< ciso
brief />
Tag Banner

All news with #ransomware incident tag

135 articles · page 4 of 7

Ukrainian Affiliate Pleads Guilty in Nefilim Ransomware

🛡️Ukrainian national Artem Aleksandrovych Stryzhak, 35, pleaded guilty to participating as an affiliate in the Nefilim ransomware operation, admitting he obtained access to the ransomware code in June 2021 in exchange for a 20% share of ransom proceeds. He targeted high-revenue corporations across the United States, Canada, Australia and several European countries using custom-tailored malware and coordinating data-exfiltration and leak threats to coerce payment. Arrested in Spain in June 2024 and extradited to the U.S. in April 2025, Stryzhak faces up to 10 years in prison; sentencing is scheduled for May 6, 2026.
read more →

Askul Confirms Theft of 740,000 Customer Records after Oct.

🔒 Askul Corporation confirmed that the RansomHouse extortion group stole approximately 740,000 customer and partner records during an October ransomware incident. Compromised data types include business and individual customer service records, partner data, and employee information. Askul says attackers likely used compromised administrator credentials for an outsourced partner that lacked MFA, disabled EDR, moved laterally, deployed multiple ransomware variants, and wiped backups. The company has isolated affected networks, enforced MFA, reset admin passwords, begun individual notifications and established long-term monitoring.
read more →

Ransomware Attack Disrupts Operations at Ideal Insurance

🔒 Ideal Group has reported a cyberattack that forced several systems offline as a precaution, leaving business operations running in a limited capacity. The group's affiliate Ahorn AG is affected while subsidiary myLife Lebensversicherung reportedly remains unaffected. The ransomware group Akira is blamed; investigators and external specialists, together with law enforcement, are analysing the incident and currently report no indications of customer data misuse.
read more →

Cyberattack on Town Hall: Stolen Data Posted on Darknet

🔒 In mid-October the Untereisesheim town hall was hit by a cyberattack that encrypted IT systems and led to data theft from servers. Investigations indicate portions of the stolen material, including older personnel files and employee image drives, have appeared on the darknet, while the municipality stresses that sensitive citizen data and central document systems were not affected. No ransom was paid; the town is working with Cybersecurity Agency Baden-Württemberg (CSBW) and the State Criminal Police Office, has rebuilt and secured systems, and informed supervisory and data protection authorities.
read more →

HSE Offers €750 to Victims of 2021 Ransomware Attack

🔒 The Health Service Executive (HSE) has offered €750 to individuals whose personal data was exposed in the May 2021 Conti ransomware attack, plus an additional €650 toward legal costs. The intrusion began with a malicious Microsoft Excel file that bypassed outdated anti‑malware defenses, forcing a full IT shutdown and widespread disruption to hospital services. A later PwC review criticised the HSE's unpatched systems and frail infrastructure, while the organisation says it has found no evidence of fraud stemming from the breach after more than four years.
read more →

FinCEN: Ransomware Gangs Extorted $2.1B (2022–2024)

📊 A FinCEN analysis of 4,194 Bank Secrecy Act filings found organizations paid more than $2.1 billion in ransom between January 2022 and December 2024. Ransomware incidents peaked in 2023 before falling in 2024 after law enforcement actions disrupted ALPHV/BlackCat and LockBit. Most ransom payments were under $250,000 and roughly 97% were made in Bitcoin. Manufacturing, financial services, and healthcare were the most targeted industries.
read more →

Inotiv Discloses August Ransomware Breach Affecting 9,542

🔒 Inotiv, an Indiana-based contract research organization, disclosed an August ransomware attack that disrupted operations after networks, databases, and internal applications were taken offline. The company says it has 'restored availability and access' to impacted systems and is notifying 9,542 individuals whose information was stolen. The incident, dated to approximately August 5–8, 2025, was claimed by the Qilin ransomware group, which published alleged samples and asserted it exfiltrated roughly 162,000 files totaling about 176 GB, though Inotiv has not confirmed the specific data types or publicly attributed the attack.
read more →

Asahi Ransomware Attack Leads to Massive Data Breach

🔒 Asahi Group Holdings confirmed that a ransomware attack on 29 September, attributed to the Qilin group, resulted in a major data breach affecting over 1.5 million customers and roughly 275,000 employees and family members. The incident disrupted ordering, shipping and production systems across Japan and caused widespread product shortages. Asahi says it did not pay a ransom, has found no evidence the data has been posted publicly, and is strengthening its cybersecurity while notifying those impacted.
read more →

Asahi breach: personal data of nearly two million exposed

🔒 Asahi Group Holdings has confirmed that personal data for approximately 1.914 million people, including 1.525 million customers, may have been exposed after a September ransomware incident that forced temporary suspension of operations. The company spent two months on containment, integrity checks and system restoration, and says credit card details were not affected. Qilin has claimed responsibility; Asahi warns customers to monitor for unsolicited communications and anticipates ongoing operational impacts.
read more →

SonicWall Ransomware Incidents Highlight M&A Risk for CSOs

🛡️ A Reliaquest analysis of June–October incidents links multiple Akira ransomware intrusions to compromised SonicWall SSL VPNs that were inherited through acquisitions. In nearly every case, acquiring organizations did not know the devices remained on their networks and attackers leveraged legacy administrative credentials. The report warns that routine financial due diligence misses such cyber risks, and urges early security-led inventory, segmentation, and credential rotation during M&A onboarding.
read more →

