< ciso
brief />
Tag Banner

All news with #ransomware tag

464 articles · page 13 of 24

INTERPOL Nets 574 Arrests Across Africa, Ransomware Case

🛡️ INTERPOL coordinated Operation Sentinel between Oct. 27 and Nov. 27, 2025, recovering $3 million and prompting the arrest of 574 suspects across 19 African countries. The campaign targeted business email compromise, digital extortion and ransomware, taking down over 6,000 malicious links and decrypting six ransomware variants. Authorities disrupted fraud rings that stole more than $400,000 and seized devices and servers. Separately, a Ukrainian national pleaded guilty for his role as a Nefilim ransomware affiliate.
read more →

Interpol Operation Sentinel Leads to 574 Arrests in Africa

🔍 Operation Sentinel, coordinated by Interpol, resulted in 574 arrests across Africa during the month-long campaign from 27 October to 27 November. Authorities recovered $3m in alleged cybercrime proceeds, decrypted six ransomware variants and removed around 6,000 malicious links and domains. Key interventions included halting a $7.9m fraudulent wire transfer in Senegal and recovering 30TB of data encrypted in an attack on a Ghanaian financial institution. The operation involved national forces and industry partners such as Team Cymru and Trend Micro.
read more →

Interpol Sentinel: Decrypts Ransomware, 574 Arrests

🔐 Interpol-led Operation Sentinel, run from October 27 to November 27 across 19 countries, resulted in 574 arrests and the recovery of $3 million tied to business email compromise, extortion, and ransomware. Investigators decrypted six ransomware strains and removed more than 6,000 malicious links. Private-sector partners such as Trend Micro, TRM Labs and Team Cymru supported attribution, takedowns and freezing of proceeds. Multiple country-level seizures and arrests targeted prolific scam infrastructures in West and Central Africa.
read more →

RansomHouse upgrades to multi-layered dual-key RaaS

🔐 Palo Alto Networks' Unit42 reports that RansomHouse has upgraded its ransomware-as-a-service to a multi-layered, dual-key encryption model that significantly complicates recovery. The new encryptor, tracked as Mario, generates a 32-byte primary and an 8-byte secondary key and performs interlocking encryption passes that hinder linear decryption. Targeting VMware ESXi hosts and backups (e.mario files) and paired with the MrAgent deployment utility, the change raises impact and undermines static signature detection.
read more →

RansomHouse upgrades encryptor with multi-layered processing

🔒 RansomHouse has upgraded its encryptor to a multi-layered variant called 'Mario', shifting from a single-pass linear transform to a two-stage process that uses a 32-byte primary key and an 8-byte secondary key. The change increases entropy, speeds processing, and aims to improve reliability on modern targets. It also introduces dynamic chunk sizing with intermittent encryption for files over 8GB, complicating static analysis. The updated binary targets VM files, appends the .emario extension, drops a How To Restore Your Files.txt ransom note, and Unit 42 warns this upgrade makes decryption and reverse engineering notably harder.
read more →

Clop Targets Internet-Exposed Gladinet CentreStack Servers

🔒 The Clop ransomware gang is actively targeting Internet-exposed Gladinet CentreStack file servers in a new extortion campaign, with incident responders reporting ransom notes on compromised systems. Gladinet has issued multiple security updates since April to address several flaws, some disclosed as zero-days. It remains unclear whether Clop is exploiting a fresh zero-day or targeting unpatched instances. Threat data shows 200+ IPs exposing CentreStack login pages and potentially at risk.
read more →

Adios 2025: Ransomware, AI Abuse, and Manufacturing Hits

📌 2025 left a clear imprint: ransomware operations matured into highly organized, profitable cartels such as Qilin, industrial targets like Jaguar Land Rover suffered major operational and financial damage, and early reports of AI-orchestrated espionage raised concerns about automated, scalable kill chains. Talos highlights week’s headlines—Fortinet zero-days (CVE-2025-59718, CVE-2025-59719), Microsoft update regressions affecting WSL VPNs, and a large AWS crypto-mining campaign driven by compromised IAM credentials. The guidance is pragmatic: double down on identity and access management, monitor service accounts, prioritize incident response basics, and care for your people to reduce burnout heading into 2026.
read more →

US Seizes E-Note Exchange Linked to Ransomware Laundering

🛑 Law enforcement seized servers and domains of the E-Note cryptocurrency exchange, accused of laundering more than $70 million originating from ransomware attacks and account takeovers. Authorities confiscated e-note.com, e-note.ws and jabb.mn, removed mobile apps, and obtained customer databases and transaction records. The DOJ has indicted Russian national Mykhalio Petrovich Chudnovets on one count of money laundering conspiracy; he faces up to 20 years in prison but has not been arrested. The seized records may help identify additional cybercriminals and the network of money mules used to move and convert illicit funds.
read more →

North Korea Steals Over $2bn in Crypto During 2025

🚨Chainalysis reports North Korea's crypto thefts surged in 2025, exceeding $2bn and pushing the regime's cumulative haul to over $6.7bn. The firm says DPRK actors accounted for 60% of funds stolen this year, with the Bybit breach alone yielding an unprecedented $1.5bn; attackers are increasingly embedding IT workers inside exchanges and custodians to gain privileged access. They favor Chinese-language services, cross-chain bridges and mixers for laundering, while personal wallet thefts tripled in incidents but fell in average value to $713m overall.
read more →

