< ciso
brief />
Tag Banner

All news with #ransomware tag

463 articles · page 4 of 24

Canvas Breach and Extortion Disrupts US Schools Nationwide

🔒 Instructure's Canvas platform was taken offline on May 7 after the cybercrime group ShinyHunters defaced login pages and posted a ransom demand claiming to hold data on 275 million students and faculty at nearly 9,000 institutions. Instructure had acknowledged a breach on May 6, saying the stolen records include names, email addresses, student ID numbers and user messages but not passwords or financial information. The outage, timed during many institutions' final exams, disrupted coursework while schools and the vendor evaluated exposure and potential extortion responses.
read more →

Webinar: Why MSPs Must Rethink Security and Recovery

🔒 On May 14, 2026 at 2:00 PM ET, BleepingComputer will host a live webinar titled From phishing to fallout: Why MSPs must rethink both security and recovery with Austin O'Saben and Adam Marget of Kaseya. The session examines how AI-driven phishing, business email compromise, ransomware, and SaaS compromise are reshaping the threat landscape for managed service providers. Attendees will learn why prevention and recovery must operate together and how SaaS backups and a formal BCDR plan can reduce downtime and data loss.
read more →

ThreatsDay: Stealers, AI-Powered Exploits, and Patching

⚠️ ThreatsDay reports a mix of blunt‑force commodity attacks and high‑impact technical flaws this week. A new MicroStealer campaign is targeting education and telecom organizations, exfiltrating browser credentials, active sessions and wallets via Discord webhooks and attacker servers. Researchers disclosed critical ICS and MOVEit vulnerabilities while analysis shows the VECT 2.0 ransomware encryptor is broken. Browsers and AI are accelerating risk vectors — patch and verify installs urgently.
read more →

Why Ransomware Succeeds Even When Backups Exist: Fixes

🔒 Modern ransomware campaigns routinely target backup infrastructure before launching encryption, leaving organizations without viable recovery despite having backups. The article details an attack sequence — initial access, credential theft, lateral movement, backup discovery and destruction, then encryption — and identifies recurring failures like weak isolation, overprivileged credentials, lack of immutability, and untested restores. It recommends identity separation, network segmentation, immutable storage, continuous monitoring, and regular recovery testing, and highlights Acronis Cyber Platform as an integrated example that combines backup, immutability, and threat detection to reduce complexity and improve resilience.
read more →

MuddyWater Uses Chaos Ransomware as Decoy in Attacks

🔍 The Iranian state-sponsored group MuddyWater disguised a cyber-espionage operation as a Chaos ransomware attack, leveraging Microsoft Teams social engineering to harvest credentials and manipulate MFA. Attackers used fake Quick Assist phishing pages or tricked victims into typing passwords into local files, then moved laterally via AnyDesk, DWAgent, and RDP to establish persistence. Rapid7 links the campaign to MuddyWater with moderate confidence, noting a signed loader (ms_upd.exe) that drops a backdoor (Game.exe) with anti-analysis checks.
read more →

Phishing Campaign Leverages RMM to Maintain Persistent Access

🛡️ Securonix warns of an active phishing campaign codenamed VENOMOUS#HELPER that has compromised over 80 organizations, primarily in the U.S., by abusing legitimate Remote Monitoring and Management tools. Attackers deliver a JWrapper-packaged executable via phishing links hosted on a compromised Mexican site to install SimpleHelp RMM with Safe Mode persistence and a self-healing watchdog. Operators elevate to SYSTEM using AdjustTokenPrivileges and deploy ConnectWise ScreenConnect as a fallback, creating redundant remote access for potential ransomware or extortion follow-on activity.
read more →

Two Cybersecurity Workers Jailed for BlackCat Ransomware

🔒 Two American cybersecurity workers, Ryan Goldberg and Kevin Martin, were each sentenced to four years in prison for helping the BlackCat (ALPHV) ransomware gang carry out attacks in 2023, the US Department of Justice said. The pair — who pleaded guilty in December 2025 — worked with a former negotiator, Angelo Martino, and shared proceeds from ransoms, including a $1.2m Bitcoin payout. Prosecutors said they abused specialist cyber skills; the FBI tracked Goldberg across ten countries before his arrest.
read more →

Negotiator Pleads Guilty to Aiding Ransomware Gang

⚖️ He pleaded guilty after secretly working for a ransomware gang while ostensibly negotiating payments for victims. The arrangement permitted a trusted intermediary to funnel information and influence negotiations in the gang’s favor, undermining client trust and incident response. Prosecutors say the conduct included clandestine communications that advantaged criminals and complicated recovery. The plea underscores risks in relying on third-party negotiators without robust oversight.
read more →

Two Cybersecurity Experts Get 4-Year Terms in BlackCat Case

🔒 The U.S. Department of Justice has sentenced two cybersecurity professionals to four years in prison for their roles in deploying ALPHV/BlackCat ransomware against multiple U.S. victims between April and December 2023. Ryan Goldberg and Kevin Martin pleaded guilty in December 2025 after conspiring with Angelo Martino to gain access to the ransomware in exchange for a share of ransoms. Authorities say one extortion yielded approximately $1.2 million in Bitcoin, which the defendants laundered, and that the men abused their security expertise while employed by Sygnia and DigitalMint.
read more →

Critical Flaw Turns Vect Ransomware into Data Wiper

⚠ Check Point Research discovered a critical implementation bug in Vect 2.0 that causes files larger than 131,072 bytes (128 KB) to be permanently destroyed rather than recoverably encrypted. The ransomware uses raw ChaCha20-IETF without the Poly1305 MAC and a faulty nonce-handling routine that discards three of four decryption nonces, effectively turning the RaaS into a wiper across Windows, Linux and ESXi variants. Researchers also identified multiple additional coding and design errors that undermine the group's RaaS ambitions and affiliate program.
read more →

