All news with #ransomware tag

Wed, September 24, 2025

Feds Tie Scattered Spider Duo to $115M in Ransoms

🔒 U.S. prosecutors have charged 19‑year‑old Thalha Jubair as a core member of Scattered Spider, alleging the group extorted at least $115 million from victims. Jubair and an alleged co‑conspirator, 18‑year‑old Owen Flowers, appeared in London court facing accusations tied to high‑profile attacks on retailers, public transit and U.S. healthcare providers. Authorities say the complaint links Jubair to a network of SIM‑swapping, SMS phishing and ransomware operations and to cryptocurrency servers used to launder proceeds.

Wed, September 24, 2025

YiBackdoor Linked to IcedID and Latrodectus Code Overlaps

🔒 Zscaler ThreatLabz disclosed a new malware family named YiBackdoor that shares notable source-code overlaps with IcedID and Latrodectus. First observed in June 2025 with limited deployments, YiBackdoor can execute arbitrary commands, collect system information, capture screenshots, and load encrypted plugins to expand capabilities. It uses anti-analysis checks, injects into svchost.exe, persists via a Run registry entry that invokes regsvr32.exe with a randomized name, and fetches commands from an embedded encrypted configuration over HTTP. Zscaler warns it could be leveraged to gain initial access for follow-on exploitation, including ransomware.

Wed, September 24, 2025

Extending Zero Trust to the Storage Layer: Resilience

🔒 Applying zero trust to the storage layer is no longer theoretical — it is now essential to ensure recovery. The author describes ransomware incidents, including Change Healthcare in February 2024, where attackers deliberately targeted backups and recovery points, exposing storage as a primary attack surface. He recommends three operational principles — control where data is touched, control who and when, and make critical backups immutable — and ties those measures to governance, policy-as-code, and executive outcomes.

Wed, September 24, 2025

Hoppegarten IT outage continues after August cyberattack

🔒 The municipality of Hoppegarten in Brandenburg is still recovering from a hacker attack that forced its IT systems to be shut down on August 10. As of September 22, remediation remains ongoing, with central services such as email, telephone, and citizen services restored. Communication with subordinate institutions, including schools and daycare centers, remains disrupted. Authorities say the State Criminal Police Office is investigating a suspected attempted data encryption, possibly tied to an extortion attempt.

Wed, September 24, 2025

What Happens When You Engage Talos Incident Response

🔐 Cisco Talos Incident Response (Talos IR) provides rapid, 24/7 crisis support and proactive services to contain, investigate, and remediate cybersecurity incidents. Talos combines deep threat intelligence, digital forensics, and a vendor-agnostic approach to work with existing tools and environments. Engagements follow a structured IR lifecycle—Preparation, Identification, Containment, Eradication, Recovery, and Lessons learned—to minimize disruption and build long-term resilience.

Wed, September 24, 2025

Allianz: Attackers Shift From Large Firms to Easier Targets

🛡️ Allianz warns that cybercriminals are increasingly shifting focus from well‑defended large organizations to smaller, less secure firms and to regions beyond the US and Europe. The insurer's Cyber report says customer losses in H1 2025 were about half those in H1 2024, even as active ransomware groups may have risen by roughly 50%. Double extortion and data theft now account for a growing share of large losses, and attackers often exploit third‑party IT providers to reach hardened targets.

Tue, September 23, 2025

SonicWall SMA100 Firmware Removes OVERSTEP Rootkit

🛡️ SonicWall has released firmware 10.2.2.2-92sv for the SMA 100 series that adds additional file checking and the ability to remove known user‑mode rootkit malware. The update targets the OVERSTEP rootkit observed by Google's GTIG and is recommended for SMA 210, 410, and 500v customers. SonicWall urges immediate upgrade and adherence to earlier mitigations, including credential resets and forensic review.

Tue, September 23, 2025

Attacker Breakout Time Drops to 18 Minutes, ReliaQuest

🔒 ReliaQuest's Threat Spotlight (June–August 2025) reports average attacker breakout time — the period from initial access to lateral movement — has fallen to 18 minutes, with one Akira incident taking just six minutes. The vendor warns adversaries are becoming faster and more adept at bypassing endpoint protections, noting an increase in ransomware using the SMB protocol (from 20% to 29%). Drive-by compromise was the leading initial vector at 34%, and USB-based malware, notably Gamarue, is resurging due to weak policy enforcement and inconsistent endpoint controls.

Tue, September 23, 2025

Jaguar Land Rover Extends Production Pause After Cyberattack

🚗 Jaguar Land Rover has extended a production shutdown until Wednesday 1 October 2025 after a major cyber incident that halted its Solihull, Halewood and Wolverhampton plants. The company said teams are working with cybersecurity specialists, the NCSC and law enforcement while it investigates, and warned the outage has already cost an estimated £120m in profits and £1.7bn in revenue. Unions have called for government-backed support for suppliers facing bankruptcy amid cascading supply-chain risk.

Mon, September 22, 2025

Ransomware Attack Disrupts Check-in at Major EU Airports

🛫 Over the weekend several major European airports experienced check-in and boarding disruptions after a ransomware attack on the external vendor Collins Aerospace. Attackers targeted the MUSE multi-airline check-in system, forcing manual processing of thousands of passengers and causing delays and cancellations to more than 100 flights. Airports affected included Heathrow, Brussels and Berlin Brandenburg, with only minor impact reported in Cork and Dublin. Authorities and the vendor are investigating while restoration efforts continue.

Mon, September 22, 2025

Experts Urge Updated Defenses Against Scattered Spider

🔐 Organizations should urgently update defenses to counter the Scattered Spider collective, experts warned at the Gartner Security & Risk Management Summit 2025. The group used social engineering, helpdesk vishing, and push notification fatigue to bypass MFA and abuse SSO, compromising accounts like Okta and stealing tokens from LastPass. Firms are advised to implement stronger identity protections, number-matching MFA, stricter password-reset procedures, and tighter third-party vendor monitoring to reduce exposure.

