< ciso
brief />
Tag Banner

All news with #ransomware tag

463 articles · page 21 of 24

Protecting SMBs From Ransomware: Trends and Defenses

🔒 Small and medium-sized businesses are increasingly targeted by ransomware gangs that exploit weak defenses, offer Ransomware-as-a-Service, and adapt tactics with AI-driven tools. RaaS industrialization and discoveries like ESET's PromptLock demonstrate how attackers can scale reconnaissance, exploitation and social engineering. SMBs face double-extortion, DDoS and coercive pressures while repeat payments remain an issue despite a decline in aggregate crypto payouts. Practical defenses—Zero Trust, timely patching, reliable backups, EDR/MDR and tested incident response—can materially reduce risk.
read more →

Insight Partners Notifies Thousands After Ransomware Breach

🔒 Insight Partners is notifying thousands of people after a ransomware incident in which a threat actor gained network access via a sophisticated social engineering attack. The attackers reportedly exfiltrated sensitive data — including banking and tax records, personal information of current and former employees, and details related to limited partners, funds, management companies, and portfolio companies — before encrypting servers on January 16, 2025. The firm says formal notification letters and complimentary credit or identity monitoring are being mailed; if you do not receive a letter by the end of September 2025, your personal data was determined not to be impacted. State filings indicate 12,657 individuals were affected, and no group has publicly claimed responsibility.
read more →

Evolving ClickFix Variants Lead to MetaStealer Deployments

🔍 Huntress analysts observed an uptick in attacks that combine classic ClickFix social engineering with more advanced deployment techniques over the past fifteen business days. A fake AnyDesk installer used a Cloudflare Turnstile lure that opened Windows File Explorer via the search-ms protocol to deliver an LNK payload disguised as a PDF and install an MSI that dropped MetaStealer. Separately, operators deployed Cephalus ransomware using DLL sideloading through the legitimate SentinelOne host binary, illustrating evolving tradecraft that mixes manual user interaction and technical evasion.
read more →

HybridPetya: Petya/NotPetya Copycat Adds UEFI Bypass Threat

🔒 ESET researchers have identified a new ransomware strain named HybridPetya that mimics the Petya/NotPetya family while adding UEFI-targeting capabilities. The malware weaponizes CVE-2024-7344 to bypass UEFI Secure Boot on unpatched systems, enabling persistent bootkit-style compromise. HybridPetya is not currently observed spreading in the wild but represents at least the fourth known bootkit with Secure Boot bypass functionality.
read more →

HybridPetya Bootkit Bypasses Secure Boot to Encrypt MFT

🔒 Researchers at ESET have identified HybridPetya, a bootkit-style ransomware that mimics Petya/NotPetya by targeting the NTFS Master File Table (MFT). Unlike destructive predecessors, HybridPetya functions as true ransomware and can reconstruct victim decryption keys from an installation key, with an analyzed sample demanding €850 in Bitcoin. The threat bypasses UEFI Secure Boot by exploiting CVE-2024-7344 in a Microsoft-signed EFI component to load an unsigned cloak.dat, replace the Windows bootloader, crash the system to force a reboot, and run prior to OS startup to encrypt the disk with Salsa20 while displaying a fake CHKDSK message.
read more →

HybridPetya Resembles NotPetya and Adds UEFI Bootkit

🔒 ESET Research identified HybridPetya on VirusTotal in February 2025, with filenames implying a connection to the destructive NotPetya outbreak. The strain encrypts the NTFS Master File Table using Salsa20 and deploys a UEFI bootkit on the EFI System Partition to ensure firmware‑level persistence. One variant exploits CVE-2024-7344 to bypass UEFI Secure Boot via a signed but vulnerable Microsoft component, yet retains a working decryption mechanism for victims. Analysts found no signs of self-propagation like NotPetya, but the combination of pre-boot compromise and MFT encryption raises significant concern.
read more →

