All news with #ransomware tag

LockBit Resurges with New Variant and Fresh Victims

🛡️ LockBit has reemerged after a disruption in early 2024 and is actively extorting new victims. Check Point Research identified roughly a dozen organizations hit in September 2025, and about half of those incidents involved the new LockBit 5.0 variant, labeled ChuongDong. The group is deploying attacks across Windows, Linux and ESXi environments in Europe, the Americas and Asia. Check Point Harmony Endpoint and Quantum customers are protected via Threat Emulation, which can block these attacks before encryption occurs.

Microsoft Blocks Ransomware Campaign Targeting Teams Users

🛡️ Microsoft said it disrupted a ransomware campaign that used fake Teams installers to deliver a backdoor and prepare for encryption operations. Attackers lured victims with impersonated MSTeamsSetup.exe files hosted on malicious domains, which installed a loader and a fraudulently signed Oyster backdoor. The group identified as Vanilla Tempest intended to follow with Rhysida ransomware. Microsoft revoked over 200 fraudulent code-signing certificates and says a fully enabled Defender Antivirus will block the threat.

IR Trends Q3 2025: ToolShell Drives Access & Response

🛡️ Cisco Talos Incident Response observed a surge in attacks exploiting public-facing apps in Q3 2025, driven chiefly by ToolShell chains targeting on-premises Microsoft SharePoint servers. Rapid automated scanning and unauthenticated RCE vulnerabilities led to widespread compromise, highlighting the need for immediate patching and strict network segmentation. Post-compromise phishing from valid accounts and diverse ransomware families, including Warlock and LockBit, continued to impact victims.

CISOs: Earning Business Respect Through Incident Response

🛡️ How a CISO handles a major incident can make or break their career. A Cytactic survey of 480 senior US cybersecurity leaders, including 165 CISOs, found that 65% said leading an incident response elevated their internal reputation while only 5% said it hurt it. Experts say a well-managed response can translate into better budgets and authority, but prevention work is often invisible and a single failure can still cost a CISO their job.

Canada Fines Cryptomus $176M over AML Oversight in 2025

🔒 FINTRAC has imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., the operator of Cryptomus, after finding widespread failures to file suspicious transaction reports tied to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion. Regulators said the payments platform enabled dozens of Russian‑focused exchanges and cybercrime‑facing services to move illicit proceeds. The action follows investigative reporting showing numerous money service businesses clustered at shared Canadian addresses that appear to be fronts.

Chinese Groups Exploit ToolShell SharePoint Flaw Widespread

🔒 Symantec reports that China-linked threat actors exploited the ToolShell vulnerability in Microsoft SharePoint (CVE-2025-53770) weeks after Microsoft issued a July 2025 patch, compromising a Middle Eastern telecom and multiple government and corporate targets across regions. Attackers used loaders and backdoors such as KrustyLoader, ShadowPad and Zingdoor, and in several incidents employed DLL side-loading and privilege escalation via CVE-2021-36942. Symantec notes the operations aimed at credential theft, stealthy persistence, and likely espionage, with activity linked to groups including Linen Typhoon, Violet Typhoon, Storm-2603 and Salt Typhoon.

Ransomware Attack Disrupts IT at Nickelhütte Aue Company

🔒 A ransomware attack on Nickelhütte Aue's office IT encrypted data and caused disruptions across multiple back-office systems, with HR, accounting, finance, purchasing and sales identified as affected. A company spokesperson told CSO that production remained unaffected and management established a crisis organisation after the incident was discovered on Saturday, October 18. The attackers left an extortion note threatening to publish stolen files; investigations by IT forensics teams and authorities are ongoing while the firm consults on how to respond to the ransom demand. The company says it is cleaning infected devices and making steady progress, but the timeframe to fully rebuild IT systems remains unclear.

Scattered LAPSUS$ Hunters Shift to Extortion-as-Service

🔍 Palo Alto Networks' Unit 42 reports monitoring a Scattered LAPSUS$ Hunters Telegram channel since early October 2025, noting a tactical shift toward an extortion-as-a-service (EaaS) offering that omits file encryption. Researchers also observed posts mentioning a potential new ransomware, SHINYSP1D3R, though its development and the profitability of EaaS remain uncertain. Unit 42 found the group's data leak site apparently defaced and confirmed leaked records tied to at least six firms; the actors had set an Oct 10 ransom deadline but later stated on Oct 11 that "nothing else will be leaked."

UK Contractor Breach Exposes Sensitive RAF and Navy Sites

🔒 A ransomware attack on contractor Dodd Group reportedly allowed Russian-linked attackers to exfiltrate hundreds of sensitive Ministry of Defence documents, including details on RAF Lakenheath, RAF Portreath and RAF Predannack. The company confirmed an incident and said it contained access, while the MoD suspects the Lynx group is behind the intrusion. Leaked files published on the dark web allegedly include site plans and personnel data, and the case is now under investigation amid a wider rise in UK cyber incidents.

Ransomware Payouts Rise to $3.6M as Tactics Evolve

🔒 The average ransomware payment climbed to $3.6m in 2025, up from $2.5m in 2024, as attackers shift to fewer but more lucrative, targeted campaigns. ExtraHop's Global Threat Landscape Report found 70% of affected organisations paid ransoms, with healthcare and government incidents averaging nearly $7.5m each. The study highlights expanding risks from public cloud, third‑party integrations and generative AI, and urges organisations to map their attack surface, monitor internal traffic for lateral movement and prepare for AI‑enabled tactics.

