All news with #ransomware gang tag

🔒A Ukrainian national has pleaded guilty to participating as an affiliate in the Nefilim ransomware operation after being extradited from Barcelona following his June 2024 arrest. He joined the group in June 2021, received an account for a 20% cut and used databases such as ZoomInfo to identify large corporate victims in the US, Canada and Australia. Operators exfiltrated data, encrypted networks and threatened publication on a 'corporate leaks' site; the defendant faces up to 10 years and will be sentenced in May 2026. A known co-conspirator, Volodymyr Tymoshchuk, remains at large and is subject to an up-to-$11m reward.

🛡️Ukrainian national Artem Aleksandrovych Stryzhak, 35, pleaded guilty to participating as an affiliate in the Nefilim ransomware operation, admitting he obtained access to the ransomware code in June 2021 in exchange for a 20% share of ransom proceeds. He targeted high-revenue corporations across the United States, Canada, Australia and several European countries using custom-tailored malware and coordinating data-exfiltration and leak threats to coerce payment. Arrested in Spain in June 2024 and extradited to the U.S. in April 2025, Stryzhak faces up to 10 years in prison; sentencing is scheduled for May 6, 2026.

💰The U.S. Department of Justice has indicted 54 individuals tied to a large-scale ATM jackpotting conspiracy that used the Ploutus malware to force machines to dispense cash. Prosecutors allege members of the Venezuelan gang Tren de Aragua, designated a Foreign Terrorist Organization, recruited operatives who conducted surveillance, opened ATM hoods and installed malware by replacing drives or using removable media. Two related indictments returned in October and December 2025 charge bank fraud, burglary, computer fraud and money laundering, exposing an operation that siphoned millions and laundered proceeds to fund other criminal and terrorist activities.

💰 Federal prosecutors announced indictments against 54 individuals accused of using Ploutus malware to carry out ATM 'jackpotting' attacks across the United States. Two separate grand jury indictments in the District of Nebraska charge 22 and 32 defendants with installing malware, removing or replacing ATM hard drives, and forcing cash dispensals. Authorities allege total losses reached $40.73m and tie some activity to the Venezuelan syndicate Tren de Aragua.

💰 Threat actors linked to North Korea stole at least $2.02 billion in cryptocurrency during 2025, a 51% increase year‑over‑year that made DPRK actors the leading source of global crypto theft. Chainalysis attributes much of the total to a February compromise of Bybit, estimated at $1.5 billion and linked to the cluster TraderTraitor. The report details systematic laundering across DeFi, mixers, bridges and OTC services, and an expanded use of IT infiltration schemes such as Wagemole to gain privileged access and facilitate high‑impact thefts.

🔓 VolkLocker, a new RaaS from the pro‑Russian group CyberVolk (GLORIAMIST), contains a critical implementation flaw that lets victims recover files without paying. Test samples embed a master key and write it in plaintext to the %TEMP% folder (system_backup.key), while using that same key for AES‑256‑GCM encryption. The Golang-built strain targets Windows and Linux, modifies the registry, deletes shadow copies, and uses Telegram automation for command-and-control and victim management.

🛡️ Cisco Talos describes a new financially motivated campaign deploying DeadLock ransomware that uses a custom stream cipher with time-based keys to encrypt Windows hosts. The actor employs a Bring Your Own Vulnerable Driver (BYOVD) approach with a previously unseen loader to exploit the Baidu Antivirus driver vulnerability (CVE-2024-51324), enabling termination of EDR processes. Talos publishes Snort SIDs and multiple ClamAV detections and details lateral movement, anti-forensics, and selective encryption tactics aimed at complicating recovery.

🔐 At Black Hat Europe 2025, Max Smeets of Virtual Rotes presented 'Inside the Ransomware Machine', examining LockBit and its affiliate-driven RaaS operations from 2022–2024. He highlighted how reputation shapes victim decisions and the attackers' need to be seen as reliable to secure payments. The talk warned that exposed cyber insurance details can guide extortion amounts and recommended segregating or air‑gapping insurance documentation.

🔍 This analysis examines leaked communications and recent incidents to reveal how modern threat actors organize, adapt and blur the lines between criminal, contractor and researcher roles. Leaked BlackBasta chats show internal discord, leadership opacity, technical debt and disputes over revenue and workload. The EncryptHub case highlights a solo operator who both conducted malware and credited vulnerability disclosures to Microsoft, illustrating the growing hybridization of actor identities. Finally, BlackLock’s open recruitment for "traffers" demonstrates how the ransomware supply chain is becoming commoditized and industrialized.

🔒 Cisco Talos detailed a campaign where a financially motivated actor deployed DeadLock ransomware using a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint protections by exploiting a Baidu driver flaw (CVE-2024-51324). A custom loader invoked the vulnerable driver to issue kernel-level commands that killed security processes; PowerShell scripts then escalated privileges, stopped backup and security services, and erased shadow copies. The C++ payload (compiled July 2025) injects into rundll32.exe, uses a custom stream cipher with time-based keys to append ".dlock" and waits roughly 50 seconds to evade sandboxes; communications and ransom negotiations occurred via Session. Organizations should enforce MFA, maintain strong endpoint controls and keep regular offline backups.