Yurei Ransomware Uses Open-Source Tools for Extortion

🔒 A newly identified ransomware group called Yurei is conducting double-extortion attacks, encrypting files and exfiltrating sensitive data before demanding payment. First observed by Check Point Research on September 5, Yurei has targeted organizations in Sri Lanka, India and Nigeria and may have ties to Morocco. Built largely from open-source Prince-Ransomware code, the malware encrypts each file using per-file ChaCha20 keys protected with ECIES, appending a .Yurei extension, and attempts to provide a ransom page and .onion contact. Although the early variant omits some operational features (for example it fails to set a ransom wallpaper and does not remove Windows shadow copies), the group still threatens publication of stolen data to pressure victims.
read more →

HybridPetya UEFI Bootkit Bypasses Secure Boot on PCs

🔒 HybridPetya is a newly identified UEFI bootkit that can bypass Secure Boot by exploiting CVE-2024-7344, enabling installation of malicious components into the EFI System Partition. ESET located a sample on VirusTotal and describes it as possibly a proof-of-concept, research project, or an early-stage criminal tool. The bootkit replaces the Windows bootloader, forces reboots to execute at startup, encrypts MFT clusters with Salsa20 while showing a fake CHKDSK, and then presents a ransom screen demanding a Bitcoin payment and a 32-character key to restore the bootloader and decrypt data.
read more →

Yurei Ransomware: Rapid Rise from Open-Source Code

🛡️ Yurei ransomware emerged on September 5, quickly claiming victims in Sri Lanka, India and Nigeria within its first week. The payload is largely copied from the open-source Prince-Ransomware project, illustrating how easily attackers can deploy commodity code. Although technical flaws allow partial recovery, Yurei focuses on data theft and public exposure to coerce payments. Early indicators point to links with Morocco, signaling a geographically shifting threat landscape.
read more →

HybridPetya Bootkit Bypasses Secure Boot on UEFI Systems

🔒 ESET researchers identified HybridPetya, a new ransomware strain that blends Petya-style MFT encryption with a UEFI bootkit that can bypass Secure Boot by abusing a patched flaw (CVE-2024-7344) in the Howyar Reloader EFI component. The malware installs a malicious EFI application, uses a three-state flag to track encryption and ransom status, displays a fake CHKDSK screen, and demands $1,000 in Bitcoin. Select variants load a cloak.dat payload into reloader.efi to evade integrity checks; Microsoft revoked the vulnerable binary via dbx updates. ESET found no evidence of widespread active abuse but warned Secure Boot bypasses are increasingly common and urged prompt patching and boot integrity monitoring.
read more →

HybridPetya: Petya-like Ransomware Targets UEFI Secure Boot

🛡️ ESET researchers identified HybridPetya in late July 2025 after suspicious samples were uploaded to VirusTotal. The malware resembles Petya/NotPetya and encrypts the NTFS Master File Table (MFT), while also capable of installing a malicious EFI application on the EFI System Partition to persist on UEFI systems. One analyzed variant exploits CVE-2024-7344 using a crafted cloak.dat to bypass UEFI Secure Boot on outdated systems. ESET telemetry shows no evidence of active, widespread deployments.
read more →

Akira Ransomware Exploits Unpatched SonicWall VPNs

🚨 The Australian Cyber Security Centre has observed increased exploitation of SonicWall SSL VPNs by the Akira ransomware group, leveraging CVE-2024-40766. The vulnerability, patched over a year ago, affects SonicWall Gen 5 and Gen 6 appliances and Gen 7 devices running SonicOS 7.0.1-5035 and earlier. Organisations remain at risk if they did not both install firmware updates and immediately rotate administrative credentials after migration. Security vendors Rapid7 and Recorded Future report automated intrusions tied to this issue; operators are advised to patch, reset passwords, restrict VPN access and enable robust MFA.
read more →

Akira Ransomware Reuses Critical SonicWall SSLVPN Bug

🔒 The Akira ransomware gang is actively exploiting CVE-2024-40766 to target unpatched SonicWall SSL VPN endpoints and gain unauthorized network access. SonicWall released a patch in August 2024 and warned that exposed credentials could allow attackers to configure MFA or TOTP and bypass protections. Administrators should apply the vendor update, rotate local SSLVPN passwords, enforce MFA, mitigate Default Group risks, and restrict Virtual Office Portal access.
read more →