AI-Enabled Ransomware: CISOs’ Top Security Concern

🛡️ CrowdStrike’s 2025 ransomware survey finds that AI is compressing attacker timelines and enhancing phishing, malware creation, and social engineering, forcing defenders to react in minutes rather than hours. 78% of respondents reported a ransomware incident in the past year, yet fewer than 25% recovered within 24 hours and paying victims often faced repeat compromise and data theft. CISOs rank AI-enabled ransomware as their top AI-related security concern, and many organizations are accelerating adoption of AI detection, automated response, and improved training.

Ransomware Reality: High Confidence, Low Preparedness

⚠️ The CrowdStrike State of Ransomware Survey reveals a sizable gap between organizational confidence and actual ransomware readiness. Half of 1,100 security leaders say they are "very well prepared," yet 78% were attacked in the past year and fewer than 25% recovered within 24 hours. The report warns that AI-accelerated attacks deepen this gap and recommends AI-native detection and response such as Falcon to regain the advantage.

Scattered LAPSUS$ Hunters: Recent Activity and Risks

🚨 Unit 42 observed renewed activity from Scattered LAPSUS$ Hunters in early October 2025, including leaked data claims, a defaced clearnet leak site, and announcements of an extortion-as-a-service offering. The actors set a self-imposed ransom deadline of Oct. 10, 2025 and claimed to have released data allegedly from six victim companies across aviation, energy and retail. Unit 42 recommends organizations prepare EaaS incident playbooks and engage third-party responders.

Muji Halts Japan Online Sales After Supplier Ransomware

🔒 Muji has temporarily taken its Japan online store offline after a ransomware attack disrupted logistics systems at its delivery partner, Askul. The outage affects browsing, purchases, order histories in the Muji app, and some web content; Muji is investigating which shipments and pre-attack orders were impacted and will notify affected customers by email. Askul confirmed a ransomware infection suspended orders, shipping, and several customer services while it investigates potential data exposure; international Muji stores remain operational.

Cybersecurity Awareness Month 2025: Ransomware Resilience

🔒 ESET's Cybersecurity Awareness Month 2025 video, presented by Chief Security Evangelist Tony Anscombe, explains why ransomware continues to threaten organizations large and small. Citing Verizon's 2025 DBIR and a Coalition Inc. study, it notes that 44% of breaches involved ransomware and 40% of insured victims paid ransoms. The video outlines common intrusion vectors and practical steps — backups, patching, access controls and training — organizations should take to improve resilience.

AI-Driven Social Engineering Tops ISACA Threats for 2026

⚠️A new ISACA report identifies AI-driven social engineering as the top cyber threat for 2026, cited by 63% of nearly 3,000 IT and security professionals. The 2026 Tech Trends and Priorities report, published 20 October 2025, shows AI concerns outpacing ransomware (54%) and supply chain attacks (35%), while only 13% of organizations feel very prepared to manage generative AI risks. ISACA urges organizations to adopt AI governance, strengthen compliance amid divergent US and EU approaches, and invest in talent, resilience and legacy modernization.

Rhysida Ransomware Group Lists German Manufacturer Geiger

🔒 On October 17, the ransomware group Rhysida posted the German machine manufacturer Geiger on a darknet victims list, claiming to offer data stolen from the company. The attackers set an asking price of 10 BTC (roughly €1 million) and indicated a sale deadline of October 24, 2025, without specifying the scope or types of data. Geiger has not publicly responded to the claim. Security researchers characterize Rhysida as financially motivated and likely operating from Russia or the CIS.

Analyzing ClickFix: Why Browser Copy-Paste Attacks Rise

🔐 ClickFix attacks trick users into copying and executing malicious code from a webpage—often presented as a CAPTCHA or a prompt to 'fix' an error—so the payload runs locally without a download. Researchers link the technique to Interlock and multiple public breaches and note delivery has shifted from email to SEO poisoning and malvertising. The articles says clipboard copying via JavaScript and heavy obfuscation let these pages evade scanners, and that traditional EDR and DLP often miss the attack. Push Security recommends browser-based copy-and-paste detection to block attacks before the endpoint is reached.

Microsoft Revokes 200+ Fraudulent Code-Signing Certificates

🔒 Microsoft Threat Intelligence has revoked more than 200 code-signing certificates that were fraudulently used to sign counterfeit Microsoft Teams installers delivering a persistent backdoor and ransomware. The campaign, tracked as Vanilla Tempest (also known as Vice Spider/Vice Society), employed SEO poisoning and malvertising to lure users to spoofed download sites hosting fake MSTeamsSetup.exe files that deployed the Oyster backdoor and ultimately Rhysida ransomware. Microsoft says the actor abused Trusted Signing and services such as SSL.com, DigiCert and GlobalSign to sign malicious binaries. A fully enabled Microsoft Defender Antivirus detects and blocks these threats, and Microsoft provides guidance through Microsoft Defender for Endpoint for mitigation and investigation.

SharePoint Flaws Led to Breach at Kansas City Nuclear Plant

🔒 A foreign threat actor exploited unpatched Microsoft SharePoint vulnerabilities to infiltrate the Kansas City National Security Campus (KCNSC), which produces most non‑nuclear components for U.S. nuclear weapons. Honeywell FM&T, which manages the site for the NNSA, and the Department of Energy did not respond to requests for comment. Federal responders, including the NSA, were onsite in early August after Microsoft issued fixes on July 19. Attribution remains disputed between Chinese-linked groups and possible Russian actors; there is no public evidence that classified information was taken.