< ciso
brief />
Tag Banner

All news with #ransomware tag

463 articles · page 20 of 24

LockBit 5.0 Emerges as Most Dangerous Ransomware Variant

🔒 Trend Micro has identified a new LockBit variant, LockBit 5.0, which it calls significantly more dangerous than prior releases and has observed in the wild. The vendor confirmed Windows, Linux, and ESXi binaries featuring faster encryption, removal of infection markers, randomized 16-character extensions and enhanced evasion. The Windows build includes a cleaner affiliate UI with detailed execution options, while the ESXi variant represents a critical escalation by enabling encryption of multiple virtual machines from a single payload. Researchers note substantial code reuse from 4.0, suggesting an evolutionary update rather than a rebrand.
read more →

SpyCloud: Identity Blind Spots Raise Ransomware Risk

🔒 The SpyCloud 2025 Identity Threat Report exposes a gap between confidence and capability: 86% of security leaders say they can prevent identity-based attacks, yet 85% of organizations experienced ransomware in the past year, with over one-third hit six to ten times. A survey of 500+ security leaders in North America and the UK highlights identity sprawl across SaaS, unmanaged devices and third-party ecosystems. The report notes phishing, credential reuse and exposed sessions increasingly enable persistent access. It warns that most organizations lack automated remediation, repeatable workflows and formal investigation protocols.
read more →

17-Year-Old Suspected in Vegas Casino Cyberattacks Released

🔒 A 17-year-old hacker who surrendered on charges tied to sophisticated cyber intrusions against Las Vegas casinos between August and October 2023 has been released into his parents' custody under family court supervision. Authorities link the incidents to the Scattered Spider group and the deployment of BlackCat/ALPHV ransomware that disrupted operations and exposed staff and customer data. The judge imposed strict conditions including residence at a registered parental address, prohibition on leaving Clark County, internet use limited to educational purposes, and restrictions on phones and electronics, with immediate detention for violations. Prosecutors say the suspect may still control about $1.8 million in Bitcoin and are seeking additional charges and to try him as an adult.
read more →

NCA Arrests Man Linked to HardBit Ransomware Disruption

🔒 British investigators arrested a man in his forties in West Sussex in connection with a suspected ransomware outbreak that disrupted flights across Europe. The National Crime Agency said the suspect was released on conditional bail and the probe remains at an early stage. Security researchers have linked the incident to the HardBit variant, which affected ARINC vMUSE systems and forced airlines to revert to paper processes amid repeated reinfections.
read more →

Ransomware-Enabled Heist and npm Worm Supply-Chain Threats

🔒 Ransomware can do more than encrypt files — it can disable alarms and create physical security vulnerabilities. In a recent episode of the Smashing Security podcast, hosts discuss how a ransomware-related outage at the Natural History Museum in Paris preceded a late-night theft of €600,000 in gold. The show also covers a new npm supply-chain worm dubbed Shai Hulud that has infected over 180 packages and quietly exfiltrated secrets, plus odd stories about ads appearing on consumer appliances.
read more →

Interpol-led Operation Seizes $439M From Cybercrime

🕵️‍♂️ In a five-month international campaign, Operation HAECHI VI led by Interpol and partner agencies recovered more than $439 million in cash and cryptocurrency tied to cyber-enabled financial crimes. Investigators from 40 countries across five continents targeted a broad range of scams — including voice phishing, investment fraud, BEC, sextortion and romance scams — freezing 400 crypto wallets and blocking over 68,000 bank accounts. The action included 45 arrests in Portugal and multimillion-dollar recoveries in Thailand, building on prior HAECHI phases that netted hundreds of millions and thousands of arrests.
read more →

Obscura: New Ransomware Variant Targeting Domains Globally

🔒 On 29 August 2025 Huntress analysts identified a previously unseen ransomware variant they named Obscura after its embedded ransom note. The binary was placed in the domain NETLOGON scripts folder, enabling propagation via AD replication, and the actor created scheduled tasks to run it across hosts. Obscura requires administrative privileges, attempts to delete volume shadow copies and terminates roughly 120 security and backup processes. It uses Curve25519/X25519 key exchange and XChaCha20 for file encryption and writes a decoded ransom note to C:\README-OBSCURA.txt.
read more →

UK Arrests Suspect After RTX MUSE Ransomware Hits Airports

🛫 The UK's National Crime Agency arrested a man in his forties in West Sussex on suspicion of Computer Misuse Act offences linked to a ransomware attack that disrupted airports across Europe. RTX Corporation confirmed the incident affected its Collins Aerospace MUSE passenger processing software, first detected on September 19. The suspect has been released on conditional bail while the probe, supported by the South East ROCU and other agencies, remains in its early stages. Affected customers shifted to backup and manual processes while RTX and external cybersecurity experts work to contain and remediate the impact.
read more →

Ransomware Speed Crisis: Defending at Machine Pace

⚠️ Ransomware attacks have accelerated to machine speed, often completing exfiltration and impact in minutes rather than days. Unit 42 research documents a dramatic decline in mean time to exfiltrate, driven by AI automation, initial access brokers and RaaS, which together enable highly targeted, fast-moving campaigns. Organizations now need AI-powered detection, automated containment and unified XDR visibility across endpoints, network and cloud to stop threats in real time. Human analysts remain vital but must operate alongside automated systems to focus on hunting and strategic response.
read more →

Extending Zero Trust to the Storage Layer: Resilience

🔒 Applying zero trust to the storage layer is no longer theoretical — it is now essential to ensure recovery. The author describes ransomware incidents, including Change Healthcare in February 2024, where attackers deliberately targeted backups and recovery points, exposing storage as a primary attack surface. He recommends three operational principles — control where data is touched, control who and when, and make critical backups immutable — and ties those measures to governance, policy-as-code, and executive outcomes.
read more →

