All news with #ransomware tag

ENISA: Phishing Drives Most EU Cyber Intrusions in 2024–25

📣 The EU security agency's ENISA Threat Landscape 2025 report, analyzing 4,875 incidents from 1 July 2024 to 30 June 2025, finds phishing was the initial access vector in 60% of intrusions, with vulnerability exploitation at 21%. Botnets and malicious applications accounted for 10% and 8% respectively, and 68% of intrusions led to follow-up malware deployment. ENISA highlights AI-powered phishing exceeded 80% of social engineering globally by early 2025 and warns of attacks aimed at critical digital supply chain dependencies and high-value targets such as outdated mobile and OT systems.

Modern Business Continuity and Disaster Recovery Basics

🛡️ Modern disaster recovery and business continuity require a ground-up rebuild to address distributed data, evolving cyberthreats, climate-driven disruptions, and strict breach-reporting obligations. Key elements include executive sponsorship, standing interdisciplinary teams, AI-assisted discovery and classification, continuous and immutable backups aligned with a 3-2-1-1-0 approach, and the design of a minimum viable business to restore core functions. Frequent, gamified tabletop exercises and automated validation complete a resilient program.

Clop-Linked Extortion Emails Claim Oracle E-Business Theft

📧 Mandiant and Google are tracking a high-volume extortion email campaign that began on or before September 29, 2025, in which executives received messages claiming sensitive data was stolen from Oracle E-Business Suite systems. The emails are being sent from hundreds of compromised accounts and include contact addresses tied to the Clop data leak site, indicating a potential connection to the Clop/FIN11 extortion operation. Investigators caution there is not yet sufficient evidence to confirm actual data theft and recommend organizations check their Oracle environments for unusual access or compromise.

Ransomware Incident at Dealer Software Vendor Exposes Data

🔒 A ransomware attack on Motility Software Solutions on August 19, 2025, encrypted portions of its systems and may have exposed personal information for approximately 766,000 customers. The DMS vendor supports about 7,000 dealerships and stores data including names, emails, phone numbers, dates of birth, Social Security numbers, and driver’s license numbers. Motility restored systems from backups, implemented additional security measures, and is offering one year of identity monitoring through LifeLock to affected individuals.

Google Drive for Desktop Adds AI Ransomware Detection

🔒 Google has begun rolling out an AI-powered ransomware detection feature for Google Drive for desktop. The feature automatically pauses syncing of affected files on Windows and macOS when it detects signs of ransomware, protecting cloud copies though it does not prevent local file encryption. Administrators may disable detection or file restoration via the Admin console, and alerts require Drive version 114 or later.

EU Agency: Cyber Threat Landscape in Europe Worsens

⚠️ ENISA reports the EU cyber threat landscape has worsened, identifying ransomware as the single most damaging threat due to widespread encryption and costly recoveries. By frequency, DDoS incidents dominate (77% of reported cases), though they typically cause shorter-lived outages. The agency's analysis of 4,875 incidents from July 2024 to June 2025 also highlights concentrated attacks on public administration and a rapid rise in AI-assisted social engineering.

Manufacturing Disruptions from Targeted Cyberattacks

⚠️Recent cyberattacks forced production halts at Jaguar Land Rover and Asahi, underscoring that operational disruption is now a primary objective for threat actors. JLR paused production after an August 31 compromise attributed to the Scattered Lapsus$ Hunters group, reportedly using vishing to obtain credentials, while Asahi halted orders and shipments following a systems failure. Experts emphasize that attackers exploit phishing, unpatched systems, and supply‑chain weaknesses, and urge layered defenses such as zero trust, MFA, PAM, micro‑segmentation, continuous monitoring, and air‑gapped backups to preserve business continuity.

Data Leak at Kido Kindergartens Exposes Children's Data

🚨 A ransomware group calling itself Randiant claims to have attacked UK childcare operator Kido, publishing names, photos, addresses and family contact details for ten children from one of Kido's London nurseries and threatening to release further data unless a ransom is paid. The attackers' leak page alleges data on more than 8,000 children was exfiltrated. Kido has not yet issued a public statement; London police say an investigation is ongoing. Kido also operates sites in the United States, India and China.

Manufacturing Cyber Risk Escalates: Executive Priorities

⚠️Manufacturing organizations now face an average of 1,585 cyberattacks per week, a 30% year‑over‑year rise, and ransomware remains the predominant threat. Incidents can incur losses that reach hundreds of millions and in some cases force insolvency. Deep supplier connectivity amplifies exposure because a single compromised vendor can cascade disruption across industries. The report urges executives to prioritize resilience, segmentation, and third‑party risk management.

Medusa Ransomware Tried to Recruit BBC Journalist Insider

🧑‍💻 Threat actors claiming to represent Medusa contacted BBC cybersecurity correspondent Joe Tidy via Signal in July, offering him a cut of any ransom in exchange for providing access to BBC systems. They initially offered 15% of the paid ransom, later adding an extra 10% and even proposing 0.5 BTC placed in escrow. When Tidy hesitated, the actors launched MFA bombing attempts; he alerted the BBC security team and was disconnected from corporate systems as a precaution.

