All news with #ransomware tag
Thu, September 18, 2025
Microsoft 365: Why Its Dominance Creates Major Risk
🔒 Microsoft 365 has become the central nervous system of modern business, and its market dominance has turned the platform into a lucrative target for attackers. With over 400 million paid seats and tightly integrated apps like Outlook, SharePoint, Teams and OneDrive, a single compromise can cascade across services. Organizations must close backup gaps, adopt zero trust, enforce MFA and deploy cross-application threat detection to reduce catastrophic exposure.
Thu, September 18, 2025
CountLoader Expands Use by Russian Ransomware Groups
🔒 Researchers have identified CountLoader, a multi‑language malware loader used by Russian ransomware affiliates and initial access brokers to deploy post‑exploit tools such as Cobalt Strike, AdaptixC2 and the commercial PureHVNC RAT. Appearing in .NET, PowerShell and JavaScript flavors, the loader has been observed in PDF phishing campaigns targeting Ukraine and employs LOLBins and multiple download/execution methods to evade detection. The JavaScript variant is most feature‑complete, offering diverse downloaders, execution paths and persistence via a Google‑update‑named scheduled task.
Thu, September 18, 2025
Microsoft Takedown Disrupts RaccoonO365 Phishing Service
🛡️ Microsoft's Digital Crimes Unit has seized 338 domains to dismantle the Phishing‑as‑a‑Service platform RaccoonO365, which enabled low‑skilled actors to deploy convincing Microsoft login pages. The DCU reports the service compromised more than 5,000 accounts across 94 countries since July 2024 and could bypass MFA to maintain persistent access. Operators marketed AI enhancements to scale attacks and collected at least $100,000 in cryptocurrency, prompting legal action to disrupt the infrastructure and seize control of the platform.
Thu, September 18, 2025
Zscaler ThreatLabz: Global Ransomware Surge 2024–2025
🔒 Zscaler's annual ThreatLabz Ransomware Report (April 2024–April 2025) warns of a marked rise in extortion-focused attacks: incidents increased 146% year-over-year while exfiltrated data grew 92%. The vendor attributes this to a strategic shift from pure encryption to data theft and public shaming, with criminals using stolen files as leverage. Researchers also report that generative AI is increasingly incorporated into attackers' playbooks to enable more targeted and efficient campaigns. The U.S. accounted for half of all recorded attacks, Germany saw a nearly 75% rise and is the EU's most affected country, and the most-targeted sectors were manufacturing, technology and healthcare.
Thu, September 18, 2025
Insight Partners Discloses 2024 Ransomware Breach Impacting
🔒 Insight Partners disclosed a ransomware attack that occurred around 25 October 2024 but was first detected on 16 January 2025. The firm says a sophisticated social engineering attack enabled a threat actor to exfiltrate data and encrypt servers before being expelled the same day. About 12,657 individuals may be affected; the firm offers free identity-theft protection and urges password resets and MFA.
Thu, September 18, 2025
Protecting SMBs From Ransomware: Trends and Defenses
🔒 Small and medium-sized businesses are increasingly targeted by ransomware gangs that exploit weak defenses, offer Ransomware-as-a-Service, and adapt tactics with AI-driven tools. RaaS industrialization and discoveries like ESET's PromptLock demonstrate how attackers can scale reconnaissance, exploitation and social engineering. SMBs face double-extortion, DDoS and coercive pressures while repeat payments remain an issue despite a decline in aggregate crypto payouts. Practical defenses—Zero Trust, timely patching, reliable backups, EDR/MDR and tested incident response—can materially reduce risk.
Thu, September 18, 2025
NCA to Lead Five Eyes Effort Against 'The Com' Networks
🔒 The UK's National Crime Agency will chair the Five Eyes Law Enforcement Group (FELEG) and concentrate on disrupting cybercrime, money laundering and online sexual abuse of children over the next two years. The NCA singled out loosely affiliated, native English-speaking networks known as 'The Com', which operate across messaging apps, gaming platforms and forums and share violent and child-abuse material. It also linked these groups to data-theft and extortion campaigns involving actors such as Scattered Spider, ShinyHunters and Lapsus$, citing incidents affecting retailers and luxury brands. FELEG has promoted the UK's Counter Terrorism Policing to full member status to strengthen responses to hybrid threats.
