< ciso
brief />
Tag Banner

All news with #ransomware tag

463 articles · page 5 of 24

Top Techniques Attackers Use to Infiltrate Systems

🔒 Much reporting on cyber risk focuses on AI, but frontline incidents remain grounded in social engineering and identity exploitation. Experts say attackers increasingly abuse legitimate tools — including trojanized RMM clients — and target network security appliances, OAuth flows, and machine identities to bypass defenses. Techniques like ClickFix, phishing, token theft and supply‑chain worms enable lateral movement and ransomware. Defenders should combine user training, RMM allowlists and layered, phishing‑resistant authentication.
read more →

Gentlemen Ransomware Uses SystemBC Botnet for Corporates

🔒 Check Point Research uncovered a SystemBC proxy botnet of over 1,570 infected hosts tied to a Gentlemen ransomware affiliate, with telemetry indicating primarily corporate victims across the US, UK, Germany, Australia, and Romania. The discovery shows affiliates pairing SystemBC SOCKS5 tunneling with Cobalt Strike for covert payload delivery and lateral movement. Check Point published IoCs and a YARA signature to help defenders identify related activity.
read more →

The Gentlemen Ransomware: Rapid Rise and Widespread Impact

🔒 Check Point Research reports that the Gentlemen ransomware-as-a-service operation has claimed over 320 victims since mid-2025, including 240 incidents in 2026, while access to a live C2 server revealed a botnet of more than 1,570 likely corporate victims. The group targets internet-facing devices (VPNs, firewalls) and can encrypt entire networks within hours, focusing on manufacturing, technology and an increasing number of healthcare organizations. Organizations should prioritize patching, MFA, segmentation, proactive detection, and reliable offline backups to reduce exposure.
read more →

Ransomware as Industry: The Business Behind Attacks

🔐 The article argues that modern ransomware operates like an industry, with affiliates, suppliers, marketplaces and subscription services coordinating long before a ransom note appears. It cites the March 2024 Change Healthcare incident and disputes between affiliates and operators to illustrate franchise dynamics. It details technical enablers such as BYOVD EDR killers and emerging AI-assisted tooling, and urges defenders to map actors, tools and supply‑chain exposure rather than treat incidents as isolated break‑ins.
read more →

NAKIVO v11.2 Adds Ransomware Defenses and vSphere 9 Support

🔒 NAKIVO has released Backup & Replication v11.2, introducing an automated real-time replication engine and expanded hypervisor support. The update delivers full compatibility with VMware vSphere 9 and Proxmox VE 9.0 (with 9.1 in scope), plus immutable backups, pre-recovery malware scanning, and air-gapped options to strengthen ransomware resilience. v11.2 also adopts OAuth 2.0 for email notifications and upgrades core platform components to improve stability and recovery speed.
read more →

Payouts King Abuses QEMU VMs to Evade Endpoint Security

🛡️ Researchers report the Payouts King ransomware is leveraging QEMU as a covert reverse SSH backdoor, running hidden Alpine Linux VMs to execute tools and bypass host security. Operators create a scheduled task named TPMProfiler to launch the VM as SYSTEM, use virtual disks disguised as benign files, and forward ports for remote access. The campaign—linked to STAC4713 and observed alongside a separate STAC3725 activity exploiting CitrixBleed 2—employs credential theft, robust obfuscation, and AES-256/RSA-4096 encryption. Sophos recommends hunting for unauthorized QEMU installs, suspicious SYSTEM tasks, and unusual SSH tunnels.
read more →

Webinar: Why MSPs Must Rethink Security and Recovery

🔒 BleepingComputer will host a live webinar on May 14, 2026 at 2:00 PM ET that examines why managed service providers must align security and recovery strategies. Experts from Kaseya will explain how AI-driven phishing, BEC, and ransomware are evading traditional controls and how integrating backup and disaster recovery with detection reduces downtime. Attendees will receive practical guidance to strengthen MSP cyber resilience.
read more →

Ransomware Emerges as Top Threat to Automotive Sector

🔒 A new report from Halcyon warns that ransomware has become the fastest-growing and most disruptive cyber threat to the automotive sector, accounting for 44% of attacks on carmakers in 2025 after incidents more than doubled that year. The vendor links the surge to connected vehicle platforms, OTA update mechanisms, cloud services and insecure third-party suppliers. Recommended mitigations include patching edge devices, deploying phishing-resistant MFA, hardening EDR, maintaining immutable offline backups and enforcing supplier security requirements.
read more →

Rolling Networks: Securing Cyber Risks in Transport

🚚 Modern trucks are "rolling networks" loaded with communications systems, sensors, cloud-connected devices and Wi-Fi, creating expansive attack surfaces. Ben Wilkens of NMFTA warns that cybercriminals exploit the sector’s uptime pressure with ransomware, extortion and cyber-enabled cargo theft. Core hygiene—MFA, network segmentation, social engineering training and timely patching—can significantly reduce risk but must be adapted for small carriers. NMFTA advances research, guidance and an annual conference to help the industry collaborate and strengthen defenses.
read more →

7 Biggest Healthcare Security Threats and Emerging Risks

🔒 Cyberattacks on healthcare have surged since COVID-19, driven by telehealth adoption, cloud migration, and interconnected medical devices. Experts identify seven primary threats — ransomware, cloud misconfigurations, web application exploits, bad bots, phishing, insecure smart devices, and generative AI misuse — that target EHRs, PHI, and clinical availability. Under-resourced teams and extensive third-party dependencies amplify the operational and patient-safety impacts.
read more →

