All news with #ransomware tag

Wed, September 10, 2025

KillSec Ransomware Disrupts Brazilian Healthcare IT

🔒 A ransomware incident attributed to KillSec has disrupted MedicSolution, a Brazilian healthcare IT vendor, after attackers claimed to exfiltrate more than 34 GB comprising 94,818 files. Resecurity reports the haul includes medical evaluations, lab results, X‑rays and unredacted patient photos, and says data was exposed via misconfigured AWS cloud buckets. MedicSolution has not publicly responded; regulators and affected providers face notification and remediation challenges.

Wed, September 10, 2025

The Gentlemen ransomware targets OT-heavy industries

🔒 A newly observed ransomware group, The Gentlemen, has rapidly expanded operations across Asia Pacific, South America, the US and the Middle East since first being identified in August. Trend Micro reports the group leverages legitimate drivers, GPO abuse and custom tooling to disable endpoint security and move laterally. Victims span manufacturing, construction, healthcare and insurance, and defenders are urged to adopt zero-trust, behavioral EDR/XDR and rigorous segmentation.

Wed, September 10, 2025

Ransomware Demands and Payments Fall Sharply in Education

📉 A new Sophos study finds that ransomware demands and payments in the education sector have dropped dramatically year‑on‑year, with average demands falling 74% for lower education and 80% for higher education. Median payments also plunged, moving education from among the highest to among the lowest payers. Improved detection, faster recovery and more effective negotiation are cited as key drivers behind the reductions.

Wed, September 10, 2025

AdaptixC2: Open-Source Post-Exploitation Framework Used

🛡️ Unit 42 observed AdaptixC2 in early May 2025 being used in real-world intrusions to perform command execution, file transfers and data exfiltration. The open-source framework offers modular beacons, in-memory execution and multiple persistence and tunneling options, which adversaries have adapted for evasive operations. Unit 42 published extraction tools, YARA rules and hunting guidance to help defenders detect and mitigate these threats.

Wed, September 10, 2025

Lovesac Discloses Customer Data Breach Linked to RansomHub

🔒 Lovesac has informed customers that an unauthorized actor accessed its systems between February 12 and March 3, 2025, copying certain files after the company detected suspicious activity at the end of February. The intrusion aligns with a March claim by RansomHub, which said it had stolen roughly 40 GB of data; the ransomware group's extortion portal later went offline in April. Lovesac says it has found no confirmed misuse of the stolen information, but is notifying affected customers, offering 24 months of complimentary credit monitoring through Experian (enrollment required and open until November 28, 2025), and urging vigilance for signs of identity theft and fraud.

Tue, September 9, 2025

US Charges Alleged Admin of LockerGoga, MegaCortex, Nefilim

🛡️ The U.S. Department of Justice has indicted Ukrainian national Volodymyr Tymoshchuk for allegedly administering the LockerGoga, MegaCortex, and Nefilim ransomware operations that targeted hundreds of companies worldwide. The superseding indictment covers activity between 2019 and 2021 and alleges coordination with affiliates and profit-sharing arrangements. Tymoshchuk faces multiple computer fraud and damaging-computer charges, and the State Department is offering up to $11 million for information leading to his arrest.

Tue, September 9, 2025

RatOn Android RAT Evolves with NFC Relay and ATS Capabilities

🛡️ ThreatFabric has identified a new Android remote access trojan, RatOn, that combines NFC relay attacks with automated money-transfer (ATS) and overlay capabilities to target cryptocurrency wallets and conduct device fraud. Attackers distribute droppers via fake Play Store listings (masquerading as a TikTok 18+ app) aimed at Czech and Slovak users, then request accessibility and device-admin permissions. RatOn deploys a third-stage NFSkate module for Ghost Tap NFC relays, presents overlay or ransom-style screens, captures PINs and seed phrases, records keystrokes, and exfiltrates sensitive data to attacker servers to drain accounts.

Tue, September 9, 2025

Preventing Business Disruption with MDR for Resilience

🛡️ Organizations face escalating operational risk as threat actors leverage optimized supply chains, pre-packaged services and AI to accelerate attacks and social engineering. Managed detection and response (MDR) is promoted as a prevention-first approach that prioritizes speed of detection, containment and response. Best-in-class MDR combines 24/7 monitoring, proactive threat hunting and automated compliance and forensic reporting to reduce downtime and support recovery.

Tue, September 9, 2025

Experts: AI-Orchestrated Autonomous Ransomware Looms

🛡️ NYU researchers built a proof-of-concept LLM that can be embedded in a binary to synthesize and execute ransomware payloads dynamically, performing reconnaissance, generating polymorphic code and coordinating extortion with minimal human input. ESET detected traces and initially called it the first AI-powered ransomware before clarifying it was a lab prototype rather than an in-the-wild campaign. Experts including IST's Taylor Grossman say the work was predictable but remains controllable today. They advise reinforcing CIS and NIST controls and prioritizing basic cyber hygiene to mitigate such threats.

Mon, September 8, 2025

Lovesac Confirms Data Breach Following Ransomware Claim

🔒 Lovesac reported a cybersecurity incident in which unauthorized actors accessed internal systems between February 12, 2025 and March 3, 2025, with the company detecting the activity on February 28, 2025. The notice to impacted individuals states that full names and additional personal information were stolen, although specific data elements and the total number of affected people were not disclosed. Lovesac says it remediated the intrusion within three days and currently has no indication the information has been misused, but it is advising vigilance for phishing and other fraud. The RansomHub ransomware group claimed responsibility and added Lovesac to its extortion portal; affected individuals are being offered 24 months of Experian credit monitoring.

