< ciso
brief />
Tag Banner

All news with #ransomware gang tag

143 articles · page 4 of 8

FBI Seizes RAMP Ransomware Forum, Disrupting Market

🚨The FBI has seized the dark‑web forum RAMP, replacing its clear‑ and dark‑web sites with law‑enforcement seizure banners and redirecting domains to ns1.fbi.seized.gov and ns2.fbi.seized.gov. The banner, attributed to the FBI, DOJ and the US Attorney’s Office for the Southern District of Florida, mocked the forum’s “ransomware allowed” stance. Forum administrator “Stallman” confirmed the takedown and said he will not rebuild. Analysts say the action disrupts low‑tier actors, may yield valuable intelligence and will have limited impact on top‑tier groups.
read more →

Ransomware Data Leaks Surge in Q4 2025 Despite Fewer Groups

🔐 ReliaQuest analysis shows ransomware data leaks rose sharply in Q4 2025, with posts on leak sites up 50% quarter-on-quarter and 40% year-on-year. The researchers found fewer active ransomware groups overall, but top-tier RaaS operators increased their output and speed of execution. Qilin, Akira and Sinobi were the most prolific, with Qilin claiming 450+ victims. ReliaQuest urges stronger controls such as MFA and improved data-exfiltration monitoring to reduce impact.
read more →

TA584 Adopts Tsundere Bot to Enable Ransomware Access

🔐 Proofpoint researchers report that prolific initial access broker TA584 has begun using Tsundere Bot alongside the XWorm RAT to gain footholds that could lead to ransomware. The group ramped up activity in late 2025, expanding beyond North America and the UK to target Germany, other European countries and Australia. Their emails leverage aged compromised accounts delivered via SendGrid and Amazon SES, unique geofenced URLs, redirect chains and obfuscated PowerShell that loads payloads in memory to evade static detection.
read more →

FBI Seizes RAMP Cybercrime Forum Linked to Ransomware

🔒 The FBI has seized the RAMP cybercrime forum, replacing both its Tor and clearnet sites with an official seizure notice and switching DNS to FBI-controlled name servers. The action potentially grants investigators access to forum records — email addresses, IP logs, private messages and other data — that could identify and lead to arrests of negligent threat actors. RAMP, launched in July 2021 by the actor known as Orange, became a prominent hub for ransomware groups to advertise operations, recruit affiliates, and trade network access.
read more →

Cybercrime Inc. 2026: Industrialized Threats for CISOs

🔒 Cybercriminals now operate like businesses—highly specialized, service-oriented, and ROI-driven—using models such as RaaS and initial access brokers to scale attacks. This industrialization, amplified by AI and automation, forces a shift from reactive detection to proactive prevention and identity-first controls. CISOs must prioritize governance, supply-chain resilience, defensive automation, and strategic partnerships to manage risk amid talent and budget shortfalls.
read more →

Tudou Guarantee Telegram Operations Shut After Sanctions

🛑 Elliptic reports that Tudou Guarantee, a major marketplace in the Southeast Asia scam economy, is shutting down its Telegram groups after US and UK sanctions tied to the Prince Group. Launched in 2023, the platform is linked to roughly $12bn in crypto transactions and absorbed merchants migrating from Huione Guarantee. While gambling and other non-fraud arms appear to continue, Elliptic notes a sharp drop in central wallet activity after the January 2026 arrest of Prince Group chairman Chen Zhi, and warns displaced actors will likely disperse across other marketplaces.
read more →

Ukraine, Germany Seize Evidence in Black Basta Probe

🔎 Ukrainian and German law enforcement raided residences in Lviv and Ivano‑Frankivsk on 15 January, seizing digital storage devices and cryptocurrency assets linked to two suspected members of the Black Basta ransomware group. Investigators say the men acted as 'hash crackers,' extracting passwords to escalate access, steal data and deploy ransomware across corporate networks. The operation involved the Ukrainian National Police and Germany's BKA and formed part of a wider international probe coordinated by Europol. Authorities also identified alleged founder Oleg Evgenievich Nefedov, who has been placed on Europol’s EU Most Wanted and Interpol Red Notice lists.
read more →

German Authorities Seek Alleged Head of Black Basta Gang

🔎 German federal and Frankfurt internet-crime authorities have issued an arrest warrant for the alleged leader of the Black Basta ransomware group after searching residences in Ukraine and seizing evidence. The gang is accused of compromising networks, stealing sensitive data, encrypting systems and extorting payments from over 100 German victims between March 2022 and February 2025. Authorities say the group obtained more than €20 million in Germany and targeted companies, hospitals and public bodies.
read more →

Authorities Identify Black Basta Members, Leader Listed

🚨 Ukrainian and German authorities have identified two Ukrainians allegedly working for the Russia-linked ransomware-as-a-service group Black Basta, while the group's suspected leader, 35-year-old Russian national Oleg Evgenievich Nefedov, has been added to the EU Most Wanted and INTERPOL Red Notice lists. Investigators say the suspects acted as "hash crackers," extracting credentials used to breach corporate networks and deploy ransomware. Searches in Ivano-Frankivsk and Lviv yielded digital storage devices and cryptocurrency assets. Black Basta emerged in April 2022 and is linked to attacks on more than 500 organizations and hundreds of millions in illicit cryptocurrency profits.
read more →

Black Basta leader added to Europol and Interpol lists

🚨 German and Ukrainian authorities have identified Oleg Evgenievich Nefedov as the leader of the Black Basta ransomware group and added him to Europol's 'Most Wanted' and Interpol's 'Red Notice' lists. Raids in the Ivano-Frankivsk and Lviv regions targeted two alleged members who specialized in initial access, hash cracking and privilege escalation, and yielded seized digital storage and cryptocurrency assets. Black Basta, linked to the defunct Conti syndicate, has been tied to more than 600 incidents worldwide affecting major organizations.
read more →

