< ciso
brief />
Tag Banner

All news with #ransomware tag

464 articles · page 16 of 24

Global Cyber Attacks Surge in October 2025: Ransomware Rise

📈 Check Point Research found a continued uptick in global cyber assaults in October 2025, with organizations experiencing an average of 1,938 attacks per week. That represents a 2% increase from September and a 5% rise year‑over‑year. The report attributes the growth to an explosive expansion of ransomware operations and emerging risks tied to generative AI, while the education sector remained the most heavily targeted. Security teams are urged to strengthen detection, patching and access controls to counter increasingly automated and AI‑assisted threats.
read more →

Yanluowang Broker Pleads Guilty to Ransomware Access

🔒 Aleksey Olegovich Volkov, a Russian national who used aliases including chubaka.kor and nets, has agreed to plead guilty to acting as an initial access broker for the Yanluowang ransomware group. Between July 2021 and November 2022 he sold credentials that enabled intrusions at eight U.S. companies and facilitated ransom demands ranging from $300,000 to $15 million. FBI warrants seized server logs, stolen data, chat histories and iCloud records linking Volkov to the scheme and to partial Bitcoin payments. He faces up to 53 years in prison and must pay more than $9.1 million in restitution.
read more →

Yanluowang Access Broker Pleads Guilty in Ransomware Case

🔒 A Russian national has pleaded guilty to acting as an initial access broker for the Yanluowang ransomware group, admitting to selling corporate network access used in attacks on at least eight U.S. companies between July 2021 and November 2022. FBI searches of a server tied to the operation recovered chat logs, stolen files, and victim credentials that linked payments and access to the defendant. Investigators traced the suspect through Apple iCloud data, cryptocurrency exchange records, and social media accounts, and blockchain analysis tied portions of ransom payments to addresses he provided. He faces decades in prison and more than $9.1 million in restitution.
read more →

Vibe-coded Ransomware Found in Microsoft VS Code Marketplace

🔒 Security researcher Secure Annex discovered a malicious extension in the Microsoft Marketplace that embeds "Ransomvibe" ransomware for Visual Studio Code. Once the extension activates, a zipUploadAndEcnrypt routine runs, applying typical ransomware techniques and using hard-coded C2 URLs, encryption keys and bundled decryption tools. The package appears to be a test build, limiting immediate impact, but researchers warn it can be updated or triggered remotely. Microsoft has removed the extension and says it will blacklist and uninstall malicious extensions.
read more →

Cyberattack Halts Dutch Broadcaster, Forces Vinyl Use

🎧 RTV Noord, a regional Dutch TV and radio broadcaster, reported a cyber incident on November 6, 2025, that blocked staff access to critical systems. Presenters on the "De Ochtendploeg" breakfast show resorted to playing CDs and LPs to stay on air. The attackers left a message on the network, prompting suspicion of ransomware, and the newsroom confirmed internal channels were limited to WhatsApp while services were restored.
read more →

Malicious Ransomvibe Extension Found in VSCode Marketplace

⚠️ A proof-of-concept ransomware strain dubbed Ransomvibe was published as a Visual Studio Code extension and remained available in the VSCode Marketplace after being reported. Secure Annex analysts found the package included blatant indicators of malicious functionality — hardcoded C2 URLs, encryption keys, compression and exfiltration routines — alongside included decryptors and source files. The extension used a private GitHub repository as a command-and-control channel, and researchers say its presence highlights failures in Microsoft’s marketplace review process.
read more →

Susvsex Ransomware Test Published on VS Code Marketplace

🔒 A malicious VS Code extension named susvsex, published by 'suspublisher18', was listed on Microsoft's official marketplace and included basic ransomware features such as AES-256-CBC encryption and exfiltration to a hardcoded C2. Secure Annex researcher John Tuckner identified AI-generated artifacts in the code and reported it, but Microsoft did not remove the extension. The extension also polled a private GitHub repo for commands using a hardcoded PAT.
read more →

Ransomware Breach: How Nevada's Systems Were Encrypted

🔒 The State of Nevada published a detailed after-action report describing how attackers used a trojanized system administration utility to establish persistent access and deploy ransomware across state infrastructure. The initial compromise occurred on May 14 and was detected on August 24, impacting more than 60 agencies and prompting a 28-day recovery that restored 90% of required data without paying a ransom. Nevada engaged external responders including Microsoft DART and Mandiant, and has since implemented account cleanups, password resets, certificate removals, and tightened access controls.
read more →

Cybersecurity Forecast 2026: AI, Cybercrime, Nation-State

🔒 The Cybersecurity Forecast 2026 synthesizes frontline telemetry and expert analysis from Google Cloud security teams to outline the most significant threats and defensive shifts for the coming year. The report emphasizes how adversaries will broadly adopt AI to scale attacks, with specific risks including prompt injection and AI-enabled social engineering. It also highlights persistent cybercrime trends—ransomware, extortion, and on-chain resiliency—and evolving nation‑state campaigns. Organizations are urged to adapt IAM, secure AI agents, and harden virtualization controls to stay ahead.
read more →

Ransomware Defense with the Wazuh Open Source Platform

🛡️Wazuh is a free, open-source security platform that provides SIEM and XDR capabilities to detect, prevent, and respond to ransomware. The article highlights Wazuh features such as file integrity monitoring, vulnerability detection, security configuration assessment, and automated active responses. It illustrates rule-based detections and automated remediation using practical examples (DOGE Big Balls, Gunra) and discusses Windows integration for VSS-based recovery. The coverage frames Wazuh as a practical, extensible tool for multi-layered ransomware defense.
read more →

