ciso brief

All news with #ransomware tag

419 articles · page 2 of 21

MuddyWater Uses Chaos Ransomware as Decoy in Attacks

🔍 The Iranian state-sponsored group MuddyWater disguised a cyber-espionage operation as a Chaos ransomware attack, leveraging Microsoft Teams social engineering to harvest credentials and manipulate MFA. Attackers used fake Quick Assist phishing pages or tricked victims into typing passwords into local files, then moved laterally via AnyDesk, DWAgent, and RDP to establish persistence. Rapid7 links the campaign to MuddyWater with moderate confidence, noting a signed loader (ms_upd.exe) that drops a backdoor (Game.exe) with anti-analysis checks.

Phishing Campaign Leverages RMM to Maintain Persistent Access

🛡️ Securonix warns of an active phishing campaign codenamed VENOMOUS#HELPER that has compromised over 80 organizations, primarily in the U.S., by abusing legitimate Remote Monitoring and Management tools. Attackers deliver a JWrapper-packaged executable via phishing links hosted on a compromised Mexican site to install SimpleHelp RMM with Safe Mode persistence and a self-healing watchdog. Operators elevate to SYSTEM using AdjustTokenPrivileges and deploy ConnectWise ScreenConnect as a fallback, creating redundant remote access for potential ransomware or extortion follow-on activity.

Two Cybersecurity Workers Jailed for BlackCat Ransomware

🔒 Two American cybersecurity workers, Ryan Goldberg and Kevin Martin, were each sentenced to four years in prison for helping the BlackCat (ALPHV) ransomware gang carry out attacks in 2023, the US Department of Justice said. The pair — who pleaded guilty in December 2025 — worked with a former negotiator, Angelo Martino, and shared proceeds from ransoms, including a $1.2m Bitcoin payout. Prosecutors said they abused specialist cyber skills; the FBI tracked Goldberg across ten countries before his arrest.

Negotiator Pleads Guilty to Aiding Ransomware Gang

⚖️ The negotiator pleaded guilty after secretly working for a ransomware gang while ostensibly negotiating payments for victims. The arrangement let a trusted intermediary funnel information to the gang and steer negotiations in its favor, undermining client trust and incident response. Prosecutors say the conduct included clandestine communications that advantaged the criminals and complicated recovery. The plea underscores the risk of relying on third-party negotiators without robust oversight.

Two Cybersecurity Experts Get 4-Year Terms in BlackCat Case

🔒 The U.S. Department of Justice has sentenced two cybersecurity professionals to four years in prison for their roles in deploying ALPHV/BlackCat ransomware against multiple U.S. victims between April and December 2023. Ryan Goldberg and Kevin Martin pleaded guilty in December 2025 after conspiring with Angelo Martino to gain access to the ransomware in exchange for a share of ransoms. Authorities say one extortion yielded approximately $1.2 million in Bitcoin, which the defendants laundered, and that the men abused their security expertise while employed by Sygnia and DigitalMint.

Critical Flaw Turns Vect Ransomware into Data Wiper

⚠ Check Point Research discovered a critical implementation bug in Vect 2.0 that causes files larger than 131,072 bytes (128 KB) to be permanently destroyed rather than recoverably encrypted. The ransomware uses raw ChaCha20-IETF without the Poly1305 MAC and a faulty nonce-handling routine that discards three of four decryption nonces, effectively turning the RaaS into a wiper across Windows, Linux and ESXi variants. Researchers also identified multiple additional coding and design errors that undermine the group's RaaS ambitions and affiliate program.

VECT 2.0 Ransomware Bug Destroys Large Files in Enterprises

⚠️ VECT 2.0 ransomware contains a nonce-handling defect that overwrites per-chunk nonces when encrypting files, leaving only the final nonce saved. As a result, files larger than about 128 KB are partially unrecoverable — roughly only the last quarter can be decrypted — causing the malware to act like a wiper for many enterprise assets. Check Point researchers report the flaw affects Windows, Linux and ESXi builds and means victims cannot recover corrupted data even if they pay.

VECT 2.0 Flaw Turns Ransomware into Irreversible Wiper

⚠️ VECT 2.0 is effectively a destructive wiper rather than recoverable ransomware due to a critical implementation bug that discards key nonces during encryption. Check Point found that any file larger than 131,072 bytes loses three of four ChaCha20 nonces, rendering those chunks irrecoverable even if victims pay. The RaaS's Windows, Linux, and ESXi variants and affiliate model raise broad operational risk, but the technical flaw means payment will not restore most enterprise data.

VECT Ransomware Destroys Files; Paying Won't Recover Data

🛑 VECT is a destructive ransomware family that permanently destroys large files instead of producing recoverable encrypted copies, so paying the ransom will not restore data. The group leveraged partnerships with TeamPCP and BreachForums to build a massive affiliate pipeline to thousands of potential victims. An encryption bug affects Windows, Linux, and ESXi variants and has persisted since before the public 2.0 release. Check Point's Threat Emulation and Harmony Endpoint provide full protection against known variants.
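The four VECT items above all describe the same defect: per-chunk ChaCha20 nonces are generated at encryption time, but only the last one is persisted, and because the cipher runs without Poly1305 there is no tag to tell a decryptor that it is using the wrong nonce. The following is an added example, not Check Point's code or anything recovered from VECT samples. It models a chunked encryptor in pure Python (RFC 8439 ChaCha20, 96-bit nonce) and compares a decryptor fed a correct footer with one fed the footer the bug produces. The four-way split above 131,072 bytes follows the reporting; the footer layout, the block-counter handling and the exact chunk boundaries are assumptions made for the example.

```python
"""Toy model of a chunked, unauthenticated ChaCha20 file encryptor whose
footer keeps only the last nonce, to show why the chunks encrypted under the
discarded nonces cannot be decrypted even with the right key.
ChaCha20 is the RFC 8439 (IETF, 96-bit nonce) variant. The four-way split
above 131,072 bytes follows the public reporting; the footer layout, block
counter use and chunk boundaries are assumptions of this example."""
import os
import struct

MASK32 = 0xFFFFFFFF
THRESHOLD = 131_072  # files up to this size get a single chunk (assumption)
PARTS = 4            # larger files are split into four chunks, one nonce each


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; x = s[d] ^ s[a]; s[d] = ((x << 16) & MASK32) | (x >> 16)
    s[c] = (s[c] + s[d]) & MASK32; x = s[b] ^ s[c]; s[b] = ((x << 12) & MASK32) | (x >> 20)
    s[a] = (s[a] + s[b]) & MASK32; x = s[d] ^ s[a]; s[d] = ((x << 8) & MASK32) | (x >> 24)
    s[c] = (s[c] + s[d]) & MASK32; x = s[b] ^ s[c]; s[b] = ((x << 7) & MASK32) | (x >> 25)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_xor(key, nonce, data, counter=0):
    """Raw keystream XOR. There is no Poly1305 tag, so decrypting under the
    wrong nonce returns garbage silently rather than failing."""
    out = bytearray(len(data))
    for i in range(0, len(data), 64):
        blk = data[i:i + 64]
        ks = chacha20_block(key, counter + i // 64, nonce)[:len(blk)]
        out[i:i + len(blk)] = (int.from_bytes(blk, "little") ^
                               int.from_bytes(ks, "little")).to_bytes(len(blk), "little")
    return bytes(out)


def split(data):
    """Small files are one chunk; larger ones are cut into PARTS equal pieces."""
    if len(data) <= THRESHOLD:
        return [data]
    piece = -(-len(data) // PARTS)  # ceiling division
    return [data[i:i + piece] for i in range(0, len(data), piece)]


def encrypt_file(key, plaintext):
    """Each chunk gets a fresh random nonce; returns ciphertext plus the nonces
    a working decryptor would need."""
    ciphertext, nonces = bytearray(), []
    for chunk in split(plaintext):
        nonce = os.urandom(12)
        nonces.append(nonce)
        ciphertext += chacha20_xor(key, nonce, chunk)
    return bytes(ciphertext), nonces


def footer_correct(nonces):
    return b"".join(nonces)


def footer_buggy(nonces):
    """The defect: a single 12-byte slot that every chunk overwrites, so only
    the final nonce reaches the footer the decryptor reads."""
    slot = b"\x00" * 12
    for nonce in nonces:
        slot = nonce
    return slot


def decrypt_file(key, ciphertext, footer):
    """Reads 12-byte nonces from the footer; when the footer is short, the only
    nonce available is reused for every chunk."""
    nonces = [footer[i:i + 12] for i in range(0, len(footer), 12)]
    out = bytearray()
    for idx, chunk in enumerate(split(ciphertext)):
        out += chacha20_xor(key, nonces[min(idx, len(nonces) - 1)], chunk)
    return bytes(out)


def chunks_recovered(plaintext, recovered):
    """True per chunk where decryption reproduced the original bytes."""
    return [a == b for a, b in zip(split(plaintext), split(recovered))]


def demo(size):
    """Encrypt a constructed random file of `size` bytes and decrypt it with a
    correct footer and with the buggy one. Returns both per-chunk results."""
    key = os.urandom(32)
    plaintext = os.urandom(size)  # constructed stand-in for a victim file
    ciphertext, nonces = encrypt_file(key, plaintext)
    good = decrypt_file(key, ciphertext, footer_correct(nonces))
    bad = decrypt_file(key, ciphertext, footer_buggy(nonces))
    return chunks_recovered(plaintext, good), chunks_recovered(plaintext, bad)


if __name__ == "__main__":
    good, bad = demo(THRESHOLD + 1)
    print("128 KiB + 1 byte, correct footer:", good)  # [True, True, True, True]
    print("128 KiB + 1 byte, buggy footer:  ", bad)   # [False, False, False, True]
```

Two things are worth noticing when running it. With the buggy footer the decryptor does not raise or detect anything: raw ChaCha20 is a keystream XOR, so a wrong nonce just produces different bytes, which is why an AEAD tag (or at least a per-chunk checksum) would have surfaced this bug in the first test run. And the damage is keyed to file size: a file at or below the threshold has one chunk and one nonce, so it survives, while anything larger loses every chunk except the last, which is exactly the "last quarter" behaviour the reporting describes.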

Calm Ransom: When Confidence Hides Cybersecurity Risk

🔒 Calm does not equal secure — organizations often mistake a long period without incidents for strong defenses. This article warns that mental shortcuts like WYSIATI (What You See Is All There Is) and overreliance on compliance can blind teams to active threats, such as credentials appearing in infostealer logs before attacks. Remediation requires behavioral detection, continuous threat intelligence, and disciplined vigilance to prevent costly ransomware and data‑leak consequences.

Trigona Ransomware Adopts Custom Tool to Steal Data

🔒 Symantec researchers observed Trigona ransomware affiliates using a custom command-line exfiltration utility, uploader_client.exe, in March to siphon high-value documents to a hardcoded server. The tool supports parallel uploads, TCP rotation after 2GB, selective file-type exclusion, and an authentication key to control access to stolen data. The shift from public utilities like Rclone appears intended to reduce detection during double-extortion operations. Symantec has published IoCs to aid defenders.

Global Higher Education Cyberattacks Surge 63% Yearly

🔒 Quorum Cyber's 2026 Global Cyber Risk Outlook for Higher Education reports a 63% rise in recorded incidents between Nov 2023–Oct 2024 and Nov 2024–Oct 2025, increasing from 260 to 425. Across 67 countries, data breaches rose 73%, hacktivism 75% and ransomware 21%. FunkSec, Cl0p, INC and Nova were the most prolific groups. The report urges intelligence-led vulnerability management, dark web monitoring, robust backups and regular incident response exercises.

Kyber Ransomware Uses Kyber1024 Post-Quantum on Windows

🔒 Rapid7 analyzed two Kyber ransomware variants discovered in March 2026 that were deployed on the same network: one targeting VMware ESXi and one targeting Windows file servers. The ESXi build advertises post‑quantum Kyber1024 but instead uses ChaCha8 for file encryption and RSA‑4096 for key wrapping. The Windows variant, written in Rust, implements Kyber1024 and X25519 to protect symmetric keys while using AES‑CTR for bulk file encryption, and includes destructive routines such as service termination, backup deletion and an experimental Hyper‑V shutdown.

SystemBC C2 Server Reveals Over 1,570 Compromised Hosts

🔍 Check Point researchers found a SystemBC C2 server linked to an affiliate of The Gentlemen RaaS operation, controlling a botnet of more than 1,570 compromised corporate hosts worldwide. SystemBC establishes SOCKS5 tunnels and communicates with its C2 using a custom RC4‑encrypted protocol, enabling payload download or in‑memory execution. The activity aligns with The Gentlemen's multi‑platform double‑extortion campaigns, which abuse GPOs, exposed services and compromised credentials to escalate access and deploy ransomware.

Ransomware Negotiator Pleads Guilty After Betrayal

🔒 Angelo Martino, a former ransomware negotiator, pleaded guilty to conspiring with the BlackCat ransomware group to extort U.S. companies in 2023. From April through November 2023, he provided confidential negotiation details — including victims' insurance limits and internal bargaining positions — to maximize ransom demands in exchange for payment. Martino admitted collaborating with incident responders Ryan Goldberg and Kevin Martin while working at DigitalMint and Sygnia, and authorities say the defendants extorted at least $1.2 million in a single case. Investigators seized roughly $10 million in assets; Martino faces up to 20 years and is scheduled for sentencing on July 9, 2026.

The Gentlemen RaaS Expands, Targeting Enterprise Systems

🔐 Check Point researchers report that The Gentlemen, a ransomware-as-a-service operation first identified in mid-2025, has claimed over 320 victims with the majority of attacks occurring in early 2026. Affiliates are supplied with cross-platform ransomware written in Go for Windows, Linux, NAS and BSD, plus a C-based ESXi encryptor. The toolkit enables automated lateral movement, Group Policy deployment and credential reuse to achieve rapid, domain-wide encryption, and incidents frequently show defense evasion and post-exploitation tools such as SystemBC and Cobalt Strike.

Top Techniques Attackers Use to Infiltrate Systems

🔒 Much reporting on cyber risk focuses on AI, but frontline incidents remain grounded in social engineering and identity exploitation. Experts say attackers increasingly abuse legitimate tools — including trojanized RMM clients — and target network security appliances, OAuth flows, and machine identities to bypass defenses. Techniques like ClickFix, phishing, token theft and supply‑chain worms enable lateral movement and ransomware. Defenders should combine user training, RMM allowlists and layered, phishing‑resistant authentication.

Gentlemen Ransomware Uses SystemBC Botnet for Corporates

🔒 Check Point Research uncovered a SystemBC proxy botnet of over 1,570 infected hosts tied to a Gentlemen ransomware affiliate, with telemetry indicating primarily corporate victims across the US, UK, Germany, Australia, and Romania. The discovery shows affiliates pairing SystemBC SOCKS5 tunneling with Cobalt Strike for covert payload delivery and lateral movement. Check Point published IoCs and a YARA signature to help defenders identify related activity.

The Gentlemen Ransomware: Rapid Rise and Widespread Impact

🔒 Check Point Research reports that the Gentlemen ransomware-as-a-service operation has claimed over 320 victims since mid-2025, including 240 incidents in 2026, while access to a live C2 server revealed a botnet of more than 1,570 likely corporate victims. The group targets internet-facing devices (VPNs, firewalls) and can encrypt entire networks within hours, focusing on manufacturing, technology and an increasing number of healthcare organizations. Organizations should prioritize patching, MFA, segmentation, proactive detection, and reliable offline backups to reduce exposure.

Ransomware as Industry: The Business Behind Attacks

🔐 The article argues that modern ransomware operates like an industry, with affiliates, suppliers, marketplaces and subscription services coordinating long before a ransom note appears. It cites the March 2024 Change Healthcare incident and disputes between affiliates and operators to illustrate franchise dynamics. It details technical enablers such as BYOVD EDR killers and emerging AI-assisted tooling, and urges defenders to map actors, tools and supply‑chain exposure rather than treat incidents as isolated break‑ins.