< ciso
brief />
Tag Banner

All news with #ransomware tag

464 articles · page 17 of 24

Ransomware Recovery Failures: Paying Often Doesn't Work

🔐 A Hiscox survey of 1,000 mid-sized firms finds ransomware remains a major risk: 27% of organizations reported attacks in the past year and 80% of victims paid ransom. Yet only 60% of those who paid recovered data fully or partially. Experts cite faulty encryptors, unreliable decryptors, corrupted backups and double/triple extortion as common causes. Industry specialists recommend tested recovery plans, retainers with incident response teams, and robust cyber insurance rather than relying on ransom payments.
read more →

Weekly Cyber Recap: WSUS Exploited and LockBit 5.0 Surge

⚠️ Microsoft released an out-of-band patch for a critical WSUS remote code execution (CVE-2025-59287) after researchers observed active exploitation that drops a .NET executable and Base64 PowerShell payloads. LockBit has resurfaced with a new multi-platform 5.0 variant claiming victims, while a modified Telegram Android app distributing the Baohuo backdoor has infected tens of thousands of devices. Reporting also shows the F5 breach began in late 2023 and has since widened, underscoring the need for urgent patching and threat hunting.
read more →

Agenda (Qilin) weaponizes Linux binaries against Windows

🛡️ Trend Micro reports that the Agenda (Qilin) ransomware group is running a Linux-based encryptor on Windows hosts to evade Windows-only detections. The actors abused legitimate RMM and file-transfer tools — including ScreenConnect, Splashtop, Veeam, and ATERA — to maintain persistence, move laterally, and execute payloads. They combined social engineering, credential theft, SOCKS proxy injection, and BYOVD driver tampering to disable EDR and compromise backups, impacting more than 700 victims since January 2025.
read more →

Qilin Ransomware Employs Linux Payloads and BYOVD Tactics

🔒 Qilin (aka Agenda, Gold Feather, Water Galura) has sharply increased operations in 2025, claiming dozens of victims monthly and peaking at 100 leak-site postings in June. Cisco Talos and Trend Micro analyses show affiliates gain initial access via leaked admin credentials, VPN interfaces and RDP, then harvest credentials with tools like Mimikatz and SharpDecryptPwd. Attackers combine legitimate remote-management software (for example AnyDesk, ScreenConnect, Splashtop) with a BYOVD vulnerable driver to disable defenses, exfiltrate data, and deploy a Linux ransomware binary on Windows systems before encrypting files and removing backups.
read more →

Qilin Ransomware: Attack Methods and TTPs Exposed Globally

🔍 Cisco Talos details widespread Qilin ransomware operations observed in late 2025, highlighting persistent leak-site activity and sustained victim publication. The analysis links many intrusions to exposed administrative credentials and unprotected remote access, with manufacturing, professional services, and wholesale trade heavily affected. Talos documents abuse of open-source exfiltration tools (notably Cyberduck), dual-encryptor deployment patterns, credential harvesting with mimikatz and SharpDecryptPwd, and numerous defense-evasion techniques, recommending layered controls such as MFA, credential monitoring, and hardened backups.
read more →

New LockBit Ransomware Victims Identified October 2025

🔒 After months of rumored silence, security researchers have identified multiple organizations hit by LockBit-branded ransomware in September 2025. Check Point's report documents about a dozen victims across Western Europe, the Americas and Asia, affecting both Windows and Linux systems. Roughly half were infected with LockBit 5.0 and the rest with the leaked 3.0 (LockBit Black) variant. LockBit 5.0 introduces multi-platform builds, enhanced anti-analysis, randomized extensions and a revamped affiliate panel requiring a roughly $500 deposit.
read more →

ToolShell Exploit Drives Surge in SharePoint Attacks

🛡️ Cisco Talos reports a rapid rise in exploitation of public-facing applications following the mid‑July 2025 disclosure of the ToolShell chain, which targets on‑premises Microsoft SharePoint servers via CVE-2025-53770 and CVE-2025-53771. In Q3, application exploitation featured in over 60% of Talos Incident Response engagements, with ToolShell activity implicated in nearly 40% of cases. Talos urges expedited patching and network segmentation to limit lateral movement and downstream impacts such as ransomware.
read more →

Ransomware recovery falters: 40% of paying victims lose data

🔒 Two in five companies that pay ransomware attackers still fail to recover their data, according to a Hiscox survey of thousands of SMEs. The study found 27% of businesses were hit in the past year and 80% of affected firms paid a ransom, yet only 60% recovered all or part of their data. Experts blame flawed encryptors, corrupted or compromised backups, and complex double- or triple-extortion tactics. Organisations are urged to maintain tested recovery plans, forensic validation, and incident response retainers rather than rely on payment.
read more →

Threat Source: SharePoint Exploits and Patch Urgency

⚠ Cisco Talos reports a sharp increase in attacks against public-facing applications, with the ToolShell chain exploiting unpatched Microsoft SharePoint servers rising to over 60% of IR cases this quarter. Ransomware-related incidents fell to about 20% but show evolving tactics, including leveraging legitimate tools and compromised internal accounts for persistence and phishing. Organizations are urged to prioritize rapid patching, robust network segmentation, centralized logging, MFA, and user education to reduce exposure.
read more →

LockBit Resurges with New Variant and Fresh Victims

🛡️ LockBit has reemerged after a disruption in early 2024 and is actively extorting new victims. Check Point Research identified roughly a dozen organizations hit in September 2025, and about half of those incidents involved the new LockBit 5.0 variant, labeled ChuongDong. The group is deploying attacks across Windows, Linux and ESXi environments in Europe, the Americas and Asia. Check Point Harmony Endpoint and Quantum customers are protected via Threat Emulation, which can block these attacks before encryption occurs.
read more →

