< ciso
brief />
Tag Banner

All news with #ransomware tag

464 articles · page 11 of 24

ThreatsDay: Small Shifts, Big Cybersecurity Risks Ahead

🔎 This week's ThreatsDay bulletin highlights quiet but meaningful shifts where familiar tools and trusted platforms are repurposed to breach access, steal data, or launder funds. Law enforcement seized the RAMP forum while threat actors pivot to alternatives, creating operational churn and new exposures. Guidance from CISA on post‑quantum cryptography and urgent patches for Linux and Dormakaba systems underscore near‑term priorities amid rising phishing, supply‑chain, and ransomware activity.
read more →

Ransomware Data Leaks Surge in Q4 2025 Despite Fewer Groups

🔐 ReliaQuest analysis shows ransomware data leaks rose sharply in Q4 2025, with posts on leak sites up 50% quarter-on-quarter and 40% year-on-year. The researchers found fewer active ransomware groups overall, but top-tier RaaS operators increased their output and speed of execution. Qilin, Akira and Sinobi were the most prolific, with Qilin claiming 450+ victims. ReliaQuest urges stronger controls such as MFA and improved data-exfiltration monitoring to reduce impact.
read more →

Sicarii Ransomware Discards Keys, Risks Permanent Data Loss

⚠️ Halcyon researchers report a Sicarii ransomware variant that generates a fresh RSA key pair on each execution and immediately discards the private key, leaving encrypted files unrecoverable even if victims pay or use a provided decryptor. Analysts attribute the defect to poor key management or immature development, possibly involving AI-assisted tooling. Affected organizations should prioritize containment, isolate systems, and restore only from known-good, offline, or immutable backups rather than relying on ransom-based recovery.
read more →

US Charges 31 More Suspects in ATM Malware Jackpotting

🔐 A Nebraska federal grand jury indicted 31 additional defendants accused of participating in an ATM jackpotting operation that used Ploutus malware to steal millions from U.S. ATMs. Authorities say many suspects are Venezuelan or Colombian nationals tied to the gang Tren de Aragua, an organization recently designated by OFAC as a Foreign Terrorist Organization. Investigators allege attackers opened ATM housings, swapped or connected drives to load malware, deleted evidence, and forced machines to dispense cash; the stolen proceeds were split and laundered. The Justice Department has charged 87 TdA members in related cases over the past six months.
read more →

From Cipher to Fear: Psychology of Modern Ransomware

🔐 Modern ransomware has evolved from a technical encryption problem into a psychology-driven extortion industry where stolen data, legal exposure, and reputation risk are the primary levers. Flare's 2025 analysis documents a fragmented, collaborative attacker ecosystem and a shift to pressure-first tactics like public shaming and identity abuse. Security teams must expand playbooks beyond backups to include legal and communications readiness, targeted configuration audits, and prioritized remediation based on active exploit intelligence.
read more →

World Leaks Claims 188k Nike Files in Major Breach

🔒 Nike has entered incident response after the World Leaks ransomware group posted a claimed 188,000+ files from the company to its leak site, with the countdown expiring last Sunday and the full dump now live. The firm said it is investigating a potential cybersecurity incident and actively assessing the situation. Leaked folders reviewed by reporters include development, tech packs and evaluations, and schematics, indicating design and supply-chain materials may be exposed.
read more →

Multi-Stage Phishing Targets Russia with Amnesia RAT

🔒 Fortinet researchers detailed a multi-stage phishing campaign targeting Russian organizations that delivers the Amnesia RAT and Hakuna Matata ransomware. Attackers use business-themed decoy documents and malicious LNK files that fetch staged PowerShell loaders from GitHub while binary payloads are hosted on Dropbox. The chain abuses defendnot to disable Microsoft Defender, leverages Telegram bots for telemetry and exfiltration, and assembles payloads in memory to minimize disk artifacts. Targeted recipients include HR and payroll staff, enabling credential theft, surveillance, and destructive encryption.
read more →

NHS Calls for Stronger Supplier Cybersecurity Measures

🏥The NHS has issued an open letter (22 January) signaling more proactive engagement with suppliers to bolster cyber resilience across health and social care. The initiative builds on last year’s voluntary cybersecurity supply chain charter and responds to persistent ransomware and supply-chain threats. NHS England stresses this is not an audit but a partnership to identify risks and agree proportionate remediation. Expectations include MFA, patched systems, effective logging and immutable backups with tested recovery plans.
read more →

Ransomware Hits Verkehrsgesellschaft Main-Tauber Operations

🔒 The office and mobility centre of Verkehrsgesellschaft Main-Tauber (VGMT) are closed and offline after a confirmed cyberattack that encrypted the organisation’s servers and data. It is unclear whether sensitive information was stolen; investigations are ongoing with support from the Baden-Württemberg state cybersecurity agency, local police, district IT specialists and an external vendor. VGMT says public local transport remains unaffected while teams work to restore limited services under heightened security precautions.
read more →

Under Armour Investigates Alleged Leak of 72M Records

🔒 Under Armour is investigating claims that an unauthorized third party obtained customer data after the Everest ransomware group allegedly added the brand as a victim and claimed to have taken 343GB of information. Reports on 18 January 2026 said roughly 72 million email addresses and other personal details were posted on a hacking forum, and the incident was listed by Have I Been Pwned on 21 January. Compromised data is reported to include names, dates of birth, genders, geographic locations, purchase history and possibly phone numbers and some employee contact information. Under Armour says there is no evidence UA.com, payment processing systems or customer passwords were affected, and the company is working with external cybersecurity experts to investigate.
read more →

