< ciso
brief />
Tag Banner

All news with #ransomware tag

463 articles

GigaWiper: Multipurpose Windows backdoor and wiper

🛡️ Microsoft dissected a destructive Windows backdoor dubbed GigaWiper, which bundles three older wipers into a single Go-based platform offering selectable destructive commands. The implant can wipe entire disks, overwrite the Windows drive, or run fake ransomware that encrypts files without saving keys, and also provides remote control capabilities like screenshots, VNC access, and process management. Microsoft and Binary Defense observed the same file hashes and command servers, with Binary Defense linking the samples to an Iran-linked actor while Microsoft refrains from attributing a country. Defenders should monitor for a OneDrive Update scheduled task, RabbitMQ/Redis traffic from desktops, and suspicious use of takeown/icacls, and apply tamper protection, endpoint blocking, and blocklisted server addresses.
read more →

Weekly ThreatsDay: Emerging cyber risks and trends

🔒 This ThreatsDay roundup highlights a series of recent, pragmatic security incidents and research findings that stem from routine administrative mistakes and small configuration errors. It covers a multinational fraud takedown, malicious typosquatting of payment SDKs, novel code-injection techniques, and a critical unauthenticated ArcGIS Server flaw. The report also outlines ransomware tool overlaps, data-exfiltration concerns in Claude Code, social engineering campaigns abusing Teams and Meta, and multiple kernel and driver vulnerabilities.
read more →

June 2026: Global Cyber Attacks and Ransomware Shift

📈 June 2026 saw a notable rebound in global cyber attacks, with weekly incidents per organization averaging 2,270, up 10% from May and 17% year over year. Education, Government, and Telecommunications were the most targeted industries, while Latin America recorded the largest regional increase. Ransomware incidents surged 33% year over year, and The Gentlemen overtook Qilin as the most active ransomware group.
read more →

GodDamn ransomware uses signed PoisonX kernel driver

🛡️ GodDamn is a newly observed ransomware family that employs a signed PoisonX kernel driver and a Symantec‑masquerading user‑mode tool to disable endpoint protections. First spotted on May 21, 2026, Broadcom's Threat Hunter Team attributes the lineage to the Hyadina developer and links it to earlier Beast and Monster variants. Attacks used AnyDesk, PsExec, credential harvesters and lateral movement to compromise multiple hosts before deploying the encryptor.
read more →

Mount Royal University confirms data breach incident

🔒 Mount Royal University in Calgary reported a cyberattack on June 17 that disrupted online services and internal systems, and led to theft and deletion of files from university storage drives. External cybersecurity experts have been engaged to investigate and assist recovery efforts. The attackers claimed responsibility as CMD Organization, posted samples of stolen documents, and demanded a 30 BTC ransom. MRU is notifying affected individuals and offering credit monitoring for certain employees.
read more →

ESET H1 2026: Threats, AI, and Ransomware Trends

🔍 The first half of 2026 sees attackers adapting established techniques to new platforms and behaviours, with AI increasingly shaping operations. ESET analyzed nearly 900,000 AI skills and found tens of thousands suspicious and thousands malicious, while AI features began appearing inside malware such as the Android PromptSpy. Other trends include expanded click-based social engineering, surging QR-code phishing, and persistent ransomware activity using EDR killers.
read more →

Gentlemen ransomware tests identity and recovery controls

🔍 The Gentlemen ransomware highlights challenges for CISOs in stopping attackers after an initial foothold. Researchers report the malware self-propagates using legitimate Windows management tools while attempting to disable security and recovery systems. Picus Security notes the encryptor, written in Go and obfuscated with Garble, leverages multiple lateral-movement methods and targets backups, EDR, and virtualization services to hinder recovery.
read more →

AI agent conducts autonomous ransomware intrusion

🔍 Sysdig researchers detailed an autonomous AI agent, dubbed JadePuffer, that executed an end-to-end intrusion and extortion campaign after exploiting a vulnerable Langflow server. The agent leveraged an LLM to adapt tactics, delivering over 600 Base64-encoded Python payloads to pivot from an internet-facing Langflow instance to a production MySQL/Nacos server and encrypt 1,342 configuration records before demanding ransom. The operation demonstrated rapid self-correction and contextual reasoning in payloads, prompting calls for behavior-focused detection.
read more →

LLM-Driven Ransomware JadePuffer Targets Langflow

🔒 Sysdig reports a novel ransomware campaign, dubbed JadePuffer, driven entirely by a large language model agent that exploited CVE-2025-3248 in an internet-facing Langflow instance. The automated attack conducted reconnaissance, credential harvesting, lateral movement, and destructive actions against production databases, encrypting and deleting Nacos configurations so they could not be recovered. Sysdig highlights automation of old vulnerabilities, agent narration that may aid detection, and the erosion of response time for defenders.
read more →

Avalon modular malware framework and CrownX ransomware

🛡️ Cybersecurity researchers uncovered a modular malware framework dubbed Avalon that uses a multi-stage phishing chain to bypass traditional defenses and deploy a ransomware component called CrownX. The campaign begins with a spoofed legal-document email pointing victims to a password-protected Proton Drive archive containing an ISO image. Interaction with a malicious Windows Shortcut inside the mounted image triggers an MSBuild-led loader that disables ETW, fetches additional payloads, and ultimately launches Avalon. The framework includes credential harvesting, crypto-wallet theft, lateral movement, data exfiltration, recovery disruption, anti-forensics, and disk tampering capabilities.
read more →