Hoppegarten IT outage continues after August cyberattack

🔒 The municipality of Hoppegarten in Brandenburg is still recovering from a hacker attack that forced its IT systems to be shut down on August 10. As of September 22, remediation remains ongoing, with central services such as email, telephone, and citizen services restored. Communication with subordinate institutions, including schools and daycare centers, remains disrupted. Authorities say the State Criminal Police Office is investigating a suspected attempted data encryption, possibly tied to an extortion attempt.
read more →

Allianz: Attackers Shift From Large Firms to Easier Targets

🛡️ Allianz warns that cybercriminals are increasingly shifting focus from well‑defended large organizations to smaller, less secure firms and to regions beyond the US and Europe. The insurer's Cyber report says customer losses in H1 2025 were about half those in H1 2024, even as active ransomware groups may have risen by roughly 50%. Double extortion and data theft now account for a growing share of large losses, and attackers often exploit third‑party IT providers to reach hardened targets.
read more →

Attacker Breakout Time Drops to 18 Minutes, ReliaQuest

🔒 ReliaQuest's Threat Spotlight (June–August 2025) reports average attacker breakout time — the period from initial access to lateral movement — has fallen to 18 minutes, with one Akira incident taking just six minutes. The vendor warns adversaries are becoming faster and more adept at bypassing endpoint protections, noting an increase in ransomware using the SMB protocol (from 20% to 29%). Drive-by compromise was the leading initial vector at 34%, and USB-based malware, notably Gamarue, is resurging due to weak policy enforcement and inconsistent endpoint controls.
read more →

Ransomware Attack Disrupts Check-in at Major EU Airports

🛫 Over the weekend several major European airports experienced check-in and boarding disruptions after a ransomware attack on the external vendor Collins Aerospace. Attackers targeted the MUSE multi-airline check-in system, forcing manual processing of thousands of passengers and causing delays and cancellations to more than 100 flights. Airports affected included Heathrow, Brussels and Berlin Brandenburg, with only minor impact reported in Cork and Dublin. Authorities and the vendor are investigating while restoration efforts continue.
read more →

Ransomware Still Evades Defenses Despite Protections

🔒 Picus Security's Blue Report 2025 shows ransomware continues to outpace defenses: overall prevention fell from 69% to 62% year-over-year, while data exfiltration prevention collapsed to just 3%. Both established families (BlackByte, BabLock, Maori) and emerging strains (FAUST, Valak, Magniber) bypass controls using credential theft, fileless techniques and staged execution. Picus recommends continuous Breach and Attack Simulation (BAS) to validate controls, deliver actionable fixes, and provide measurable evidence of readiness.
read more →

Ransomware Extortion Claim Targets BMW Group Servers

🔒 The BMW Group has been named on the darknet by the Everest ransomware group, which claims to have stolen critical BMW audit documents, according to screenshots reported by Cybernews. The gang placed two countdown timers on its onion site—one running to Sept. 14 and a second giving BMW 48 hours to make contact. BMW has not commented and the extortionists have not confirmed whether customer or personal data were taken; Cybernews researcher Aras Nazarovas advises waiting for a published sample to assess the scope.
read more →

HybridPetya ransomware bypasses Windows Secure Boot

🔒 Researchers at ESET have identified a new bootkit-style ransomware named HybridPetya that targets the NTFS Master File Table (MFT) and can override UEFI Secure Boot to install a malicious EFI component. The malware abuses a patched vulnerability (CVE-2024-7344) in a signed Microsoft EFI file to load an unsigned payload called cloak.dat. The installer replaces the Windows bootloader, triggers a crash and, on reboot, the compromised loader executes a bootkit that encrypts the disk with Salsa20, using a fake CHKDSK message to conceal activity. ESET observed a ransom demand of €850 in Bitcoin but regards the sample as likely a research proof-of-concept.
read more →

US and UK Charge Two Suspects in Scattered Spider Attacks

🔒 US and UK authorities have charged two UK-based teenagers linked to the Scattered Spider cybercrime group in connection with multiple high-profile intrusions. Thalha Jubair, 19, and Owen Flowers, 18, face US and UK charges including conspiracy to commit computer fraud, wire fraud, money laundering and offences under the UK Computer Misuse Act. Authorities allege extensive social engineering, ransomware extortion and transfers of victim cryptocurrency, with investigators attributing at least $115m in ransom payments to the group. The arrests follow a multinational probe and earlier detentions of other alleged members.
read more →

Zscaler ThreatLabz: Global Ransomware Surge 2024–2025

🔒 Zscaler's annual ThreatLabz Ransomware Report (April 2024–April 2025) warns of a marked rise in extortion-focused attacks: incidents increased 146% year-over-year while exfiltrated data grew 92%. The vendor attributes this to a strategic shift from pure encryption to data theft and public shaming, with criminals using stolen files as leverage. Researchers also report that generative AI is increasingly incorporated into attackers' playbooks to enable more targeted and efficient campaigns. The U.S. accounted for half of all recorded attacks, Germany saw a nearly 75% rise and is the EU's most affected country, and the most-targeted sectors were manufacturing, technology and healthcare.
read more →

Insight Partners Discloses 2024 Ransomware Breach Impacting

🔒 Insight Partners disclosed a ransomware attack that occurred around 25 October 2024 but was first detected on 16 January 2025. The firm says a sophisticated social engineering attack enabled a threat actor to exfiltrate data and encrypt servers before being expelled the same day. About 12,657 individuals may be affected; the firm offers free identity-theft protection and urges password resets and MFA.
read more →