< ciso
brief />
Tag Banner

All news with #ransomware tag

464 articles · page 14 of 24

DroidLock Android Malware Locks Devices, Demands Ransom

🔒 Zimperium researchers uncovered a new Android malware family called DroidLock that locks victims’ screens, steals messages and call data, and can remotely control devices via VNC. The threat targets Spanish-speaking users and is distributed through malicious websites that impersonate legitimate apps and deliver a dropper which installs a secondary payload. The payload requests Device Admin and Accessibility privileges to perform actions such as wiping devices, changing lock credentials, recording audio, starting the camera, and placing overlays that capture lock patterns. Operators serve a ransom WebView directing victims to contact a Proton email and threaten permanent file destruction within 24 hours if unpaid.
read more →

November 2025: Ransomware and GenAI Drive Cyber Attacks

🛡️ In November 2025, organizations faced an average of 2,003 cyber-attacks per week, a 3% rise from October and 4% above November 2024. Check Point Research attributes the increase to a surge in ransomware, broader attack surfaces and growing exposure from internal use of generative AI tools. The education sector was hit hardest, averaging 4,656 attacks per organization per week. These trends elevate operational, data and recovery risks across industries.
read more →

01flip: Rust-Based Multi-Platform Ransomware Targeting APAC

🔐 Unit 42 identified 01flip, a new Rust‑based ransomware family observed in June 2025 that targets both Windows and Linux via Rust cross‑compilation. The malware enumerates writable directories, drops RECOVER-YOUR-FILE.TXT ransom notes, renames files with a .01flip extension, and encrypts victims with AES‑128‑CBC while protecting session keys with an embedded RSA‑2048 public key. Observed victims are a limited set in the Asia‑Pacific region, and an alleged data dump appeared on a dark‑web forum after at least one infection.
read more →

DeadLock Ransomware Uses BYOVD to Disable Endpoint Defenses

🔒 Cisco Talos detailed a campaign where a financially motivated actor deployed DeadLock ransomware using a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint protections by exploiting a Baidu driver flaw (CVE-2024-51324). A custom loader invoked the vulnerable driver to issue kernel-level commands that killed security processes; PowerShell scripts then escalated privileges, stopped backup and security services, and erased shadow copies. The C++ payload (compiled July 2025) injects into rundll32.exe, uses a custom stream cipher with time-based keys to append ".dlock" and waits roughly 50 seconds to evade sandboxes; communications and ransom negotiations occurred via Session. Organizations should enforce MFA, maintain strong endpoint controls and keep regular offline backups.
read more →

BYOVD Loader Used to Disable EDR in DeadLock Ransomware

🔐 Cisco Talos reported a novel Bring Your Own Vulnerable Driver (BYOVD) loader used to disable endpoint security and deliver DeadLock ransomware. The attacker exploited a Baidu Antivirus driver vulnerability (CVE-2024-51324) via a loader named EDRGay.exe and driver DriverGay.sys to terminate EDR processes at kernel level. A PowerShell payload bypassed UAC, disabled Windows Defender, stopped backup and database services, and removed all volume shadow copies. DeadLock uses a custom timing-based stream cipher and extensive kill and exclusion lists to encrypt files while avoiding system corruption.
read more →

STAC6565 Targets Canada; Gold Blade Deploys QWCrypt

🛡️ Sophos links nearly 40 intrusions from Feb 2024 to Aug 2025 to STAC6565, a cluster assessed to overlap the criminal group Gold Blade (aka RedCurl/Red Wolf). The campaign shows an unusually narrow geographic focus — almost 80% of attacks targeted Canadian organizations — and combines targeted data theft with selective ransomware deployment using QWCrypt. Attack chains abuse recruitment platforms to deliver multi‑stage loaders such as RedLoader and tools designed to evade AV and disable recovery, often leveraging WebDAV, Cloudflare Workers and program‑compatibility execution paths.
read more →

Manufacturing Sees Fewer Encryptions but Ransom Risks

🔒 A recent Sophos study finds the manufacturing sector is blocking more ransomware before encryption, with only 40% of attacks resulting in data encryption this year versus 74% in 2024. Despite improved containment, data theft remains high (39% of encrypted cases) and more than half of affected firms paid ransoms; the median payment was about €861,000. Shortages of skilled staff, unknown vulnerabilities and inadequate protections are cited as root causes, and attacks are increasing stress and leadership pressures within IT teams.
read more →

Ransomware in Manufacturing: Lower Encryption, High Payouts

🔒 A Sophos study finds manufacturing firms are increasingly able to stop ransomware before encryption occurs, with only 40% of attacks leading to data encryption — the lowest rate in five years and down from 74% the prior year. Despite improved defenses, data theft remains a major concern: 39% of encrypted incidents resulted in data loss. More than half of affected companies still paid ransoms, with a median payment of about €861,000 versus median demands near €1 million. Respondents cited skills shortages, unknown vulnerabilities and missing protections as key contributors, and attacks continue to strain IT and leadership teams.
read more →

Marquis data breach affects over 74 US banks, credit unions

🔒 Financial software provider Marquis Software Solutions disclosed a ransomware intrusion on August 14, 2025, after attackers breached a SonicWall firewall and exfiltrated certain files. The incident potentially impacted roughly 400,000 customers across 74 banks and credit unions and involved names, contact details, Social Security and Taxpayer IDs, account information (no security codes), and dates of birth. Marquis says there is no confirmed misuse or publication of the data to date and is notifying affected institutions and state regulators while implementing enhanced security measures, including MFA, patching, account cleanup, and tightened firewall policies.
read more →

