CISO Brief

All news with #ransomware gang tag

127 articles · page 3 of 7

New ‘Vect’ RaaS Variant Targets Windows, Linux, ESXi

🔒 Security researchers have identified a new ransomware-as-a-service operation named Vect that began recruiting affiliates in December 2025. According to Halcyon, Vect uses C++-built malware with ChaCha20-Poly1305 AEAD and intermittent (block) encryption to speed disruption, and advertises cross-platform targeting for Windows, Linux and VMware ESXi. Red Piranha notes strong OPSEC including Monero payments, TOX communications and TOR-only infrastructure.

Scattered Lapsus Shiny Hunters: Extortion Tactics Exposed

🔒 A prolific English-language extortion gang calling itself Scattered Lapsus Shiny Hunters (SLSH) combines data theft with coordinated harassment — swatting, DDoS, and call- and email-flooding — to pressure victims into paying. Allison Nixon of Unit 221B and forensic analysis from Mandiant trace recent incidents to early–mid January 2026, when attackers used phone-based phishing to harvest SSO and MFA codes. Nixon warns SLSH is fractious and untrustworthy, and advises organizations that negotiating beyond a firm refusal generally escalates harm and provides attackers information useful for later fraud.

Panera Bread breach affects 5.1M accounts, not 14M customers

🔒 Have I Been Pwned reports that a January 2026 data breach at Panera Bread exposed roughly 5.1 million unique email addresses and associated contact information, rather than 14 million distinct customers as initially claimed. The files, totaling about 760 MB, were published by the ShinyHunters extortion group after an alleged failed ransom attempt. ShinyHunters says it gained access via a Microsoft Entra SSO code as part of a broader vishing campaign targeting SSO providers. Panera has confirmed the incident to authorities and said the data is contact information.

Match Group Breach Exposes Data from Multiple Dating Apps

🔒 Match Group confirmed a security incident after the ShinyHunters group leaked 1.7 GB of compressed files allegedly containing about 10 million records from Hinge, Match, and OkCupid, along with internal documents. The company says it terminated unauthorized access, is working with external experts, and believes a limited amount of user data was exposed with no indication that login credentials, financial information, or private communications were accessed. Match Group is notifying affected individuals as appropriate and continuing its investigation.

FBI Seizes RAMP Ransomware Forum, Disrupting Market

🚨 The FBI has seized the dark-web forum RAMP, replacing its clear- and dark-web sites with law-enforcement seizure banners and redirecting domains to ns1.fbi.seized.gov and ns2.fbi.seized.gov. The banner, attributed to the FBI, DOJ and the US Attorney’s Office for the Southern District of Florida, mocked the forum’s “ransomware allowed” stance. Forum administrator “Stallman” confirmed the takedown and said he will not rebuild. Analysts say the action disrupts low-tier actors, may yield valuable intelligence and will have limited impact on top-tier groups.

Ransomware Data Leaks Surge in Q4 2025 Despite Fewer Groups

🔐 ReliaQuest analysis shows ransomware data leaks rose sharply in Q4 2025, with posts on leak sites up 50% quarter-on-quarter and 40% year-on-year. The researchers found fewer active ransomware groups overall, but top-tier RaaS operators increased their output and speed of execution. Qilin, Akira and Sinobi were the most prolific, with Qilin claiming 450+ victims. ReliaQuest urges stronger controls such as MFA and improved data-exfiltration monitoring to reduce impact.

TA584 Adopts Tsundere Bot to Enable Ransomware Access

🔐 Proofpoint researchers report that prolific initial access broker TA584 has begun using Tsundere Bot alongside the XWorm RAT to gain footholds that could lead to ransomware. The group ramped up activity in late 2025, expanding beyond North America and the UK to target Germany, other European countries and Australia. Their emails leverage aged compromised accounts delivered via SendGrid and Amazon SES, unique geofenced URLs, redirect chains and obfuscated PowerShell that loads payloads in memory to evade static detection.

FBI Seizes RAMP Cybercrime Forum Linked to Ransomware

🔒 The FBI has seized the RAMP cybercrime forum, replacing both its Tor and clearnet sites with an official seizure notice and switching DNS to FBI-controlled name servers. The action potentially grants investigators access to forum records — email addresses, IP logs, private messages and other data — that could identify and lead to arrests of negligent threat actors. RAMP, launched in July 2021 by the actor known as Orange, became a prominent hub for ransomware groups to advertise operations, recruit affiliates, and trade network access.

Cybercrime Inc. 2026: Industrialized Threats for CISOs

🔒 Cybercriminals now operate like businesses—highly specialized, service-oriented, and ROI-driven—using models such as RaaS and initial access brokers to scale attacks. This industrialization, amplified by AI and automation, forces a shift from reactive detection to proactive prevention and identity-first controls. CISOs must prioritize governance, supply-chain resilience, defensive automation, and strategic partnerships to manage risk amid talent and budget shortfalls.

Tudou Guarantee Telegram Operations Shut After Sanctions

🛑 Elliptic reports that Tudou Guarantee, a major marketplace in the Southeast Asia scam economy, is shutting down its Telegram groups after US and UK sanctions tied to the Prince Group. Launched in 2023, the platform is linked to roughly $12bn in crypto transactions and absorbed merchants migrating from Huione Guarantee. While gambling and other non-fraud arms appear to continue, Elliptic notes a sharp drop in central wallet activity after the January 2026 arrest of Prince Group chairman Chen Zhi, and warns displaced actors will likely disperse across other marketplaces.