U.S. Prosecutors Indict Three Over BlackCat Ransomware

🔒 Federal prosecutors have indicted three U.S. nationals accused of using BlackCat (ALPHV) ransomware to breach five companies between May and November 2023 and extort payments. The defendants—Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co‑conspirator—allegedly targeted firms in medical devices, pharmaceuticals, clinical care, engineering, and drone manufacturing. Two were employed by cybersecurity firms at the time; both employers say they cooperated with investigators.
read more →

Ex-Incident Response Staff Indicted for BlackCat Attacks

🔒 Three former incident response employees from DigitalMint and Sygnia have been indicted for allegedly carrying out ALPHV/BlackCat ransomware attacks on five U.S. companies between May and November 2023. Prosecutors say the defendants accessed networks, exfiltrated data, deployed encryption malware, and demanded ransoms ranging from $300,000 to $10 million, with one victim paying $1.27 million. Two named defendants face federal extortion and computer-damage charges that carry up to 20 and 10 years in prison respectively.
read more →

Rhysida Ransomware Uses Microsoft Signing to Evade Defenses

🛡️ Rhysida ransomware operators have shifted to malvertising and the abuse of Microsoft Trusted Signing certificates to slip malware past defenses. By buying Bing search ads that point to convincing fake download pages for Microsoft Teams, PuTTY and Zoom, they deliver initial access tools such as OysterLoader (formerly Broomstick/CleanUpLoader) and Latrodectus. Signed, packaged binaries evade static detection and often run without scrutiny on Windows endpoints.
read more →

European Ransomware Leak-Site Victims Spike in 2025

🔒 CrowdStrike's 2025 European Threat Landscape Report found a 13% year-on-year rise in ransomware victims across Europe, with the UK hardest hit. The study, covering leak sites from September 2024 to August 2025, identified 1,380 victims and noted that since January 2024 more than 2,100 organisations were named on extortion sites, with 92% involving file encryption and data theft. The report highlights Akira and LockBit as the most active groups and warns of persistent big-game hunting, growing vishing campaigns and an emerging Violence-as-a-Service threat landscape.
read more →

CISA: High-Severity Linux Privilege Flaw Used by Ransomware

🔒 CISA confirmed that CVE-2024-1086, a high-severity use-after-free bug in the nf_tables component of the Linux kernel, is being exploited in ransomware campaigns. The flaw, introduced in 2014 and patched in January 2024, enables local attackers to escalate to root. A publicly released PoC targets kernels 5.14–6.6. CISA added the issue to its KEV list and recommended mitigations such as blocklisting nf_tables, restricting user namespaces, or loading the LKRG module.
read more →

Ukrainian Extradited from Ireland on Conti Ransomware Charges

🔒 A 43-year-old Ukrainian national, Oleksii Lytvynenko, has been extradited from Ireland to the United States on charges tied to the Conti ransomware operation. U.S. authorities allege he controlled stolen data and participated in sending ransom notes during double-extortion attacks between 2020 and June 2022. Arrested by An Garda Síochána in July 2023, Lytvynenko could face up to 25 years in prison if convicted. Prosecutors say the conspiracy extorted cryptocurrency and targeted victims across multiple jurisdictions.
read more →

Ransomware Profits Decline as Fewer Victims Pay through 2024

🔍 A new Coveware study shows the ransomware economy is shifting: despite an increase in attacks, both average ransom amounts and the share of victims paying demands have fallen. In Q3 only 23% of victims paid, down from 28% in Q1 2024, and average payments dropped from around $377,000 last year to roughly $140,000 this year. Coveware attributes the change to better prevention and incident handling by organizations and growing pressure from authorities. Insurance provider Hiscox warns that 40% of paying victims still lose data, underscoring persistent recovery risks.
read more →

Ransomware Hits Swedish Grid Operator Svenska kraftnät

🔒 On October 25, 2025 the ransomware group Everest listed state grid operator Svenska kraftnät on its darknet leak site, claiming about 280 GB of stolen data. Svenska kraftnät confirmed on October 26 that attackers accessed certain sensitive information via an isolated external file-transfer solution and said investigations are underway. The utility — which operates roughly 16,000 km of high-voltage lines — said there is currently no indication the physical grid was affected and that it is coordinating with police and national cybersecurity authorities.
read more →

Qilin Ransomware Uses WSL to Run Linux Encryptors in Windows

🔐 Qilin ransomware operators have been observed using the Windows Subsystem for Linux (WSL) to execute Linux ELF encryptors on compromised Windows hosts, allowing them to bypass many Windows-focused EDR solutions. Trend Micro and Cisco Talos report attackers enable or install WSL, transfer payloads with WinSCP, and launch the ELF encryptor via Splashtop (SRManager.exe). Affiliates also deploy signed vulnerable drivers and DLL sideloading to disable security tools and escalate privileges, while the encryptor targets VMware ESXi environments.
read more →

Ransomware Payments Plunge as Victims Stop Paying Ransoms

🔒 Coveware reports ransomware payment rates have fallen to a record low — just 23% of victims paid in Q3 2025, continuing a multi-year decline from 28% in Q1 2024. Over 76% of incidents now involve data exfiltration, and theft-only cases see payments drop to 19%. Average and median ransoms fell to $377,000 and $140,000, respectively, as attackers pursue more targeted victims.
read more →