🛡️ Shanya is a packer-as-a-service used by multiple ransomware gangs to conceal payloads that disable endpoint detection and response (EDR) tools. The service returns a custom, encrypted wrapper that decrypts and decompresses the payload entirely in memory and inserts it into a memory-mapped copy of shell32.dll, avoiding disk artifacts. Sophos telemetry links Shanya-packed samples to Medusa, Qilin, Crytox and Akira, and notes techniques that crash user-mode debuggers and facilitate DLL side-loading to deploy EDR killers.

📊 A FinCEN analysis of 4,194 Bank Secrecy Act filings found organizations paid more than $2.1 billion in ransom between January 2022 and December 2024. Ransomware incidents peaked in 2023 before falling in 2024 after law enforcement actions disrupted ALPHV/BlackCat and LockBit. Most ransom payments were under $250,000 and roughly 97% were made in Bitcoin. Manufacturing, financial services, and healthcare were the most targeted industries.

🔒Barts Health NHS Trust has applied to the High Court seeking an order to prevent the sharing, publication or use of data stolen from an Oracle E-business Suite database. A criminal group known as Cl0p posted compressed files on the dark web containing names, addresses and invoicing records relating to patients, suppliers and former staff. The trust says clinical systems and core IT infrastructure were unaffected and it is working with NHS England, the NCSC and law enforcement while notifying regulators.

🔍 A prolific operator known as "Rey," one of three administrators of the Scattered LAPSUS$ Hunters (SLSH) Telegram channel, has confirmed his real-world identity after investigative outreach. Rey is tied to the recent release of the group's new RaaS offering ShinySp1d3r, which he says is derived from Hellcat ransomware code modified with AI tools. Reporting shows Rey made multiple operational security mistakes that allowed analysts to link him to a shared family PC in Amman, Jordan, revealing his name as Saif Al‑Din Khader and that he is a mid‑teens minor who says he is cooperating with law enforcement.

🛡️ South Korea's financial sector was struck by a coordinated supply-chain campaign that deployed Qilin ransomware via a compromised MSP, Bitdefender reports. The operation, self-styled as 'Korean Leaks', unfolded in three publication waves in September–October 2025 and resulted in the theft of over 1 million files (about 2 TB) from 28 victims. Analysis ties the clustered intrusions to a single upstream MSP compromise and notes possible involvement by North Korean-affiliated actors alongside Qilin affiliates operating under a RaaS model.

⚠️ Unit 42 documents a renewed campaign by the Scattered LAPSUS$ Hunters (SLSH) that combines a supply-chain driven data theft affecting Gainsight/Salesforce integrations with the emergence of a new Windows-focused ransomware-as-a-service, ShinySp1d3r. The actors publicly threatened mass ransomware deployment and set a leak deadline while also actively recruiting insiders and claiming hundreds of additional victim accesses. Organizations should prioritize rotating exposed tokens, enforcing strong insider controls, and engaging incident response if they suspect compromise.

🔓 A threat actor claims to have stolen 2.3 terabytes of data from IT services provider Almaviva and posted the material on a dark web forum. The leak reportedly includes confidential documents and sensitive information related to FS Italiane Group, such as internal shares, technical documentation, contracts, HR and accounting archives. D3Lab's Andrea Draghetti says the files are recent (Q3 2025) and not recycled from a 2022 Hive incident. Almaviva confirmed a breach, says affected systems were isolated, and that authorities have been notified while an investigation continues.

🔒 A threat actor claims to have stolen 2.3 terabytes of data from Almaviva, the IT services provider linked to Italy's state-owned rail operator, FS Italiane Group. The actor posted the alleged dump on a dark web forum and described the contents as confidential documents, technical files, contracts, HR and accounting archives. Almaviva confirmed a cyberattack affecting corporate systems, said some data were taken, and reported it to national authorities while an investigation is ongoing.

🔒 The US, UK, and Australia have sanctioned Russian bulletproof hosting provider Media Land and related companies for supporting ransomware gangs such as LockBit, BlackSuit, and Play. Three executives were also designated and assets frozen, while clients and facilitators face secondary sanctions. Five Eyes agencies issued guidance for ISPs to detect and block BPH-enabled abuse.

🔒 CrowdStrike describes how OverWatch detected and disrupted BLOCKADE SPIDER, a financially motivated eCrime group that has used cross-domain techniques since at least April 2024 to access unmanaged systems, dump credentials, and deploy Embargo ransomware. By correlating endpoint, identity, and cloud telemetry in Falcon Next-Gen SIEM and Falcon Identity Threat Protection, analysts traced a compromised VPN service account and observed MFA bypass and AD manipulation. The account underscores the value of unified visibility to stop lateral movement and protect critical assets.