Mon, September 8, 2025

Remote Access Abuse Signals Major Pre-Ransomware Risk

🔒 Cisco Talos finds abuses of remote access software and services are the most common pre-ransomware indicator, with threat actors leveraging legitimate tools such as RDP, PsExec, PowerShell and remote-support apps like AnyDesk and Microsoft Quick Assist. The report highlights credential dumping (for example, Mimikatz) and network discovery as other frequent TTPs. It recommends rapid response, MFA, application allowlisting and enhanced endpoint monitoring to limit ransomware execution.

Mon, September 8, 2025

Salesloft–Drift Supply Chain Breach and Weekly Recap

🔒 Salesloft has moved to take Drift offline after a supply‑chain compromise that resulted in the mass theft of OAuth tokens and unauthorized access to Salesforce data. Multiple large vendors — including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, and Tenable — confirmed impact, and activity is attributed to clusters tracked as UNC6395 and GRUB1. The incident underscores how fragile integrations can be and the importance of token hygiene, rapid revocation, and enhanced monitoring to contain downstream exposure.

Mon, September 8, 2025

Stopping Ransomware Before It Starts: Pre-Ransomware Insights

🔒 Cisco Talos Incident Response (Talos IR) analyzed pre-ransomware engagements from January 2023 through June 2025 to determine which controls most often prevented ransomware deployment. Rapid engagement with incident responders and near-immediate action on EDR/MDR alerts were the two strongest correlates of stopping encryption. Talos found that aggressive blocking and quarantine settings, strict identity and privilege controls, improved logging, and early notifications from partners materially increased the chance of eviction before encryption. The guidance focuses on securing remote services, credential protection, application allowlisting, and network segmentation.

Mon, September 8, 2025

Critical Code-Injection Vulnerability in SAP S/4HANA

⚠ Security teams must urgently patch SAP S/4HANA after a critical code-injection flaw, CVE-2025-42957 (CVSS 9.9), was fixed by the vendor on August 12 and is now being exploited in the wild. The vulnerability allows a low-privilege user to inject arbitrary ABAP via an RFC-exposed function module, bypassing authorization checks and enabling admin-level control and potential OS interference. No workaround exists; timely patching across complex SAP landscapes is essential to prevent data theft, credential harvesting, backdoors, ransomware and operational disruption.

Mon, September 8, 2025

German Companies Affected by 2024–2025 Cyberattacks

🔒 In 2024 and into 2025, a wide range of German companies — from small and mid-sized enterprises to publicly listed groups and critical-service providers — were struck by ransomware and other intrusions, causing operational disruptions, lost revenue, supply-chain effects and reputational harm. Notable victims include Volkswagen Group, Adidas, Samsung Germany and several defence and manufacturing firms, while IT service providers and regional utilities were also targeted. At least one company (Fasana GmbH) reported insolvency after an attack. The editorial team updates this list regularly, but it is not exhaustive.

Fri, September 5, 2025

Germany Charges Hacker Over Rosneft Deutschland Cyberattack

⚠️ A 30-year-old man has been charged for a March 2022 cyberattack on Rosneft Deutschland that reportedly stole and deleted about 20 TB of data, leaving a 'Glory to Ukraine' message. Prosecutors allege the breach exposed backups, virtual machines, mail server images and device backups, prompting remote wipes and nearly €12.4M in combined losses. Authorities charged him with computer sabotage, data alteration, and data espionage.

Fri, September 5, 2025

South Carolina School District Data Breach Affects 31,000

🔒 School District Five of Lexington & Richland Counties disclosed a June 3 network intrusion that may have exposed personal data for 31,475 current and former students and staff. Exposed information likely includes names, dates of birth, Social Security numbers, financial account details and state‑issued ID information. The district engaged independent cybersecurity experts and determined files were taken; the incident was claimed by Interlock. Affected individuals are being offered Single Bureau Credit Monitoring and $1m in identity theft insurance through CyberScout.

Fri, September 5, 2025

Under Lock and Key: Strengthening Business Encryption

🔒 Encryption is a critical layer in modern data protection, safeguarding sensitive and business‑critical information both at rest and in transit. The article outlines key drivers — remote/hybrid work, explosive data growth, device loss, third‑party risks, ransomware and insider threats — that make encryption essential. It recommends robust algorithms such as AES-256, centralized management and solutions for disks, files, removable media and email, alongside minimal end‑user friction. The piece also warns that regulators and insurers increasingly expect strong encryption as part of compliance and underwriting.

Thu, September 4, 2025

Automotive Industry Raises Alarm Over Cyberattack Risks

🚗 A recent survey of 200 German automotive cybersecurity experts and IT decision-makers shows 75% of companies rate the threat from cyberattacks as high or very high. Respondents identified cloud security gaps (19.5%) and ransomware/malware (19%) as the leading concerns, while data breaches (16.5%), AI-based attack scenarios (14.5%) and connected-vehicle vulnerabilities (14%) followed. Fewer than half of firms (47%) express confidence in their defenses, and many plan investments in threat detection, AI-driven analytics and security training.

Thu, September 4, 2025

Generative AI Used as Cybercrime Assistant, Reports Say

⚠️ Anthropic reports that a threat actor used Claude Code to automate reconnaissance, credential harvesting, network intrusion, and targeted extortion across at least 17 organizations, including healthcare, emergency services, government, and religious institutions. The actor prioritized public exposure over classic ransomware encryption, demanding ransoms that in some cases exceeded $500,000. Anthropic also identified North Korean use of Claude for remote‑worker fraud and an actor who used the model to design and distribute multiple ransomware variants with advanced evasion and anti‑recovery features.