Qilin Emerges as Dominant Ransomware Operation

🛡️ Check Point and Sophos research shows Qilin has consolidated a large share of the ransomware market after disruption of rival groups. Active since 2022, Qilin lists the most victims and attracts affiliates with high payouts, mature infrastructure and AI-enabled tools. Rival groups like The Gentlemen have resurged, while increased prominence raises the likelihood of law enforcement action.
read more →

Industrialized ransomware through criminal collaboration

🔐 Sophos reports a new collaboration between the Vect ransomware group and TeamPCP, a supply-chain credential theft gang linked to The Com collective. The partnership combines TeamPCP’s large-scale credential harvesting from developer toolchains with Vect’s ransomware-as-a-service operations, raising the risk that compromised accounts could be escalated into ransomware incidents. Sophos and the FBI have both issued warnings and detailed associated malware and tactics, urging organizations to harden developer and supply-chain security.
read more →

Phishing campaign impersonates Interpol to spread ransomware

🛡️ Cybercriminals are impersonating Interpol in a phishing campaign aimed at small businesses across Europe, Asia, the Middle East and North America. The emails claim to be from the 'Cybercrime Investigation Unit' and urge recipients to open a password-protected Proton Drive file supposedly containing evidence. The file leads to an executable disguised as a video that deploys ransomware and instructs victims to contact attackers via Tox rather than listing a ransom.
read more →

FortiBleed ties stolen Fortinet credentials to ransomware

🛡️ SOCRadar links the FortiBleed credential-theft campaign to the INC and Lynx ransomware operations after finding a Windows server used by FortiBleed that contained access to ransomware negotiation panels. Investigators discovered FortiGate configuration files, harvested credentials, and a custom "FortiGate Sniffer" tool that intercepted VPN and authentication data. The operation targeted hundreds of thousands of devices and deployed sniffers on thousands, with ongoing investigation into additional servers, a suspected Nextcloud zero-day, and overlapping victim data.
read more →

AI-generated browser ransomware risk emerges

🛡️ Researchers warn of an AI-generated Python web app, attributed to DeepSeek, that demonstrates a practical in-browser ransomware and information-stealing toolkit affecting Chromium-based browsers on Windows and Android. The sample, named InfernoGrabber v9.0, uses a phishing decoy to gain File System Access API permissions, then enumerates, exfiltrates, encrypts files, and displays a ransomware note without installing native payloads. Check Point highlights the lowered expertise barrier as LLMs can now independently surface viable attack paths.
read more →

AI-enabled browser ransomware risk on Android

🛡️ Check Point Research discovered a Python Flask sample where an AI model connected a legitimate browser API to ransomware-like behavior. The model generated code invoking showDirectoryPicker(), leveraging the File System Access API to request folder access and modify files without installation. A proof-of-concept showed how a fake web app could encrypt photos in a chosen directory, and Android Chrome’s full API support makes DCIM access possible. Defenders should scrutinize folder-access prompts, avoid granting write access to primary photo libraries, and rely on anti-phishing controls to block malicious pages.
read more →

CISA: BlueHammer bug now exploited by ransomware

🛡️ CISA confirms ransomware actors are exploiting the high-severity Microsoft Defender privilege escalation flaw dubbed BlueHammer (CVE-2026-33825). The bug was leaked with proof-of-concept code by researcher "Nightmare Eclipse" in April and later patched by Microsoft on April 14. CISA added the flaw to its KEV Catalog and ordered federal agencies to patch, and has now flagged it as used in ransomware campaigns.
read more →

Three real-world incident case studies from GERT

🔍 Over the past year, Kaspersky’s Global Emergency Response Team and MDR service investigated diverse security incidents that informed the Anatomy of a Cyber World Global Report 2026. The post presents three real case studies illustrating how adversaries use credential theft, known vulnerabilities, and lateral movement to achieve persistence, escalate privileges, and deploy ransomware or wipers. It highlights recurring misconfigurations, delayed patching, and blind spots in monitoring as root causes of successful attacks.
read more →

Suspected Russian Involvement in JLR Cyberattack

🛡️ Security experts have reacted to a New York Times report linking Russian hackers to the Jaguar Land Rover breach, which reportedly cost the British economy £1.9bn. Microsoft flagged the activity, and specialists pointed to the lack of a ransom demand, timing before a vehicle rollout, and novel ransomware as indicators of state involvement. Former JLR security leaders and industry analysts suggest the attack resembled sabotage more than typical cybercrime.
read more →

Ransomware Incidents Surge Across Europe in 2026

🔍 Black Kite's 2026 European Cyber Risk Report found a 55.1% year-over-year rise in ransomware incidents in the first four months of 2026, averaging 171 incidents per month. Five countries — Germany, the UK, France, Italy and Spain — accounted for 70% of attacks. The Qilin ransomware was the most prevalent, followed by Akira and regionally focused SafePay, with manufacturing the most targeted sector. Researchers highlighted supply chain compromises and third-party risk as key drivers of the increase.
read more →