< ciso
brief />
Tag Banner

All news with #ransomware tag

464 articles · page 10 of 24

January 2026: Global Attacks Rise; Ransomware, GenAI Risk

⚠️ Check Point Research reports a global increase in cyber attacks in January 2026, with organizations experiencing an average of 2,090 attacks per organization per week — a 3% increase from December and 17% above January 2025. The rise is driven by expanding ransomware operations and mounting data‑exposure risks linked to widespread GenAI adoption. Critical sectors are under intensified pressure as threat activity accelerates and adversaries move faster.
read more →

Weaponized Windows Shortcuts Deliver Global Group Ransomware

📄 Forcepoint X‑Labs researchers have uncovered a Phorpiex‑backed phishing campaign that weaponizes Windows shortcut (.lnk) files to deploy Global Group ransomware. Attackers send messages with the subject "Your Document" and attachments like "Document.doc.lnk", exploiting hidden file extensions and a Word‑style icon to trick recipients. The .lnk uses built‑in utilities (cms.exe and PowerShell) and heavily obfuscated commands to fetch and run a second‑stage payload, leveraging Living‑off‑the‑Land techniques so the ransomware executes locally without external C2 communication.
read more →

Warlock Ransomware Exploits Unpatched SmarterMail Instance

🔒 SmarterTools confirmed a network breach by the Warlock (aka Storm-2603) ransomware group after attackers exploited an unpatched SmarterMail instance on January 29, 2026. A single, unpatched VM allowed lateral movement to about a dozen Windows servers across the office network and a secondary QC data center, with hosted SmarterTrack customers most affected. Operators staged tools including Velociraptor and deployed a locker after gaining Active Directory control. SmarterTools urges immediate upgrade to Build 9526 and isolation of mail servers to limit further ransomware deployment.
read more →

Warlock Ransomware Breach Through SmarterMail Flaw

🔒 SmarterTools confirmed that the Warlock ransomware group breached its network after exploiting an authentication-bypass flaw in a single, unpatched SmarterMail VM (CVE-2026-23760) on January 29, allowing attackers to reset admin passwords and obtain full privileges. The intrusion led to compromise of 12 Windows servers in the company’s office network and a secondary data center used for testing and hosting, while the company’s Linux infrastructure was not affected. Security tooling, including SentinelOne, blocked the final encryption payload, impacted systems were isolated, and data was restored from backups; SmarterTools urges administrators to upgrade to Build 9511 or later.
read more →

CISA: SmarterMail RCE Flaw Actively Exploited by Ransomware

⚠️ CISA warns that ransomware actors are actively exploiting CVE-2026-24423, a critical unauthenticated remote code execution vulnerability in SmarterTools SmarterMail via the ConnectToHub API. SmarterTools released a fix on January 15 (Build 9511) and issued further updates through Build 9526 on January 30. Agencies must apply updates or stop using the product by February 26, 2026, under KEV and BOD 22-01 guidance.
read more →

Ransomware Actors Abuse ISPsystem VMs for Payload Delivery

🛡️ Ransomware groups are abusing virtual machines provisioned by ISPsystem to host and deliver malware at scale. Sophos researchers found identical Windows VM hostnames and system identifiers reused from default VMmanager templates, enabling operators such as LockBit, Qilin, Conti, BlackCat/ALPHV and others to hide malicious infrastructure among legitimate hosts. The tactic complicates attribution and slows takedown efforts, and Sophos tied most malicious VMs to a small cluster of poorly reputed hosting providers.
read more →

La Sapienza University Offline Following Ransomware Attack

🔒 Rome’s La Sapienza University has taken its IT systems offline after a cyberattack that prompted an immediate shutdown of network systems to protect data integrity. The university, Europe’s largest in‑campus institution with over 112,500 students, said authorities were notified and a technical task force is working on restoration. The campus website remains offline and temporary on‑site infopoints are in place while recovery continues. Italian reporting links the incident to Rorschach (Femwar02) ransomware; backups are reported intact.
read more →

Conpet Hit by Qilin Ransomware, Corporate IT Affected

🔒 Conpet, Romania's national oil pipeline operator, disclosed a cyberattack that disrupted its corporate IT systems and temporarily took down its public website. The company said operational technologies, including SCADA and telecommunications systems, were not affected and crude oil transport continued normally. The Qilin ransomware group claimed responsibility and alleged nearly 1 TB of data exfiltration, posting sample documents as proof. Conpet is investigating the incident with national cybersecurity authorities and has filed a criminal complaint with DIICOT.
read more →

EDR Killer Abuses EnCase Signed Kernel Driver Widespread

🔒 A custom EDR killer discovered by Huntress abused a long-revoked EnCase kernel driver to gain kernel-level access and repeatedly terminate security processes. The 64-bit tool leverages EnPortv.sys, registers as a fake OEM service for reboot persistence, and uses a kernel IOCTL kill loop to disable 59 EDR/AV processes every second. Huntress links the activity to ransomware and recommends MFA, HVCI/Memory Integrity, WDAC, and monitoring for OEM-masquerading kernel services.
read more →

New ‘Vect’ RaaS Variant Targets Windows, Linux, ESXi

🔒 Security researchers have identified a new ransomware-as-a-service operation named Vect that began recruiting affiliates in December 2025. According to Halcyon, Vect uses C++-built malware with ChaCha20-Poly1305 AEAD and intermittent (block) encryption to speed disruption, and advertises cross-platform targeting for Windows, Linux and VMware ESXi. Red Piranha notes strong OPSEC including Monero payments, TOX communications and TOR-only infrastructure.
read more →

