< ciso
brief />
Tag Banner

All news with #ransomware gang tag

143 articles

Armenia Detains Russian Tourist on U.S. Extradition Warrant

📰 Armenian authorities have detained a Russian tourist, Aleksandr Ermakov, at Yerevan's Zvartnots airport on June 28 after a U.S. extradition request tied to a REvil/Sodinokibi investigation. His lawyers claim Washington has targeted the wrong man, asserting the detained individual is Aleksandr Yuryevich Ermakov of Omsk, not the sanctioned Aleksandr Gennadievich Ermakov. The U.S. charging documents and an Interpol notice allege extensive ransomware activity, but Armenian officials have not commented publicly.
read more →

Two Scattered Spider Members Sentenced for TfL Hack

🔒 Two leading members of the Scattered Spider collective were sentenced to five years and six months each for the August 2024 breach of Transport for London (TfL). The attack disrupted internal systems, affected services like Dial-a-Ride and contactless ticketing, and rendered 148 systems inoperable. Investigations led to arrests in September 2024, and authorities credited TfL's cooperation with enabling convictions.
read more →

Ryuk Operative Pleads Guilty, Faces 15 Years

🛡️ Karen Serobovich Vardanyan, 34, pleaded guilty to hacking U.S. companies and deploying Ryuk ransomware after being extradited from Kyiv. She provided initial access to corporate networks and helped deploy ransomware between November 2019 and April 2020, leading to large ransom payments including a Michigan firm that paid 200 BTC. Prosecutors say the group collected about 1,610 BTC (≈$15 million then).
read more →

Former negotiator sentenced in BlackCat ransomware case

🔒 A former DigitalMint incident response employee was sentenced to 70 months for participating in BlackCat (ALPHV) ransomware attacks that targeted U.S. organizations. Prosecutors say the group tied to BlackCat conducted over 60 breaches and collected at least $300 million in ransoms. Two other former negotiators received four-year sentences after pleading guilty to related charges. Victims included large financial and nonprofit organizations that paid multi‑million dollar ransoms.
read more →

Alleged Scattered Spider member extradited to U.S.

🔎 A 19-year-old dual US-Estonian citizen, Peter Stokes, was extradited from Finland to the United States to face charges alleging membership in the Scattered Spider hacking collective. He is accused of participating in multiple intrusions and extortion schemes, including a March 2023 breach and a May 2025 attack on a multibillion-dollar retailer that led to over $2 million in losses. Stokes faces charges of fraud, conspiracy, and computer intrusion and has appeared in federal court in Chicago.
read more →

Teen Allegedly Linked to Scattered Spider Extradited

📰 The US Justice Department announced the arrest and extradition of 19-year-old dual US-Estonian citizen Peter Stokes from Finland in April, with charges unsealed on June 30. He faces conspiracy, computer intrusion and fraud counts tied to alleged membership in the Scattered Spider hacking group. Authorities say the group conducted over 100 intrusions, netting $100m+ in ransoms and causing millions in damages. Stokes is accused of targeting a luxury jeweller and attempting an $8m extortion that resulted in $2m+ losses for the firm.
read more →

DOJ Seizes Cloud Account Linked to HuiOne Group

📰 The U.S. Department of Justice announced the seizure of a cloud computing account used by subsidiaries of Cambodia-based HuiOne Group, as the Treasury sanctioned individuals and entities tied to Prince Group. The account hosted backend infrastructure for illicit marketplaces, including HuiOne Guarantee, which facilitated large-scale crypto fraud, money laundering services, and the sale of crimeware and exploitative tools. Authorities say these platforms enabled conversion of stolen cryptocurrency into the legitimate banking sector and supported human trafficking and violent control measures at scam compounds.
read more →

Weekly Recap: Browser Bugs, EDR Killers, FortiBleed

📰 This week’s recap highlights recurring attack patterns: abused integrations, poisoned websites, fake tools, and ransomware groups disabling security products. Notable incidents include the large-scale FortiBleed campaign compromising FortiGate devices, the Gentlemen RaaS developing the GentleKiller EDR-killing suite, and active exploitation of a critical Splunk flaw. Mobile and crypto-related malware campaigns also featured prominently.
read more →

RaaS group equips affiliates with EDR-killing toolkit

🔍 New research from ESET reveals that The Gentlemen ransomware-as-a-service platform now supplies affiliates with an advanced EDR killer framework called GentleKiller, alongside third-party tools like HexKiller, ThrottleBlood and HavocKiller. The leak shows affiliates can deploy bring-your-own vulnerable driver (BYOVD) techniques to gain kernel privileges and disable hundreds of EDR processes across many vendors. ESET warns this lowers the bar for less skilled attackers and urges organizations to enforce protections such as HVCI and KMCI, apply strict driver allow/block policies, and regularly audit drivers.
read more →

Gentlemen RaaS standardizes EDR-killer suite

🛡️ ESET researchers say the Gentlemen ransomware-as-a-service (RaaS) operation supplies affiliates with a standardized suite of EDR killers, centered on a framework named GentleKiller, to disable security tooling prior to encryption. The tooling mimics legitimate security products and leverages abused vulnerable drivers through a BYOVD technique, incorporating third-party killers like HexKiller and ThrottleBlood. The group rapidly operationalizes public proof-of-concept exploits, and ESET also found a Rust-based credential stealer called OxideHarvest in use.
read more →