Ukraine, Germany Seize Evidence in Black Basta Probe

🔎 Ukrainian and German law enforcement raided residences in Lviv and Ivano-Frankivsk on 15 January, seizing digital storage devices and cryptocurrency assets linked to two suspected members of the Black Basta ransomware group. Investigators say the men acted as 'hash crackers,' extracting passwords to escalate access, steal data and deploy ransomware across corporate networks. The operation involved the Ukrainian National Police and Germany's BKA and formed part of a wider international probe coordinated by Europol. Authorities also identified alleged founder Oleg Evgenievich Nefedov, who has been placed on Europol’s EU Most Wanted and Interpol Red Notice lists.

German Authorities Seek Alleged Head of Black Basta Gang

🔎 German federal and Frankfurt internet-crime authorities have issued an arrest warrant for the alleged leader of the Black Basta ransomware group after searching residences in Ukraine and seizing evidence. The gang is accused of compromising networks, stealing sensitive data, encrypting systems and extorting payments from over 100 German victims between March 2022 and February 2025. Authorities say the group obtained more than €20 million in Germany and targeted companies, hospitals and public bodies.

Authorities Identify Black Basta Members, Leader Listed

🚨 Ukrainian and German authorities have identified two Ukrainians allegedly working for the Russia-linked ransomware-as-a-service group Black Basta, while the group's suspected leader, 35-year-old Russian national Oleg Evgenievich Nefedov, has been added to the EU Most Wanted and INTERPOL Red Notice lists. Investigators say the suspects acted as "hash crackers," extracting credentials used to breach corporate networks and deploy ransomware. Searches in Ivano-Frankivsk and Lviv yielded digital storage devices and cryptocurrency assets. Black Basta emerged in April 2022 and is linked to attacks on more than 500 organizations and hundreds of millions in illicit cryptocurrency profits.

Black Basta leader added to Europol and Interpol lists

🚨 German and Ukrainian authorities have identified Oleg Evgenievich Nefedov as the leader of the Black Basta ransomware group and added him to Europol's 'Most Wanted' and Interpol's 'Red Notice' lists. Raids in the Ivano-Frankivsk and Lviv regions targeted two alleged members who specialized in initial access, hash cracking and privilege escalation, and yielded seized digital storage and cryptocurrency assets. Black Basta, linked to the defunct Conti syndicate, has been tied to more than 600 incidents worldwide affecting major organizations.

Microsoft Disrupts RedVDS Cybercrime Subscription Service

🛡️ Microsoft announced on 14 January that it has seized the infrastructure and website of RedVDS, a subscription-based cybercrime platform that rented disposable virtual machines and AI tools to facilitate phishing, business email compromise (BEC) and fraud. The service, available from about $24/month, has been linked to more than $40 million in losses in the US and nearly 190,000 victimised organisations worldwide. Legal partners in the US and the UK, with international law enforcement support, coordinated the takedown.

WhatsApp Worm Deploys Astaroth Banking Trojan in Brazil

📱 Acronis says a campaign named Boto Cor-de-Rosa uses WhatsApp to spread the Astaroth banking trojan in Brazil. Attackers distribute ZIP archives via messages; extracting them runs a Visual Basic Script that downloads additional components and an MSI installer. A Python-based worm module harvests WhatsApp contacts and automatically forwards malicious archives to propagate. A background banking module monitors browsing to harvest credentials, and the malware logs propagation metrics.

Hackers Claim to Disconnect Brightspeed Customers Now

🔒 Brightspeed is investigating claims that the hacking group Crimson Collective obtained personally identifiable information for over one million customers and disrupted connectivity. The group posted a sample of the data on Telegram in early January and later said it had disconnected many users' home internet, although Brightspeed has not confirmed outages or the breach. The purported dataset includes account records, geolocation details, payment histories and masked card data. The ISP is probing the incident while the authenticity and scope of the claims remain unclear.

Brightspeed Probes Alleged Data Theft by Crimson Collective

🔒 Brightspeed is investigating claims that the extortion group Crimson Collective stole sensitive information belonging to more than one million customers. The U.S. broadband provider said it is rigorous in securing networks and is looking into a reported cybersecurity event, promising to keep customers, employees, and authorities informed. Crimson Collective posted on Telegram that the haul includes PII, account and payment details, and appointment/order records, and threatened to publish a sample to force a response.

Two Plead Guilty to Running BlackCat Ransomware Operation

🔒 Two cybersecurity professionals, Ryan Goldberg and Kevin Martin, pleaded guilty to conspiring to obstruct, delay, or affect commerce through extortion for their roles in deploying the BlackCat (ALPHV) ransomware against multiple U.S. companies between April and December 2023. They admitted identifying and targeting victims while leveraging ransomware-as-a-service rather than developing the malware themselves, and reached plea agreements in December 2025 that were accepted by the Southern District of Florida. The attacks were tied to more than $9.5 million in losses, though authorities traced roughly $324,123.26 in proceeds to the defendants; both face up to 20 years in prison.

RansomHouse upgrades to multi-layered dual-key RaaS

🔐 Palo Alto Networks' Unit 42 reports that RansomHouse has upgraded its ransomware-as-a-service to a multi-layered, dual-key encryption model that significantly complicates recovery. The new encryptor, tracked as Mario, generates a 32-byte primary and an 8-byte secondary key and performs interlocking encryption passes that hinder linear decryption. Targeting VMware ESXi hosts and backups (e.mario files) and paired with the MrAgent deployment utility, the change raises impact and undermines static signature detection.