Deep Dive: DragonForce Ransomware Cartel and Spider

🔍 DragonForce is a ransomware-as-a-service group that re-emerged in 2023 and has rebranded as a self-described "ransomware cartel," recruiting affiliates with generous revenue shares and customizable encryptors. Recent variants exploit vulnerable drivers like truesight.sys and rentdrv2.sys to disable security controls and shore up earlier encryption flaws. Its partnership with Scattered Spider combines elite social-engineering initial access with deployable ransomware, elevating risk to organizations globally.
read more →

UK Plans Ransomware Payment Ban With Security Exemptions

🔒 The UK government plans to ban ransomware payments for public sector and critical national infrastructure, while requiring other businesses to notify authorities if they intend to pay attackers. Announced after a public consultation and detailed in a September policy paper, the measure will include national security exemptions to avoid creating impossible choices for essential services. Security Minister Dan Jarvis said the move is a priority and that adoption will proceed when parliamentary time allows, with ongoing coordination across government and allied states.
read more →

AI, Automation and Integration: Cyber Protection 2026

🔒 In 2025 threat actors increasingly used AI—deepfakes, automated scripts, and AI-generated lures—to scale ransomware, phishing, and data-exfiltration attacks, exposing gaps between siloed security and backup tools. Publicly disclosed ransomware victims rose sharply and phishing remained the dominant initial vector, overwhelming legacy protections. Organizations are moving to AI-driven automation and unified detection, response, and recovery platforms to shorten dwell time and streamline compliance.
read more →

German, Swiss Authorities Shut Crypto Mixer, Seize €25M

🔒 Investigators from Germany and Switzerland have shut down a cryptocurrency mixing service and seized server infrastructure, securing crypto assets with a converted value of around €25 million. Authorities say the platform, cryptomixer.io, was active since 2016 and allowed anonymous deposits and withdrawals. The operators are suspected of commercial money laundering and running a criminal trading platform; evidence including servers and email accounts was seized in Switzerland.
read more →

Europol Takes Down Cryptomixer Bitcoin Mixing Service

🔒 Europol, working with Swiss and German authorities, has seized over €25m in Bitcoin and taken control of the Cryptomixer service following coordinated actions in Zurich between 24 and 28 November. Three servers, the cryptomixer.io domain and more than 12 terabytes of data were confiscated, and a seizure banner replaced the site after law enforcement shut down the hybrid mixing platform. Since its founding in 2016, Cryptomixer is believed to have processed more than €1.3bn in Bitcoin and was widely used to obfuscate proceeds from ransomware, drug and weapons trafficking, and payment card fraud.
read more →

Police Seize Cryptomixer and €24M in Bitcoin Servers

🔒 Law enforcement in Switzerland and Germany dismantled the Cryptomixer cryptocurrency-mixing service during Operation Olympia, seizing three servers, the cryptomixer.io domain, and about €24 million in Bitcoin. Europol and Eurojust supported the operation. Cryptomixer had been used to obfuscate proceeds from ransomware, drug and weapons trafficking, and payment card fraud by pooling and redistributing funds across many addresses, often taking a commission for the service.
read more →

Asahi Data Breach Exposes Personal Details of 1.9M

🔒Asahi Group Holdings confirmed a ransomware-driven data breach discovered in September that affected up to 1.9 million people. The company says personal information including names, genders, addresses, phone numbers and email addresses was exfiltrated, and the Qilin ransomware group claimed responsibility and published sample files. Production and shipping were suspended during the incident and system restoration is ongoing. Asahi reports no payment card data was exposed and has opened a dedicated contact line for affected individuals.
read more →

Malicious LLMs Equip Novice Hackers with Advanced Tools

⚠️ Researchers at Palo Alto Networks Unit42 found that uncensored models like WormGPT 4 and community-driven KawaiiGPT can generate functional tools for ransomware, lateral movement, and phishing. WormGPT 4 produced a PowerShell locker and a convincing ransom note, while KawaiiGPT generated scripts for credential harvesting and remote command execution. Both are accessible via subscriptions or local installs, lowering the bar for novice attackers.
read more →

Retailers Brace for Holiday Fraud, Not Major Breach Spike

🔒 Huntsman Security's analysis of ICO reports from Q3 2024 to Q2 2025 indicates the retail and manufacturing sector experienced only minor seasonal peaks, with 1,381 incidents overall and quarterly counts clustered in the mid-300s. The firm reported 618 breaches caused by brute force, misconfigurations, malware, phishing and ransomware, and urged a shift to continuous assurance so defenses do not drift into vulnerable states. Other vendors cautioned that more than half of recent ransomware incidents occurred on weekends or holidays, while researchers warned of AI-enabled fake e-commerce sites, typosquatted domains and package-tracking scams targeting shoppers.
read more →

Multiple London councils' IT systems hit by cyberattack

🔒 The Royal Borough of Kensington and Chelsea and Westminster City Council are experiencing widespread service disruptions after a cybersecurity incident that also affected the London Borough of Hammersmith and Fulham. Several systems including phone lines were taken offline and councils activated emergency plans to preserve critical services. Officials say they shut down affected systems as a precaution while working with specialist incident responders and the National Cyber Security Centre. Security researchers indicate the outage stems from a ransomware attack on a shared services provider; investigations and efforts to restore services are ongoing.
read more →

Ransomware Alliances Drive Large October Attack Surge

🔴 A seasonal surge and new alliances between ransomware groups drove a 41% month-on-month jump in attacks from September to October, NCC Group reports. Qilin was the most active actor, blamed for 170 of 594 incidents (29%), followed by Sinobi and Akira. The rise coincides with LockBit 5.0 realigning with DragonForce and Qilin, and the emergence of newcomers such as The Gentlemen. Organisations are urged to reinforce monitoring, staff awareness, and secure backups ahead of the peak threat season.
read more →