All news with #ransomware tag

SpyCloud: Identity Blind Spots Raise Ransomware Risk

🔒 The SpyCloud 2025 Identity Threat Report exposes a gap between confidence and capability: 86% of security leaders say they can prevent identity-based attacks, yet 85% of organizations experienced ransomware in the past year, with over one-third hit six to ten times. A survey of 500+ security leaders in North America and the UK highlights identity sprawl across SaaS, unmanaged devices and third-party ecosystems. The report notes phishing, credential reuse and exposed sessions increasingly enable persistent access. It warns that most organizations lack automated remediation, repeatable workflows and formal investigation protocols.

Co-op Reports £80M Operating Loss After Cyberattack

🔒 The Co-operative Group reported an £80 million operating profit loss in H1 2025 after an April cyberattack disrupted systems and trading. Management attributed the shortfall to £20 million of one‑off remediation costs and £60 million in lost sales while systems were offline, and said revenue fell by £206 million. The breach, linked to DragonForce and affiliates of Scattered Spider, exposed personal data for all 6.5 million members; four suspects have since been arrested. Despite the impact, Co-op reported £800 million of available liquidity and no immediate funding concerns.

Talos: New PlugX Variant Targets Telecom and Manufacturing

🔍 Cisco Talos revealed a new PlugX malware variant active since 2022 that targets telecommunications and manufacturing organizations across Central and South Asia. The campaign leverages abuse of legitimate software, DLL-hijacking techniques and stealthy persistence to evade detection, and it shares technical fingerprints with the RainyDay and Turian backdoors. Talos describes the activity as sophisticated and ongoing. Organizations should update endpoint, email and network protections, review DLL-hijack mitigations and proactively hunt for related indicators.

17-Year-Old Suspected in Vegas Casino Cyberattacks Released

🔒 A 17-year-old hacker who surrendered on charges tied to sophisticated cyber intrusions against Las Vegas casinos between August and October 2023 has been released into his parents' custody under family court supervision. Authorities link the incidents to the Scattered Spider group and the deployment of BlackCat/ALPHV ransomware that disrupted operations and exposed staff and customer data. The judge imposed strict conditions including residence at a registered parental address, prohibition on leaving Clark County, internet use limited to educational purposes, and restrictions on phones and electronics, with immediate detention for violations. Prosecutors say the suspect may still control about $1.8 million in Bitcoin and are seeking additional charges and to try him as an adult.

Threatsday Bulletin: Rootkits, Supply Chain, and Arrests

🛡️ SonicWall released firmware 10.2.2.2-92sv for SMA 100-series appliances to add file checks intended to remove an observed rootkit, and moved SMA 100 end-of-support to 31 October 2025. The bulletin also flags an unpatched OnePlus SMS permission bypass (CVE-2025-10184), a GeoServer RCE compromise affecting a U.S. federal agency, and ongoing npm supply-chain and RAT campaigns. Defenders are urged to apply patches, rotate credentials, and enforce phishing-resistant MFA.

Co-op Reports £206m Revenue Loss After Cyberattack

🛒 The Co-op revealed a £206m revenue shortfall resulting from a “malicious” cyber-attack in April after it temporarily shut down multiple systems to contain the threat. The retailer recorded an overall six-month loss of £80m to 5 July 2025 and said sales disruption is likely to continue into H2 2025. No remediation breakdown was provided, although a one-off non-underlying cost of £20m was logged. The intrusion has been linked to Scattered Spider, and UK authorities have made several arrests related to this and similar retail attacks.

Tech Surpasses Gaming as Top DDoS Target Q1-Q2 2025

🛡️ The Gcore Radar Q1–Q2 2025 report shows a 41% year-on-year rise in DDoS attacks, with total incidents reaching 1.17 million and a record 2.2 Tbps peak. Attacks are getting longer, more sophisticated, and increasingly multi-vector, with technology (≈30%) overtaking gaming (19%) as the primary target. Gcore emphasizes integrated WAAP and global filtering capacity to mitigate these risks.

Report: Many Indian Suppliers Pose Global Supply Risks

🔍 SecurityScorecard's assessment found that 53% of selected Indian vendors experienced at least one third-party breach in the past year, with outsourced IT operations and managed service providers representing 63% of those incidents. The study evaluated 15 prominent Indian suppliers across 10 industries using security ratings based on patching cadence, DNS health, IP reputation, and endpoint, network and app security, and concluded that 27% of vendors received an F while 25% earned an A. It recommends continuous monitoring of third- and fourth-party ecosystems, prioritizing certificate management and patching, and using cybersecurity ratings to inform procurement and ongoing vendor oversight.

NCA Arrests Man Linked to HardBit Ransomware Disruption

🔒 British investigators arrested a man in his forties in West Sussex in connection with a suspected ransomware outbreak that disrupted flights across Europe. The National Crime Agency said the suspect was released on conditional bail and the probe remains at an early stage. Security researchers have linked the incident to the HardBit variant, which affected ARINC vMUSE systems and forced airlines to revert to paper processes amid repeated reinfections.

Top Cyber Recovery Vendors and Platform Capabilities

🔒 Ineffective recovery processes and increasingly sophisticated ransomware are driving adoption of Cyber Recovery approaches that isolate and validate backups before restoring systems. Modern platforms combine immutable snapshots, sandboxed restores, and automated forensics with AI/ML-based detection to identify safe restore points and reduce downtime. Vendors highlighted include Acronis, Cohesity, Commvault, Dell, Druva, Rubrik, Veeam, Zerto.

