All news with #ransomware tag

Defeating BLOCKADE SPIDER: Stopping Cross-Domain Attacks

🔒 CrowdStrike describes how OverWatch detected and disrupted BLOCKADE SPIDER, a financially motivated eCrime group that has used cross-domain techniques since at least April 2024 to access unmanaged systems, dump credentials, and deploy Embargo ransomware. By correlating endpoint, identity, and cloud telemetry in Falcon Next-Gen SIEM and Falcon Identity Threat Protection, analysts traced a compromised VPN service account and observed MFA bypass and AD manipulation. The account underscores the value of unified visibility to stop lateral movement and protect critical assets.

Dutch Police Seize 250 Servers Used by Bulletproof Hosting

🛑 Dutch police seized around 250 physical servers and thousands of virtual machines tied to a bulletproof hosting service that allegedly catered exclusively to cybercriminals. Authorities say the infrastructure has been used since 2022 in more than 80 investigations and facilitated ransomware, botnets, phishing, and distribution of child abuse content. Investigators will perform forensic analysis on the seized systems to identify operators and clients. No arrests have been announced; the provider CrazyRDP has reportedly gone offline after the action.

Kraken Uses Benchmarking to Optimize Ransomware Attacks

🔒 Cisco Talos reported August 2025 activity by Kraken, a Russian‑speaking ransomware operation linked to the remnants of HelloKitty. The group exploits SMB flaws for initial access, uses Cloudflare for persistence and SSHFS to exfiltrate data, then deploys cross‑platform encryptors across Windows, Linux and VMware ESXi. Notably, Kraken benchmarks victim machines to tune encryption speed and reduce detection and instability. Victims span multiple countries and attackers operate a new leak forum called Last Haven Board.

Pennsylvania AG Data Breach After INC Ransom Attack

🔒 The Pennsylvania Office of the Attorney General (OAG) confirmed that files containing personal and medical information were accessed during an August 9 ransomware attack and that the office refused to pay the ransom. The incident encrypted systems and disrupted the OAG website, employee email accounts, and landline phones. Researcher Kevin Beaumont identified public-facing Citrix NetScaler appliances vulnerable to CVE-2025-5777 (Citrix Bleed 2) that may have been exploited. The threat actor INC Ransom later claimed responsibility and posted about 5.7TB of alleged stolen data.

Weekly Recap: Fortinet Exploited, Global Threats Rise

🔒 This week's recap highlights a surge in quiet, high-impact attacks that abused trusted software and platform features to evade detection. Researchers observed active exploitation of Fortinet FortiWeb (CVE-2025-64446) to create administrative accounts, prompting CISA to add it to the KEV list. Law enforcement disrupted major malware infrastructure while supply-chain and AI-assisted campaigns targeted package registries and cloud services. The guidance is clear: scan aggressively, patch rapidly, and assume features can be repurposed as attack vectors.

Akira Ransomware Expands to Nutanix AHV and Linux Servers

⚠️CISA, the FBI and international partners warn that the Akira ransomware gang has extended its attack surface beyond Windows, VMware ESXi and Hyper‑V to now target Nutanix AHV and Linux servers. The group exploits exposed VPNs, unpatched network appliances and backup platforms, rapidly exfiltrates data and employs a double‑extortion model. Akira uses tunneling tools like Ngrok, remote‑access abuse (AnyDesk, LogMeIn), and cryptography (ChaCha20 with RSA) to encrypt and leak files. Organizations should prioritize MFA, timely patching, segmented networks and protection of backup and hypervisor consoles.

JLR Posts £485m Q2 Losses After September Ransomware Attack

🔒 Jaguar Land Rover reported a £485m ($639m) Q2 loss after a September ransomware attack that halted production at its three UK plants for weeks. The company said the incident generated £196m ($258m) in cyber-related costs, contributing to a 24% year‑on‑year revenue decline to £4.9bn ($6.5bn). JLR set up a loan-backed financing scheme for suppliers and secured government loan guarantees, and confirmed production has now resumed.

Logitech Confirms Data Breach After Clop Extortion Campaign

🚨 Logitech International S.A. confirmed a data breach claimed by the extortion gang Clop and disclosed the incident in a Form 8‑K filing with the U.S. SEC. The company says data was exfiltrated but that the incident has not impacted its products, business operations, or manufacturing, and that highly sensitive fields such as national ID numbers and credit card data were not stored or accessed. Logitech engaged external cybersecurity firms, attributes the intrusion to a third‑party zero‑day that was patched, and Clop has posted nearly 1.8 TB of alleged stolen data.

Akira ransomware linked to $244M in illicit proceeds

🔒 A joint US and international advisory on 14 November attributes approximately $244.17m in illicit proceeds to the Akira ransomware group since late September 2025. The advisory reports rapid data exfiltration in some incidents and details exploitation of SonicWall CVE-2024-40766, expansion to Nutanix AHV disk encryption, and attacks leveraging SSH and unpatched Veeam servers. Operators employ initial access brokers, tunnelling tools and remote access software such as AnyDesk to persist and evade detection. Organisations are urged to prioritise patching, enforce phishing-resistant MFA, and maintain offline backups.

Ransomware Fragmentation Peaks as LockBit Re-emerges

🔒 Q3 2025 saw an unprecedented decentralization of ransomware, with Check Point Research tracking a record 85 active groups and roughly 1,592 disclosed victims across numerous leak sites. Despite enforcement actions and multiple takedowns, affiliates quickly reconstitute or rebrand, spawning 14 new ransomware brands this quarter. The return of LockBit 5.0 — with updated Windows, Linux and ESXi variants and individualized negotiation portals — suggests a possible shift back toward centralization, while marketing-driven actors like DragonForce further complicate attribution and response.

