< ciso
brief />
Tag Banner

All news with #ransomware tag

464 articles · page 15 of 24

Trend Micro: Agentic AI Poised to Power Ransomware

🚨 Trend Micro warns agentic AI will increasingly automate attacks next year, with state-backed actors leading innovation before cybercriminals adopt the approach. Researchers say agentic systems — capable of taking autonomous actions — could chain discovery, exploitation and persistence steps, enabling less-skilled operators to run complex intrusions. The firm urges defenders to treat agents as privileged users and apply least-privilege, monitoring and assume-breach practices.
read more →

Ransomware Targets AWS S3 via Cloud Key Abuse Tactics

🔐 A Trend Micro report warns that ransomware groups are shifting from on-premises targets to cloud object storage, particularly AWS S3, by abusing integrated encryption and key management. Attackers probe configurations from AWS-managed KMS keys to customer-provided and external key stores to encrypt or irreversibly lock data. The report urges hardening S3 settings, enforcing least privilege, enabling versioning and Object Lock, and isolating backups.
read more →

Qilin Ransomware Investigation: Huntress Forensics Analysis

🔍 Huntress Labs detailed a Qilin ransomware investigation in which visibility was constrained because their agent was installed after the compromise and only on a single endpoint. Analysts correlated managed antivirus alerts, Windows Event Logs, AmCache, PCA logs, and VirusTotal to reconstruct a timeline showing a rogue ScreenConnect RMM deployment, attempts to run infostealer binaries, tampering with Windows Defender, and likely ransomware execution from another host. The report stresses validating artifacts across multiple sources to avoid false assumptions and inform accurate remediation.
read more →

Ransomware Shifts Focus to AWS S3 Buckets and Keys

🔐 A Trend Micro analysis warns ransomware actors are increasingly targeting cloud storage by abusing AWS-native encryption and key management to render S3 data unrecoverable. Attackers probe buckets with disabled versioning or Object Lock, exploit wide write permissions, and weaponize SSE-KMS, SSE-C, BYOK and XKS to seize control of keys. Researchers recommend least-privilege IAM, enable versioning/Object Lock, isolate backups, and continuously monitor audit logs. An "assume breach" posture and short-lived credentials are urged to limit impact.
read more →

UK, US and Allies Sanction Russian Bulletproof Hosters

🔒 Western allies have announced coordinated sanctions targeting three bulletproof hosting providers — Media Land, ML.Cloud and Aeza Group — and four associated Russian executives, including Alexander Volosovik (aka Yalishanda). The measures, backed by the UK, US and Australia, also named UK-registered front Hypercore and aim to seize assets and cut access to legitimate banking channels. Authorities say the hosts supported numerous ransomware and infostealer operations, and Five Eyes nations published guidance to help ISPs and defenders mitigate malicious activity enabled by such services.
read more →

ShinySp1d3r RaaS Emerges - New Encryptor by ShinyHunters

🕷️ An in-development build of the ShinySp1d3r ransomware-as-a-service has surfaced, revealing a Windows encryptor developed by threat actors linked to ShinyHunters and affiliates. The sample shows ChaCha20 file encryption with RSA-2048 key protection, per-file headers beginning with "SPDR" and ending with "ENDS", and automated propagation methods via SCM, WMI, and GPO. The build includes process-killing, EtwEventWrite hooking, free-space overwriting, shadow-copy deletion, anti-analysis measures, and deploys a ransom note (R3ADME_1Vks5fYe.txt) plus a wallpaper; Linux and ESXi versions are reportedly in progress.
read more →

Hijacked VPN Credentials Drive Half of Ransomware Access

🔐 Beazley's Q3 2025 analysis shows ransomware activity rose, with three groups — Akira, Qilin and INC Ransomware — responsible for 65% of leak posts and an 11% increase in leaks versus the prior quarter. Initial access increasingly relied on valid VPN credentials (48% of incidents, up from 38%), with external service exploits accounting for 23%. The report highlights an Akira campaign abusing SonicWall SSLVPNs via credential stuffing where MFA and lockout controls were absent, and warns that stolen credentials and new infostealer variants like Rhadamanthys are fuelling the underground market. Beazley urges adoption of comprehensive MFA, conditional access and continuous vulnerability management to mitigate risk.
read more →

Akira Ransomware Expands to Nutanix AHV and Linux Servers

⚠️CISA, the FBI and international partners warn that the Akira ransomware gang has extended its attack surface beyond Windows, VMware ESXi and Hyper‑V to now target Nutanix AHV and Linux servers. The group exploits exposed VPNs, unpatched network appliances and backup platforms, rapidly exfiltrates data and employs a double‑extortion model. Akira uses tunneling tools like Ngrok, remote‑access abuse (AnyDesk, LogMeIn), and cryptography (ChaCha20 with RSA) to encrypt and leak files. Organizations should prioritize MFA, timely patching, segmented networks and protection of backup and hypervisor consoles.
read more →

U.S. Launches Strike Force Against Chinese Crypto Scams

🚨The U.S. Department of Justice, U.S. Attorney's Office, FBI and Secret Service have created the Scam Center Strike Force to disrupt Chinese-operated cryptocurrency scam networks that reportedly steal nearly $10 billion from Americans annually. The team focuses on tracing illicit funds, seizing cryptocurrency and coordinating international partners to dismantle scam infrastructure based in Southeast Asia. Authorities say many operations run from criminal compounds where workers are victims of trafficking. More than $401 million in crypto has already been seized and additional forfeiture actions are underway.
read more →