VECT 2.0 Ransomware Bug Destroys Large Files in Enterprises

⚠️ VECT 2.0 ransomware contains a nonce-handling defect that overwrites per-chunk nonces when encrypting files, leaving only the final nonce saved. As a result, files larger than about 128 KB are partially unrecoverable — roughly only the last quarter can be decrypted — causing the malware to act like a wiper for many enterprise assets. Check Point researchers report the flaw affects Windows, Linux and ESXi builds and means victims cannot recover corrupted data even if they pay.
read more →

VECT 2.0 Flaw Turns Ransomware into Irreversible Wiper

⚠️ VECT 2.0 is effectively a destructive wiper rather than recoverable ransomware due to a critical implementation bug that discards key nonces during encryption. Check Point found that any file larger than 131,072 bytes loses three of four ChaCha20 nonces, rendering those chunks irrecoverable even if victims pay. The RaaS's Windows, Linux, and ESXi variants and affiliate model raise broad operational risk, but the technical flaw means payment will not restore most enterprise data.
read more →

VECT Ransomware Destroys Files; Paying Won't Recover Data

🛑 VECT is a destructive ransomware family that permanently destroys large files instead of producing recoverable encrypted copies, so paying the ransom will not restore data. The group leveraged partnerships with TeamPCP and BreachForums to build a massive affiliate pipeline to thousands of potential victims. An encryption bug affects Windows, Linux, and ESXi variants and has persisted since before the public 2.0 release. Check Point's Threat Emulation and Harmony Endpoint provide full protection against known variants.
read more →

Calm Ransom: When Confidence Hides Cybersecurity Risk

🔒 Calm does not equal secure — organizations often mistake a long period without incidents for strong defenses. This article warns that mental shortcuts like WYSIATI (What You See Is All There Is) and overreliance on compliance can blind teams to active threats, such as credentials appearing in infostealer logs before attacks. Remediation requires behavioral detection, continuous threat intelligence, and disciplined vigilance to prevent costly ransomware and data‑leak consequences.
read more →

Trigona Ransomware Adopts Custom Tool to Steal Data

🔒 Symantec researchers observed Trigona ransomware affiliates using a custom command-line exfiltration utility, uploader_client.exe, in March to siphon high-value documents to a hardcoded server. The tool supports parallel uploads, TCP rotation after 2GB, selective file-type exclusion, and an authentication key to control access to stolen data. The shift from public utilities like Rclone appears intended to reduce detection during double-extortion operations. Symantec has published IoCs to aid defenders.
read more →

Global Higher Education Cyberattacks Surge 63% Yearly

🔒 Quorum Cyber's 2026 Global Cyber Risk Outlook for Higher Education reports a 63% rise in recorded incidents between Nov 2023–Oct 2024 and Nov 2024–Oct 2025, increasing from 260 to 425. Across 67 countries, data breaches rose 73%, hacktivism 75% and ransomware 21%. FunkSec, Cl0p, INC and Nova were the most prolific groups. The report urges intelligence-led vulnerability management, dark web monitoring, robust backups and regular incident response exercises.
read more →

Kyber Ransomware Uses Kyber1024 Post-Quantum on Windows

🔒 Rapid7 analyzed two Kyber ransomware variants discovered in March 2026 that were deployed on the same network: one targeting VMware ESXi and one targeting Windows file servers. The ESXi build advertises post‑quantum Kyber1024 but instead uses ChaCha8 for file encryption and RSA‑4096 for key wrapping. The Windows variant, written in Rust, implements Kyber1024 and X25519 to protect symmetric keys while using AES‑CTR for bulk file encryption, and includes destructive routines such as service termination, backup deletion and an experimental Hyper‑V shutdown.
read more →

SystemBC C2 Server Reveals Over 1,570 Compromised Hosts

🔍Check Point researchers found a SystemBC C2 server linked to an affiliate of the The Gentlemen RaaS operation controlling a botnet of more than 1,570 compromised corporate hosts worldwide. SystemBC establishes SOCKS5 tunnels and communicates with its C2 using a custom RC4‑encrypted protocol, enabling payload download or in‑memory execution. The activity aligns with The Gentlemen’s multi‑platform double‑extortion campaigns that abuse GPOs, exposed services, and compromised credentials to escalate access and deploy ransomware.
read more →

Ransomware Negotiator Pleads Guilty After Betrayal

🔒 Angelo Martino, a former ransomware negotiator, pleaded guilty to conspiring with the BlackCat ransomware group to extort U.S. companies in 2023. From April through November 2023, he provided confidential negotiation details — including victims' insurance limits and internal bargaining positions — to maximize ransom demands in exchange for payment. Martino admitted collaborating with incident responders Ryan Goldberg and Kevin Martin while working at DigitalMint and Sygnia, and authorities say the defendants extorted at least $1.2 million in a single case. Investigators seized roughly $10 million in assets; Martino faces up to 20 years and is scheduled for sentencing on July 9, 2026.
read more →

The Gentlemen RaaS Expands, Targeting Enterprise Systems

🔐 Check Point researchers report that The Gentlemen, a ransomware-as-a-service operation first identified in mid-2025, has claimed over 320 victims with the majority of attacks occurring in early 2026. Affiliates are supplied with cross-platform ransomware written in Go for Windows, Linux, NAS and BSD, plus a C-based ESXi encryptor. The toolkit enables automated lateral movement, Group Policy deployment and credential reuse to achieve rapid, domain-wide encryption, and incidents frequently show defense evasion and post-exploitation tools such as SystemBC and Cobalt Strike.
read more →