<ciso brief />

All news with #ransomware tag

419 articles

Majority of CISOs Would Pay Ransom, Survey Finds

🔒 A survey of 750 CISOs in the US and UK found 58% said their organization would be willing to pay a ransom to end a ransomware incident. Experts and law enforcement advise against paying, citing encouragement of attackers and no guarantee of data recovery, but real-world evidence shows many firms still pay. Industry sources report incomplete decryption and credential exposure even after payment, while robust backups remain the best mitigation.

Global takedown of criminal VPN service First VPN

🔎 Authorities across Europe and North America announced a coordinated operation that dismantled First VPN, a criminal virtual private network service used to obscure ransomware, data theft, scanning, and DDoS activity. Led by France and the Netherlands with support from many countries and agencies since December 2021, investigators executed concurrent actions in May 2026, seizing servers, domains, and infrastructure while interviewing the service administrator. Europol and the FBI say First VPN marketed anonymity to cybercriminals on Russian-language forums, offered multiple protocols and payment methods, and provided exit nodes across 27 countries used by at least 25 ransomware groups.

European takedown targets VPN linked to crime

🛡️ European investigators dismantled First VPN in a joint operation led by France and the Netherlands, assisted by Europol and Eurojust. The service, widely promoted in Russia, was used by criminals for ransomware, fraud, and data theft to conceal identities and infrastructure. While the takedown is seen as warranted, experts warn that broad restrictions on VPNs risk harming legitimate privacy and business uses and could face legal challenges.

Microsoft Disrupts Malware-Signing-as-a-Service Operation

🔒 Microsoft says it disrupted a malware-signing-as-a-service operation, codenamed OpFauxSign, that abused Artifact Signing to produce short-lived fraudulent code-signing certificates and deliver signed malware. The company seized the SignSpace site signspace[.]cloud, took hundreds of virtual machines offline, and blocked hosting for the underlying code. Operators tied to the group, called Fox Tempest, sold signing services for $5,000–$9,000 and facilitated distribution of Rhysida ransomware and loaders like Oyster. Microsoft added the actor likely used stolen U.S. and Canadian identities to pass verification and repeatedly adapted its tradecraft as defenders revoked certificates.

FBI Issues Advisory After ShinyHunters Breach of Canvas LMS

⚠️ The FBI's IC3 issued an advisory on 15 May 2026 about the ShinyHunters extortion gang breaching an online learning management system used by US educational institutions. Although the advisory avoided naming the vendor, reporting and Instructure's confirmation made clear Canvas was affected and the company reportedly paid a ransom after receiving alleged 'shred logs'. The FBI warns victims not to engage with extortionists and advises them to enable multi‑factor authentication and remain vigilant against phishing, harassment, and swatting; students and staff should assume their data may be exposed and await official guidance.

DACH Threats 2025: Hacktivism and Ransomware Surge

🔍 Check Point found a 124% rise in hacktivism and ransomware across Germany, Austria, and Switzerland in 2025, with Germany accounting for roughly 82% of incidents. Defacement and DDoS drove the volume—66% of events—while ransomware comprised nearly 30%, led by Akira, Qilin, and Safepay. The report highlights identity weaknesses, exposed remote services, and insufficient patching as primary enablers, and recommends MFA, patch discipline, credential monitoring, and reduced public attack surface.

Ransomware 3.0: Economics and Strategic Response in Business

🔒 Ransomware 3.0 has evolved from simple encryption to coordinated, multi-stage extortion campaigns that target operations, stolen data and public pressure. Attackers now deploy triple extortion—encryption, data exfiltration and public shaming—to maximize leverage. The insurance market is narrowing coverage with sublimits and exclusions, so organisations must pair policies with robust technical defences and rehearsed incident response aligned to NIST CSF. Boards should treat insurance as residual risk transfer, not a primary recovery plan.

Ransomware Escalates: Rising Risk of Physical Threats

🔒 Ransomware campaigns are increasingly paired with explicit threats of physical harm, with a Semperis study finding that 40% of incidents involved intimidation (46% in the US). Reported tactics include threatening notes left at homes, phone calls reciting staff addresses and identity details, and extortionists recruiting local actors to carry out violence. The FBI and vendors warn of a growing pattern — described as violence-as-a-service — and advise organisations to treat employee data as critically sensitive and update incident response plans to manage physical-threat scenarios.

West Pharmaceutical hit by cyberattack; data stolen

🔒 West Pharmaceutical Services disclosed a cyberattack detected on May 4, 2026, that resulted in data exfiltration and encryption of certain systems. The company took affected infrastructure offline globally for containment, notified law enforcement, and engaged external responders including Palo Alto Networks Unit 42. Core enterprise systems supporting shipping and manufacturing have been partially restored, but full recovery and the scope of stolen data remain under investigation.

MSPs Must Rethink Security and Recovery for Resilience

🔒 Tomorrow at 2:00 PM ET, BleepingComputer will host a live webinar titled "From phishing to fallout: Why MSPs must rethink both security and recovery," with Austin O'Saben and Adam Marget of Kaseya. The session explains why prevention alone is insufficient as AI-driven phishing, ransomware, SaaS abuse and BEC evolve faster than many defenses. It will show how attackers exploit trusted infrastructure and why organizations must combine security, backups and rapid recovery. Attendees will learn practical steps to reduce downtime and disruption.

