ciso brief

All news with #ransomware tag

419 articles · page 4 of 21

Seven Backup Priorities to Strengthen Business Resilience

🔒 Backup is now the backbone of business resilience, not just an IT routine. The article presents seven priorities—data prioritization, off-site and immutable copies, automated RPO/RTO, realistic recovery testing, SOC integration, and scalable playbooks—to reduce downtime and ransomware risk. It advocates a modern 3-2-1 approach with immutable cloud copies and daily automated recovery verification. N-able’s Cove Data Protection is cited as an example of a cyber-resilient solution.

Google Drive Enables Ransomware Detection by Default

🛡️ Google has made its AI-powered Google Drive ransomware detection generally available and enabled it by default for paying Workspace customers. The feature scans files as they sync from desktop computers and pauses Drive syncing when ransomware-encrypted files are detected, alerting users and admins. It provides guided instructions and a Drive restoration tool to recover corrupted files, and Google says its latest model detects 14x more infections. Admins may disable the feature in the Admin console, and endpoints need Drive for desktop v.114+ for full alerting functionality.

Preventing Ransomware Targeting Home Backup Devices

🔒 Ransomware increasingly targets home backups and personal NAS units, using automated scans, weak credentials, and social engineering to encrypt photos, documents, and synced cloud folders. Once inside, malware removes Windows shadow copies, encrypts connected external drives and mapped network shares, and corrupts cloud sync clients so remote copies mirror the damage. Follow the updated 3-2-1-1 rule: keep an offline copy, unplug external backups after each use, enable cloud versioning, enforce strong passwords and firmware updates, and back up authenticator data. Also enable features like System Watcher, avoid pirated installers, and test restore procedures regularly.

Ransomware in 2025: Blending In as the Strategy and Response

🔒 Ransomware in 2025 has shifted from noisy breaches to measured, identity-centric operations that mimic legitimate user activity. Attackers commonly gain initial access (about 40% via phishing) then use built-in tools like RDP, PowerShell, and PsExec to move laterally while using valid accounts. Talos highlights manufacturing and professional services as top targets and identifies Qilin as the most prolific group, frequently using double-extortion. Defenders should prioritize identity protections, continuous anomaly monitoring, accurate asset inventories, robust backups, EDR, segmentation, and regular ransomware response testing.

March 2026 security roundup — Tony Anscombe key takeaways

🔒 In the March 2026 edition Tony Anscombe reviews several high-impact incidents and trends that should shape organizational defenses. He summarizes the reported Stryker intrusion claimed by the Iran-linked Handala group, new research from the Google Threat Intelligence Group showing a rise in data theft tied to ransomware, Instagram's plan to stop encrypting private messages in May, and a Europol-led takedown of the Tycoon 2FA phishing platform. Watch the video for practical lessons and related coverage.

Manhunt for Suspects in Ransomware Attacks in Germany

🔎 Investigators have launched a worldwide manhunt for two suspects believed to be central figures in ransomware campaigns that hit 130 companies and institutions in Germany between 2019 and 2021. Authorities at the Cybercrime Center of the Karlsruhe Public Prosecutor's Office and the State Criminal Police Office of Baden-Württemberg say the men include an alleged group leader and the suspected programmer of the malware. Victims paid about €1.8 million in 25 cases, with estimated overall damage of around €35 million.

Bearlyfy Uses GenieLocker to Hit 70+ Russian Firms

🔒 Bearlyfy, a pro-Ukrainian group also tracked as Labubu, has been linked to more than 70 attacks on Russian companies and began deploying a proprietary Windows ransomware called GenieLocker in March 2026. The group combines extortion and sabotage, often gaining initial access via vulnerable external services and deploying remote tools like MeshAgent. According to vendor F6, about one in five victims pay ransoms, and demand amounts have grown substantially.

Talos Year in Review: Identity, Vulnerabilities, and Trends

🔒 The Talos 2025 Year in Review synthesizes Cisco telemetry, incident response cases, and Talos research into a free, cross-functional report highlighting identity-focused attacks, supply-chain risks, and phishing trends. Key findings include React2Shell as the most targeted CVE, ToolShell ranking third, and Qilin as the dominant ransomware variant. The report warns that attackers increasingly compromise network infrastructure — especially ADCs and management platforms — to bypass MFA and escalate across environments, and recommends prioritizing patching and treating these devices as identity control points.

2025 Threat Trends: Talos and Splunk Double-Header

🔍 In this episode of Talos Takes, Amy is joined by William Largent (Cisco Talos) and Lou Stella (Splunk) for a double-header review of the newly released Cisco Talos 2025 Year in Review and the Splunk Top 50 Cybersecurity Threats. The conversation draws on Cisco telemetry, Talos original research, and Talos Incident Response engagements to move beyond headlines and identify actionable trends. Highlights include the professionalization of ransomware-as-a-service, the persistent exploitation of decade-old vulnerabilities, and practical guidance to help defenders prioritize mitigations and shrink their attack surface for the year ahead.

Smashing Security Podcast 460: Extortion and Trespass

🔒 In episode 460 of the Smashing Security podcast, Graham Cluley and guest Jenny Radcliffe examine a string of notable security stories, including an alleged insider who stole a company payroll database and demanded $2.5 million in Bitcoin while signing extortion messages as 'Loot'. They also cover an incident in which two people were charged after attempting to approach the gates of the UK's Faslane nuclear submarine base. The show mixes incident analysis with cultural items — a spotlight on the Muslim punk group LadyParts and a recommendation of Lee McIntyre's On Disinformation — drawing practical lessons for security professionals and the public.