Critical React2Shell Vulnerability Used in Ransomware Attack

🔴 Researchers observed the critical React2Shell vulnerability (CVE-2025-55182) being exploited to gain initial access and deploy the Weaxor ransomware in under a minute. The attacker executed an obfuscated PowerShell command to stage a Cobalt Strike beacon, disabled Windows Defender real‑time protection, and launched the encryptor. Encrypted files used the .WEAX extension while shadow copies were removed and event logs cleared to impede recovery and forensic analysis.
read more →

RansomHouse Upgrades: From Linear to Layered Encryption

🔒 Unit 42 analyzes a notable upgrade to RansomHouse (tracked as Jolly Scorpius) that replaces a simple linear encryptor with a more complex, multi-layered design. The revised encryptor, Mario, implements a two-stage scheme using a 32-byte primary key and an 8-byte secondary key, plus chunked and sparse file processing. These changes complicate static analysis and decryption and specifically target ESXi virtual and backup artifacts. Unit 42 highlights detection controls and mitigation guidance for defenders.
read more →

Hypervisors as Ransomware Targets: Risks and Controls

🔒 Hypervisors are increasingly attractive targets for ransomware because a single host compromise can expose dozens or hundreds of VMs. Huntress Labs reports hypervisor ransomware involvement jumped from 3% to 25% in the second half of 2025, with the Akira group a major driver. The article urges treating hypervisor security with the same rigor as endpoints: strict access controls, runtime hardening, timely patching, and immutable backups. It also recommends improved monitoring, SIEM integration, and annual recovery drills to ensure rapid restoration.
read more →

ESET Threat Report H2 2025: AI, Ransomware Trends Outlook

🔍 ESET's H2 2025 threat report documents rapid attacker innovation, including the first known AI-driven ransomware, PromptLock, which can generate malicious scripts on demand. The report also highlights a near-collapse of Lumma Stealer, a roughly thirtyfold surge in the CloudEyE downloader, and a sharp rise in ransomware victims and NFC-based Android fraud. It underscores evolving distribution and evasion techniques across platforms.
read more →

Creating a Practical Ransomware Playbook for Response

🛡️ Organizations must build a ransomware playbook that pairs planning, technology, and people to reduce disruption and protect business continuity. Regular tabletop exercises create the muscle memory experts recommend, clarifying decision authority, communications, and containment steps across legal, IT, and executive stakeholders. Prevention should be layered — prioritized patching, behavior-based EDR, email/phishing defenses, MFA, least-privilege controls, and verified offline backups — while recovery playbooks, pre-engaged legal and forensics contacts, and tested restore procedures speed remediation and limit reputational harm.
read more →

Maritime Cyber Crisis: US Ports at Systemic Risk Now

🛳️ A single vessel carrying orange juice concentrate illustrates systemic risk at US ports: one weekly ship supplies millions and a localized outage would ripple across supply chains. Recent policy gaps — a furlough of CISA/FEMA staff and the lapse of the Cybersecurity Information Sharing Act — increase exposure, while nation-state malware is reportedly pre-positioned. New Title 33 CFR mandates and scarce maritime cybersecurity talent create urgent operational shortfalls; facilities must prioritize practical resilience testing, penetration tests, and cross-sector collaboration.
read more →

Asahi Plans Cybersecurity Overhaul After Ransomware

🛡️ Asahi Group Holdings is accelerating a major cybersecurity overhaul after a ransomware attack in late September that exposed personal data for around two million people and disrupted operations. CEO Atsushi Katsuki told Bloomberg he will elevate cybersecurity to a top management priority and is considering a dedicated internal cybersecurity unit. The company plans to abandon VPNs in favor of a stricter zero-trust model and expects recovery and reconstruction efforts to run through February 2026.
read more →

VolkLocker Ransomware Exposed: Hard-Coded Master Key

🔓 VolkLocker, a new RaaS from the pro‑Russian group CyberVolk (GLORIAMIST), contains a critical implementation flaw that lets victims recover files without paying. Test samples embed a master key and write it in plaintext to the %TEMP% folder (system_backup.key), while using that same key for AES‑256‑GCM encryption. The Golang-built strain targets Windows and Linux, modifies the registry, deletes shadow copies, and uses Telegram automation for command-and-control and victim management.
read more →

VolkLocker RaaS Stumbles on Embedded Cryptography Flaw

🔐 SentinelOne researchers discovered that VolkLocker, a new RaaS from the pro-Russia group CyberVolk, embeds a master encryption key in the binary and also writes it in plaintext to a hidden file (%TEMP%\system_backup.key) on infected systems. The ransomware uses AES-256 in GCM but reuses the same master key for all files and never deletes the backup key, allowing some victims to decrypt files without paying. The public disclosure may help current victims but could prompt operators to fix the flaw.
read more →

DeadLock Ransomware Campaign and Weekly Threat Roundup

🛡️ Cisco Talos describes a new financially motivated campaign deploying DeadLock ransomware that uses a custom stream cipher with time-based keys to encrypt Windows hosts. The actor employs a Bring Your Own Vulnerable Driver (BYOVD) approach with a previously unseen loader to exploit the Baidu Antivirus driver vulnerability (CVE-2024-51324), enabling termination of EDR processes. Talos publishes Snort SIDs and multiple ClamAV detections and details lateral movement, anti-forensics, and selective encryption tactics aimed at complicating recovery.
read more →

Black Hat Europe 2025: Reputation and the Ransomware Economy

🔐 At Black Hat Europe 2025, Max Smeets of Virtual Rotes presented 'Inside the Ransomware Machine', examining LockBit and its affiliate-driven RaaS operations from 2022–2024. He highlighted how reputation shapes victim decisions and the attackers' need to be seen as reliable to secure payments. The talk warned that exposed cyber insurance details can guide extortion amounts and recommended segregating or air‑gapping insurance documentation.
read more →