< ciso brief />

All news with #double extortion tag

32 articles

Data-Only Extortion Rising in the Cyber Threat Economy

🔍 This Unit 42 report examines the growing shift from ransomware encryption to data-theft and extortion-only attacks, profiling threat actors, techniques, and sectors most affected. It highlights drivers such as improved backups, faster exfiltration, and regulatory pressures that make disclosure risk financially coercive. The briefing also warns of AI-accelerated attacks and offers prioritized defensive recommendations for DLP, SaaS posture, identity resilience, supply chain integrity, and AI preparedness.
read more →

FBI Issues Advisory After ShinyHunters Breach of Canvas LMS

⚠️ The FBI's IC3 issued an advisory on 15 May 2026 about the ShinyHunters extortion gang breaching an online learning management system used by US educational institutions. Although the advisory avoided naming the vendor, reporting and Instructure's confirmation made clear that Canvas was affected, and the company reportedly paid a ransom after receiving alleged 'shred logs'. The FBI advises victims not to engage with the extortionists, to enable multi-factor authentication, and to remain vigilant against phishing, harassment, and swatting; students and staff should assume their data may be exposed and await official guidance.
read more →

Canvas Breach and Extortion Disrupts US Schools Nationwide

🔒 Instructure's Canvas platform was taken offline on May 7 after the cybercrime group ShinyHunters defaced login pages and posted a ransom demand claiming to hold data on 275 million students and faculty at nearly 9,000 institutions. Instructure had acknowledged a breach on May 6, saying the stolen records include names, email addresses, student ID numbers and user messages but not passwords or financial information. The outage, timed during many institutions' final exams, disrupted coursework while schools and the vendor evaluated exposure and potential extortion responses.
read more →

ShinyHunters Defaces Canvas Login Portals at Scale

🔒 The ShinyHunters extortion group defaced Canvas login portals for roughly 330 colleges and universities, replacing standard pages with an extortion message that demanded payment by May 12, 2026. The same message also appeared in the Canvas app and was visible for about 30 minutes before being taken offline. Instructure has taken Canvas offline while confirming that data was stolen and continuing its investigation. BleepingComputer reports the group claims the theft includes extensive student and staff records.
read more →

ShinyHunters Claims 280M Records Stolen from Instructure

🔒 Instructure says it is investigating a breach after the extortion group ShinyHunters claimed to have stolen 280 million records tied to students, teachers, and staff across 8,809 colleges, school districts, and online education platforms. The actors allege they accessed names, email addresses, private messages and enrollment data by abusing Canvas export features such as Data Access Platform (DAP) queries, provisioning reports and user APIs. Instructure has acknowledged the incident but has not provided detailed public answers; several universities have begun their own inquiries.
read more →
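
The export-feature abuse described above is visible in a tenant's API audit log as a burst of bulk-read calls from one token. The following is an added example, not Instructure code: it runs a sliding-window detector over a constructed JSON-lines audit log. The field names, endpoint paths (provisioning report, user listing, DAP query) and the thresholds are assumptions; map them to your tenant's real audit export and to each integration's observed baseline.

```python
"""Flag bulk-export abuse in a SaaS API audit log.

Added example, not Instructure code. The audit-log fields and the endpoint
paths below are assumptions modelled on the export features named in the
reporting (provisioning reports, user listing, DAP queries); map them to the
real fields in your tenant's audit export before use.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Path fragments treated as bulk user/enrollment exports (assumed, not the vendor's list).
BULK_EXPORT_PATTERNS = ("/reports/provisioning_csv", "/users", "/dap/query")


def _event(ts, token, actor, path, nbytes):
    """Build one constructed audit-log line in the assumed JSON-lines format."""
    return json.dumps({"ts": ts, "token_id": token, "actor": actor,
                       "method": "GET", "path": path, "status": 200, "bytes": nbytes})


def _burst(start, token, actor, n, step_s=10):
    """Constructed burst: n paged user-listing calls, one every step_s seconds."""
    t0 = datetime.strptime(start, "%Y-%m-%dT%H:%M:%SZ")
    return [_event((t0 + timedelta(seconds=i * step_s)).strftime("%Y-%m-%dT%H:%M:%SZ"),
                   token, actor, f"/api/v1/accounts/1/users?per_page=100&page={i + 1}", 40_000)
            for i in range(n)]


# Constructed sample log (not real data). tok-sis-01 is a scheduled SIS integration
# pulling a provisioning report a few times a day; tok-9f3c pages through every user
# in minutes and then runs a large DAP export.
SAMPLE_LOG = [
    _event("2026-05-05T01:00:05Z", "tok-sis-01", "svc-sis", "/api/v1/accounts/1/reports/provisioning_csv", 2_000_000),
    _event("2026-05-05T02:09:40Z", "tok-9f3c", "jdoe", "/api/v1/courses/12/assignments", 3_000),
    *_burst("2026-05-05T02:14:00Z", "tok-9f3c", "jdoe", 30),
    _event("2026-05-05T02:20:00Z", "tok-9f3c", "jdoe", "/dap/query?table=users&format=csv", 900_000_000),
    _event("2026-05-05T03:00:05Z", "tok-sis-01", "svc-sis", "/api/v1/accounts/1/reports/provisioning_csv", 2_000_000),
    _event("2026-05-05T05:00:05Z", "tok-sis-01", "svc-sis", "/api/v1/accounts/1/reports/provisioning_csv", 2_000_000),
]


def detect_bulk_export(lines, window=timedelta(minutes=10), max_calls=15, max_bytes=50_000_000):
    """Return {token_id: details} for tokens whose bulk-export calls in any
    sliding window exceed max_calls or max_bytes.

    Thresholds are assumptions: derive them from each integration's observed baseline.
    """
    per_token = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if not any(p in ev["path"] for p in BULK_EXPORT_PATTERNS):
            continue
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        per_token[ev["token_id"]].append((ts, ev["bytes"], ev["actor"]))

    alerts = {}
    for token, evs in per_token.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            n = end - start + 1
            total = sum(b for _, b, _ in evs[start:end + 1])
            if n > max_calls or total > max_bytes:
                alerts[token] = {"actor": evs[end][2], "calls_in_window": n,
                                 "bytes_in_window": total,
                                 "first_exceeded_at": evs[end][0].isoformat()}
                break  # one alert per token is enough for triage
    return alerts


if __name__ == "__main__":
    for token, info in detect_bulk_export(SAMPLE_LOG).items():
        print(f"ALERT token={token} {info}")
```

The scheduled integration never trips either threshold because its three report pulls are hours apart, while the interactive token is flagged on its sixteenth paged call; the 900 MB DAP export that follows would have tripped the byte threshold on its own. Keying the window on the token rather than the user catches a stolen or minted token even when the human account looks normal.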

Trigona Ransomware Adopts Custom Tool to Steal Data

🔒 Symantec researchers observed Trigona ransomware affiliates using a custom command-line exfiltration utility, uploader_client.exe, in March to siphon high-value documents to a hardcoded server. The tool supports parallel uploads, rotates the TCP connection after every 2 GB, excludes selected file types, and requires an authentication key to control access to the stolen data. The shift away from public utilities like Rclone appears intended to reduce detection during double-extortion operations. Symantec has published IoCs to aid defenders.
read more →

Evolution of Ransomware: Multi-Extortion Threats Rise

🔒 Ransomware's shift to multi-extortion is producing real operational harm across healthcare, finance, and manufacturing, with widespread incidents and patient-care disruptions reported in 2025–2026. Attackers now routinely exfiltrate data before encrypting systems, making backups alone insufficient and increasing regulatory and business risk. The article highlights D.AMO from Penta Security, an integrated platform combining kernel-level folder encryption, process-based access control, and independent recovery to render stolen files unreadable, block unauthorized access, and speed restoration.
read more →

Researchers Observe Sub-One-Hour Ransomware Attacks

🔒 Halcyon warns that the Akira ransomware group can complete a full attack lifecycle in under an hour, often exploiting vulnerabilities in internet-facing VPN and backup appliances where multi-factor authentication is absent. The group supplements exploits with credential theft, spearphishing, password spraying and initial access brokers, then exfiltrates data before encryption in a double-extortion model. Akira favors stealth and living-off-the-land tools (FileZilla, WinRAR, WinSCP, RClone) to stage and exfiltrate data; organizations should adopt layered defenses, harden third-party access, monitor for exfiltration and deploy dedicated anti-ransomware protections.
read more →
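
The Trigona and Akira entries above describe two different exfiltration signatures: a custom uploader that rotates its TCP connection every 2 GB, and off-the-shelf tools (WinRAR to stage, then Rclone, WinSCP or FileZilla to move data) run back to back on one host. The block below is an added example, not Symantec's or Halcyon's code, that checks both signals over constructed process-creation events and flow records. Tool names, the approved-tool list, the internal address ranges, thresholds and every sample event are assumptions.

```python
"""Exfiltration-staging detection over constructed endpoint and flow telemetry.

Added example (not Symantec's or Halcyon's code). Two signals:
  1. archiver followed by a transfer tool on the same host (Akira-style staging),
     plus any transfer tool that is not on the approved list (a custom uploader);
  2. outbound flows to one external address that are very large in total, or
     repeatedly capped near 2 GB (the connection rotation attributed to Trigona's
     uploader).
Thresholds, tool lists, address ranges and all events below are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe", "filezilla.exe", "uploader_client.exe"}
APPROVED_TRANSFER_TOOLS = frozenset({"rclone.exe", "winscp.exe", "filezilla.exe"})
STAGING_WINDOW = timedelta(minutes=30)
ROTATION_MIN, ROTATION_MAX = 1_500_000_000, 2_300_000_000   # bytes per flow, ~2 GB cap
ROTATION_MIN_FLOWS = 3
BULK_EGRESS_BYTES = 10_000_000_000                            # total to one external host
# Your own internal ranges; Python's is_private() would also treat the documentation
# ranges used in the sample below as private, so the check is explicit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed process-creation events (host, time, image, command line). Flags are invented.
PROCESS_EVENTS = [
    ("WS-FIN-07", _t("2026-03-02 13:02:10"), "rar.exe", r"rar.exe a -r D:\stage\fin.rar \\fs01\finance"),
    ("WS-FIN-07", _t("2026-03-02 13:09:45"), "rclone.exe", r"rclone.exe copy D:\stage remote:drop --transfers 8"),
    ("WS-HR-02",  _t("2026-03-02 09:00:00"), "winrar.exe", r"winrar.exe x C:\Users\hr\offer.rar"),
    ("SRV-DB-01", _t("2026-03-02 13:30:00"), "uploader_client.exe", r"uploader_client.exe D:\dumps"),
]

# Constructed flow records (host, time, dst_ip, dst_port, bytes_out). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for attacker infrastructure.
FLOW_EVENTS = [
    ("SRV-DB-01", _t("2026-03-02 13:31:00"), "203.0.113.10", 443, 2_147_000_000),
    ("SRV-DB-01", _t("2026-03-02 13:48:00"), "203.0.113.10", 443, 2_146_500_000),
    ("SRV-DB-01", _t("2026-03-02 14:05:00"), "203.0.113.10", 443, 2_147_483_000),
    ("SRV-DB-01", _t("2026-03-02 14:22:00"), "203.0.113.10", 443, 1_900_000_000),
    ("WS-FIN-07", _t("2026-03-02 13:10:00"), "198.51.100.20", 443, 12_000_000_000),
    ("WS-HR-02",  _t("2026-03-02 09:05:00"), "10.0.0.5", 445, 8_000_000_000),   # internal copy, ignored
    ("WS-HR-02",  _t("2026-03-02 09:06:00"), "203.0.113.10", 443, 5_000_000),
    ("WS-HR-02",  _t("2026-03-02 09:07:00"), "203.0.113.10", 443, 5_000_000),
    ("WS-HR-02",  _t("2026-03-02 09:08:00"), "203.0.113.10", 443, 5_000_000),
]


def staging_then_transfer(events, window=STAGING_WINDOW):
    """Archiver followed by a transfer tool on the same host within `window`."""
    alerts, by_host = [], defaultdict(list)
    for host, ts, image, cmd in events:
        by_host[host].append((ts, image.lower(), cmd))
    for host, evs in by_host.items():
        evs.sort()
        last_archive = None
        for ts, image, cmd in evs:
            if image in ARCHIVERS:
                last_archive = ts
            elif image in TRANSFER_TOOLS and last_archive and ts - last_archive <= window:
                alerts.append({"host": host, "rule": "staging_then_transfer", "tool": image, "cmd": cmd})
    return alerts


def unapproved_uploader(events, approved=APPROVED_TRANSFER_TOOLS):
    """Transfer tool that is not on the approved list (a custom uploader lands here)."""
    return [{"host": h, "rule": "unapproved_transfer_tool", "tool": img.lower(), "cmd": cmd}
            for h, _, img, cmd in events
            if img.lower() in TRANSFER_TOOLS and img.lower() not in approved]


def suspicious_egress(flows):
    """Per (host, external dst): bulk egress, or repeated flows capped near 2 GB."""
    alerts, per_pair = [], defaultdict(list)
    for host, _, dst, _, nbytes in flows:
        if any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS):
            continue
        per_pair[(host, dst)].append(nbytes)
    for (host, dst), sizes in per_pair.items():
        if sum(sizes) >= BULK_EGRESS_BYTES:
            alerts.append({"host": host, "rule": "bulk_egress", "dst": dst, "bytes": sum(sizes)})
        if len(sizes) >= ROTATION_MIN_FLOWS and ROTATION_MIN <= median(sizes) <= ROTATION_MAX:
            alerts.append({"host": host, "rule": "connection_rotation_2gb", "dst": dst, "flows": len(sizes)})
    return alerts


def run_all(process_events=PROCESS_EVENTS, flows=FLOW_EVENTS):
    return staging_then_transfer(process_events) + unapproved_uploader(process_events) + suspicious_egress(flows)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Against the sample, WS-FIN-07 fires on rar-then-rclone and on 12 GB to one external host, and SRV-DB-01 fires on the unapproved uploader and on four consecutive flows sitting just under 2 GB, while the HR workstation's lone WinRAR run and its small external flows stay quiet. The 2 GB-cap rule is narrow by design; if the uploader's limit changes, only the two constants need adjusting.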

Leak Reveals Tactics and Tensions in Gentlemen Ransomware

🔍 Group-IB's March 19 report exposes operational details of the Gentlemen ransomware group after an affiliate known as hastalamuerte leaked internal information. The research describes a rapidly evolving RaaS that sprang from a Qilin ecosystem dispute and leverages a double-extortion model, cross-platform encryption and automated lateral movement to maximize impact. Primary initial access stems from exposed FortiGate VPN devices, while advanced evasion techniques such as BYOVD (bring your own vulnerable driver) and aggressive log deletion are used to frustrate defenders and forensic analysis.
read more →

Ransomware TTPs and Shifting Threat Landscape — 2025

🔐 GTIG and Mandiant analysis of 2025 ransomware activity shows a shift toward greater data-theft-extortion and targeting of virtualization despite declining overall profitability for operators. Exploitation of VPNs and firewalls, increased abuse of legitimate tools and cloud services, and more aggressive extortion tactics produced a record number of data-leak-site postings. REDBIKE was the most frequently observed family, and defenders saw drops in Cobalt Strike and RMM reliance. Recommended actions include patching perimeter devices, hardening virtualization, improving backup resiliency, enforcing credential hygiene, and monitoring for anomalous data egress.
read more →

The Dirty Dozen: Active Ransomware Groups Today 2026

🔒 Ransomware-as-a-service (RaaS) has driven a rise in financially motivated attacks, combining double and triple extortion, data theft, and growing use of AI. Law enforcement disruptions have fragmented the marketplace and helped spawn new players such as Akira, BlackCat, and RansomHub. Attackers exploit unpatched VPNs, open RDP, phishing, and zero-day flaws to hit healthcare, manufacturing, education, telecom and critical infrastructure.
read more →

Ransomware Shift: Stealthy, Long-Term Access Tactics

🔒 Picus Security's annual red-teaming report finds ransomware operators shifting from noisy encryption to stealthy, long-term access, favoring persistence, defense evasion and data exfiltration. The firm reports a 38% drop in encryption as attackers prioritize double-extortion and silent leaks, often routing C2 traffic through trusted services like OpenAI and AWS. Experts urge stronger identity controls, monitoring of third-party integrations, and detections tuned to persistence and exfiltration.
read more →

Types of Ransomware Attacks and Detection Methods Overview

🔒 This article profiles major ransomware varieties — including crypto, double extortion, encryptionless, locker, scareware and Ransomware-as-a-Service — and explains how they operate. It outlines common detection approaches such as behavioral, signature, heuristic, and deception techniques. The piece also situates ransomware within the broader malware landscape and describes how Huntress’ 24/7 human-led monitoring and containment reduce risk.
read more →

Ransomware leak sites escalate pressure on victims

🔒 Data leak sites (DLSs) have become the backbone of modern ransomware's double‑extortion strategy, combining data theft with public blackmail to force payment. Attackers publish carefully curated samples, use timers and deadlines, and exploit urgency to magnify reputational, regulatory, and financial harm. Law enforcement agencies and security teams warn that DLS content fuels follow‑on crimes like phishing and identity fraud. Organizations are urged to adopt EDR/XDR, Zero Trust, patched systems, resilient air‑gapped backups, and targeted user training.
read more →

Exposed MongoDB Instances Targeted in Extortion Campaign

🔒 A threat actor is automating data-extortion attacks against publicly exposed MongoDB instances, compromising roughly 1,400 servers and leaving ransom notes demanding about 0.005 BTC (~$500). Researchers at Flare found over 208,500 publicly reachable MongoDB servers, with 3,100 allowing access without authentication and nearly half of those already wiped. There is no guarantee that paying ransoms will restore data or provide working keys. Victims are urged to avoid public exposure, enforce strong authentication, apply network controls, and keep instances updated.
read more →
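
The three exposures behind the campaign above (reachable from the internet, no authentication, no transport protection) are all visible in a mongod.conf before any attacker finds the instance. The block below is an added example, not Flare's tooling: it audits a weak configuration beside the corrected one. The two configurations are constructed, and the parser handles only the nested-mapping subset of YAML that mongod.conf uses; the option names net.bindIp, net.bindIpAll, net.tls.mode and security.authorization are real mongod settings.

```python
"""Audit a mongod.conf for the exposures behind the MongoDB extortion campaign.

Added example, not Flare's tooling. Parses the nested-mapping subset of YAML that
mongod.conf uses and reports network exposure, missing authentication and missing
TLS. Sample configurations are constructed; option names are real mongod settings.
"""

WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from every interface
# no security section: anyone who can connect can read and drop databases
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.30.5   # loopback plus the app-tier address only (assumed)
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled        # every client must authenticate and be authorised
"""


def parse_simple_yaml(text):
    """Minimal indentation-based parser: mappings and scalar values only, '#' comments
    stripped. Enough for mongod.conf; not a general YAML parser."""
    root, stack = {}, []
    stack.append((-1, root))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")   # first colon separates key from value
        while indent <= stack[-1][0]:                  # dedent: close nested mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def _get(cfg, *path):
    for p in path:
        if not isinstance(cfg, dict) or p not in cfg:
            return None
        cfg = cfg[p]
    return cfg


def audit_mongod_conf(text):
    """Return a list of (code, message) findings; an empty list means no issue found."""
    cfg = parse_simple_yaml(text)
    findings = []
    bind = _get(cfg, "net", "bindIp") or "127.0.0.1"        # mongod defaults to localhost only
    bind_all = str(_get(cfg, "net", "bindIpAll") or "false").lower() == "true"
    if bind_all or any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append(("EXPOSED", f"net.bindIp={bind!r} bindIpAll={bind_all}: listens on all interfaces"))
    if str(_get(cfg, "security", "authorization") or "disabled").lower() != "enabled":
        findings.append(("NO_AUTH", "security.authorization is not 'enabled': unauthenticated clients get full access"))
    if _get(cfg, "net", "tls", "mode") != "requireTLS":
        findings.append(("NO_TLS", "net.tls.mode is not 'requireTLS': credentials and data cross the wire in clear"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or "OK")
```

Binding to a specific address is the control that removes the instance from the 208,500 reachable servers the researchers counted; enabling authorization is what stops the automated wipe-and-ransom once a connection does arrive. A firewall rule in front of port 27017 belongs alongside, but it lives outside this file and so outside this check.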

From Cipher to Fear: Psychology of Modern Ransomware

🔐 Modern ransomware has evolved from a technical encryption problem into a psychology-driven extortion industry where stolen data, legal exposure, and reputation risk are the primary levers. Flare's 2025 analysis documents a fragmented, collaborative attacker ecosystem and a shift to pressure-first tactics like public shaming and identity abuse. Security teams must expand playbooks beyond backups to include legal and communications readiness, targeted configuration audits, and prioritized remediation based on active exploit intelligence.
read more →

Ransomware Gangs Use Compliance Violations to Extort

⚠️ Recent analyses show ransomware groups increasingly threaten victims by reporting alleged regulatory breaches to authorities, adding a compliance layer to the familiar double-extortion model. Researchers at Akamai observed this tactic over the past two years, citing groups such as Anubis and RansomHub. Attackers target industries with high compliance risk and use AI to rapidly identify and craft legally framed complaints under GDPR, DORA and tightened SEC rules.
read more →

Kraken Ransomware Benchmarks Hosts to Choose Encryption

🔒 The Kraken ransomware targets Windows and Linux/VMware ESXi hosts and runs on-host benchmarks to decide whether to perform full or partial encryption. Cisco Talos researchers found it creates temporary files, times the encryption of random data, and uses the result to select an encryption mode that maximizes damage while avoiding overloads. Before encrypting it deletes volume shadow copies, stops backup services, appends the .zpsc extension to encrypted files, and drops a readme_you_ws_hacked.txt ransom note. The group continues big-game hunting and data theft for double extortion and has launched a forum called 'The Last Haven Board'.
read more →

Kraken Ransomware: Cross-Platform Big-Game Hunting

🐙 Kraken is a Russian-speaking ransomware group active since February 2025 that conducts double-extortion, big-game hunting campaigns across multiple regions. In a documented intrusion Talos observed, attackers exploited SMB flaws for access, used Cloudflared for persistence, exfiltrated data via SSHFS, then deployed cross-platform encryptors for Windows, Linux and ESXi. The family includes on-host benchmarking to tune encryption, and Talos maps detections and IOCs to Cisco protections to aid response.
read more →
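
The two Kraken entries above list behaviours that are each observable in endpoint telemetry: shadow copy deletion and backup service stops before encryption, the .zpsc extension burst and the ransom note during it, and cloudflared for persistence and SSHFS for exfiltration earlier in the intrusion. The block below is an added example, not Cisco Talos detection content, that scores hosts on how many of those behaviours co-occur, so that one shadow-copy deletion by an administrator stays low severity while the full chain is critical. Event shapes, service-name patterns, thresholds and all sample events are assumptions.

```python
"""Score hosts for Kraken-style encryption-stage and intrusion indicators.

Added example, not Cisco Talos detection content. Rules follow the behaviour in
the two Kraken summaries: volume shadow copy deletion, backup service stops, the
.zpsc extension burst, the readme_you_ws_hacked.txt note, a cloudflared tunnel
and an SSHFS mount. Event shapes, service names, thresholds and the sample events
are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RENAME_BURST_COUNT = 25
RENAME_BURST_WINDOW = timedelta(minutes=2)
RANSOM_EXT = ".zpsc"
RANSOM_NOTE = "readme_you_ws_hacked.txt"

# (rule name, regex applied to the lower-cased command line)
PROCESS_RULES = [
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog")),
    ("backup_service_stop", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*(veeam|backup|acronis|sql)\S*")),
    ("cloudflared_tunnel", re.compile(r"cloudflared(\.exe)?\s+.*tunnel")),
    ("sshfs_mount", re.compile(r"\bsshfs\b")),
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed telemetry: ("process", host, time, command line) or ("file", host, time, path).
EVENTS = [
    ("process", "FS-01", _t("2026-03-10 02:01:00"), "cloudflared.exe tunnel run --token <redacted>"),
    ("process", "FS-01", _t("2026-03-10 02:30:00"), "vssadmin.exe delete shadows /all /quiet"),
    ("process", "FS-01", _t("2026-03-10 02:30:05"), "net stop VeeamBackupSvc /y"),
    ("file", "FS-01", _t("2026-03-10 02:31:00"), r"D:\shares\finance\readme_you_ws_hacked.txt"),
    ("process", "WS-03", _t("2026-03-10 08:00:00"), "vssadmin delete shadows /for=C: /oldest"),  # admin housekeeping
]
# Forty renamed files in forty seconds on FS-01: the encryption burst.
EVENTS += [("file", "FS-01", _t("2026-03-10 02:31:00") + timedelta(seconds=i),
            rf"D:\shares\finance\report_{i}.xlsx{RANSOM_EXT}") for i in range(40)]


def score_hosts(events):
    """Return {host: {"rules": [...], "severity": ...}} for every host that hits a rule."""
    hits, renames = defaultdict(set), defaultdict(list)
    for kind, host, ts, data in events:
        if kind == "process":
            cmd = data.lower()
            for rule, rx in PROCESS_RULES:
                if rx.search(cmd):
                    hits[host].add(rule)
        elif kind == "file":
            name = data.lower().rsplit("\\", 1)[-1]
            if name == RANSOM_NOTE:
                hits[host].add("ransom_note_dropped")
            elif name.endswith(RANSOM_EXT):
                renames[host].append(ts)
    for host, times in renames.items():            # sliding window over rename timestamps
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > RENAME_BURST_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_BURST_COUNT:
                hits[host].add("encryption_extension_burst")
                break
    result = {}
    for host, rules in hits.items():
        severity = "critical" if len(rules) >= 3 else "high" if len(rules) == 2 else "low"
        result[host] = {"rules": sorted(rules), "severity": severity}
    return result


if __name__ == "__main__":
    for host, info in score_hosts(EVENTS).items():
        print(host, info["severity"], ", ".join(info["rules"]))
```

The benchmarking step itself (temporary files and timed encryption of random data) is deliberately not a rule: on its own it looks like any I/O test, and by the time it runs the shadow copies are usually already gone, so the earlier rules are the ones worth paging on. The rename-burst threshold should be tuned to the share's normal churn before it is trusted.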

Ukrainian Extradited from Ireland on Conti Ransomware Charges

🔒 A 43-year-old Ukrainian national, Oleksii Lytvynenko, has been extradited from Ireland to the United States on charges tied to the Conti ransomware operation. U.S. authorities allege he controlled stolen data and participated in sending ransom notes during double-extortion attacks between 2020 and June 2022. Arrested by An Garda Síochána in July 2023, Lytvynenko could face up to 25 years in prison if convicted. Prosecutors say the conspiracy extorted cryptocurrency and targeted victims across multiple jurisdictions.
read more →