<ciso brief />

All news with #ransomware gang tag

127 articles

7-Eleven Confirms Data Breach Claimed by ShinyHunters

🔒 7-Eleven disclosed that an unauthorized party accessed systems used to store franchisee documents on April 8, 2026, and began notifying affected individuals on May 1. The company has not provided details on the number of affected people or specific data types exposed. The extortion group ShinyHunters claimed responsibility on April 17, alleging the theft of over 600,000 records from the company's Salesforce environment and later leaking a 9.4GB archive after ransom talks failed. 7-Eleven said it launched an investigation but has not commented further.

INTERPOL Operation Ramz: 200+ Arrests and 53 Servers Seized

🔒 INTERPOL's Operation Ramz led to more than 200 arrests and the seizure of 53 servers used for phishing, malware, and online fraud, affecting at least 3,867 confirmed victims from nearly 8,000 intelligence packages. Authorities identified another 382 suspects across 13 MENA countries. INTERPOL partnered with private firms including Kaspersky, Group-IB, The Shadowserver Foundation, Team Cymru, and TrendAI to track malicious infrastructure. The operation disrupted phishing-as-a-service platforms, dismantled investment scam rings, and disabled malware-infected servers.

Gentlemen RaaS Leak Reveals Modern Ransomware Risk

🔍 Check Point Research details a May 2026 compromise of The Gentlemen's backend that exposed chat logs, rosters, negotiation transcripts and tooling discussions. The leak shows a compact operation of roughly nine operators centered on a single administrator (zeta88 / hastalamuerte) who built the RaaS panel with AI coding assistants and participated in attacks. Initial access is mostly via unpatched edge devices or purchased credentials, and chain-victimization was observed. Check Point has notified law enforcement.

ShinyHunters Escalates Canvas Extortion Against Schools

🔒 A ShinyHunters “pay or leak” extortion campaign has targeted the education sector after the compromise of Instructure, operator of the Canvas LMS. The April 25 breach reportedly exposed around 275 million records and more than 3.65 TB of data via a vulnerability in the Free‑For‑Teacher Canvas version. After an initial ransom demand and a May 8 deadline, the group extended its timeline and began school‑by‑school extortion, defacing roughly 330 institutional login pages. Affected organizations are urged to change Canvas‑related passwords, enable multi‑factor authentication and heighten phishing awareness.

Police Shut Relaunched Crimenetwork Dark Web Market

🔒 Spanish and German authorities have shut down a relaunch of Crimenetwork, arresting a 35-year-old German national in Mallorca after coordination with the Frankfurt prosecutors and the BKA. The rebuilt marketplace attracted over 22,000 users and 100+ vendors, trading stolen data, narcotics and forged documents while generating more than €3.6m in revenue. Police seized €194,000 and user transaction data to support further investigations.

Karakurt Negotiator Sentenced to 8.5 Years in U.S. Prison

🔒 Deniss Zolotarjovs, a Latvian national extradited to the United States, was sentenced to 8.5 years after pleading guilty to conspiracy to commit wire fraud and money laundering for his role as a negotiator in the Karakurt extortion operation. Prosecutors say he handled "cold case" extortions, researching targets and using stolen personal and health data to pressure victims. He is the first Karakurt member sentenced in the U.S.

Global Crackdown: 276 Arrested, $701M Seized, 9 Centers

🔒 A coordinated international operation led by Dubai Police alongside the FBI and China's Ministry of Public Security arrested 276 suspects, shut nine crypto scam centers, and restrained more than $701 million in cryptocurrency tied to investment fraud. The schemes employed pig butchering and romance-baiting lures and relied on trafficked workers forced to run scam compounds. Authorities seized hundreds of fraudulent domains and a Telegram recruitment channel, sanctioned Cambodian actors, flagged an Android Malware-as-a-Service, and credited Operation Level Up with notifying nearly 9,000 victims and saving about $562 million.

Ransomware Turf War Between 0APT and KryBit Groups

🛡️ Halcyon reports a public feud between 0APT and newcomer KryBit after the rivals leaked each other's operational data online. 0APT initially published KryBit's administrator panel, operator details, affiliate information and victim negotiation files, prompting KryBit to retaliate by stealing and releasing 0APT's access logs, PHP source code and system files. The exchanges exposed fabricated victim claims and insecure infrastructure practices, and forced both groups to consider rebuilding, rebranding and rotating infrastructure to remain viable.

French police arrest HexDex for about 100 data breaches

🔒 French authorities have arrested a 21-year-old who used the alias 'HexDex', suspected of carrying out around 100 data breaches since late 2025. Prosecutors say he was preparing another data dump when detained and has been charged with six offences, including aggravating factors for organised gang activity. Alleged victims include the Ministry of National Education, where the Compas trainee-teacher system exposed roughly 243,000 employee records, as well as registries, unions, cultural institutions, sports federations, food banks and hotel chains. Stolen files were redistributed on criminal marketplaces; his account page now displays a message saying it was seized.

BlackFile extortion gang targets retail and hospitality

📞 BlackFile, a financially motivated extortion group active since February 2026, is using vishing and spoofed VoIP/CNAM calls to impersonate IT support and harvest employee credentials and one-time passcodes. Palo Alto Networks' Unit 42 and RH-ISAC report attackers register devices to bypass multifactor authentication, escalate to executive accounts, and search Salesforce and SharePoint via APIs for files containing terms like 'confidential' and 'SSN'. Stolen data is moved to attacker-controlled infrastructure and published on a dark web leak site before seven-figure ransom demands are issued; victims have also faced swatting and targeted harassment. Organizations are advised to tighten call-handling policies, enforce caller identity verification, and conduct simulation-based social engineering training.

