All news with #ransomware tag

September 2025 Cyber Threats: Ransomware and GenAI Rise

🔍 In September 2025, global cyber-attack volumes eased modestly, with organizations facing an average of 1,900 attacks per organization per week — a 4% decline from August but a 1% increase year-over-year. Beneath this apparent stabilization, ransomware activity jumped sharply (up 46%), while emerging GenAI-related data risks expanded rapidly, changing attacker tactics. The report warns that evolving techniques and heightened data exposure are creating a more complex and consequential threat environment for organizations worldwide.

ThreatsDay: Teams Abuse, MFA Hijack, $2B Crypto Heist

🛡️ Microsoft and researchers report threat actors abusing Microsoft Teams for extortion, social engineering, and financial theft after hijacking MFA with social engineering resets. Separate campaigns use malicious .LNK files to deliver PowerShell droppers and DLL implants that establish persistent command-and-control. Analysts also link over $2 billion in 2025 crypto thefts to North Korean‑linked groups and identify AI-driven disinformation, IoT flaws, and cloud misconfigurations as multiplying risk. Defenders are urged to harden identity, secure endpoints and apps, patch exposed services, and limit long-lived cloud credentials.

Velociraptor Abused in Ransomware Attacks by Storm-2603

🔐 Cisco Talos confirmed ransomware operators abused Velociraptor, an open-source DFIR endpoint tool, to gain arbitrary command execution in August 2025 by deploying an outdated agent vulnerable to CVE-2025-6264. Talos links the activity with moderate confidence to Storm-2603 based on overlapping tooling and TTPs. Operators used the tool to stage lateral movement, deploy fileless PowerShell encryptors, and deliver multiple ransomware families, severely disrupting VMware ESXi and Windows servers.

Kantsu’s Ransomware Crisis: Recovery, Costs, and Lessons

🔒 Kantsu, a midsize Japanese logistics firm, was hit by ransomware on Sept. 12, 2024 that encrypted servers, cut communications, and halted shipping operations for hundreds of clients. The company refused to pay a ransom, shut down networks, replaced PCs, and rebuilt its cloud WMS Cloud Thomas on AWS while using analog processes to maintain critical shipments. Executives prioritized speed, cash availability, and employee welfare during an expensive recovery process that exposed gaps in cyber insurance.

Smashing Security: Mouse Eavesdropping and Ransomware

🖱️ A recent episode of the Smashing Security podcast examines how commonplace devices and online behaviour can create unexpected security risks. Hosts discuss academic work that turns a standard computer mouse into an acoustic eavesdropping sensor, showing how a malicious webpage could exploit peripheral hardware. They also consider a ransomware crew’s reputation problems, and round out the episode with lighter items such as a quirky baked potato hack and a literary detour to Paraguay.

Qilin Ransomware Claims Data Theft from Asahi Brewery

🔒 The Qilin ransomware group has added Japanese brewer Asahi to its data leak site, claiming exfiltration of over 9,300 files totaling 27GB and publishing 29 images of internal financial documents, employee IDs, contracts, and reports. Asahi suspended operations at six facilities after a September 29 cyberattack and confirmed a ransomware-caused disruption with evidence of data theft. The company says production of its flagship Super Dry has resumed via a temporary manual ordering system, though full operations are not yet restored and new product launches are postponed.

London police arrest teenagers after nursery data doxing

🔒 Two 17-year-old suspects were arrested in Bishop's Stortford on suspicion of blackmail and computer misuse after an investigation into the doxing of children following a ransomware attack on a chain of London nurseries. The incident aligns with a September 25 breach affecting Kido nurseries, where a group known as Radiant Group claimed to have stolen sensitive data and photos of over 1,000 children. Attackers posted some images and addresses on a dark web leak site and later removed the files on October 2 after failing to extort the company and making threatening calls to parents. Nursery software provider Famly said its infrastructure was not breached, while UK authorities described the case as deeply distressing and said investigations continue.

Chaos Ransomware Evolves: Faster, Smarter, More Destructive

⚠️ Chaos-C++ is a resurfaced C++ ransomware strain identified in 2025 that combines fast AES encryption, deliberate deletion of very large files, and a clipboard-hijacking capability to steal cryptocurrency payments. It employs a stealthy downloader that masquerades as a system optimizer, uses Windows CryptoAPI where available and a weaker XOR fallback otherwise, and appends a .chaos extension to affected files. Victims also see destructive post-infection commands that remove shadow copies and hinder recovery, and ForsGuard detections are available for protection.

LockBit, Qilin and DragonForce Form Ransomware Alliance

🔒 Three major ransomware groups — LockBit, Qilin, and DragonForce — have announced a strategic alliance aimed at sharing techniques, infrastructure, affiliates, and operational resources to amplify extortion campaigns worldwide. The announcement follows LockBit's resurgence and the unveiling of LockBit 5.0, which is advertised to target Windows, Linux, and ESXi systems. Security firms warn the partnership could rebuild affiliate trust, increase attacks on critical infrastructure and diversify threats across multiple industry sectors.

Met Police Arrest Two Teens Over Nursery Ransomware

🔒 Two teenage boys were arrested in Bishop's Stortford on suspicion of computer misuse and blackmail following a ransomware attack on the Kido nursery group, the Metropolitan Police said. Referred to the Met by Action Fraud on 25 September, investigators allege attackers demanded £600,000 in Bitcoin after stealing names, addresses, contact details and photos of around 8,000 children via a Famly account. The group, which called itself "Radiant," reportedly contacted parents directly and posted some images on the dark web before blurring and later claiming deletion; the app provider says its infrastructure was not breached. The Met described the arrests as a significant step while inquiries continue alongside partner agencies.