Kraken Ransomware Benchmarks Hosts to Choose Encryption

🔒 The Kraken ransomware targets Windows and Linux/VMware ESXi hosts and runs on-host benchmarks to decide whether to perform full or partial encryption. Cisco Talos researchers found it creates temporary files, times encryption of random data, and uses the result to select an encryption mode that maximizes damage while avoiding overloads. Before encrypting it deletes shadow volumes, stops backup services, appends .zpsc to files, and drops a readme_you_ws_hacked.txt ransom note. The group continues big‑game hunting and data theft for double extortion and has launched a forum called 'The Last Haven Board'.

CISA: Akira Ransomware Now Targets Nutanix AHV VMs

🛡️ U.S. cybersecurity agencies warn that the Akira ransomware operation has expanded to encrypt Nutanix AHV virtual machine disk files, with the first confirmed incident in June 2025. Akira Linux encryptors have been observed targeting .qcow2 virtual disk files directly rather than using AHV management commands. The advisory cites exploitation of SonicWall CVE-2024-40766 and includes new IOCs and mitigation recommendations.

Viasat KA-SAT Attack and Satellite Cybersecurity Lessons

🛰️ Cisco Talos revisits the Feb. 24, 2022 KA‑SAT incident where attackers abused a VPN appliance vulnerability to access management systems and deploy the AcidRain wiper. The malware erased modem and router firmware and configs, disrupting satellite communications for many Ukrainian users and unexpectedly severing remote monitoring for ~5,800 German Enercon wind turbines. The piece highlights forensic gaps, links to VPNFilter-era tooling, and the operational choices defenders face when repair or replacement are on the table.

Washington Post Oracle Breach Exposes Nearly 10,000

🔒 The Washington Post says a zero-day in Oracle E-Business Suite was used to access parts of its network, exposing personal and financial records for 9,720 employees and contractors. The intrusion occurred between July 10 and August 22, and attackers attempted extortion in late September. The activity has been tied to the Clop group exploiting CVE-2025-61884, and impacted individuals are being offered 12 months of identity protection and advised to consider credit freezes.

Ransomware Fragmentation and Rising Attacks in Q3 2025

🔍 The ransomware landscape in Q3 2025 reached a critical inflection point: despite law enforcement takedowns earlier in the year, attacks remained at historically high levels. Check Point Research identified 1,592 new victims across 85 active extortion groups, a 25% year‑over‑year increase. While major brands such as RansomHub and 8Base disappeared, numerous smaller actors rapidly filled the void, driving unprecedented RaaS fragmentation and complicating response efforts.

CISA, FBI and Partners Issue Guidance on Akira Ransomware

🛡️ CISA, FBI, DC3, HHS and international partners released updated guidance to help organizations mitigate the evolving Akira ransomware threat. The advisory details new indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by the group, which primarily targets small and medium-sized businesses but has also struck larger organizations across multiple sectors. It strongly urges immediate actions such as regular backups, enforcing multifactor authentication, and prioritizing remediation of known exploited vulnerabilities.

CISA Updates Advisory: Akira Ransomware Evolution Update

🔐 CISA and partner agencies published an updated advisory on Nov. 13, 2025, detailing new indicators, tactics, and detection guidance related to Akira ransomware. The update documents expanded targeting across Manufacturing, Education, IT, Healthcare, Financial, and Food and Agriculture, and links activity to groups such as Storm-1567 and Punk Spider. Key findings include exploitation of edge and backup vulnerabilities, use of remote management tools for defense evasion, and a faster, more destructive Akira_v2 variant that complicates recovery.

Kraken Ransomware: Cross-Platform Big-Game Hunting

🐙 Kraken is a Russian-speaking ransomware group active since February 2025 that conducts double-extortion, big-game hunting campaigns across multiple regions. In a documented intrusion Talos observed, attackers exploited SMB flaws for access, used Cloudflared for persistence, exfiltrated data via SSHFS, then deployed cross-platform encryptors for Windows, Linux and ESXi. The family includes on-host benchmarking to tune encryption, and Talos maps detections and IOCs to Cisco protections to aid response.

ThreatsDay Bulletin: Key Cybersecurity Developments

🔐 This ThreatsDay Bulletin surveys major cyber activity shaping November 2025, from exploited Cisco zero‑days and active malware campaigns to regulatory moves and AI-related leaks. Highlights include CISA's emergency directive after some Cisco updates remained vulnerable, a large-scale study finding 65% of AI firms leaked secrets on GitHub, and a prolific phishing operation abusing Facebook Business Suite. The roundup stresses practical mitigations—verify patch versions, enable secret scanning, and strengthen incident reporting and red‑teaming practices.

Synnovis Notifies NHS Clients After 2024 Ransomware

🔔 Synnovis has begun notifying its NHS customers and affected data controllers about the volume of patient information compromised in a June 2024 ransomware attack. The incident, attributed to a Qilin affiliate, saw roughly 400GB of data published and caused widespread disruption to blood services, cancelled appointments and at least one reported death. Synnovis said notifications will be completed by 21 November, citing the 'exceptional scale and complexity' of an unstructured and fragmented dataset, a delay that has drawn sharp criticism from security experts.