Observe Sub-One-Hour Ransomware Attacks

๐Ÿ”’ Halcyon warns that the Akira ransomware group can complete a full attack lifecycle in under an hour, often exploiting vulnerabilities in internet-facing VPN and backup appliances where multi-factor authentication is absent. The group supplements exploits with credential theft, spearphishing, password spraying and initial access brokers, then exfiltrates data before encryption in a double-extortion model. Akira favors stealth and living-off-the-land tools (FileZilla, WinRAR, WinSCP, RClone) to stage and encrypt data; organizations should adopt layered defenses, harden third-party access, monitor for exfiltration and deploy dedicated anti-ransomware protections.
read more โ†’

Leak Reveals Tactics and Tensions in Gentlemen Ransomware

๐Ÿ” Group-IB's March 19 report exposes operational details of the Gentlemen ransomware group after an affiliate known as hastalamuerte leaked internal information. The research describes a rapidly evolving RaaS that sprang from a Qilin ecosystem dispute and leverages a dual-extortion model, cross-platform encryption and automated lateral movement to maximize impact. Primary initial access stems from exposed FortiGate VPN devices, while advanced evasion such as BYOVD and aggressive log deletion are used to frustrate defenders and forensic analysis.
read more โ†’

Ransomware TTPs and Shifting Threat Landscape โ€” 2025

๐Ÿ” GTIG and Mandiant analysis of 2025 ransomware activity shows a shift toward greater data-theft-extortion and targeting of virtualization despite declining overall profitability for operators. Exploitation of VPNs and firewalls, increased abuse of legitimate tools and cloud services, and more aggressive extortion tactics produced a record number of data-leak-site postings. REDBIKE was the most frequently observed family, and defenders saw drops in Cobalt Strike and RMM reliance. Recommended actions include patching perimeter devices, hardening virtualization, improving backup resiliency, enforcing credential hygiene, and monitoring for anomalous data egress.
read more โ†’

The Dirty Dozen: Active Ransomware Groups Today 2026

๐Ÿ”’Ransomware-as-a-service (RaaS) has driven a rise in financially motivated attacks, combining double and triple extortion, data theft, and growing use of AI. Law enforcement disruptions have fragmented the marketplace and helped spawn new players such as Akira, BlackCat, and RansomHub. Attackers exploit unpatched VPNs, open RDP, phishing, and zero-day flaws to hit healthcare, manufacturing, education, telecom and critical infrastructure.
read more โ†’

Ransomware Shift: Stealthy, Long-Term Access Tactics

๐Ÿ”’ Picus Security's annual red-teaming report finds ransomware operators shifting from noisy encryption to stealthy, long-term access, favoring persistence, defense evasion and data exfiltration. The firm reports a 38% drop in encryption as attackers prioritize double-extortion and silent leaks, often routing C2 traffic through trusted services like OpenAI and AWS. Experts urge stronger identity controls, monitoring of third-party integrations, and detections tuned to persistence and exfiltration.
read more โ†’

Types of Ransomware Attacks and Detection Methods Overview

๐Ÿ”’ This article profiles major ransomware varieties โ€” including crypto, double extortion, encryptionless, locker, scareware and Ransomware-as-a-Service โ€” and explains how they operate. It outlines common detection approaches such as behavioral, signature, heuristic, and deception techniques. The piece also situates ransomware within the broader malware landscape and describes how Huntressโ€™ 24/7 human-led monitoring and containment reduce risk.
read more โ†’

Ransomware leak sites escalate pressure on victims

๐Ÿ”’ Data leak sites (DLSs) have become the backbone of modern ransomware's doubleโ€‘extortion strategy, combining data theft with public blackmail to force payment. Attackers publish carefully curated samples, use timers and deadlines, and exploit urgency to magnify reputational, regulatory, and financial harm. Law enforcement agencies and security teams warn that DLS content fuels followโ€‘on crimes like phishing and identity fraud. Organizations are urged to adopt EDR/XDR, Zero Trust, patched systems, resilient airโ€‘gapped backups, and targeted user training.
read more โ†’

Exposed MongoDB Instances Targeted in Extortion Campaign

๐Ÿ”’ A threat actor is automating data-extortion attacks against publicly exposed MongoDB instances, compromising roughly 1,400 servers and leaving ransom notes demanding about 0.005 BTC (~$500). Researchers at Flare found over 208,500 publicly reachable MongoDB servers, with 3,100 allowing access without authentication and nearly half of those already wiped. There is no guarantee that paying ransoms will restore data or provide working keys. Victims are urged to avoid public exposure, enforce strong authentication, apply network controls, and keep instances updated.
read more โ†’

From Cipher to Fear: Psychology of Modern Ransomware

๐Ÿ” Modern ransomware has evolved from a technical encryption problem into a psychology-driven extortion industry where stolen data, legal exposure, and reputation risk are the primary levers. Flare's 2025 analysis documents a fragmented, collaborative attacker ecosystem and a shift to pressure-first tactics like public shaming and identity abuse. Security teams must expand playbooks beyond backups to include legal and communications readiness, targeted configuration audits, and prioritized remediation based on active exploit intelligence.
read more โ†’

Ransomware Gangs Use Compliance Violations to Extort

โš ๏ธ Recent analyses show ransomware groups increasingly threaten victims by reporting alleged regulatory breaches to authorities, adding a compliance layer to the familiar double-extortion model. Researchers at Akamai observed this tactic over the past two years, citing groups such as Anubis and Ransomhub. Attackers target industries with high compliance risk and use AI to rapidly identify and craft legally framed complaints under GDPR, DORA and tightened SEC rules.
read more โ†’

Kraken Ransomware Benchmarks Hosts to Choose Encryption

๐Ÿ”’ The Kraken ransomware targets Windows and Linux/VMware ESXi hosts and runs on-host benchmarks to decide whether to perform full or partial encryption. Cisco Talos researchers found it creates temporary files, times encryption of random data, and uses the result to select an encryption mode that maximizes damage while avoiding overloads. Before encrypting it deletes shadow volumes, stops backup services, appends .zpsc to files, and drops a readme_you_ws_hacked.txt ransom note. The group continues bigโ€‘game hunting and data theft for double extortion and has launched a forum called 'The Last Haven Board'.
read more โ†’