Autonomous AI Hacking: How Agents Will Reshape Cybersecurity

⚠️ AI agents are increasingly automating cyberattacks, performing reconnaissance, exploitation, and data theft at machine speed and scale. In 2023 examples include XBOW's mass vulnerability reports, DARPA teams finding dozens of flaws in hours, and reports of adversaries using Claude and HexStrike-AI to orchestrate ransomware and persistent intrusions. This shift threatens accelerated attacks beyond traditional patch cycles while presenting new defensive opportunities such as AI-assisted vulnerability discovery, VulnOps, and even self-healing networks.

Responding to Cloud Incidents: Investigation and Recovery

🔍 Unit 42 outlines a structured approach to investigating and responding to cloud incidents, noting that 29% of 2024 incident investigations involved cloud or SaaS environments. The guidance emphasizes a shift from endpoint-centric forensics to focus on identities, misconfigurations and service interactions. It recommends enabling and centralizing logs, retaining them for at least 90 days, and preparing for rapid evidence collection and VM/container imaging. The article stresses identity forensics, behavioral baselining and surgical containment to avoid alerting adversaries.

ShinyHunters Launch Extortion Site Targeting Corporates

🔓 A cybercrime collective known as ShinyHunters has launched a public extortion blog threatening to publish data stolen from dozens of major companies if ransoms are not paid. The group claims to have harvested Salesforce customer records via a May voice-phishing campaign, and also says it exfiltrated terabytes of files from a Red Hat GitLab server and Discord user data tied to a third-party provider. Security firms and affected vendors including Salesforce, Red Hat and Discord are investigating, while Google and other investigators link the activity to several related UNC clusters and warn of additional token thefts tied to Salesloft. Victim shaming, published exploit scripts for an Oracle E-Business Suite zero-day, and malware-laced threats have amplified the incident’s severity.

Oracle EBS Zero-Day Exploited by Clop Since August

🔒 CrowdStrike reports the Clop ransomware gang has been exploiting an Oracle E-Business Suite zero-day, CVE-2025-61882, since early August to steal sensitive documents. The flaw resides in the BI Publisher Integration of Concurrent Processing and allows unauthenticated remote code execution via a single HTTP request. Oracle issued a patch and warned customers to apply updates immediately as extortion emails tied to stolen EBS data are being circulated.

Qilin Claims Responsibility for Asahi Cyber Attack

🔒 The Qilin ransomware group has claimed responsibility for a cyber-attack on Japan's Asahi Group, asserting it exfiltrated about 27 GB of files containing employee personal data and sensitive business documents. Consumer site Comparitech listed the data on Qilin's leak site on October 7, and Asahi has confirmed an earlier ransomware incident involving an 'unauthorized transfer of data'. The breach disrupted order, shipment and call-centre operations as the brewer implemented manual processes while investigating.

Disrupting Threats Targeting Microsoft Teams Environments

🛡️ Microsoft Threat Intelligence details how adversaries exploit Microsoft Teams collaboration capabilities—chat, calls, meetings, and screen sharing—at multiple stages of the attack chain. The post chronicles 2024–2025 campaigns and toolsets (phishing, malvertising, deepfakes, device code phishing, and red‑team tool reuse) that enable initial access, persistence, and exfiltration. It emphasizes layered defenses across identity, endpoints, apps, data, and network controls, and provides detection guidance, hunting queries, and product-specific recommendations to help defenders disrupt these operations.

Qilin Ransomware Disrupts Mecklenburg County Schools

🔒 A Russian-linked ransomware group, Qilin, has claimed responsibility for a September 2, 2025 attack that disrupted Mecklenburg County Public Schools and said it exfiltrated 305 GB of data, including financial records, grant documents, budgets and children’s medical files. The attack forced teachers offline for about a week while internet systems were restored. Superintendent Scott Worner said the district does not currently intend to pay the ransom and is still assessing the scope, urging other districts to review cyber-insurance and preparedness.

From Ransom to Revenue Loss and Recovery Costs for Business

🔒 Ransomware now inflicts costs far beyond ransom payments, driving operational downtime, reputational damage, and regulatory exposure that directly erode the bottom line. The 2025 Unit 42 report shows median initial extortion demands rose to $1.25M and commonly equate to about 2% of perceived annual revenue. While roughly 48% of victims paid in 2024, Unit 42 negotiation reduced median paid demands to about 0.6% of PAR, yet attackers’ disruptive tactics increasingly amplify recovery costs. Strengthening backups, segmentation, and an incremental zero trust posture are key to limiting impact and shortening recovery timelines.

XWorm 6.0 Returns with 35+ Plugins and Enhanced Theft

🛡️ Trellix researchers detail the return of XWorm 6.0, a modular Windows malware now supporting more than 35 in‑memory DLL plugins and expanded data-theft and persistence capabilities. The actor associated with earlier releases, known as XCoder, is of uncertain status, but v6.0—advertised on forums in June 2025—appears to address a prior RCE flaw while enabling credential theft, keylogging, screen capture, and optional ransomware. Campaigns use phishing, malicious JavaScript, LNK-based PowerShell chains, and process injection to evade detection and execute plugins directly in memory.

Discord Confirms Customer Data Breach via Third-Party

🔒 Discord has disclosed a data breach after a third-party customer support provider was compromised, allowing a ransomware actor to access limited customer information. Potentially exposed data includes names, Discord usernames, contact details, last four digits of payment cards, IP addresses, messages with support agents and a small number of government ID images submitted for age appeals. Discord says no passwords, full card numbers or CVVs were accessed and is contacting affected users and authorities.