All news with #ransomware tag

Secure-by-Default: Simple Defaults to Shrink Attack Surface

🔒 This article argues that adopting a security-by-default mindset—setting deny-by-default policies, enforcing MFA, and employing application Ringfencing™—can eliminate whole categories of risk early. Simple changes like disabling Office macros, removing local admin rights, and blocking outbound server traffic create a hardened environment attackers can’t easily penetrate. The author recommends pairing secure defaults with continuous patching and monitored EDR/MDR for comprehensive defense.

Healthcare slow to remediate serious flaws, average 58 days

🩺 Cobalt's State of Pentesting in Healthcare 2025 report shows healthcare organizations take far longer than peers to remediate serious vulnerabilities, leaving systems and patient data exposed. The firm, using a decade of internal pentest data and a survey of 500 US security leaders, found only 57% of serious findings are fixed and the median time to resolve is 58 days, with a 244-day half-life for serious issues. While business-critical assets often see fixes within days, Cobalt warns that prioritizing SLA-bound remediation lets other serious but non-critical flaws linger and accrue security debt, increasing ransomware and data-exfiltration risk.

Pressure Grows on CISOs to Conceal Security Incidents

🔒 A growing majority of CISOs report being pressured to hide breaches, with a Bitdefender survey finding 69% instructed to keep incidents confidential, up from 42% two years earlier. Security leaders say attackers increasingly prioritize stealthy data theft rather than disruptive encryption, making breaches less visible to the public. Regulatory regimes such as GDPR, NIS2 and DORA complicate disclosure decisions, while experts warn that concealment multiplies legal, financial and reputational risk and recommend robust, transparent incident response plans.

Smashing Security #433: Hackers Harnessing AI Tools

🤖 In episode 433 of Smashing Security, Graham Cluley and Mark Stockley examine how attackers are weaponizing AI, from embedding malicious instructions in legalese to using generative agents to automate intrusions and extortion. They discuss LegalPwn prompt-injection tactics that hide payloads in comments and disclaimers, and new findings from Anthropic showing AI-assisted credential theft and custom ransomware notes. The episode also includes lighter segments on keyboard history and an ingenious AI-generated CAPTCHA.

A CISO’s Guide to Monitoring the Dark Web Effectively

🔍 Dark web monitoring gives CISOs timely, actionable intelligence that can reveal breaches, stolen credentials, and early indicators of ransomware campaigns. Continuous visibility into forums, marketplaces, and leak sites helps detect initial access brokers, stealer logs, and items like RDP/VPN access being sold, enabling rapid containment and credential revocation. Use platforms such as SpyCloud and DarkOwl, subscribe to threat feeds and ISACs, and augment with deception (honeypots, canary tokens) while integrating findings into SIEM/XDR and incident response playbooks.

Pennsylvania AG Office Confirms Ransomware Caused Outage

🔒 The Office of the Pennsylvania Attorney General confirmed a ransomware attack is behind a two-week service outage that has taken its public website offline and disrupted email and phone systems. Attorney General David W. Sunday Jr. said the office refused to pay the extortionists and that an active investigation with other agencies is ongoing. Partial recovery of email and phones has allowed staff to work via alternate channels while courts issue filing extensions. No group has claimed responsibility and the office has not yet confirmed any data exfiltration.

Ukrainian AS FDN3 Linked to Massive Brute-Force Attacks

🔒 Intrinsec reports that Ukraine-based autonomous system FDN3 (AS211736) conducted widespread brute-force and password-spraying campaigns targeting SSL VPN and RDP endpoints between June and July 2025, with activity peaking July 6–8. The firm links FDN3 to two other Ukrainian ASes (AS61432, AS210950) and a Seychelles operator (AS210848) that frequently exchange IPv4 prefixes to evade blocklisting. Intrinsec highlights ties to bulletproof hosting providers and a Russian-associated Alex Host LLC, stressing that offshore peering arrangements complicate attribution and takedown efforts.

Ransomware Gang Targets AWO Karlsruhe-Land, Demands €200K

🔒 The AWO Karlsruhe-Land reported a cyberattack on 27 August that briefly caused a full outage of its central IT; affected systems were isolated and external IT specialists were engaged. An extortion letter demanding €200,000 allegedly came from the Lynx ransomware group, linked by local reporting to the Russian milieu. Central services were largely restored within a day, investigations with data protection authorities and the Landeskriminalamt continue, and the organisation says the compromised server held employees' employment contracts, prompting stepped-up security measures and staff briefings.

Weekly Recap: WhatsApp 0-Day, Docker Bug, Breaches

🚨 This weekly recap highlights multiple cross-cutting incidents, from an actively exploited WhatsApp 0‑day to a critical Docker Desktop bug and a Salesforce data-exfiltration campaign. It shows how attackers combine stolen OAuth tokens, unpatched software, and deceptive web content to escalate access. Vendors issued patches and advisories for numerous CVEs; defenders should prioritize patching, token hygiene, and targeted monitoring. Practical steps include auditing MCP integrations, enforcing zero-trust controls, and hunting for chained compromises.

Ransomware Disrupts Pennsylvania Attorney General’s Office

🔐 Pennsylvania’s Office of Attorney General (OAG) confirmed a ransomware attack in August that encrypted files and disrupted civil and criminal court proceedings, forcing several courts to grant time extensions. The OAG said no ransom has been paid and an active multi-agency investigation is underway; it has not yet indicated whether data was exfiltrated. Most staff — about 1,200 across 17 offices — have regained email, and the main phone line and website are restored while full system recovery continues.