Gentlemen RaaS Leak Reveals Modern Ransomware Risk

🔍 Check Point Research details a May 2026 compromise of The Gentlemen's backend that exposed chat logs, rosters, negotiation transcripts and tooling discussions. The leak shows a compact operation of roughly nine operators centered on a single administrator (zeta88 / hastalamuerte) who built the RaaS panel with AI coding assistants and participated in attacks. Initial access is mostly via unpatched edge devices or purchased credentials, and chain-victimization was observed. Check Point has notified law enforcement.

Foxconn Confirms Cyberattack at North American Sites

🔒 Foxconn confirmed a cyberattack affected some of its North American factories and says impacted sites are resuming normal production. The company said its cybersecurity team activated response measures to maintain continuity of operations and deliveries. Nitrogen ransomware operators claimed 8 TB of data and over 11 million documents were stolen, allegedly including files from Apple, Nvidia, Intel and Google. Foxconn has faced prior ransomware incidents.

Most CISOs Would Consider Paying Ransoms to Recover

🔒 A new report from Absolute Security finds that 58% of CISOs would realistically consider paying a ransom to restore systems after a ransomware attack. US respondents were likelier to consider payment (63%) than UK peers (47%), with legal guidance, GDPR and doubts over recovery cited as reasons. Operational downtime was viewed as the most damaging impact. The report warns organizations to invest in resilience, infrastructure and governance to reduce reliance on ransom payments.

April 2026 Cyber Threats Spike: Ransomware and GenAI Risks

📈 April 2026 saw a sharp rebound in global cyber activity, with organizations averaging 2,201 weekly attacks — a 10% month‑over‑month rise and 8% year‑over‑year. Check Point Research attributes the surge to automation, expanded cloud and GenAI exposures and attackers exploiting larger digital footprints. Education, Government and Telecommunications were among the hardest hit. Ransomware incidents and GenAI data leakage risks intensified across regions.

Instructure Pays Ransom After Canvas Data Breach Fallout

🔒 Instructure said it reached an agreement with an unauthorized actor after a breach that exposed data from its Canvas learning platform, asserting the stolen data was returned and digitally destroyed. The company said the agreement covers all impacted customers and that it believes no customers will be separately extorted. It has engaged forensic vendors, revoked credentials, rotated keys, and temporarily disabled Free‑For‑Teacher accounts while it completes its review.

Q1 2026 Ransomware: Fewer Groups, Greater Risk Worldwide

🔒 Check Point Research's Q1 2026 report finds ransomware volume near historic highs while activity consolidates around a smaller set of dominant groups. The top 10 operators now claim 71% of victims, led by Qilin, The Gentlemen, and LockBit. Consolidation raises individual incident impact and shifts attacker geography and target patterns. Defenders should prioritize prevention, exposure management, and network/cloud access controls to limit exploitation.

Canvas Breach and Extortion Disrupts US Schools Nationwide

🔒 Instructure's Canvas platform was taken offline on May 7 after the cybercrime group ShinyHunters defaced login pages and posted a ransom demand claiming to hold data on 275 million students and faculty at nearly 9,000 institutions. Instructure had acknowledged a breach on May 6, saying the stolen records include names, email addresses, student ID numbers and user messages but not passwords or financial information. The outage, timed during many institutions' final exams, disrupted coursework while schools and the vendor evaluated exposure and potential extortion responses.

Webinar: Why MSPs Must Rethink Security and Recovery

🔒 On May 14, 2026 at 2:00 PM ET, BleepingComputer will host a live webinar titled "From phishing to fallout: Why MSPs must rethink both security and recovery," with Austin O'Saben and Adam Marget of Kaseya. The session examines how AI-driven phishing, business email compromise, ransomware, and SaaS compromise are reshaping the threat landscape for managed service providers. Attendees will learn why prevention and recovery must operate together and how SaaS backups and a formal BCDR plan can reduce downtime and data loss.

ThreatsDay: Stealers, AI-Powered Exploits, and Patching

⚠️ ThreatsDay reports a mix of blunt‑force commodity attacks and high‑impact technical flaws this week. A new MicroStealer campaign is targeting education and telecom organizations, exfiltrating browser credentials, active sessions and wallets via Discord webhooks and attacker servers. Researchers disclosed critical ICS and MOVEit vulnerabilities while analysis shows the VECT 2.0 ransomware encryptor is broken. Browsers and AI are accelerating risk vectors — patch and verify installs urgently.

Why Ransomware Succeeds Even When Backups Exist: Fixes

🔒 Modern ransomware campaigns routinely target backup infrastructure before launching encryption, leaving organizations without viable recovery despite having backups. The article details an attack sequence — initial access, credential theft, lateral movement, backup discovery and destruction, then encryption — and identifies recurring failures like weak isolation, overprivileged credentials, lack of immutability, and untested restores. It recommends identity separation, network segmentation, immutable storage, continuous monitoring, and regular recovery testing, and highlights Acronis Cyber Platform as an integrated example that combines backup, immutability, and threat detection to reduce complexity and improve resilience.