Ransomware Fragmentation Peaks as LockBit Re-emerges

🔒 Q3 2025 saw an unprecedented decentralization of ransomware, with Check Point Research tracking a record 85 active groups and roughly 1,592 disclosed victims across numerous leak sites. Despite enforcement actions and multiple takedowns, affiliates quickly reconstitute or rebrand, spawning 14 new ransomware brands this quarter. The return of LockBit 5.0 — with updated Windows, Linux and ESXi variants and individualized negotiation portals — suggests a possible shift back toward centralization, while marketing-driven actors like DragonForce further complicate attribution and response.
read more →

Kraken Ransomware Benchmarks Hosts to Choose Encryption

🔒 The Kraken ransomware targets Windows and Linux/VMware ESXi hosts and runs on-host benchmarks to decide whether to perform full or partial encryption. Cisco Talos researchers found it creates temporary files, times encryption of random data, and uses the result to select an encryption mode that maximizes damage while avoiding overloads. Before encrypting it deletes shadow volumes, stops backup services, appends .zpsc to files, and drops a readme_you_ws_hacked.txt ransom note. The group continues big‑game hunting and data theft for double extortion and has launched a forum called 'The Last Haven Board'.
read more →

CISA: Akira Ransomware Now Targets Nutanix AHV VMs

🛡️ U.S. cybersecurity agencies warn that the Akira ransomware operation has expanded to encrypt Nutanix AHV virtual machine disk files, with the first confirmed incident in June 2025. Akira Linux encryptors have been observed targeting .qcow2 virtual disk files directly rather than using AHV management commands. The advisory cites exploitation of SonicWall CVE-2024-40766 and includes new IOCs and mitigation recommendations.
read more →

Ransomware Fragmentation and Rising Attacks in Q3 2025

🔍 The ransomware landscape in Q3 2025 reached a critical inflection point: despite law enforcement takedowns earlier in the year, attacks remained at historically high levels. Check Point Research identified 1,592 new victims across 85 active extortion groups, a 25% year‑over‑year increase. While major brands such as RansomHub and 8Base disappeared, numerous smaller actors rapidly filled the void, driving unprecedented RaaS fragmentation and complicating response efforts.
read more →

CISA Updates Advisory: Akira Ransomware Evolution Update

🔐 CISA and partner agencies published an updated advisory on Nov. 13, 2025, detailing new indicators, tactics, and detection guidance related to Akira ransomware. The update documents expanded targeting across Manufacturing, Education, IT, Healthcare, Financial, and Food and Agriculture, and links activity to groups such as Storm-1567 and Punk Spider. Key findings include exploitation of edge and backup vulnerabilities, use of remote management tools for defense evasion, and a faster, more destructive Akira_v2 variant that complicates recovery.
read more →

CISA, FBI and Partners Issue Guidance on Akira Ransomware

🛡️ CISA, FBI, DC3, HHS and international partners released updated guidance to help organizations mitigate the evolving Akira ransomware threat. The advisory details new indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by the group, which primarily targets small and medium-sized businesses but has also struck larger organizations across multiple sectors. It strongly urges immediate actions such as regular backups, enforcing multifactor authentication, and prioritizing remediation of known exploited vulnerabilities.
read more →

Kraken Ransomware: Cross-Platform Big-Game Hunting

🐙 Kraken is a Russian-speaking ransomware group active since February 2025 that conducts double-extortion, big-game hunting campaigns across multiple regions. In a documented intrusion Talos observed, attackers exploited SMB flaws for access, used Cloudflared for persistence, exfiltrated data via SSHFS, then deployed cross-platform encryptors for Windows, Linux and ESXi. The family includes on-host benchmarking to tune encryption, and Talos maps detections and IOCs to Cisco protections to aid response.
read more →

UK Cyber Insurance Payouts Surge 230% to £197m in 2024

🔍 The UK cyber insurance sector paid £197m to policyholders in 2024, a 230% increase on the previous year, driven largely by more damaging malware and ransomware incidents that now account for 51% of claims. The ABI says insurers issued 17% more policies over the period while higher payouts reflect growing threat sophistication and larger recovery costs. Insurers are tightening underwriting and requiring stronger resilience, offering services such as expert advice, threat monitoring and incident response support as part of coverage to reduce future losses.
read more →

Synnovis Notifies NHS of Patient Data Theft After Ransomware

🔒 Synnovis has notified NHS organisations that a June 2024 ransomware incident resulted in the theft of patient data, including names, NHS numbers, dates of birth, and some test results. The company says the exfiltrated files were unstructured and fragmented, requiring specialist analysis to reassemble. Synnovis confirmed no ransom was paid, is coordinating notifications with affected trusts and expects to complete notifications by 21 November 2025. The incident has been linked to the Qilin ransomware operation.
read more →

Qilin Ransomware Activity Surges, Targeting SMEs in 2025

🔐 Researchers at S-RM report a surge in activity by the Qilin ransomware-as-a-service operation, which leverages unpatched VPNs, single-factor remote access and exposed management interfaces to gain initial access. While some high-profile incidents hit healthcare, most victims are small-to-medium businesses in construction, healthcare and finance. S-RM also observed affiliates from Scattered Spider using Qilin’s platform, and noted new extortion channels including Telegram and public leak sites. The firm urges routine patching, widespread MFA adoption, network segmentation and proactive monitoring.
read more →

CPU Spike Reveals RansomHub Intrusion Before Ransomware

🔍 Varonis responded after a server CPU spike exposed an active intrusion later attributed to RansomHub affiliates. The attacker gained initial access via a SocGholish JavaScript masquerading as a browser update, then deployed a persistent Python-based SOCKS proxy and automated reconnaissance to hunt credentials and enumerate Active Directory. Within hours the actor obtained Domain Admin privileges and initiated broad discovery and exfiltration; Varonis developed an unpacker, identified IOCs, and coordinated containment and remediation that prevented ransomware with zero downtime.
read more →