Wyden Urges FTC Probe of Microsoft After Ascension Hack

🛡️ US Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft following the 2024 ransomware attack on healthcare operator Ascension, which exposed data for 5.6 million patients after a contractor clicked a malicious Bing search result. Wyden says default Microsoft settings and support for the outdated RC4 standard enabled a Kerberoasting technique that granted administrative access. He notes Microsoft was warned in July 2024 and posted a blog in October announcing a planned update, but nearly a year later no update has been issued nor direct customer outreach made. The letter frames Microsoft’s control over default configurations as a systemic national security risk.
read more →

Senator Wyden Urges FTC Probe of Microsoft Ransomware Lapses

🔍 Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft for what he describes as "gross cybersecurity negligence" that he says facilitated ransomware attacks on U.S. critical infrastructure, including healthcare. Wyden's four-page letter to FTC Chair Andrew Ferguson cites the 2024 Ascension breach attributed to Black Basta and details an attack chain that began when a contractor clicked a malicious link after using Microsoft's Bing search. The senator highlights exploitation of insecure default Kerberos settings and legacy RC4 support enabling Kerberoasting, and criticizes Microsoft for not enforcing stronger defaults and minimum password requirements while noting the company's published mitigations and planned deprecations.
read more →

Senator Wyden Urges FTC Probe into Microsoft's Security

🚨 Senator Ron Wyden has asked the FTC to investigate Microsoft for what he calls "gross cybersecurity negligence," arguing insecure defaults enabled widespread ransomware attacks. He cites the February 2024 Ascension Health breach that exposed 5.6 million patient records and describes how a single click enabled lateral movement via Kerberoasting and lingering RC4 support. Wyden criticizes Microsoft for building a >$20 billion security business of add-on protections while leaving core products vulnerable and says promised fixes and plain-language guidance were inadequate. The letter warns this pattern poses national-security and industry-wide risks.
read more →

US Charges Alleged Ransomware Kingpin; $10M Reward

🚨 A US federal court has unsealed charges against Ukrainian national Volodymyr Viktorovich Tymoshchuk, accused of orchestrating ransomware campaigns using LockerGoga, MegaCortex, and Nefilim. Authorities say these campaigns, active between December 2018 and October 2021, targeted over 250 US companies and hundreds more worldwide. Tymoshchuk — also known by aliases such as 'deadforz', 'Boba', and 'msfv' — remains at large. The US is offering a $10 million reward for information leading to his arrest and conviction.
read more →

KillSec Ransomware Disrupts Brazilian Healthcare IT

🔒 A ransomware incident attributed to KillSec has disrupted MedicSolution, a Brazilian healthcare IT vendor, after attackers claimed to exfiltrate more than 34 GB comprising 94,818 files. Resecurity reports the haul includes medical evaluations, lab results, X‑rays and unredacted patient photos, and says data was exposed via misconfigured AWS cloud buckets. MedicSolution has not publicly responded; regulators and affected providers face notification and remediation challenges.
read more →

The Gentlemen ransomware targets OT-heavy industries

🔒 A newly observed ransomware group, The Gentlemen, has rapidly expanded operations across Asia Pacific, South America, the US and the Middle East since first being identified in August. Trend Micro reports the group leverages legitimate drivers, GPO abuse and custom tooling to disable endpoint security and move laterally. Victims span manufacturing, construction, healthcare and insurance, and defenders are urged to adopt zero-trust, behavioral EDR/XDR and rigorous segmentation.
read more →

Ransomware Demands and Payments Fall Sharply in Education

📉 A new Sophos study finds that ransomware demands and payments in the education sector have dropped dramatically year‑on‑year, with average demands falling 74% for lower education and 80% for higher education. Median payments also plunged, moving education from among the highest to among the lowest payers. Improved detection, faster recovery and more effective negotiation are cited as key drivers behind the reductions.
read more →