Microsoft Blocks Ransomware Campaign Targeting Teams Users

🛡️ Microsoft said it disrupted a ransomware campaign that used fake Teams installers to deliver a backdoor and prepare for encryption operations. Attackers lured victims with impersonated MSTeamsSetup.exe files hosted on malicious domains, which installed a loader and a fraudulently signed Oyster backdoor. The group identified as Vanilla Tempest intended to follow with Rhysida ransomware. Microsoft revoked over 200 fraudulent code-signing certificates and says a fully enabled Defender Antivirus will block the threat.
read more →

IR Trends Q3 2025: ToolShell Drives Access & Response

🛡️ Cisco Talos Incident Response observed a surge in attacks exploiting public-facing apps in Q3 2025, driven chiefly by ToolShell chains targeting on-premises Microsoft SharePoint servers. Rapid automated scanning and unauthenticated RCE vulnerabilities led to widespread compromise, highlighting the need for immediate patching and strict network segmentation. Post-compromise phishing from valid accounts and diverse ransomware families, including Warlock and LockBit, continued to impact victims.
read more →

Canada Fines Cryptomus $176M over AML Oversight in 2025

🔒 FINTRAC has imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., the operator of Cryptomus, after finding widespread failures to file suspicious transaction reports tied to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion. Regulators said the payments platform enabled dozens of Russian‑focused exchanges and cybercrime‑facing services to move illicit proceeds. The action follows investigative reporting showing numerous money service businesses clustered at shared Canadian addresses that appear to be fronts.
read more →

Scattered LAPSUS$ Hunters Shift to Extortion-as-Service

🔍 Palo Alto Networks' Unit 42 reports monitoring a Scattered LAPSUS$ Hunters Telegram channel since early October 2025, noting a tactical shift toward an extortion-as-a-service (EaaS) offering that omits file encryption. Researchers also observed posts mentioning a potential new ransomware, SHINYSP1D3R, though its development and the profitability of EaaS remain uncertain. Unit 42 found the group's data leak site apparently defaced and confirmed leaked records tied to at least six firms; the actors had set an Oct 10 ransom deadline but later stated on Oct 11 that "nothing else will be leaked."
read more →

UK Contractor Breach Exposes Sensitive RAF and Navy Sites

🔒 A ransomware attack on contractor Dodd Group reportedly allowed Russian-linked attackers to exfiltrate hundreds of sensitive Ministry of Defence documents, including details on RAF Lakenheath, RAF Portreath and RAF Predannack. The company confirmed an incident and said it contained access, while the MoD suspects the Lynx group is behind the intrusion. Leaked files published on the dark web allegedly include site plans and personnel data, and the case is now under investigation amid a wider rise in UK cyber incidents.
read more →

Ransomware Payouts Rise to $3.6M as Tactics Evolve

🔒 The average ransomware payment climbed to $3.6m in 2025, up from $2.5m in 2024, as attackers shift to fewer but more lucrative, targeted campaigns. ExtraHop's Global Threat Landscape Report found 70% of affected organisations paid ransoms, with healthcare and government incidents averaging nearly $7.5m each. The study highlights expanding risks from public cloud, third‑party integrations and generative AI, and urges organisations to map their attack surface, monitor internal traffic for lateral movement and prepare for AI‑enabled tactics.
read more →

AI-Enabled Ransomware: CISOs’ Top Security Concern

🛡️ CrowdStrike’s 2025 ransomware survey finds that AI is compressing attacker timelines and enhancing phishing, malware creation, and social engineering, forcing defenders to react in minutes rather than hours. 78% of respondents reported a ransomware incident in the past year, yet fewer than 25% recovered within 24 hours and paying victims often faced repeat compromise and data theft. CISOs rank AI-enabled ransomware as their top AI-related security concern, and many organizations are accelerating adoption of AI detection, automated response, and improved training.
read more →

Ransomware Reality: High Confidence, Low Preparedness

⚠️ The CrowdStrike State of Ransomware Survey reveals a sizable gap between organizational confidence and actual ransomware readiness. Half of 1,100 security leaders say they are "very well prepared," yet 78% were attacked in the past year and fewer than 25% recovered within 24 hours. The report warns that AI-accelerated attacks deepen this gap and recommends AI-native detection and response such as Falcon to regain the advantage.
read more →

Muji Halts Japan Online Sales After Supplier Ransomware

🔒 Muji has temporarily taken its Japan online store offline after a ransomware attack disrupted logistics systems at its delivery partner, Askul. The outage affects browsing, purchases, order histories in the Muji app, and some web content; Muji is investigating which shipments and pre-attack orders were impacted and will notify affected customers by email. Askul confirmed a ransomware infection suspended orders, shipping, and several customer services while it investigates potential data exposure; international Muji stores remain operational.
read more →

Cybersecurity Awareness Month 2025: Ransomware Resilience

🔒 ESET's Cybersecurity Awareness Month 2025 video, presented by Chief Security Evangelist Tony Anscombe, explains why ransomware continues to threaten organizations large and small. Citing Verizon's 2025 DBIR and a Coalition Inc. study, it notes that 44% of breaches involved ransomware and 40% of insured victims paid ransoms. The video outlines common intrusion vectors and practical steps — backups, patching, access controls and training — organizations should take to improve resilience.
read more →