Thu, September 18, 2025
Brute-force Attacks Target SonicWall Cloud Backups
🔒 SonicWall warned that brute-force attacks against its firewall API used for cloud backups may have exposed preference files stored in customers' MySonicWall.com portals. The vendor has disabled the cloud backup capability and is urging admins to restrict or disable SSLVPN and Web/SSH management over the WAN, then reset passwords, keys, and secrets. Less than 5% of the install base had backups in the cloud, but that could still affect thousands of organizations. SonicWall has provided remediation guidance and will notify customers if their accounts show impacted serial numbers.
Wed, September 17, 2025
Insight Partners Notifies Thousands After Ransomware Breach
🔒 Insight Partners is notifying thousands of people after a ransomware incident in which a threat actor gained network access via a sophisticated social engineering attack. The attackers reportedly exfiltrated sensitive data — including banking and tax records, personal information of current and former employees, and details related to limited partners, funds, management companies, and portfolio companies — before encrypting servers on January 16, 2025. The firm says formal notification letters and complimentary credit or identity monitoring are being mailed; if you do not receive a letter by the end of September 2025, your personal data was determined not to be impacted. State filings indicate 12,657 individuals were affected, and no group has publicly claimed responsibility.
Wed, September 17, 2025
Evolving ClickFix Variants Lead to MetaStealer Deployments
🔍 Over the past fifteen business days, Huntress analysts observed an uptick in attacks that combine classic ClickFix social engineering with more advanced deployment techniques. A fake AnyDesk installer used a Cloudflare Turnstile lure that opened Windows File Explorer via the search-ms protocol to deliver an LNK payload disguised as a PDF and install an MSI that dropped MetaStealer. Separately, operators deployed Cephalus ransomware using DLL sideloading through the legitimate SentinelOne host binary, illustrating evolving tradecraft that mixes manual user interaction and technical evasion.
Wed, September 17, 2025
Microsoft and Cloudflare Disrupt RaccoonO365 Phishing
🔒 Microsoft and Cloudflare executed a coordinated takedown of RaccoonO365, a Nigerian-run phishing-as-a-service platform tracked by Microsoft as Storm-2246. The joint effort seized 338 domains and dismantled infrastructure that reportedly generated hundreds of millions of malicious messages and could bypass some MFA protections. Cloudflare removed intermediary Cloudflare Workers shields and deployed phish warning pages, while Microsoft pursued legal action and criminal referrals. The disruption exposed risks to healthcare providers and highlighted cross-border enforcement limits.
Wed, September 17, 2025
Why a Cisco Talos Incident Response Retainer Matters
🔒 A Cisco Talos Incident Response (IR) Retainer provides organizations with prioritized access to Talos' global threat intelligence and incident response specialists, combining proactive preparedness with rapid 24/7 mobilization. The retainer includes tailored IR plans, playbooks, readiness assessments, and tabletop exercises, plus proactive threat hunting using the PEAK Framework. Clients receive vendor-agnostic integration guidance, optional Cisco technology deployment, coordinated legal and PR support, and detailed post-incident reviews to reduce downtime and reputational harm.
Wed, September 17, 2025
RaccoonO365 Phishing Network Disrupted; 338 Domains Seized
🔒 Microsoft and Cloudflare coordinated a court-ordered disruption that seized 338 domains used by RaccoonO365, a phishing-as-a-service operation accused of harvesting over 5,000 Microsoft 365 credentials across 94 countries since July 2024. The takedown, executed between September 2–8, 2025, removed malicious Workers scripts, placed interstitial phish warnings, and suspended accounts to cut criminal access. RaccoonO365 was marketed by subscription and used legitimate services like Cloudflare Turnstile and Workers to harden phishing pages and evade detection.
