All news with #ransomware tag

Turn Windows 11 Migration into a Security Opportunity

🔒 Organizations should treat the Windows 11 migration as a strategic security opportunity rather than a routine OS update. While some users resist moving from Windows 10 or explore alternatives like Linux or legacy releases, those choices can introduce operational headaches and security gaps, especially as Microsoft phases out support. Use the transition to validate backups, recovery objectives, and patch posture to reduce exposure to unpatched vulnerabilities that increasingly target MSPs and their clients.

CISA Issues Guidance to Combat Bulletproof Hosting Abuse

🔒 CISA, together with US and international partners, has published a joint guide addressing bulletproof hosting (BPH) services that enable ransomware, phishing, malware delivery and other attacks. The guidance explains how BPH providers lease or resell infrastructure to criminals, enabling fast-flux operations, command-and-control activity and data extortion while evading takedowns. It recommends concrete defensive actions — including curating a high confidence list of malicious internet resources, continuous traffic analysis, automated blocklist reviews, network-edge filters, threat intelligence sharing and feedback processes — to help ISPs and network defenders reduce abuse while limiting collateral impact.

ThreatsDay: 0-Days, LinkedIn Spying, IoT Flaws, Crypto

🛡️ This week's ThreatsDay Bulletin highlights a surge in espionage, zero-day exploits, and organized crypto laundering across multiple countries. MI5 warned that Chinese operatives are using LinkedIn profiles and fake recruiters to target lawmakers and staff, while researchers disclosed critical flaws like a pre-auth RCE in Oracle Identity Manager and a resource-exhaustion bug in the Shelly Pro 4PM relay. The bulletin also details malicious browser extensions, new macOS stealer NovaStealer, high-profile arrests and sanctions, and continued pressure on crypto-mixing services. Patch, update, and verify identities to reduce exposure.

Technician Sentenced Over Secret Crypto Mining at Wind Farms

🔒 A technical manager at Dutch wind operator Nordex was sentenced to 120 hours of community service after installing three cryptocurrency mining rigs and two Helium network nodes on the company's internal network between August and November 2022. The rigs were plugged into a substation router and hotspots placed inside turbines at two sites while the firm was recovering from a Conti ransomware attack. He must pay €4,155.65 to Nordex and an equal sum to the state, highlighting the risks of privileged insider access.

UK, US and Allies Sanction Russian Bulletproof Hosters

🔒 Western allies have announced coordinated sanctions targeting three bulletproof hosting providers — Media Land, ML.Cloud and Aeza Group — and four associated Russian executives, including Alexander Volosovik (aka Yalishanda). The measures, backed by the UK, US and Australia, also named UK-registered front Hypercore and aim to seize assets and cut access to legitimate banking channels. Authorities say the hosts supported numerous ransomware and infostealer operations, and Five Eyes nations published guidance to help ISPs and defenders mitigate malicious activity enabled by such services.

Smashing Security Ep 444: Honest Breach and Hotel Phish

📰 In episode 444 of the Smashing Security podcast Graham Cluley and guest Tricia Howard examine a refreshingly candid breach response where a company apologised and redirected a ransom payment to cybersecurity research, illustrating how legacy systems can still magnify risk. They unpack a sophisticated hotel-booking malware campaign that abuses trust in apps and CAPTCHAs to deliver PureRAT. The hosts also discuss the rise of autonomous pen testing, AI-turbocharged cybercrime, and practical questions CISOs should be asking on Monday morning, with a featured interview featuring Snehal Antani from Horizon3.ai.

US, UK, Australia Sanction Russian Bulletproof Hosts

🔒 The US, UK, and Australia have sanctioned Russian bulletproof hosting provider Media Land and related companies for supporting ransomware gangs such as LockBit, BlackSuit, and Play. Three executives were also designated and assets frozen, while clients and facilitators face secondary sanctions. Five Eyes agencies issued guidance for ISPs to detect and block BPH-enabled abuse.

Hidden Risks in DevOps Stacks and Data Protection Strategies

🔒 DevOps platforms like GitHub, GitLab, Bitbucket, and Azure DevOps accelerate development but also introduce data risks from misconfigurations, exposed credentials, and service outages. Under the SaaS shared responsibility model, customers retain liability for protecting repository data and must enforce MFA, RBAC, and tested backups. Third-party immutable backups and left-shifted security practices are recommended to mitigate ransomware, insider threats, and accidental deletions.

ShinySp1d3r RaaS Emerges - New Encryptor by ShinyHunters

🕷️ An in-development build of the ShinySp1d3r ransomware-as-a-service has surfaced, revealing a Windows encryptor developed by threat actors linked to ShinyHunters and affiliates. The sample shows ChaCha20 file encryption with RSA-2048 key protection, per-file headers beginning with "SPDR" and ending with "ENDS", and automated propagation methods via SCM, WMI, and GPO. The build includes process-killing, EtwEventWrite hooking, free-space overwriting, shadow-copy deletion, anti-analysis measures, and deploys a ransom note (R3ADME_1Vks5fYe.txt) plus a wallpaper; Linux and ESXi versions are reportedly in progress.

CISA Guide: Mitigating Risks from Bulletproof Hosting

🛡️ CISA, with NSA, DoD CyCC, FBI and international partners, released Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers to help ISPs and network defenders disrupt abuse by bulletproof hosting (BPH) providers. The guide defines BPH as providers who knowingly lease infrastructure to cybercriminals and outlines practical measures — including curated malicious resource lists, targeted filters, traffic analysis, ASN/IP logging, and intelligence sharing — to reduce malicious activity while minimizing disruption to legitimate users.