Microsoft Disrupts RedVDS Cybercrime Subscription Service

🛡️ Microsoft announced on 14 January that it has seized the infrastructure and website of RedVDS, a subscription-based cybercrime platform that rented disposable virtual machines and AI tools to facilitate phishing, business email compromise (BEC) and fraud. The service, available from about $24/month, has been linked to more than $40 million in losses in the US and nearly 190,000 victimised organisations worldwide. Legal partners in the US and the UK, with international law enforcement support, coordinated the takedown.
read more →

WhatsApp Worm Deploys Astaroth Banking Trojan in Brazil

📱Acronis says a campaign named Boto Cor-de-Rosa uses WhatsApp to spread the Astaroth banking trojan in Brazil. Attackers distribute ZIP archives via messages; extracting them runs a Visual Basic Script that downloads additional components and an MSI installer. A Python-based worm module harvests WhatsApp contacts and automatically forwards malicious archives to propagate. A background banking module monitors browsing to harvest credentials and the malware logs propagation metrics.
read more →

Hackers Claim to Disconnect Brightspeed Customers Now

🔒 Brightspeed is investigating claims that the hacking group Crimson Collective obtained personally identifiable information for over one million customers and disrupted connectivity. The group posted a sample of the data on Telegram in early January and later said it had disconnected many users' home internet, although Brightspeed has not confirmed outages or the breach. The purported dataset includes account records, geolocation details, payment histories and masked card data. The ISP is probing the incident while the authenticity and scope of the claims remain unclear.
read more →

Brightspeed Probes Alleged Data Theft by Crimson Collective

🔒 Brightspeed is investigating claims that the extortion group Crimson Collective stole sensitive information belonging to more than one million customers. The U.S. broadband provider said it is rigorous in securing networks and is looking into a reported cybersecurity event, promising to keep customers, employees, and authorities informed. Crimson Collective posted on Telegram that the haul includes PII, account and payment details, and appointment/order records, and threatened to publish a sample to force a response.
read more →

Two Plead Guilty to Running BlackCat Ransomware Operation

🔒 Two cybersecurity professionals, Ryan Goldberg and Kevin Martin, pleaded guilty to conspiring to obstruct, delay, or affect commerce through extortion for their roles in deploying the BlackCat (ALPHV) ransomware against multiple U.S. companies between April and December 2023. They admitted identifying and targeting victims while leveraging ransomware-as-a-service rather than developing the malware themselves, and reached plea agreements in December 2025 that were accepted by the Southern District of Florida. The attacks were tied to more than $9.5 million in losses, though authorities traced roughly $324,123.26 in proceeds to the defendants; both face up to 20 years in prison.
read more →

RansomHouse upgrades to multi-layered dual-key RaaS

🔐 Palo Alto Networks' Unit42 reports that RansomHouse has upgraded its ransomware-as-a-service to a multi-layered, dual-key encryption model that significantly complicates recovery. The new encryptor, tracked as Mario, generates a 32-byte primary and an 8-byte secondary key and performs interlocking encryption passes that hinder linear decryption. Targeting VMware ESXi hosts and backups (e.mario files) and paired with the MrAgent deployment utility, the change raises impact and undermines static signature detection.
read more →

Ukrainian Affiliate Pleads Guilty in Nefilim Attacks

🔒A Ukrainian national has pleaded guilty to participating as an affiliate in the Nefilim ransomware operation after being extradited from Barcelona following his June 2024 arrest. He joined the group in June 2021, received an account for a 20% cut and used databases such as ZoomInfo to identify large corporate victims in the US, Canada and Australia. Operators exfiltrated data, encrypted networks and threatened publication on a 'corporate leaks' site; the defendant faces up to 10 years and will be sentenced in May 2026. A known co-conspirator, Volodymyr Tymoshchuk, remains at large and is subject to an up-to-$11m reward.
read more →

Ukrainian Affiliate Pleads Guilty in Nefilim Ransomware

🛡️Ukrainian national Artem Aleksandrovych Stryzhak, 35, pleaded guilty to participating as an affiliate in the Nefilim ransomware operation, admitting he obtained access to the ransomware code in June 2021 in exchange for a 20% share of ransom proceeds. He targeted high-revenue corporations across the United States, Canada, Australia and several European countries using custom-tailored malware and coordinating data-exfiltration and leak threats to coerce payment. Arrested in Spain in June 2024 and extradited to the U.S. in April 2025, Stryzhak faces up to 10 years in prison; sentencing is scheduled for May 6, 2026.
read more →

US DOJ Indicts 54 in Multi-Million ATM Jackpotting Scheme

💰The U.S. Department of Justice has indicted 54 individuals tied to a large-scale ATM jackpotting conspiracy that used the Ploutus malware to force machines to dispense cash. Prosecutors allege members of the Venezuelan gang Tren de Aragua, designated a Foreign Terrorist Organization, recruited operatives who conducted surveillance, opened ATM hoods and installed malware by replacing drives or using removable media. Two related indictments returned in October and December 2025 charge bank fraud, burglary, computer fraud and money laundering, exposing an operation that siphoned millions and laundered proceeds to fund other criminal and terrorist activities.
read more →

US Indicts 54 in ATM 'Jackpotting' Scheme Using Ploutus

💰 Federal prosecutors announced indictments against 54 individuals accused of using Ploutus malware to carry out ATM 'jackpotting' attacks across the United States. Two separate grand jury indictments in the District of Nebraska charge 22 and 32 defendants with installing malware, removing or replacing ATM hard drives, and forcing cash dispensals. Authorities allege total losses reached $40.73m and tie some activity to the Venezuelan syndicate Tren de Aragua.
read more →