Building Cyber Readiness Early: Youth Education Imperative

🔐 Cyber security should begin in childhood, not only as a late-stage workforce specialization. The piece argues that threat actors target schools, hospitals, municipalities and small businesses as aggressively as large enterprises, and that waiting for workforce pipelines to mature leaves communities exposed. Early, practical education—covering ransomware awareness, phishing resistance, hands-on skills and teacher training—reduces immediate risk and strengthens future talent pools.
read more →

INC Ransomware Slip Reveals Cloud Backup Weaknesses

🔍 Florida-based Cyber Centaurs discovered that the INC ransomware group left behind Restic backup artifacts that exposed an S3-style cloud repository used to hold stolen files. By performing forensic, non-destructive enumeration with Restic semantics, investigators were able to locate and decrypt datasets belonging to 12 US firms. The team reported findings to law enforcement and highlighted practical remediation steps: audit backups, monitor for encrypted egress, and patch backup software promptly.
read more →

Osiris Ransomware Employs POORTRY Driver to Evade Detection

🔒 Symantec and Carbon Black disclosed a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025. The attackers deployed a bespoke malicious driver named POORTRY in a BYOVD-style technique to disable security tooling and elevate privileges, and they exfiltrated data to Wasabi cloud buckets using Rclone before encryption. Osiris uses a hybrid per-file encryption scheme that generates unique keys per file, can stop services and terminate processes, and targets numerous backup and productivity services; defenders are advised to limit RDP exposure, monitor dual‑use tools, enforce MFA, adopt application allowlisting where feasible, and maintain off-site backups.
read more →

INC ransomware OPSEC lapse allowed recovery for 12 US orgs

🔍 Cyber Centaurs conducted a forensic investigation after a client reported ransomware activity and found a RainINC variant executed from the PerfLogs directory. Analysts discovered artifacts tied to Restic — renamed binaries, PowerShell scripts (notably new.ps1 with Base64-encoded commands) and hardcoded S3 credentials — indicating long-lived attacker-controlled backup repositories. Using a controlled, non-destructive enumeration they recovered encrypted backups for 12 unrelated U.S. organizations across healthcare, manufacturing, technology, and services, preserved copies, and notified law enforcement. The team published findings, a list of tools observed in INC infrastructure, and YARA/Sigma rules to help defenders detect suspicious Restic usage and renamed binaries.
read more →

Ransomware Disrupts Conceptnet, Affecting Around 500 Clients

🔒 Conceptnet reported a ransomware attack that encrypted central systems, including web and email servers, after perpetrators gained access around 13 January 2026. The incident was detected, isolated and reported to authorities, and external forensics teams are assisting with recovery. The provider—supporting roughly 500 customers—has set up temporary websites for affected clients, which include REWAG, Stadtwerk Regensburg and SSV Jahn Regensburg, while a possible ransom demand and reports of AI use in the attack are under consideration.
read more →

Ransomware and Data Theft Hit Ingram Micro, 42K Affected

🔒 In July 2025 a ransomware attack on distributor Ingram Micro disrupted the company's logistics for about a week, impacting its U.S. headquarters and a German site. The company notified U.S. authorities that more than 42,000 people—current and former employees and job applicants—had personal data stolen, including names, contact details, dates of birth, identity document numbers and Social Security numbers. Documents from hiring processes and employee performance reviews were also exfiltrated, and the ransomware group Safepay, active since September 2024, claimed roughly 3.5 terabytes of data.
read more →

PDFSider Windows Backdoor Targeted Fortune 100 Firm

🔐 Researchers discovered a stealthy Windows backdoor named PDFSider during incident response at a Fortune 100 finance firm; the tool has been linked to Qilin ransomware operations and is now observed with multiple ransomware groups. Attackers used spearphishing with a ZIP containing a legitimately signed PDF24 Creator executable and a malicious cryptbase.dll to achieve DLL side-loading and bypass EDRs. The in-memory backdoor uses AES-256-GCM for encrypted C2, exfiltrates system data over DNS, launches commands via anonymous pipes to CMD, and employs anti-analysis checks to maintain long-term covert access.
read more →

At Davos: Cybersecurity as a Leadership Imperative

🔐At Davos, cybersecurity has risen to the top of the leadership agenda as geopolitical tensions, rapid AI adoption, and escalating cybercrime converge. Fortinet says this is now a systemic strategic challenge that requires board-level accountability, cross-sector collaboration, and resilience designed into operations. The company emphasizes responsible, enterprise-wide adoption of AI in security and stronger intelligence sharing. Initiatives like Fortinet’s Cybercrime Bounty and a Davos panel led by Derek Manky highlight practical, ecosystem-wide approaches to deter and disrupt cybercriminal markets.
read more →

Grubhub Confirms Data Theft, Faces Extortion Demand

🔒 Grubhub confirmed unauthorized actors downloaded data from certain systems and said it investigated, halted the activity, and is taking steps to strengthen its security posture. The company stated that financial information and order histories were not affected but declined to answer further questions about timing, affected users, or extortion. Grubhub said it is working with a third-party cybersecurity firm and law enforcement, while sources tell BleepingComputer that threat actors are demanding payment.
read more →

Ransomware gangs extort victims with compliance threats

🛡️ Ransomware groups are increasingly threatening victims with regulatory complaints in addition to data leaks, citing alleged violations of rules such as GDPR. Security vendors including Akamai report the tactic has grown over the past two years and is used by gangs like Anubis and Ransomhub to pressure high-compliance sectors such as healthcare. Experts warn AI accelerates the process by quickly identifying 'material' issues and producing legally framed complaints, tightening deadlines and raising stakes for victims.
read more →