CISA Releases Guide to Combat Bulletproof Hosting Abuse

🔒 CISA, working with U.S. and international partners, published Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers to provide ISPs and network defenders with practical guidance to identify, disrupt, and mitigate abuse of bulletproof hosting. Bulletproof hosting enables obfuscation, command-and-control, malware delivery, phishing, and hosting of illicit content that supports ransomware, extortion, and DoS campaigns. The guide recommends traffic analysis, curated high-confidence malicious resource lists with automated reviews, customer notifications and filters, and standards for ISP accountability to reduce BPH effectiveness and strengthen network resilience.

Application Containment and Ringfencing for Zero Trust

🔒 Ringfencing, or granular application containment, enforces least privilege for authorized software by restricting file, registry, network, and interprocess access. It complements allowlisting by preventing misuse of trusted tools that attackers commonly weaponize, such as scripting engines and archivers. Effective rollout uses a monitoring agent, simulated denies, and phased enforcement to minimize operational disruption. Properly applied, containment reduces lateral movement, blocks mass exfiltration and ransomware encryption while preserving business workflows.

Hijacked VPN Credentials Drive Half of Ransomware Access

🔐 Beazley's Q3 2025 analysis shows ransomware activity rose, with three groups — Akira, Qilin and INC Ransomware — responsible for 65% of leak posts and an 11% increase in leaks versus the prior quarter. Initial access increasingly relied on valid VPN credentials (48% of incidents, up from 38%), with external service exploits accounting for 23%. The report highlights an Akira campaign abusing SonicWall SSLVPNs via credential stuffing where MFA and lockout controls were absent, and warns that stolen credentials and new infostealer variants like Rhadamanthys are fuelling the underground market. Beazley urges adoption of comprehensive MFA, conditional access and continuous vulnerability management to mitigate risk.

Fake CAPTCHA Leads to 42-Day Akira Ransomware Compromise

🔒 An employee clicking a fake CAPTCHA (a ClickFix social-engineering lure) on a compromised car dealership site began a 42-day intrusion by Howling Scorpius that delivered the .NET remote access Trojan SectopRAT and ultimately Akira ransomware. Two enterprise EDRs recorded activity but produced few alerts, enabling lateral movement, privilege escalation and the exfiltration of roughly 1 TB. Unit 42 deployed Cortex XSIAM, rebuilt hardened infrastructure, tightened IAM controls and negotiated about a 68% reduction in the ransom demand.

Checkout.com Apologizes After Breach, Donates Ransom

🔒 Checkout.com publicly disclosed a breach after the ShinyHunters group accessed data from a legacy third‑party cloud storage system used prior to 2020, and issued an apology taking responsibility for the error. The company said fewer than 25% of current merchants were affected, confirmed no payment card data was taken, and refused the ransom demand. Instead of paying, it donated the ransom amount to Carnegie Mellon University and the University of Oxford Security Center to support research into cybercrime.

AWS Backup releases low-cost warm storage for S3 backups

🚀 AWS Backup introduces a low-cost warm storage tier for Amazon S3 backups that can cut storage costs by up to 30%. After S3 backup data resides in a vault for 60 days (configurable to a longer period), you can automatically move it to the new tier while preserving the same performance and features, including ransomware protection, recovery, and auditing. Automatic tiering can be enabled at the account, vault, or bucket level and is available in all Regions where AWS Backup for S3 is offered; a one-time transition fee applies.

Defeating BLOCKADE SPIDER: Stopping Cross-Domain Attacks

🔒 CrowdStrike describes how OverWatch detected and disrupted BLOCKADE SPIDER, a financially motivated eCrime group that has used cross-domain techniques since at least April 2024 to access unmanaged systems, dump credentials, and deploy Embargo ransomware. By correlating endpoint, identity, and cloud telemetry in Falcon Next-Gen SIEM and Falcon Identity Threat Protection, analysts traced a compromised VPN service account and observed MFA bypass and AD manipulation. The account underscores the value of unified visibility to stop lateral movement and protect critical assets.

Dutch Police Seize 250 Servers Used by Bulletproof Hosting

🛑 Dutch police seized around 250 physical servers and thousands of virtual machines tied to a bulletproof hosting service that allegedly catered exclusively to cybercriminals. Authorities say the infrastructure has been used since 2022 in more than 80 investigations and facilitated ransomware, botnets, phishing, and distribution of child abuse content. Investigators will perform forensic analysis on the seized systems to identify operators and clients. No arrests have been announced; the provider CrazyRDP has reportedly gone offline after the action.

Kraken Uses Benchmarking to Optimize Ransomware Attacks

🔒 Cisco Talos reported August 2025 activity by Kraken, a Russian‑speaking ransomware operation linked to the remnants of HelloKitty. The group exploits SMB flaws for initial access, uses Cloudflare for persistence and SSHFS to exfiltrate data, then deploys cross‑platform encryptors across Windows, Linux and VMware ESXi. Notably, Kraken benchmarks victim machines to tune encryption speed and reduce detection and instability. Victims span multiple countries and attackers operate a new leak forum called Last Haven Board.

Pennsylvania AG Data Breach After INC Ransom Attack

🔒 The Pennsylvania Office of the Attorney General (OAG) confirmed that files containing personal and medical information were accessed during an August 9 ransomware attack and that the office refused to pay the ransom. The incident encrypted systems and disrupted the OAG website, employee email accounts, and landline phones. Researcher Kevin Beaumont identified public-facing Citrix NetScaler appliances vulnerable to CVE-2025-5777 (Citrix Bleed 2) that may have been exploited. The threat actor INC Ransom later claimed responsibility and posted about 5.7TB of alleged stolen data.