Responding to Ransomware: Forensics, Triage, and Policy

🛡️ Stay calm and avoid rash moves when ransomware hits: shutting down systems can cause 'forensic suicide' by destroying volatile evidence such as RAM. Joanna Lang-Recht recommends isolating affected hosts from networks rather than powering them off, preserving forensic images, and engaging specialized incident response teams. Prioritize containment, secure offline backups, and clear crisis roles. Treat negotiation as an economic decision and rely on trained negotiators rather than emotional engagement.
read more →

Army Signal Officer to Insurance CSO: Hensley’s Cyberplan

🔐 Barry Hensley, a retired U.S. Army Colonel and former Signal Officer, now serves as CSO of Brown & Brown, leading efforts to protect client networks and sensitive data. He notes that organizational awareness of cyber risk has grown, but effective investment and calibrated risk tolerance often lag, especially under budget constraints. Hensley highlights threats such as ransomware and ideologically motivated attacks, the rising role of AI in both offense and defense, and the critical need to manage third- and fourth-party risk while retaining motivated security talent.
read more →

Exposed MongoDB Instances Targeted in Extortion Campaign

🔒 A threat actor is automating data-extortion attacks against publicly exposed MongoDB instances, compromising roughly 1,400 servers and leaving ransom notes demanding about 0.005 BTC (~$500). Researchers at Flare found over 208,500 publicly reachable MongoDB servers, with 3,100 allowing access without authentication and nearly half of those already wiped. There is no guarantee that paying ransoms will restore data or provide working keys. Victims are urged to avoid public exposure, enforce strong authentication, apply network controls, and keep instances updated.
read more →

FBI Seizes RAMP Ransomware Forum, Disrupting Network

🔒 The FBI has seized control of RAMP (Russian Anonymous MarketPlace), replacing both its dark‑web and clearnet domains with law‑enforcement seizure banners. The action, carried out with the US Attorney’s Office for the Southern District of Florida and the Justice Department’s CCIPS, redirects the forum's nameservers to ns1.fbi.seized.gov and ns2.fbi.seized.gov. The takedown follows the 2024 arrest of alleged operator Mikhail Matveev and may provide authorities access to user data that could prompt further prosecutions.
read more →

Crypto wallets received a record $158B in illicit funds

🔒 TRM Labs reports illegal cryptocurrency flows hit a record $158 billion in 2025, reversing a three-year decline. The firm attributes the 145% surge to increased sanctions-linked activity, expanded nation-state adoption (notably Russia, Iran, and Venezuela), and improved attribution that surfaced previously uncounted flows. Hacks, scams, and ransomware drove major losses, including $2.87 billion from 150 hacks and about $35 billion sent to fraud schemes, while laundering shifted from mixers to cross-chain bridges. TRM's 2026 crypto crime report aggregates on-chain tracing and intelligence to quantify these trends.
read more →

Badges, Bytes and Blackmail: Law Enforcement Trends

🛡️ Orange Cyberdefense compiled a dataset of 418 publicly reported law enforcement actions from 2021 to mid-2025 to clarify how agencies address cybercrime. The study shows extortion (including ransomware), malware, and hacking are the most targeted offenses, while arrests (29%), takedowns (17%) and charges (14%) are the predominant responses. The U.S. DOJ and FBI are most visible, with extensive public–private collaboration supporting operations.
read more →

Russian Cyber Threats to the 2026 Winter Olympics Overview

🔐 This Unit 42 analysis outlines the evolving Russian cyber threat to the Milano Cortina 2026 Winter Olympics, framing Russia’s IOC exclusion as a geopolitical grievance that raises the risk of disruptive operations. It reviews historical GRU-linked campaigns against prior Games and projects plausible scenarios ranging from destructive OT malware to AI-driven deepfakes and V2X manipulation. The report recommends zero‑trust visibility, IoT anomaly detection, telemetry verification, and micro‑segmentation to reduce operational impact.
read more →

Threat Source: Resilience, trends, and hard truths

📰 Hazel Burton opens this Threat Source newsletter by acknowledging how difficult it can be to stay engaged with the news and suggests small, human respites—like the U.K. show Taskmaster—to remind readers creativity and levity persist under pressure. On the technical side, Cisco Talos Incident Response’s Q4 2025 report shows exploitation of public-facing applications remains the leading initial access vector (down from 62% to ~40%), while phishing and credential harvesting rose and ransomware incidents fell to 13% with Qilin still common. The newsletter urges rapid patching, correct MFA configuration and monitoring, and comprehensive logging to detect suspicious activity.
read more →

Interlock Ransomware: New Techniques, Same Old Tricks

🔒 Fortinet's FortiGuard Incident Response describes a protracted Interlock intrusion that targeted education organizations, linking MintLoader initial access to NodeSnakeRAT and Interlock RAT implants. The report highlights a novel process-killer, Hotta Killer, that abuses a signed but vulnerable gaming anti-cheat driver (CVE-2025-61155) in a BYOVD technique to terminate security processes. Operators exfiltrated about 250 GB using AZCopy before deploying JavaScript and ELF ransomware across Windows and Nutanix hosts. FortiGuard recommends blocking unnecessary remote-access tools, restricting PowerShell egress, and monitoring anomalous driver installations.
read more →

FBI Seizes RAMP Ransomware Forum, Disrupting Market

🚨The FBI has seized the dark‑web forum RAMP, replacing its clear‑ and dark‑web sites with law‑enforcement seizure banners and redirecting domains to ns1.fbi.seized.gov and ns2.fbi.seized.gov. The banner, attributed to the FBI, DOJ and the US Attorney’s Office for the Southern District of Florida, mocked the forum’s “ransomware allowed” stance. Forum administrator “Stallman” confirmed the takedown and said he will not rebuild. Analysts say the action disrupts low‑tier actors, may yield valuable intelligence and will have limited impact on top‑tier groups.
read more →