All news with #ransomware tag

Google: Cyber-Physical Attacks to Rise in Europe 2026

🚨 Google Cloud Security's Cybersecurity Forecast 2026 warns of a rise in cyber-physical attacks across EMEA targeting energy grids, transport and digital infrastructure. The report highlights increased state-sponsored espionage from Russia and China and anticipates these operations may form hybrid warfare combined with information operations to erode public trust. It also flags supply-chain compromises of managed service providers and software dependencies, and notes that cybercrime — including ransomware aimed at ERP systems — will remain a major disruptive threat to ICS/OT. Analysts further expect adversaries to increasingly leverage AI and multimodal deepfakes.

SonicWall Attributes September Backup Breach to State Actor

🔐 SonicWall has confirmed a state-sponsored threat actor was responsible for a September breach that exposed cloud-stored firewall configuration backup files. The company said the unauthorized access used an API call against a specific cloud environment and affected backups for fewer than 5% of customers. SonicWall engaged Google-owned Mandiant, implemented recommended mitigations, and released an Online Analysis Tool and a Credentials Reset Tool. Customers are advised to log in to MySonicWall.com to review devices and reset impacted credentials.

Smashing Security #442: Clock Hack and Rogue Negotiators

🕒 In episode 442 of Smashing Security, Graham Cluley and guest Dave Bittner examine a state-backed actor that spent two years tunnelling toward a nation's master clock, creating the potential for widespread disruption to time-sensitive systems. They also discuss a disturbing case where ransomware negotiators allegedly turned rogue and carried out their own hacks. The discussion highlights investigative findings, operational impacts, and lessons for defenders tasked with protecting critical infrastructure.

Gootloader Returns After Seven Months With Evasion Tricks

🛡️ Gootloader has resumed operations after a seven-month pause, using SEO poisoning to promote fake legal-document sites that trick users into downloading malicious ZIP archives containing JScript loaders. The campaign now employs novel evasion techniques — a custom web font that renders readable keywords in the browser while the HTML source remains gibberish, and malformed ZIPs that extract a .js in Windows Explorer but a benign .txt for many analysis tools. Infected hosts receive follow-on payloads such as Cobalt Strike, backdoors including the Supper SOCKS5 implant, and bots that provide initial access for ransomware affiliates.

Google: New AI-Powered Malware Families Deployed

⚠️Google's Threat Intelligence Group reports a surge in malware that integrates large language models to enable dynamic, mid-execution changes—what Google calls "just-in-time" self-modification. Notable examples include the experimental PromptFlux VBScript dropper and the PromptSteal data miner, plus operational threats like FruitShell and QuietVault. Google disabled abused Gemini accounts, removed assets, and is hardening model safeguards while collaborating with law enforcement.

GTIG: Threat Actors Shift to AI-Enabled Runtime Malware

🔍 Google Threat Intelligence Group (GTIG) reports an operational shift from adversaries using AI for productivity to embedding generative models inside malware to generate or alter code at runtime. GTIG details “just-in-time” LLM calls in families like PROMPTFLUX and PROMPTSTEAL, which query external models such as Gemini to obfuscate, regenerate, or produce one‑time functions during execution. Google says it disabled abusive assets, strengthened classifiers and model protections, and recommends monitoring LLM API usage, protecting credentials, and treating runtime model calls as potential live command channels.

U.S. Sanctions 10 North Korean Financial and IT Facilitators

🛡️ The U.S. Treasury on Tuesday sanctioned eight individuals and two entities tied to North Korea's global financial network for laundering proceeds from cybercrime and fraudulent IT-worker schemes. The list names Jang Kuk Chol and Ho Jong Son, linked to $5.3 million in cryptocurrency managed for First Credit Bank, as well as Korea Mangyongdae Computer Technology Company (KMCTC), its president U Yong Su, and Ryujong Credit Bank. Treasury said the funds help finance Pyongyang's weapons and cyber programs, while blockchain firm TRM Labs reported sustained crypto inflows indicative of salary-routing activity.

U.S. Treasury Sanctions North Korean Bankers, IT Scammers

⚖️ The U.S. Treasury's OFAC imposed sanctions on two North Korean financial institutions and eight individuals accused of laundering cryptocurrency stolen in cyberattacks and operating fraudulent IT worker schemes. Designated entities include Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), plus named bankers linked to ransomware proceeds. The actions block property under U.S. jurisdiction and warn financial institutions of secondary sanctions and enforcement risk for transacting with the listed parties.

10 Promising Cybersecurity Startups CISOs Should Know

🔒 This roundup profiles ten cybersecurity startups founded in 2020 or later that CISOs should watch, chosen for funding, leadership, customer traction, and strategic clarity. It highlights diverse categories including non-human identity, software supply chain, data security posture, and AI agent security. Notable vendors such as Astrix, Chainguard, Cyera, and Drata have raised substantial capital and achieved rapid enterprise adoption. The list underscores investor enthusiasm and the rise of runtime‑focused and agentic defenses.

CrowdStrike: Rise in Physical Attacks on Privileged Users

🔒 CrowdStrike's 2025 analysis documents a sharp rise in physical attacks and kidnappings tied to cyber intrusions, concentrated in Europe. The report cites the January 2025 kidnapping of a Ledger co‑founder and records 17 similar incidents in Europe from January through September 2025, 13 of them in France. Consultants warn attackers increasingly pair cyber operations with real‑world violence, driving organizations to strengthen physical and executive security and adjust incident response playbooks.