Tue, September 16, 2025
Fifteen Ransomware Groups Announce Retirement Plans
🔒 Fifteen prominent ransomware groups, including Scattered Spider, ShinyHunters and Lapsus$, posted a collective statement on BreachForums announcing they are ceasing operations and entering a period of “silence.” The announcement framed their activity as exposing systemic vulnerabilities rather than pure extortion and said some members intend to retire on accumulated funds while others will continue studying systems quietly. Analysts and threat intelligence experts cautioned this could be a temporary PR move, noting past groups have rebranded or spawned successors rather than vanishing permanently.
Tue, September 16, 2025
Jaguar Land Rover Extends Production Pause After Cyberattack
🔒 Jaguar Land Rover has extended a pause in production for another week as it continues a forensic investigation into a severe cyberattack disclosed on 2 September 2025. The automaker said operations will remain suspended until Wednesday 24 September 2025 while it prepares a controlled global restart. JLR confirmed some data was stolen but has not attributed the breach to a known group. A group calling itself Scattered Lapsus$ Hunters posted screenshots and claimed to have deployed ransomware.
Tue, September 16, 2025
HybridPetya: Petya/NotPetya Copycat Adds UEFI Bypass Threat
🔒 ESET researchers have identified a new ransomware strain named HybridPetya that mimics the Petya/NotPetya family while adding UEFI-targeting capabilities. The malware weaponizes CVE-2024-7344 to bypass UEFI Secure Boot on unpatched systems, enabling persistent bootkit-style compromise. HybridPetya is not currently observed spreading in the wild but represents at least the fourth known bootkit with Secure Boot bypass functionality.
Tue, September 16, 2025
HybridPetya Bootkit Bypasses Secure Boot to Encrypt MFT
🔒 Researchers at ESET have identified HybridPetya, a bootkit-style ransomware that mimics Petya/NotPetya by targeting the NTFS Master File Table (MFT). Unlike destructive predecessors, HybridPetya functions as true ransomware and can reconstruct victim decryption keys from an installation key, with an analyzed sample demanding €850 in Bitcoin. The threat bypasses UEFI Secure Boot by exploiting CVE-2024-7344 in a Microsoft-signed EFI component to load an unsigned cloak.dat, replace the Windows bootloader, crash the system to force a reboot, and run prior to OS startup to encrypt the disk with Salsa20 while displaying a fake CHKDSK message.
Tue, September 16, 2025
Senator Probes Microsoft over Continued RC4 Use in Kerberos
🔒 Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft for its continued use of the RC4 encryption algorithm. The letter highlights a technique called Kerberoasting, which exploits Kerberos ticket encryption to extract service account credentials. The complaint raises concerns about lingering support for weak ciphers in enterprise authentication.
Mon, September 15, 2025
HybridPetya Resembles NotPetya and Adds UEFI Bootkit
🔒 ESET Research identified HybridPetya on VirusTotal in February 2025, with filenames implying a connection to the destructive NotPetya outbreak. The strain encrypts the NTFS Master File Table using Salsa20 and deploys a UEFI bootkit on the EFI System Partition to ensure firmware‑level persistence. One variant exploits CVE-2024-7344 to bypass UEFI Secure Boot via a signed but vulnerable Microsoft component, yet retains a working decryption mechanism for victims. Analysts found no signs of self-propagation like NotPetya, but the combination of pre-boot compromise and MFT encryption raises significant concern.
Mon, September 15, 2025
Experts Say Scattered Spider 'Retirement' Is a Smokescreen
🕵️ Scattered Spider and roughly 15 affiliated ransomware and cybercrime groups posted a joint manifesto on BreachForums claiming to 'go dark' after recent arrests. Experts point to inconsistencies — an unlikely coalition, rapid timing, and no observed money‑movement — and call the announcement a likely smokescreen. They warn organizations not to lower their guard and to assume tactics and infrastructure remain active, taking immediate hardening steps.