Ransomware-Enabled Heist and npm Worm Supply-Chain Threats

🔒 Ransomware can do more than encrypt files — it can disable alarms and create physical security vulnerabilities. In a recent episode of the Smashing Security podcast, hosts discuss how a ransomware-related outage at the Natural History Museum in Paris preceded a late-night theft of €600,000 in gold. The show also covers a new npm supply-chain worm dubbed Shai Hulud that has infected over 180 packages and quietly exfiltrated secrets, plus odd stories about ads appearing on consumer appliances.

Retail at Risk: Single Alert Reveals Persistent Threat

🔍 A single Microsoft Defender alert triggered an investigation that uncovered a persistent cyberthreat against retail customers. Attackers exploited unpatched SharePoint flaws CVE-2025-49706 and CVE-2025-49704 using obfuscated ASPX web shells while also compromising identities through self-service password reset abuse and Microsoft Entra ID reconnaissance. DART swiftly contained the intrusions—removing web shells, isolating Entra ID, deprivileging accounts, and recommending Zero Trust measures, MFA enforcement, timely patching, and EDR deployment.

Obscura: New Ransomware Variant Targeting Domains Globally

🔒 On 29 August 2025 Huntress analysts identified a previously unseen ransomware variant they named Obscura after its embedded ransom note. The binary was placed in the domain NETLOGON scripts folder, enabling propagation via AD replication, and the actor created scheduled tasks to run it across hosts. Obscura requires administrative privileges, attempts to delete volume shadow copies and terminates roughly 120 security and backup processes. It uses Curve25519/X25519 key exchange and XChaCha20 for file encryption and writes a decoded ransom note to C:\README-OBSCURA.txt.

UK Arrests Suspect After RTX MUSE Ransomware Hits Airports

🛫 The UK's National Crime Agency arrested a man in his forties in West Sussex on suspicion of Computer Misuse Act offences linked to a ransomware attack that disrupted airports across Europe. RTX Corporation confirmed the incident affected its Collins Aerospace MUSE passenger processing software, first detected on September 19. The suspect has been released on conditional bail while the probe, supported by the South East ROCU and other agencies, remains in its early stages. Affected customers shifted to backup and manual processes while RTX and external cybersecurity experts work to contain and remediate the impact.

Ransomware Speed Crisis: Defending at Machine Pace

⚠️ Ransomware attacks have accelerated to machine speed, often completing exfiltration and impact in minutes rather than days. Unit 42 research documents a dramatic decline in mean time to exfiltrate, driven by AI automation, initial access brokers and RaaS, which together enable highly targeted, fast-moving campaigns. Organizations now need AI-powered detection, automated containment and unified XDR visibility across endpoints, network and cloud to stop threats in real time. Human analysts remain vital but must operate alongside automated systems to focus on hunting and strategic response.

One Weak Password Topples 158-Year-Old Transport Firm

🔒 KNP Logistics Group, a 158-year-old UK transport firm, collapsed after the Akira ransomware group accessed an employee account by guessing a weak password. Attackers bypassed protections by targeting an internet-facing account without MFA, deployed ransomware across the estate, and destroyed backups, halting operations across 500 trucks and precipitating administration and 700 job losses. The incident underscores the urgent need for strong password policies, MFA, and isolated, tested backups.

Feds Tie Scattered Spider Duo to $115M in Ransoms

🔒 U.S. prosecutors have charged 19‑year‑old Thalha Jubair as a core member of Scattered Spider, alleging the group extorted at least $115 million from victims. Jubair and an alleged co‑conspirator, 18‑year‑old Owen Flowers, appeared in London court facing accusations tied to high‑profile attacks on retailers, public transit and U.S. healthcare providers. Authorities say the complaint links Jubair to a network of SIM‑swapping, SMS phishing and ransomware operations and to cryptocurrency servers used to launder proceeds.

YiBackdoor Linked to IcedID and Latrodectus Code Overlaps

🔒 Zscaler ThreatLabz disclosed a new malware family named YiBackdoor that shares notable source-code overlaps with IcedID and Latrodectus. First observed in June 2025 with limited deployments, YiBackdoor can execute arbitrary commands, collect system information, capture screenshots, and load encrypted plugins to expand capabilities. It uses anti-analysis checks, injects into svchost.exe, persists via a Run registry entry that invokes regsvr32.exe with a randomized name, and fetches commands from an embedded encrypted configuration over HTTP. Zscaler warns it could be leveraged to gain initial access for follow-on exploitation, including ransomware.

Extending Zero Trust to the Storage Layer: Resilience

🔒 Applying zero trust to the storage layer is no longer theoretical — it is now essential to ensure recovery. The author describes ransomware incidents, including Change Healthcare in February 2024, where attackers deliberately targeted backups and recovery points, exposing storage as a primary attack surface. He recommends three operational principles — control where data is touched, control who and when, and make critical backups immutable — and ties those measures to governance, policy-as-code, and executive outcomes.

Hoppegarten IT outage continues after August cyberattack

🔒 The municipality of Hoppegarten in Brandenburg is still recovering from a hacker attack that forced its IT systems to be shut down on August 10. As of September 22, remediation remains ongoing, with central services such as email, telephone, and citizen services restored. Communication with subordinate institutions, including schools and daycare centers, remains disrupted. Authorities say the State Criminal Police Office is investigating a suspected attempted data encryption, possibly tied to an extortion attempt.