All news with #ransomware tag

Malicious LLMs Equip Novice Hackers with Advanced Tools

⚠️ Researchers at Palo Alto Networks Unit42 found that uncensored models like WormGPT 4 and community-driven KawaiiGPT can generate functional tools for ransomware, lateral movement, and phishing. WormGPT 4 produced a PowerShell locker and a convincing ransom note, while KawaiiGPT generated scripts for credential harvesting and remote command execution. Both are accessible via subscriptions or local installs, lowering the bar for novice attackers.

Asahi breach: personal data of nearly two million exposed

🔒 Asahi Group Holdings has confirmed that personal data for approximately 1.914 million people, including 1.525 million customers, may have been exposed after a September ransomware incident that forced temporary suspension of operations. The company spent two months on containment, integrity checks and system restoration, and says credit card details were not affected. Qilin has claimed responsibility; Asahi warns customers to monitor for unsolicited communications and anticipates ongoing operational impacts.

Retailers Brace for Holiday Fraud, Not Major Breach Spike

🔒 Huntsman Security's analysis of ICO reports from Q3 2024 to Q2 2025 indicates the retail and manufacturing sector experienced only minor seasonal peaks, with 1,381 incidents overall and quarterly counts clustered in the mid-300s. The firm reported 618 breaches caused by brute force, misconfigurations, malware, phishing and ransomware, and urged a shift to continuous assurance so defenses do not drift into vulnerable states. Other vendors cautioned that more than half of recent ransomware incidents occurred on weekends or holidays, while researchers warned of AI-enabled fake e-commerce sites, typosquatted domains and package-tracking scams targeting shoppers.

ThreatsDay: AI Malware, Voice Scam Flaws, and IoT Botnets

🔍 This week's briefing highlights resurgent Mirai variants, AI-enabled malware, and large-scale social engineering and laundering operations. Security vendors reported ShadowV2 and RondoDox infecting IoT devices, while researchers uncovered the QuietEnvelope mail-server backdoors and a Retell AI API flaw enabling automated deepfake calls. Regulators and vendors are pushing fixes, bans, and protocol upgrades as defenders race to close gaps.

Gainsight Expands Customer Impact After Salesforce Alert

🔒 Gainsight disclosed that suspicious activity affecting its Salesforce-connected applications has expanded beyond an initial three-customer list provided by Salesforce, with the company saying it presently knows of "only a handful" of customers whose data were affected. Salesforce revoked access and refreshed tokens for impacted Gainsight-published apps after detecting "unusual activity" claimed by the ShinyHunters group. Several vendors suspended integrations while investigations continue; Gainsight advised rotating credentials, resetting non‑SSO passwords, and reauthorizing connectors as preventive measures.

SonicWall Ransomware Incidents Highlight M&A Risk for CSOs

🛡️ A Reliaquest analysis of June–October incidents links multiple Akira ransomware intrusions to compromised SonicWall SSL VPNs that were inherited through acquisitions. In nearly every case, acquiring organizations did not know the devices remained on their networks and attackers leveraged legacy administrative credentials. The report warns that routine financial due diligence misses such cyber risks, and urges early security-led inventory, segmentation, and credential rotation during M&A onboarding.

Multiple London councils' IT systems hit by cyberattack

🔒 The Royal Borough of Kensington and Chelsea and Westminster City Council are experiencing widespread service disruptions after a cybersecurity incident that also affected the London Borough of Hammersmith and Fulham. Several systems including phone lines were taken offline and councils activated emergency plans to preserve critical services. Officials say they shut down affected systems as a precaution while working with specialist incident responders and the National Cyber Security Centre. Security researchers indicate the outage stems from a ransomware attack on a shared services provider; investigations and efforts to restore services are ongoing.

Meet Rey, Admin of Scattered LAPSUS$ Hunters Exposed

🔍 A prolific operator known as "Rey," one of three administrators of the Scattered LAPSUS$ Hunters (SLSH) Telegram channel, has confirmed his real-world identity after investigative outreach. Rey is tied to the recent release of the group's new RaaS offering ShinySp1d3r, which he says is derived from Hellcat ransomware code modified with AI tools. Reporting shows Rey made multiple operational security mistakes that allowed analysts to link him to a shared family PC in Amman, Jordan, revealing his name as Saif Al‑Din Khader and that he is a mid‑teens minor who says he is cooperating with law enforcement.

Care That You Share: Holiday Risks and Mitigations

🛡️ This edition of Talos Threat Source urges a simple behavioral shift: practice care in what, how, and why you share information during the holiday season and beyond. The briefing highlights operational pressures as teams run lean and attackers intensify phishing and supply‑chain campaigns, and it outlines practical changes such as retiring obsolete ClamAV signatures and encouraging feature‑release container tags for better security maintenance. Thoughtful, timely sharing of tips, IOCs, and status updates can materially improve collective resilience when resources are constrained.

Cyberattack Disrupts OnSolve CodeRED Emergency Alerts

⚠️ A cyber-attack on the OnSolve CodeRED platform disrupted emergency alerts used by state and local agencies across the US and exposed user data. Crisis24 shut down the legacy environment and is rebuilding the system in a new, isolated infrastructure. Investigators confirmed data theft — including names, addresses, emails, phone numbers and passwords — though there is no evidence the data has been posted online. The threat actor INC Ransom claims responsibility and has published screenshots and is selling samples of the files.