UK backs Jaguar Land Rover with £1.5 billion loan guarantee

🔒 The UK Government has granted Jaguar Land Rover a £1.5 billion loan guarantee via UK Export Finance's Export Development Guarantee (EDG) to help the automaker recover after a severe cyberattack halted production and forced system shutdowns. The guarantee backs a commercial bank loan rather than direct state lending, reducing lender risk so JLR can secure larger, better-priced financing and immediate liquidity to pay suppliers. Repaid over five years, the measure is intended to stabilise the supply chain and protect thousands of jobs while JLR works with the NCSC, law enforcement and cybersecurity specialists during a phased return to manufacturing.

Weekly Recap: Cisco 0-day, Record DDoS, New Malware

🛡️ Cisco firewalls were exploited in active zero-day attacks that delivered previously undocumented malware families including RayInitiator and LINE VIPER by chaining CVE-2025-20362 and CVE-2025-20333. Infrastructure and cloud environments faced major pressure this week: Cloudflare mitigated a record 22.2 Tbps DDoS while misconfigured Docker instances enabled ShadowV2 bot operations. Researchers also disclosed Supermicro BMC flaws that could allow malicious firmware implants, and ransomware actors increasingly abuse exposed AWS keys. Prioritize patching, firmware updates, and cloud identity hygiene now.

September 2025 security roundup — key incidents and guidance

🔐 Tony Anscombe reviews the top cybersecurity stories for September 2025 and highlights their implications for defenders. Incidents include disruptions at major European airports after a ransomware attack on Collins Aerospace, a prolonged outage at Jaguar Land Rover following an IT breach, and a large npm supply‑chain compromise that drew a CISA alert. He also notes impersonation campaigns targeting macOS users with LastPass‑themed information‑stealers.

Surge in SonicWall SSL VPN Attacks by Akira Actors

🔒 Security experts warn of a sharp increase in activity from Akira ransomware operators targeting SonicWall SSL VPN appliances, with intrusions traced to late July. Arctic Wolf links initial access to exploitation of CVE-2024-40766 and describes rapid credential harvesting that can enable access even to patched devices. Observed traces include hosting-provider-origin VPN logins, internal scanning, Impacket SMB activity and Active Directory discovery; organizations are advised to monitor hosting-related ASNs, block VPS/anonymizer logins and watch for SMB session patterns consistent with Impacket to detect and disrupt attacks early.

Akira Bypasses MFA on SonicWall VPNs via Reused Logins

🔐Akira ransomware operators are successfully authenticating to SonicWall SSL VPN accounts even when one-time password (OTP) multi-factor authentication is enabled. Arctic Wolf links the logins to credentials and OTP seeds harvested via an improper access control flaw tracked as CVE-2024-40766, and notes attackers can reuse those secrets after devices are patched. Once inside, actors rapidly scan internal networks, harvest backup server credentials, and use techniques such as BYOVD to sideload vulnerable drivers and disable protections. Administrators are urged to install the latest SonicOS (recommended 7.3.0) and reset all SSL VPN credentials immediately.

LockBit 5.0 Released: Faster ESXi Encryption, Evasion

🔒 LockBit 5.0 introduces faster ESXi drive encryption and enhanced evasion techniques, according to Trend Micro. The release includes Windows, Linux and VMware ESXi variants featuring heavy obfuscation, ETW patching, DLL reflection and hypervisor-targeted encryption designed to amplify impact. Researcher Jon DiMaggio describes the update as largely incremental fine-tuning and self-branding aimed at restoring affiliate trust after Operation Cronos.

Hidden Cybersecurity Risks of Deploying Generative AI

⚠️ Organizations eager to deploy generative AI often underestimate the cybersecurity risks, from AI-driven phishing to model manipulation and deepfakes. The article, sponsored by Acronis, warns that many firms—especially smaller businesses—lack processes to assess AI security before deployment. It urges embedding security into development pipelines, continuous model validation, and unified defenses across endpoints, cloud and AI workloads.

New COLDRIVER ClickFix Campaign Uses BAITSWITCH, SIMPLEFIX

🔍 Zscaler details a new COLDRIVER ClickFix campaign that deploys two lightweight families: BAITSWITCH, a DLL downloader, and SIMPLEFIX, a PowerShell backdoor. Victims are lured to execute a malicious DLL via a fake CAPTCHA; BAITSWITCH fetches SIMPLEFIX while presenting a Google Drive decoy. The chain stores encrypted payloads in the Windows Registry, uses a PowerShell stager, and clears the Run dialog to erase traces. Zscaler notes the campaign targets NGOs, human-rights defenders, think tanks, and exiles connected to Russia.

Roblox executors: cheat tools that bring security risks

⚠️ Downloading third-party Roblox "executors" — tools that inject and run unauthorized scripts in games — can lead to account bans and serious security incidents. Malicious actors distribute fake or trojanised versions of popular tools such as Synapse X and Solara, sometimes bundling ransomware or backdoors. These installers may ask users to disable antivirus protections, which is a clear warning sign. Parents should steer children toward official features and avoid unverified downloads to keep accounts and devices safe.

LockBit 5.0 Emerges as Most Dangerous Ransomware Variant

🔒 Trend Micro has identified a new LockBit variant, LockBit 5.0, which it calls significantly more dangerous than prior releases and has observed in the wild. The vendor confirmed Windows, Linux, and ESXi binaries featuring faster encryption, removal of infection markers, randomized 16-character extensions and enhanced evasion. The Windows build includes a cleaner affiliate UI with detailed execution options, while the ESXi variant represents a critical escalation by enabling encryption of multiple virtual machines from a single payload. Researchers note substantial code reuse from 4.0, suggesting an evolutionary update rather than a rebrand.