ESET analysis of Gentlemen’s EDR-killer suite

🔎 ESET researchers detail the EDR-killing toolset used by the ransomware-as-a-service gang Gentlemen, which rose to prominence in early 2026. The group provides affiliates with an operator-maintained suite centered on an in-house framework dubbed GentleKiller plus integrated third-party tools like HexKiller and HavocKiller. A May 2026 internal leak and long-term incident visibility enabled deep linkage between leaked data, actual samples, and the gang’s TTPs.
read more →

Ransomware gang hides C2 traffic via Teams relays

🔒 Symantec warns that DragonForce ransomware used a custom Go-based backdoor, Backdoor.Turn, to hide command-and-control traffic by abusing Microsoft Teams' TURN relay infrastructure. The malware obtains anonymous Teams visitor tokens and tunnels C2 communications through legitimate TURN relays, making malicious traffic appear as normal Teams activity. The campaign, observed in December 2025, also used BYOVD drivers for kernel privileges and extensive post-exploitation tools to exfiltrate data and deploy ransomware.
read more →

Council of Europe Probes ShinyHunters Breach Claims

🔎 The Council of Europe is investigating claims by the ShinyHunters extortion group that it exfiltrated hundreds of thousands of HR and payroll records. The organization, representing 46 member states, said it is assessing the situation and cannot provide further comment. ShinyHunters posted on a dark web leak site, threatening to publish alleged files containing extensive personal and financial data if demands are not met.
read more →

Investigation Identifies Alleged Administrator of The Gentlemen

🔍 Check Point and other cyber intelligence firms have been tracking The Gentlemen, a fast-growing RaaS operation that offers affiliates a 90/10 revenue split and has become the second most active ransomware group by victim count. Researchers link the group’s administrator to the handles Hastalamuerte and Zeta88, and trace forum registrations, email addresses, Telegram IDs, and phone numbers to a likely real-world identity in Izhevsk, Russia. Open-source and breach data suggest the suspect may be Alexander Yapaev, who lists employment at Uralenergo Udmurtia; he did not respond to requests for comment.
read more →

Vendor Sentenced for Selling Drugs on Nemesis Market

🔍 A California man received a 26-year federal prison sentence after trafficking fentanyl and methamphetamine through Nemesis Market. Darren Hughes, 39, was convicted in November 2025 and sentenced on May 26 for operating a dark web store that offered free samples and sold drugs to undercover agents for cryptocurrency. Authorities arrested Hughes on June 28, 2023, seizing 672 grams of methamphetamine and a loaded ghost gun during his arrest. The case was part of a broader international investigation that took down Nemesis Market in March 2024.
read more →

Lessons from the Canvas LMS cyberattack

🔒 Over May 6–7, 2026, Canvas LMS users encountered a defaced login page claiming a ShinyHunters extortion of Instructure, alleging theft of 3.65TB of data affecting about 275 million students, faculty, and staff across nearly 9,000 institutions. Instructure identified an exploited support-ticket vulnerability in its Free for Teacher environment and temporarily disabled that service while investigating. The incident disrupted finals and highlighted risks from centralized SaaS platforms, third-party dependencies, communications breakdowns and the evolving economics of extortion.
read more →

7-Eleven Confirms Data Breach Claimed by ShinyHunters

🔒 7-Eleven disclosed that an unauthorized party accessed systems used to store franchisee documents on April 8, 2026, and began notifying affected individuals on May 1. The company has not provided details on the number of affected people or specific data types exposed. The extortion group ShinyHunters claimed responsibility on April 17, alleging the theft of over 600,000 records from the company's Salesforce environment and later leaking a 9.4GB archive after ransom talks failed. 7-Eleven said it launched an investigation but has not commented further.
read more →

INTERPOL Operation Ramz: 200+ Arrests and 53 Servers Seized

🔒 INTERPOL's Operation Ramz led to more than 200 arrests and the seizure of 53 servers used for phishing, malware, and online fraud, affecting at least 3,867 confirmed victims from nearly 8,000 intelligence packages. Authorities identified another 382 suspects across 13 MENA countries. INTERPOL partnered with private firms including Kaspersky, Group-IB, The Shadowserver Foundation, Team Cymru, and TrendAI to track malicious infrastructure. The operation disrupted phishing-as-a-service platforms, dismantled investment scam rings, and disabled malware-infected servers.
read more →

Gentlemen RaaS Leak Reveals Modern Ransomware Risk

🔍 Check Point Research details a May 2026 compromise of The Gentlemen's backend that exposed chat logs, rosters, negotiation transcripts and tooling discussions. The leak shows a compact operation of roughly nine operators centered on a single administrator (zeta88 / hastalamuerte) who built the RaaS panel with AI coding assistants and participated in attacks. Initial access is mostly via unpatched edge devices or purchased credentials, and chain-victimization was observed. Check Point has notified law enforcement.
read more →

ShinyHunters Escalates Canvas Extortion Against Schools

🔒 A ShinyHunters “pay or leak” extortion campaign has targeted the education sector after the compromise of Instructure, operator of the Canvas LMS. The April 25 breach reportedly exposed around 275 million records and more than 3.65 TB of data via a vulnerability in the Free‑For‑Teacher Canvas version. After an initial ransom demand and a May 8 deadline, the group extended its timeline and began school‑by‑school extortion, defacing roughly 330 institutional login pages. Affected organizations are urged to change Canvas‑related passwords, enable multi‑factor authentication and heighten phishing awareness.
read more →