Former Ransomware Negotiator Pleads Guilty Over Collusion

🔒 Angelo Martino, a 41-year-old former ransomware negotiator, has pleaded guilty to conspiring with the BlackCat (ALPHV) ransomware group after secretly supplying negotiation and insurance details from clients to the gang. While working for incident response firm DigitalMint, he passed policy limits and internal positions to maximize extortion profits and was paid for the information. He also admitted collaborating with associates to deploy ransomware between April and November 2023, and authorities have seized about $10m in assets; he faces up to 20 years and will be sentenced on July 9.

Former Ransomware Negotiator Pleads Guilty in ALPHV Attacks

🔒 41-year-old Angelo Martino, a former negotiator at DigitalMint, pleaded guilty to participating in BlackCat (ALPHV) ransomware operations that targeted U.S. companies in 2023. Prosecutors say Martino shared confidential victim negotiation positions and insurance limits with the operators, enabling larger extortion demands, and worked with accomplices Ryan Goldberg and Kevin Martin. The trio operated as affiliates, paying administrators a 20% cut, and targeted at least five U.S. organizations, including firms and nonprofits that paid multimillion-dollar ransoms. DigitalMint condemned the conduct and said the employees were fired when the activity was discovered.

The Gentlemen Ransomware: Rapid Rise and Widespread Impact

🔒 Check Point Research reports that the Gentlemen ransomware-as-a-service operation has claimed over 320 victims since mid-2025, including 240 incidents in 2026, while access to a live C2 server revealed a botnet of more than 1,570 likely corporate victims. The group targets internet-facing devices (VPNs, firewalls) and can encrypt entire networks within hours, focusing on manufacturing, technology and an increasing number of healthcare organizations. Organizations should prioritize patching, MFA, segmentation, proactive detection, and reliable offline backups to reduce exposure.

Ransomware as Industry: The Business Behind Attacks

🔐 The article argues that modern ransomware operates like an industry, with affiliates, suppliers, marketplaces and subscription services coordinating long before a ransom note appears. It cites the March 2024 Change Healthcare incident and disputes between affiliates and operators to illustrate franchise dynamics. It details technical enablers such as BYOVD EDR killers and emerging AI-assisted tooling, and urges defenders to map actors, tools and supply‑chain exposure rather than treat incidents as isolated break‑ins.

German police identify GandCrab leader on Europol list

🔍 German authorities have identified the operator of the notorious GandCrab ransomware as Daniil Shchukin, who used the aliases UNKN and Unknown and is believed to have led the GandCrab/REvil group. Europol has added Shchukin and an associate, Anatoly Kravchuk, to its most-wanted list amid allegations of organized and commercial extortion dating to 2019. German police say Shchukin is accused in 130 cases, with €1.9 million paid in 25 incidents and total economic damage estimated at €35.4 million; both suspects are believed to be in Russia but could be operating in other countries.

The Industrialization of Cybercrime and Its Costs Worldwide

🔒 In the latest episode of Brass Tacks: Talking Cybersecurity, Joe Robertson interviews Jürgen Stock, former INTERPOL secretary general, about how cybercrime has matured into a scalable, low‑risk, high‑profit industry. They outline an underground economy of specialized services—malware creation, access brokerage, extortion, laundering—often sold with support and guarantees. Stock warns that individuals, businesses, and critical infrastructure are all at risk, and that disciplined cyber hygiene, preparedness, and public–private cooperation remain the most effective defenses.

German Police Identify REvil and GandCrab Ransomware Leaders

🔍 German Federal Police (BKA) have identified two Russian nationals as the leaders of GandCrab and REvil between 2019 and 2021. The suspects — 31‑year‑old Daniil Maksimovich Shchukin (alias UNKN/UNKNOWN) and 43‑year‑old Anatoly Sergeevitsch Kravchuk — are linked to at least 130 extortion cases in Germany. At least 25 victims paid roughly $2.2 million, with total damages estimated above $40 million; authorities believe both are now in Russia and have released identifying images to solicit tips.

German Police Identify Alleged REvil and GandCrab Leaders

🔎 German Federal Police (BKA) say they have identified two Russian nationals as alleged leaders of the GandCrab and REvil ransomware operations active from 2019 to 2021. Authorities attribute at least 130 extortion cases in Germany to the pair, with 25 victims paying roughly $2.2 million and estimated total damages exceeding $40 million. Images, including tattoo photos, have been released and the suspects are listed on the EU Most Wanted portal as authorities seek public tips.

Alleged RedLine Malware Developer Extradited to U.S.

🚨 Hambardzum Minasyan has been extradited to the United States and charged over his alleged role as a principal developer of RedLine, a prolific infostealing malware. Prosecutors say he set up virtual servers, domains and a cryptocurrency account to distribute and monetize the malware and provided customer support to affiliates. The arrest follows the international Operation Magnus seizure of RedLine infrastructure, which yielded a database that aided investigators. Authorities urge organizations and individuals to strengthen cybersecurity and review the Operation Magnus resources to check for exposed credentials.

Manhunt for Suspects in Ransomware Attacks in Germany

🔎 Investigators have launched a worldwide manhunt for two suspects believed to be central figures in ransomware campaigns that hit 130 companies and institutions in Germany between 2019 and 2021. Authorities at the Cybercrime Center of the Karlsruhe Public Prosecutor's Office and the State Criminal Police Office of Baden-Württemberg say the men include an alleged group leader and the suspected programmer of the malware. Victims paid about €1.8 million in 25 cases, with estimated overall damage of around €35 million.