All news with #ransomware tag

Why Muddled Libra Draws Disproportionate Media Attention

🛡️Unit 42 explains why Muddled Libra receives outsized attention: the group uses a consistent playbook, industry-focused waves of attacks, and unusually convincing English-language vishing that makes attribution and impact more visible. In 2025 cases, about 50% led to DragonForce ransomware deployment and data exfiltration, heightening executive concern. The report highlights practical defenses such as Conditional Access Policies and analytic correlation with tools like Cortex XSIAM to detect and disrupt operations.

Ransomware Forces German Insurance Firm into Bankruptcy

⚠ A ransomware attack attributed to the Royal group forced German insurer Einhaus Gruppe into insolvency after encrypted systems and locked servers halted operations. The spring 2023 incident left printers displaying a takeover message, prevented staff access to critical data, and generated a mid-seven-figure business disruption. Einhaus paid a ransom of roughly US $230,000, but prosecutors later seized cryptocurrency allegedly tied to the perpetrators, and the withheld funds impeded restructuring efforts and helped drive the company into bankruptcy.

Arrest in Raid on XSS Forum: Who Was Detained and Why

🔍 Europol and Ukrainian authorities announced the arrest of a 38-year-old suspect tied to the Russian-language XSS crime forum after a July 22, 2025 operation led by French investigators. Authorities say the detainee served as a trusted third party, arbitrating disputes and assuring transaction security for members linked to multiple ransomware groups. Reporting traces forum activity and multiple domain registrations tied to the handle 'Toha', but investigation suggests the arrested man is likely Anton Medvedovskiy rather than alternate identities circulated online. The takedown yielded Jabber server logs and forum backups, prompting a wary, contested relaunch.

Project AK47 Linked to SharePoint ToolShell Exploits

🔍Unit 42 links a modular malware suite dubbed Project AK47 to SharePoint exploitation activity observed alongside Microsoft’s ToolShell reporting. The toolset includes a dual-protocol backdoor (AK47C2 with dnsclient and httpclient), a ransomware family (AK47 / X2ANYLOCK), and DLL side‑loading loaders. Analysts found high-confidence overlaps with Microsoft’s Storm-2603 indicators, evidence of LockBit 3.0 artifacts in an evidence archive, and a matching Tox ID on a Warlock leak site. Recommended actions include applying patches for the referenced SharePoint CVEs and enabling updated protections from endpoint, URL, and DNS defenses.

ESET Threat Report H1 2025: ClickFix and Ransomware

🔍 ESET's H1 2025 Threat Report highlights a sharp rise in manipulative social-engineering techniques, coordinated infostealer takedowns, and aggressive infighting among ransomware groups. Hosts Aryeh Goretsky and Ondrej Kubovič analyze the rapid emergence of ClickFix, including the FakeCaptcha variant that coaxes victims into executing commands. They also summarize law enforcement disruptions of RedLine/Meta Stealer and other services, and recount a brazen “deathmatch” in which the small actor Dragonforce defaced and dismantled rival data leak sites.

Threat Actor Groups Tracked by Unit 42 — Updated 2025

📌 This Unit 42 reference catalog enumerates selected threat actor groups tracked by Palo Alto Networks, organized by assigned constellation and primary motivation (nation-state, cybercrime, ransomware). It lists aliases, activity summaries, typical sectors impacted and observed TTPs, and highlights recent additions through Aug. 1, 2025. Use of Unit 42 telemetry and the Attribution Framework informs assessments and updates.

ToolShell SharePoint Vulnerabilities and Ongoing Exploitation

🔔 Unit 42 reports active exploitation of multiple on‑premises SharePoint vulnerabilities collectively dubbed ToolShell, enabling unauthenticated remote code execution, authentication bypass, and path traversal. Activity observed from mid‑July 2025 includes web shell deployment, theft of ASP.NET MachineKeys and ViewState material, and delivery of the 4L4MD4R ransomware in at least one chain. Organizations with internet‑exposed SharePoint servers should assume potential compromise and follow containment, patching, cryptographic rotation, and incident response guidance immediately.

Unit 42 Attribution Framework: Systematic Attribution

🔎 Unit 42's Attribution Framework defines a structured, repeatable process for linking observed cyber activity to clusters, temporary groups, or formally named threat actors. It pairs the Diamond Model with the Admiralty System to score source reliability and information credibility, guiding analysts through minimum standards, naming conventions, and promotion criteria to reduce premature attribution.

July 2025 Cybersecurity Roundup: Key Incidents and Risks

🛡️ In July 2025, ESET Chief Security Evangelist Tony Anscombe highlighted major cybersecurity incidents, including exploitation of ToolShell zero‑day vulnerabilities in on‑premises Microsoft SharePoint and the confirmed return of Lumma Stealer. Other critical stories included a ransomware attack that closed UK transport firm KNP, a massive data exposure in McDonald's hiring chatbot McHire, and the discovery of PerfektBlue Bluetooth flaws affecting vehicles. The UK also proposed banning ransom payments by public bodies.

Unmasking AsyncRAT: Mapping Forks and Variants in the Wild

🛡️ ESET Research reviews the sprawling ecosystem of AsyncRAT, an open-source C# remote access trojan first published in 2019, and the many forks that have proliferated since. The post maps major families—most notably DcRat and VenomRAT—and outlines rapid identification techniques based on client configuration, embedded certificates, and behavior. It highlights uncommon plugins (USB spreaders, screamers, clipboard clippers, distributed brute modules) and stresses evolving obfuscation and evasion tactics.

ESET Threat Report H1 2025: Key Cyberthreat Findings

🛡️ The ESET research team has released the H1 2025 Threat Report, summarizing cyberthreat activity from December 2024 through May 2025. The report highlights a rapid rise in a new social engineering technique, ClickFix, with detections increasing more than fivefold, and a 160% surge in Android adware linked to evil twin fraud and PUAs. It also notes growing numbers of ransomware attacks and gangs even as overall payment values trended downward. Watch ESET Chief Security Evangelist Tony Anscombe's video overview and consult the full report for details and mitigation guidance.

LockBit, Hiveleaks and BlackBasta Drive Ransomware Spike

🚨 Ransomware activity rebounded in July, with NCC Group recording 198 successful campaigns — a 47% increase from June. The surge was led by LockBit 3.0 (62 attacks), followed by Hiveleaks (27) and BlackBasta (24), which showed rapid month‑over‑month growth. Researchers link the fluctuation to restructuring after U.S. pressure on Conti, with affiliates and replacement strains reemerging under new identities.