Mon, September 22, 2025

Weekly Recap: Chrome 0-day, AI Threats, and Supply Chain Risk

🔒 This week's recap highlights rapid attacker innovation and urgent remediation: Google patched an actively exploited Chrome zero-day (CVE-2025-10585), while researchers demonstrated a DDR5 RowHammer variant that undermines TRR protections. Dual-use AI tooling and model namespace reuse risks surfaced alongside widespread supply-chain and phishing disruptions. Defenders should prioritize patching, harden model dependencies, and monitor for stealthy loaders.

Sat, September 20, 2025

Researchers Find GPT-4-Powered MalTerminal Malware

🛡️ SentinelOne researchers disclosed MalTerminal, a Windows binary that integrates OpenAI GPT-4 via a deprecated chat completions API to dynamically generate either ransomware or a reverse shell. The sample, presented at LABScon 2025 and accompanied by Python scripts and a defensive utility called FalconShield, appears to be an early — possibly pre-November 2023 — example of LLM-embedded malware. There is no evidence it was deployed in the wild, suggesting a proof-of-concept or red-team tool. The finding highlights operational risks as LLMs are embedded into offensive tooling and phishing chains.

Fri, September 19, 2025

Fortra patches critical GoAnywhere MFT deserialization bug

⚠ Users of GoAnywhere MFT are urged to install a patch for a critical insecure deserialization vulnerability tracked as CVE-2025-10035, rated CVSS 10. The flaw resides in the License Servlet and can allow an attacker with access to the Admin Console to submit a forged license response that deserializes an arbitrary, actor-controlled object, enabling remote command execution. Fortra released fixes in versions 7.8.4 and 7.6.3 and advises customers not to expose the Admin Console directly to the internet. The issue closely mirrors a 2023 vulnerability that was widely exploited by ransomware groups, elevating the risk of rapid exploitation.

Fri, September 19, 2025

SystemBC Powers REM Proxy, Compromising ~1,500 VPS

🛡️ Lumen Technologies' Black Lotus Labs reports that SystemBC, a C-based SOCKS5 proxy malware, powers roughly 80% of the REM Proxy network and averages about 1,500 compromised hosts per day. The botnet operates through more than 80 C2 servers and mainly targets VPS instances from major commercial providers, often via dropped shell scripts that install the proxy implant. REM Proxy also advertises pools of compromised Mikrotik routers and open proxies and has been used by actors tied to TransferLoader and the Morpheus ransomware group.

Fri, September 19, 2025

Ransomware Still Evades Defenses Despite Protections

🔒 Picus Security's Blue Report 2025 shows ransomware continues to outpace defenses: overall prevention fell from 69% to 62% year-over-year, while data exfiltration prevention collapsed to just 3%. Both established families (BlackByte, BabLock, Maori) and emerging strains (FAUST, Valak, Magniber) bypass controls using credential theft, fileless techniques and staged execution. Picus recommends continuous Breach and Attack Simulation (BAS) to validate controls, deliver actionable fixes, and provide measurable evidence of readiness.

Fri, September 19, 2025

Ransomware Extortion Claim Targets BMW Group Servers

🔒 The BMW Group has been named on the darknet by the Everest ransomware group, which claims to have stolen critical BMW audit documents, according to screenshots reported by Cybernews. The gang placed two countdown timers on its onion site—one running to Sept. 14 and a second giving BMW 48 hours to make contact. BMW has not commented and the extortionists have not confirmed whether customer or personal data were taken; Cybernews researcher Aras Nazarovas advises waiting for a published sample to assess the scope.

Fri, September 19, 2025

HybridPetya ransomware bypasses Windows Secure Boot

🔒 Researchers at ESET have identified a new bootkit-style ransomware named HybridPetya that targets the NTFS Master File Table (MFT) and can override UEFI Secure Boot to install a malicious EFI component. The malware abuses a patched vulnerability (CVE-2024-7344) in a signed Microsoft EFI file to load an unsigned payload called cloak.dat. The installer replaces the Windows bootloader, triggers a crash and, on reboot, the compromised loader executes a bootkit that encrypts the disk with Salsa20, using a fake CHKDSK message to conceal activity. ESET observed a ransom demand of €850 in Bitcoin but regards the sample as likely a research proof-of-concept.

Fri, September 19, 2025

UK Arrests Two Teens Linked to Scattered Spider Hacks

🔒 UK law enforcement has arrested two teenagers allegedly tied to the Scattered Spider hacking group over an August 2024 cyberattack on Transport for London (TfL). Nineteen-year-old Thalha Jubair and 18-year-old Owen Flowers were detained; authorities say Jubair faces U.S. charges for dozens of intrusions, extortion and money laundering while Flowers faces additional charges linked to U.S. healthcare targets. Prosecutors allege the group extorted at least $115 million in ransoms and that law enforcement previously seized roughly $36 million in cryptocurrency tied to Jubair.

Fri, September 19, 2025

Smart Cities Face Growing Cybersecurity Risks and Gaps

🏙️ Smart cities are expanding rapidly—69% of municipalities report strategic agendas and an estimated 83,000 sensors were deployed in 2024—significantly enlarging the attack surface. High-profile incidents (Dallas alarm hack, Washington, DC ransomware, Florida water-treatment manipulation, and Olsztyn transport disruption) show that networked devices can lead to both digital and physical harm. Experts from Accenture, Zebra Technologies, and S2GRUPO warn that legacy devices, fragmented governance, and IT/OT convergence demand zero-trust, segmentation, and coordinated incident response to reduce systemic risk.