Manufacturing Cybersecurity: Complexity Surges in 2025

🔒 The global manufacturing sector entered 2025 confronting one of the most aggressive cyber threat environments in its history. Digital transformation, smart factories, and interconnected supply chains have expanded operational reach but introduced unprecedented attack surfaces, making ransomware and supply-chain compromises a primary concern. According to the Manufacturing Threat Landscape 2025 report, incidents rose sharply year over year, placing manufacturing at the center of global ransomware activity and forcing organizations to reassess defenses and incident readiness.
read more →

Securing Manufacturing Operations Against Ransomware in 2026

🔒 Modern manufacturing is increasingly targeted by fast, high-impact cyberattacks: Clorox production lines went dark in 2023 and a global automaker halted factories across five countries in 2025 from stolen credentials. Ransomware incidents against manufacturers rose 56% in 2025, with average European demands exceeding $1.16 million. The analysis highlights structural weaknesses—legacy OT, credential sprawl, and inadequate segmentation—and recommends pragmatic, non-disruptive defenses to protect operations without causing downtime.
read more →

Dutch EHR Vendor ChipSoft Disrupts Services After Ransomware

🔒 Dutch healthcare software vendor ChipSoft has confirmed a ransomware incident that forced it to take its website and patient-facing digital services offline. The provider of the HiX EHR platform warned of "possible unauthorized access" and advised customers to disconnect affected systems while it investigates. The national healthcare CERT, Z-CERT, is coordinating response efforts with ChipSoft and impacted hospitals.
read more →

Talos Takes: 2025 Ransomware Trends and Vulnerabilities

🔒 Talos analysts Amy Ciminnisi and Pierre Cadieux review the ransomware and vulnerability patterns that shaped 2025. They emphasize persistent campaigns against the manufacturing sector, increased targeting of management infrastructure, and the rise of stealthy living-off-the-land techniques that evade traditional controls. The hosts explain how to spot the difference between a system administrator and a threat actor and outline steps organizations can take to move beyond reactive defenses toward a more resilient, proactive security posture.
read more →

Storm-1175 (Medusa) Accelerates Ransomware Attacks

⚠️ Microsoft warns that Storm-1175 — an actor linked to Medusa ransomware — is rapidly exploiting internet-facing systems, often moving from initial access to data theft and encryption within 24 hours. The group has abused more than 16 vulnerabilities since 2023, including zero-days, and frequently chains exploits to establish persistence and accelerate operations. Targets include healthcare, education, professional services, and finance in Australia, the UK and the US.
read more →

Storm-1175 Weaponizes n-day and Zero-day Flaws Worldwide

⚠️ Microsoft says financially motivated actor Storm-1175 has run a high-tempo campaign that weaponizes both n-day and zero-day vulnerabilities to deliver Medusa ransomware against internet-facing systems. The group has exploited at least 16 flaws since 2023, including the zero-day CVE-2025-10035 affecting GoAnywhere MFT, and has impacted healthcare, education, professional services and finance in Australia, the UK and the US. Recommended protections include perimeter scanning, isolating web-facing systems behind VPNs, WAFs or a DMZ, enforcing MFA for RMM tools, enabling tamper protection and configuring XDR to detect and block common ransomware tactics.
read more →

Storm-1175 Targets Vulnerable Web-Facing Assets with Medusa

🔒Storm-1175 conducts high-tempo ransomware campaigns that rapidly weaponize recently disclosed and, in some cases, pre-disclosure zero-day vulnerabilities to gain initial access to web-facing systems. After exploitation the actor moves quickly to establish persistence, perform credential theft, tamper with security controls, and exfiltrate data before deploying Medusa ransomware. Microsoft observed intrusions affecting healthcare, education, professional services, and finance across Australia, the United Kingdom, and the United States, often completing impact within days or less. Recommended defenses include perimeter asset discovery, robust patching, RMM hardening, and tamper protection for endpoint security.
read more →

Qilin and Warlock Ransomware Use Vulnerable Drivers

🔒 Cisco Talos and Trend Micro say Qilin and Warlock ransomware groups have adopted a bring-your-own vulnerable driver (BYOVD) approach to disable endpoint security on compromised hosts. Talos identified a malicious DLL named msimg32.dll that side-loads a PE loader which decrypts and executes an in-memory EDR killer. The payload leverages renamed drivers such as rwdrv.sys (a repackaged ThrottleStop.sys) and hlpdrv.sys to access physical memory and terminate over 300 EDR drivers. Warlock has similarly used NSecKrnl.sys and a suite of legitimate tools to persist, move laterally, and exfiltrate data.
read more →

BKA Identifies REvil Leaders Behind 130 Attacks in Germany

🕵️ Germany's Federal Criminal Police Office (BKA) has named the alleged primary operators of the REvil (aka Sodinokibi) ransomware ring as Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk. Shchukin, widely known by aliases including UNKN and Oneiilk2, is accused of acting as a group leader while Kravchuk is alleged to have served as a developer. The BKA links the two to 130 attacks in Germany, €1.9 million in paid ransoms across 25 cases, and total losses exceeding €35.4 million, situating the announcement within earlier international actions that disrupted REvil.
read more →

Germany Identifies 'UNKN' as Head of REvil and GandCrab

🔍 German authorities have identified 31‑year‑old Daniil Maksimovich Shchukin as the hacker known as 'UNKN', alleging he led the GandCrab and REvil ransomware operations. The Bundeskriminalamt says Shchukin and an associate extorted nearly €2 million in roughly two dozen attacks between 2019 and 2021, causing over €35 million in damage. Investigators cite cryptocurrency traces, forum links and a mugshot match; he is believed to be abroad, likely in Russia.
read more →