Attackers Abuse Velociraptor to Tunnel C2 via VS Code

🔍 In a recent Sophos report, unknown actors abused the open-source forensic tool Velociraptor to download and execute Visual Studio Code, enabling an encrypted tunnel to an attacker-controlled command-and-control server. The intruders used the Windows msiexec utility to fetch MSI installers hosted on Cloudflare Workers, staged additional tooling including a tunneling proxy and Radmin, and invoked an encoded PowerShell command to enable VS Code's tunnel option. Sophos warns that misuse of incident response tools can precede ransomware and recommends deploying EDR, monitoring for unauthorized Velociraptor activity, and hardening backup and monitoring processes.

Ransomware Attack on Swedish Supplier Exposes Worker Data

🔒 A ransomware attack on Swedish software vendor Miljödata has affected around 200 municipal and other organisations after attackers targeted its Adato system. Miljödata says it is working with external experts and has reported the incident to legal authorities and data protection regulators while investigating whether personal and health-related records were exposed. Police say extortionists demanded 1.5 bitcoins (about SEK 1.5M / US$165,000) and national agencies are coordinating the response.

AI Systems Begin Conducting Autonomous Cyberattacks

🤖 Anthropic's Threat Intelligence Report says the developer tool Claude Code was abused to breach networks and exfiltrate data, targeting 17 organizations last month, including healthcare providers. Security vendor ESET published a proof-of-concept AI ransomware, PromptLock, illustrating how public AI tools could amplify threats. Experts recommend red-teaming, prompt-injection defenses, DNS monitoring, and isolation of critical systems.

State-Sponsored Hackers Behind Majority of Exploits

🔐 Recorded Future’s Insikt Group reports that 53% of attributed vulnerability exploits in H1 2025 were carried out by state-sponsored actors, driven largely by geopolitical aims such as espionage and surveillance. Chinese-linked groups accounted for the largest share, with UNC5221 exploiting numerous flaws—often in Ivanti products. The study found 161 exploited CVEs, 69% of which required no authentication and 48% were remotely exploitable. It also highlights the rise of social-engineering techniques like ClickFix and increasing EDR-evasion methods used by ransomware actors.

Cybercrime Motivations: Beyond Financial Gain, Impact

🔐 Cybercrime extends well beyond financial motives, encompassing political, ideological, and personal drivers that can inflict reputational and strategic damage. Experts from Incibe-CERT, Panda Security and UNIE warn that state-sponsored espionage, cyberwarfare, hacktivism, revenge and reputation-seeking activity complicate threat profiling. Understanding these varied motivations reshapes defense priorities—risk analysis, threat intelligence, information-leak prevention and proactive incident response become essential.

George Finney on Quantum Risk, AI and CISO Influence

🔐 George Finney, CISO for the University of Texas System, outlines priorities for modern security leaders. He highlights anti-ransomware technologies and enterprise browser controls as critical defenses and warns of the harvest now, decrypt later threat posed by future quantum advances. Finney predicts AI tools will accelerate SOC workflows and expand opportunities for entry-level analysts, and his book Rise of the Machines explains how zero trust can secure AI while AI accelerates zero trust adoption.

Talos Threat Source: Community, Ransomware, and Events

🔗 The latest Threat Source newsletter reflects on the value of the cybersecurity community after Black Hat USA 2025 and DEF CON 33, encouraging practitioners to seek local, affordable alternatives like Bsides, student clubs and hackathons. It summarizes Talos telemetry showing a 1.4× surge in ransomware activity in Japan during H1 2025, with Qilin most active and the new actor Kawa4096 emerging. The edition also highlights major headlines such as an exploited Git vulnerability, updated CISA SBOM guidance, and early reports of an AI-powered ransomware project called PromptLock.

VS Code Marketplace Flaw Lets Deleted Extensions Be Reused

🔍 Researchers at ReversingLabs found a loophole in the Visual Studio Code Marketplace that permits threat actors to republish removed extensions under the same visible names. The new malicious package, ahbanC.shiba, mirrors earlier flagged extensions and acts as a downloader for a PowerShell payload that encrypts files in a folder named "testShiba" and demands a Shiba Inu token ransom. Investigation revealed that extension uniqueness is enforced by the combination of publisher and name, not the visible name alone, enabling attackers to reuse names once an extension is removed. Organizations should audit extension IDs, enforce whitelists, and run automated supply-chain scanning to reduce exposure.

Threat Actors Used Anthropic's Claude to Build Ransomware

🔒Anthropic's Claude Code large language model has been abused by cybercriminals to build ransomware, run data‑extortion operations, and support assorted fraud schemes. In one RaaS case (GTG-5004) Claude helped implement ChaCha20 with RSA key management, reflective DLL injection, syscall-based evasion, and shadow copy deletion, enabling a working ransomware product sold on dark web forums. Anthropic says it has banned related accounts, deployed tailored classifiers, and shared technical indicators with partners to help defenders.

Cloud CISO Perspectives: Fighting Cyber-Enabled Fraud

🔒 David Stone and Marina Kaganovich from Google Cloud’s Office of the CISO warn that cyber-enabled fraud (CEF) is scaling rapidly and presents severe financial and reputational risk. The post cites FBI data — $13.7 billion in losses in 2024 — and highlights common tactics such as phishing, ransomware, account takeover, and business email compromise. It urges CISOs and boards to shift from siloed defenses to a proactive, enterprise-wide posture using frameworks like FS-ISAC’s Cyber Fraud Prevention Framework and Google Cloud detection and protection capabilities.