Asset Management: The Essential Foundation for Defense

🔍 Threat intelligence is valuable but only effective when organizations maintain reliable asset management. Asset management—the inventory, monitoring, and administration of hosts—provides the foundational visibility needed to detect, patch, and prevent intrusions. Bradley Duncan cites historic malware like Emotet and Qakbot to show how poor asset hygiene enabled massive infections and urges proactive measures such as Unit 42's Attack Surface Assessment.

Apache OpenOffice Denies Akira Ransomware Breach Claims

🔒 The Apache Software Foundation says there is no evidence that Apache OpenOffice was breached after the Akira ransomware gang claimed on October 30 that it had stolen 23 GB of corporate documents. The Foundation notes it does not maintain payroll-style employee records or the types of financial and identity documents described, and it has not received a ransom demand. An internal investigation so far has found no compromise and Akira has not published any of the alleged data.

Scattered Spider, LAPSUS$, and ShinyHunters: SLH Collective

🕸 The nascent Scattered LAPSUS$ Hunters (SLH) collective — a merging of Scattered Spider, LAPSUS$, and ShinyHunters — has repeatedly recreated its Telegram presence, cycling channels at least 16 times since August 8, 2025. The group markets an extortion-as-a-service offering to affiliates, targets organizations including those using Salesforce, and has teased a custom ransomware family called Sh1nySp1d3r. Trustwave SpiderLabs assesses SLH as blending financially motivated crime with attention-seeking hacktivism and sophisticated brand management.

Scattered LAPSUS$ Hunters Unite ShinyHunters Alliance

🔎 Trustwave SpiderLabs has identified a coordinated alliance now operating as Scattered LAPSUS$ Hunters (SLH), merging reputational capital from Scattered Spider, ShinyHunters and LAPSUS$. The collective presents a unified operational brand, complete with a named "Operations Centre," centralized narrative and affiliate-driven extortion model. Analysis attributes fewer than five core operators managing roughly 30 personas and highlights Telegram as a persistent command-and-branding hub. Trustwave warns this consolidation aims to fill the vacuum left by the collapse of BreachForums and to sustain public, intimidation-based extortion tactics.

Cybersecurity Forecast 2026: AI, Cybercrime, Nation-State

🔒 The Cybersecurity Forecast 2026 synthesizes frontline telemetry and expert analysis from Google Cloud security teams to outline the most significant threats and defensive shifts for the coming year. The report emphasizes how adversaries will broadly adopt AI to scale attacks, with specific risks including prompt injection and AI-enabled social engineering. It also highlights persistent cybercrime trends—ransomware, extortion, and on-chain resiliency—and evolving nation‑state campaigns. Organizations are urged to adapt IAM, secure AI agents, and harden virtualization controls to stay ahead.

DragonForce Emerges as Conti-Derived Ransomware Cartel

🛡️DragonForce, a ransomware operation built from leaked Conti source code, has restructured into a self-styled cartel that recruits affiliates and encourages branded variants. Researchers at Acronis report it retains Conti’s ChaCha20/RSA encryption, SMB-based network spreading, and multiple encryption modes while employing a hidden configuration system. Operators have pursued aggressive tactics — including defacing rival leak sites and aligning with access brokers like Scattered Spider — and have threatened victims with decryptor deletion and data leaks.

Cybersecurity Experts Charged Over BlackCat Ransomware

🔒 Three cybersecurity professionals have been indicted for allegedly operating an ALPHV/BlackCat ransomware affiliate network that attacked at least five U.S. companies between May and November 2023. Prosecutors named former Sygnia incident response manager Ryan Clifford Goldberg and negotiator Kevin Tyler Martin of DigitalMint, accusing them of exfiltrating data, encrypting systems, and demanding cryptocurrency extortion payments. An FBI affidavit describes encrypted dark‑web negotiations, multi‑hop transfers using privacy coins such as Monero, and meticulous spreadsheets that tracked ransoms, receipts, and wallet addresses. Charges include conspiracy to extort and intentional damage to protected computers, with potential forfeiture of crypto assets.

Ransomware Defense with the Wazuh Open Source Platform

🛡️Wazuh is a free, open-source security platform that provides SIEM and XDR capabilities to detect, prevent, and respond to ransomware. The article highlights Wazuh features such as file integrity monitoring, vulnerability detection, security configuration assessment, and automated active responses. It illustrates rule-based detections and automated remediation using practical examples (DOGE Big Balls, Gunra) and discusses Windows integration for VSS-based recovery. The coverage frames Wazuh as a practical, extensible tool for multi-layered ransomware defense.

Rhysida Ransomware Abuses Microsoft Code-Signing Trust

🔒Rhysida, a known enterprise-focused ransomware gang, is distributing malware via malvertising on Microsoft's Bing that redirects users to fake download pages for common tools such as Microsoft Teams, PuTTY, and Zoom. Victims who download receive an initial access trojan called OysterLoader, which establishes a persistent backdoor and is signed with Microsoft-like certificates to appear legitimate. The campaign pairs obfuscation/packing to lower static detection with trusted code signing to bypass allow-lists and AV. Experts urge behavior-based EDR, certificate pinning, DNS filtering, and tighter certificate oversight.

U.S. Prosecutors Indict Three Over BlackCat Ransomware

🔒 Federal prosecutors have indicted three U.S. nationals accused of using BlackCat (ALPHV) ransomware to breach five companies between May and November 2023 and extort payments. The defendants—Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co‑conspirator—allegedly targeted firms in medical devices, pharmaceuticals, clinical care, engineering, and drone manufacturing. Two were employed by cybersecurity firms at the time; both employers say they cooperated with investigators.