Multiple London councils' IT systems hit by cyberattack

🔒 The Royal Borough of Kensington and Chelsea and Westminster City Council are experiencing widespread service disruptions after a cybersecurity incident that also affected the London Borough of Hammersmith and Fulham. Several systems including phone lines were taken offline and councils activated emergency plans to preserve critical services. Officials say they shut down affected systems as a precaution while working with specialist incident responders and the National Cyber Security Centre. Security researchers indicate the outage stems from a ransomware attack on a shared services provider; investigations and efforts to restore services are ongoing.
read more →

Cyberattack Disrupts OnSolve CodeRED Emergency Alerts

⚠️ A cyber-attack on the OnSolve CodeRED platform disrupted emergency alerts used by state and local agencies across the US and exposed user data. Crisis24 shut down the legacy environment and is rebuilding the system in a new, isolated infrastructure. Investigators confirmed data theft — including names, addresses, emails, phone numbers and passwords — though there is no evidence the data has been posted online. The threat actor INC Ransom claims responsibility and has published screenshots and is selling samples of the files.
read more →

Cyberattack Forces Mainz University to Shut Down IT Systems

🔒 Mainz University of Applied Sciences reported a cyberattack on Monday, 24 November, and has shut down all IT systems. The university says most services are unavailable while IT teams and investigative authorities analyse the threat and potential damage. A crisis team was mobilised to maintain essential operations, but restoration timelines remain uncertain. No further details have been released and it is unclear how the attackers gained access.
read more →

Fake CAPTCHA Leads to 42-Day Akira Ransomware Compromise

🔒 An employee clicking a fake CAPTCHA (a ClickFix social-engineering lure) on a compromised car dealership site began a 42-day intrusion by Howling Scorpius that delivered the .NET remote access Trojan SectopRAT and ultimately Akira ransomware. Two enterprise EDRs recorded activity but produced few alerts, enabling lateral movement, privilege escalation and the exfiltration of roughly 1 TB. Unit 42 deployed Cortex XSIAM, rebuilt hardened infrastructure, tightened IAM controls and negotiated about a 68% reduction in the ransom demand.
read more →

Stadtwerke Detmold Hit by Hacker Attack, IT Shutdown

🔒 Stadtwerke Detmold has reported a widespread IT outage following an apparent hacker attack that prompted the operator to take all systems offline. Online services are unavailable and the company cannot be reached by phone or email. The utility says the supply of drinking water, electricity, gas and district heating remains assured, and customers can report technical problems via a hotline. Authorities are investigating the incident and, so far, no ransom demand has been reported.
read more →

Kraken Uses Benchmarking to Optimize Ransomware Attacks

🔒 Cisco Talos reported August 2025 activity by Kraken, a Russian‑speaking ransomware operation linked to the remnants of HelloKitty. The group exploits SMB flaws for initial access, uses Cloudflare for persistence and SSHFS to exfiltrate data, then deploys cross‑platform encryptors across Windows, Linux and VMware ESXi. Notably, Kraken benchmarks victim machines to tune encryption speed and reduce detection and instability. Victims span multiple countries and attackers operate a new leak forum called Last Haven Board.
read more →

Pennsylvania AG Data Breach After INC Ransom Attack

🔒 The Pennsylvania Office of the Attorney General (OAG) confirmed that files containing personal and medical information were accessed during an August 9 ransomware attack and that the office refused to pay the ransom. The incident encrypted systems and disrupted the OAG website, employee email accounts, and landline phones. Researcher Kevin Beaumont identified public-facing Citrix NetScaler appliances vulnerable to CVE-2025-5777 (Citrix Bleed 2) that may have been exploited. The threat actor INC Ransom later claimed responsibility and posted about 5.7TB of alleged stolen data.
read more →

JLR Posts £485m Q2 Losses After September Ransomware Attack

🔒 Jaguar Land Rover reported a £485m ($639m) Q2 loss after a September ransomware attack that halted production at its three UK plants for weeks. The company said the incident generated £196m ($258m) in cyber-related costs, contributing to a 24% year‑on‑year revenue decline to £4.9bn ($6.5bn). JLR set up a loan-backed financing scheme for suppliers and secured government loan guarantees, and confirmed production has now resumed.
read more →

Jaguar Land Rover Cyberattack Costs Company Over $220M

📰 Jaguar Land Rover reported a cyberattack cost of £196 million ($220 million) for the July–September quarter after the incident forced production shutdowns and staff to be sent home. The breach, announced on 2 September 2025, involved confirmed data theft and was claimed on Telegram by the group Scattered Lapsus$ Hunters. Following a UK government-backed £1.5 billion loan guarantee, JLR says operations, wholesale and supplier financing have been restored and production has resumed under a phased restart.
read more →

Akira ransomware linked to $244M in illicit proceeds

🔒 A joint US and international advisory on 14 November attributes approximately $244.17m in illicit proceeds to the Akira ransomware group since late September 2025. The advisory reports rapid data exfiltration in some incidents and details exploitation of SonicWall CVE-2024-40766, expansion to Nutanix AHV disk encryption, and attacks leveraging SSH and unpatched Veeam servers. Operators employ initial access brokers, tunnelling tools and remote access software such as AnyDesk to persist and evade detection. Organisations are urged to prioritise patching, enforce phishing-resistant MFA, and maintain offline backups.
read more →