Qilin Ransomware Targets South Korean MSP, Hits Finance

🛡️ South Korea's financial sector was struck by a coordinated supply-chain campaign that deployed Qilin ransomware via a compromised MSP, Bitdefender reports. The operation, self-styled as 'Korean Leaks', unfolded in three publication waves in September–October 2025 and resulted in the theft of over 1 million files (about 2 TB) from 28 victims. Analysis ties the clustered intrusions to a single upstream MSP compromise and notes possible involvement by North Korean-affiliated actors alongside Qilin affiliates operating under a RaaS model.

SLSH Resurgence: ShinySp1d3r RaaS Ahead of Holidays

⚠️ Unit 42 documents a renewed campaign by the Scattered LAPSUS$ Hunters (SLSH) that combines a supply-chain driven data theft affecting Gainsight/Salesforce integrations with the emergence of a new Windows-focused ransomware-as-a-service, ShinySp1d3r. The actors publicly threatened mass ransomware deployment and set a leak deadline while also actively recruiting insiders and claiming hundreds of additional victim accesses. Organizations should prioritize rotating exposed tokens, enforcing strong insider controls, and engaging incident response if they suspect compromise.

Serious Cyber Incidents Hit Multiple London Councils

⚠️ Multiple London local authorities, including the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council, are responding to a serious cybersecurity incident identified on Monday. Both councils have informed the ICO and are working with the NCSC while invoking business continuity and emergency plans to protect critical services. A number of systems, including phone lines and shared IT services, are affected across boroughs. RBKC reports successful mitigations are in place and recovery work is continuing.

Ransomware Alliances Drive Large October Attack Surge

🔴 A seasonal surge and new alliances between ransomware groups drove a 41% month-on-month jump in attacks from September to October, NCC Group reports. Qilin was the most active actor, blamed for 170 of 594 incidents (29%), followed by Sinobi and Akira. The rise coincides with LockBit 5.0 realigning with DragonForce and Qilin, and the emergence of newcomers such as The Gentlemen. Organisations are urged to reinforce monitoring, staff awareness, and secure backups ahead of the peak threat season.

OnSolve CodeRED Cyberattack Disrupts U.S. Alert Systems

🚨 Crisis24 confirmed its CodeRED emergency-notification platform was breached, disrupting alerts for state and local governments, police, and fire agencies nationwide. The company decommissioned the legacy environment and is rebuilding from a March 31, 2025 backup, so recent accounts may be missing. Crisis24 says the incident was contained to CodeRED, but names, addresses, emails, phone numbers and passwords were stolen; no public posting has been confirmed.

Dartmouth Confirms Data Breach After Clop Extortion

🔒 Dartmouth College says threat actors linked to the Clop extortion gang exploited a zero-day in Oracle E-Business Suite to steal files and leak them on a dark web site. The college reported unauthorized access between August 9 and August 12, 2025, and on October 30 identified files containing names and Social Security numbers. A filing with Maine's Attorney General lists 1,494 individuals whose data was found in reviewed files and notes that financial account information was also taken. Dartmouth has not provided details on any ransom demand or the full scope of impacted people.

The Dilemma of AI: Malicious LLMs and Security Risks

🛡️ Unit 42 examines the growing threat of malicious large language models that have been intentionally stripped of safety controls and repackaged for criminal use. These tools — exemplified by WormGPT and KawaiiGPT — generate persuasive phishing, credential-harvesting lures, polymorphic malware scaffolding, and end-to-end extortion workflows. Their distribution ranges from paid subscriptions and source-code sales to free GitHub deployments and Telegram promotion. The report urges stronger alignment, regulation, and defensive resilience and offers Unit 42 incident response and AI assessment services.

What Keeps CISOs Awake - Zurich's Approach to Resilience

😴 At the Global Cyber Conference 2025 in Zurich, CISOs openly confronted a profession-wide exhaustion tied to escalating cyber risk. Tim Brown distilled the anxiety into five core threats: shrinking exploit windows, persistent adversaries, third-party risk, an AI arms race, and staff burnout. The Swiss Cyber Institute's vendor-free format created a trust-based forum where peers share IOCs, run joint table-tops and adopt risk-based patching and UEBA to speed response and restore resilience.

Ransomware Targets AWS S3 via Cloud Key Abuse Tactics

🔐 A Trend Micro report warns that ransomware groups are shifting from on-premises targets to cloud object storage, particularly AWS S3, by abusing integrated encryption and key management. Attackers probe configurations from AWS-managed KMS keys to customer-provided and external key stores to encrypt or irreversibly lock data. The report urges hardening S3 settings, enforcing least privilege, enabling versioning and Object Lock, and isolating backups.

Cox Enterprises Discloses Oracle E-Business Suite Breach

🔒 Cox Enterprises says hackers accessed its network after exploiting a zero-day in Oracle E‑Business Suite, with activity occurring between Aug. 9–14 and detected on Sept. 29, 2025. The company notified 9,479 impacted individuals and is offering 12 months of credit monitoring and identity protection through IDX. The Cl0p ransomware gang has claimed responsibility and posted stolen files after Oracle issued a patch on Oct. 5. Cox did not specify the types of data exposed in the notice.