Iran-Linked Pay2Key Ransomware Re-Emerges with Evasion

🔒 Security researchers warn that the Iran-linked Pay2Key ransomware group has re-emerged with enhanced evasion, execution and anti-forensics capabilities. A Halcyon and Beazley Security analysis of a recent US healthcare provider incident describes interactive access via TeamViewer, credential theft with Mimikatz, LaZagne and ExtPassword, and host discovery using Advanced IP Scanner and ns.exe. Operators used the AD console (dsa.msc) to blend in, deployed an SFX payload (abc.exe) to encrypt systems within three hours, and removed a 'No Defender' toolkit to hide tracks. Report authors found no clear evidence of data exfiltration and warn defenders to monitor this unpredictable, politically motivated threat.

Russian Man Sentenced for Running Ransomware Botnet

🔒 Ilya Angelov, a 40-year-old Russian national who used the handles milan and okart, was sentenced to two years in prison after admitting he managed the Mario Kart phishing botnet that helped deliver ransomware. The botnet distributed malware via massive spam campaigns—up to 700,000 emails per day—and at its peak infected about 3,000 machines daily. Authorities linked the botnet to BitPaymer attacks on 72 U.S. companies, resulting in over $14 million in extortion payments.

U.S. Sentences Russian Hacker 6.75 Years for Ransomware Role

🔒 Aleksei Olegovich Volkov, a 26-year-old Russian national, was sentenced in the U.S. to 81 months in prison after pleading guilty to facilitating dozens of ransomware attacks as an initial access broker. Authorities say he helped breach networks and sell access to ransomware groups, resulting in over $9 million in actual losses and more than $24 million in intended losses. He was arrested in Italy in January 2024, extradited to the U.S., and agreed to pay restitution and forfeit tools used in the crimes.

Predictive Shielding in Defender Stops GPO-Based Ransomware

🛡️ Microsoft Defender's predictive shielding disrupted a GPO-based ransomware campaign targeting a large educational institution with more than two thousand devices. The attacker created malicious GPOs to disable protections and deploy scheduled tasks via the SYSVOL share; Defender detected policy tampering and applied GPO hardening, temporarily pausing policy propagation. Roughly 700 devices were hardened within hours, preventing any encryption via the GPO path and contributing to an overall ~97% protection rate. Combined with attack disruption that blocked compromised accounts and lateral movement, the intervention contained the incident and limited impact from concurrent SMB-based ransomware activity.

Faster Attacks and Recovery Denial Reshape Ransomware Risk

🔒 Mandiant's M-Trends 2026 report, released at the RSA Conference, finds attackers compressing attack timelines, collaborating more, and increasingly targeting the systems organizations rely on for recovery. Hand-offs between initial access and secondary operators now occur in seconds, voice-based social engineering and token harvesting are on the rise, and ransomware actors emphasize recovery denial by attacking backups, identity, and virtualization control planes. The report urges faster triage, behavioral detection, stronger identity governance, and expanded telemetry to reduce dwell time and mitigate impact.

High-Tech Sector Becomes Top Cyberattack Target in 2025

🔍 Mandiant's M-Trends 2026 report finds the high-tech sector overtook finance as the most targeted industry in 2025, accounting for 17% of incident response investigations. The report also records a global median dwell time increase to 14 days and highlights widespread adoption of the ClickFix social-engineering technique. Analysts observed a surge in vishing and a strategic ransomware shift toward deliberate recovery denial, with attackers specifically targeting backups, identity services and virtualization management planes.

CISA Orders US Agencies to Patch Critical Cisco FMC Flaw

🔒 CISA has directed all federal civilian agencies to urgently patch a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) — tracked as CVE-2026-20131 with a CVSS score of 10. Cisco released a fix on 4 March after reports that the Interlock ransomware group had been exploiting the flaw as a zero day. Agencies were given just three days after KEV listing to patch or discontinue use due to active ransomware campaigns.

54 EDR Killers Use BYOVD to Exploit 34 Signed Drivers

🔒 A new ESET analysis identified 54 EDR-killer tools that leverage BYOVD, abusing 34 signed vulnerable drivers to gain kernel-mode privileges and neutralize endpoint protection. These utilities are frequently reused in ransomware operations to disable defenses prior to encryption, decoupling evasion from the encryptor. ESET recommends blocking misused drivers and adopting layered detection to mitigate the threat.

Ransomware Group Exploited Cisco Firewall Zero-Day

⚠️ Amazon disclosed that the ransomware group Interlock exploited a critical deserialization flaw in Cisco Secure Firewall Management Center (CVE-2026-20131) as a zero-day beginning January 26, roughly 38 days before Cisco released a patch on March 4. The bug carries a CVSS score of 10 and was addressed in Cisco’s semiannual firewall update alongside a second high-severity FMC issue. Using its MadPot honeypot network, Amazon captured attacker activity, recovered a malicious ELF binary, and traced a full attack chain that leveraged a single poorly secured staging server. The findings underscore the limits of patching alone and the need for layered defenses and urgent log hunting for provided indicators.

Leak Reveals Tactics and Tensions in Gentlemen Ransomware

🔍 Group-IB's March 19 report exposes operational details of the Gentlemen ransomware group after an affiliate known as hastalamuerte leaked internal information. The research describes a rapidly evolving RaaS that sprang from a Qilin ecosystem dispute and leverages a dual-extortion model, cross-platform encryption and automated lateral movement to maximize impact. Primary initial access stems from exposed FortiGate VPN devices, while advanced evasion such as BYOVD and aggressive log deletion are used to frustrate defenders and forensic analysis.