ciso brief

All news with #ransomware tag


Preparation and Hardening for Destructive Cyberattacks

🛡️ This article outlines practical, scalable recommendations to prepare and harden environments against destructive malware, wipers, and modified ransomware. It emphasizes resilience through verified, immutable backups, out-of-band incident communication, and prioritized recovery plans. The post recommends strengthening external-facing assets with multi-factor authentication and continuous attack-surface discovery, protecting Domain Controllers and virtualization infrastructure, and applying network and cloud segmentation alongside tuned detections. It also highlights available detections in Google SecOps and Mandiant rule packs.

Mississippi Medical Center Reopens Clinics After Ransomware

🏥 The University of Mississippi Medical Center (UMMC) says it has resumed normal operations nine days after a ransomware attack that disrupted electronic medical records and multiple IT systems. Phone lines were restored and clinics reopened with extended hours to reschedule missed appointments. UMMC is investigating the intrusion with FBI and CISA, and confirmed attackers had communicated with staff; no group has claimed responsibility.

Brute-Force Login Reveals Ransomware Infrastructure Network

🔎 The Huntress Tactical Response Team describes how a seemingly routine RDP brute-force alert exposed a larger ransomware-as-a-service ecosystem. Investigators found one successful login used from multiple geographically distributed IPs, domain enumeration activity, and unusual manual searches for credential files rather than typical credential dumping tools. Further pivots on TLS certificates and domains tied the activity to a privacy-focused VPN service and related infrastructure, and the report provides specific IOCs for defenders.
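The pattern Huntress describes is cheap to detect from Windows Security log data: a burst of 4625 failures against one account followed by a 4624 success from the same source, and then that same account succeeding from several unrelated source networks. The following is an added example, not code from the Huntress report; the comma-separated event format, the thresholds, and the sample events are constructed for illustration.

```python
"""Detect brute-force-then-success and one-account-many-sources RDP logons.

Input is a constructed "ts,event_id,user,src_ip,logon_type" line format
(assumption: a real pipeline would read 4624/4625 events from the Security
log or a SIEM). Thresholds are illustrative, not Huntress' tuning.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Logon:
    ts: int          # epoch seconds
    event_id: int    # 4624 = success, 4625 = failure
    user: str
    src_ip: str
    logon_type: int  # 10 = RemoteInteractive (RDP)


def parse(text: str) -> list[Logon]:
    """Parse the constructed log format, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, ip, ltype = line.split(",")
        events.append(Logon(int(ts), int(eid), user, ip, int(ltype)))
    return sorted(events, key=lambda e: e.ts)


def brute_force_then_success(events, window=300, min_failures=20):
    """Return (user, src_ip, failure_count) for each 4624 preceded by
    at least min_failures 4625s from the same source within `window` seconds."""
    hits = []
    for i, ev in enumerate(events):
        if ev.event_id != 4624:
            continue
        failures = sum(
            1 for prior in events[:i]
            if prior.event_id == 4625
            and prior.user == ev.user
            and prior.src_ip == ev.src_ip
            and ev.ts - prior.ts <= window
        )
        if failures >= min_failures:
            hits.append((ev.user, ev.src_ip, failures))
    return hits


def multi_source_success(events, min_networks=3, rdp_only=True):
    """Map user -> set of distinct /24 source networks with successful logons,
    keeping only users seen from at least min_networks networks."""
    nets = defaultdict(set)
    for ev in events:
        if ev.event_id != 4624 or (rdp_only and ev.logon_type != 10):
            continue
        net = ipaddress.ip_network(f"{ev.src_ip}/24", strict=False)
        nets[ev.user].add(str(net))
    return {u: n for u, n in nets.items() if len(n) >= min_networks}


def build_sample() -> str:
    """Constructed events: 25 RDP failures then a success for svc_backup,
    later successes from two other networks; alice is normal noise."""
    lines = [f"{1000 + i * 4},4625,svc_backup,203.0.113.7,10" for i in range(25)]
    lines += [
        "1120,4624,svc_backup,203.0.113.7,10",
        "1130,4624,alice,10.0.0.5,10",
        "1140,4625,alice,10.0.0.5,10",
        "1150,4624,alice,10.0.0.5,10",
        "1500,4624,svc_backup,198.51.100.9,10",
        "1600,4624,svc_backup,192.0.2.33,10",
        "1700,4624,svc_backup,203.0.113.7,10",
    ]
    return "\n".join(lines)


def analyze(text: str) -> dict:
    events = parse(text)
    return {
        "brute_force": brute_force_then_success(events),
        "multi_source": multi_source_success(events),
    }


if __name__ == "__main__":
    for k, v in analyze(build_sample()).items():
        print(k, v)
```

The second check is the one that separates a successful guess from the larger picture in the Huntress write-up: a single credential being reused from geographically scattered exit points is a strong signal that it has been sold or shared, which is worth an alert even when the initial brute force was missed.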

Study Finds Hackers Disrupt Operations at Many Firms

🔒 A representative survey by the Centre for European Economic Research (ZEW) found that a notable share of German companies experienced cyberattacks in 2025. In the information economy about one in seven firms and in industry about one in eight reported damage. Larger firms (100+ employees) were more frequently affected. The most common consequence was operational downtime, alongside financial losses, ransom demands, and data exfiltration.

University of Hawaii Cancer Center Data Breach Hits 1.2M

🔒 The University of Hawaii Cancer Center confirmed a ransomware breach that exposed data for nearly 1.2 million individuals after attackers accessed systems supporting its Epidemiology Division. Compromised files include names, Social Security numbers, driver's license numbers, and historical research health records collected in the 1990s and 2000s. UH says clinical operations, patient care, and student records were not affected and that it paid the actors for a decryption tool and to secure destruction of the stolen information.

Google Warns Iran Will Launch Global Cyber-Attacks

⚠ John Hultquist, chief analyst of Google’s Threat Intelligence Group, warned that Iran will "absolutely" respond to recent US and Israeli air strikes with cyber-attacks targeting a broad array of organisations across the Middle East and beyond. He said the focus will shift from well-defended states like Israel to nations with less mature security, expanding the global attack surface. Hultquist highlighted the blurred lines between state actors, criminal groups and hacktivist fronts, noting the likely use of ransomware and proxy operations by the IRGC to obfuscate attribution. The UK’s NCSC has advised organisations with Middle East ties to urgently review and strengthen their cybersecurity posture.

Hybrid Middle East Conflict Sparks Global Cyber Surge

🌐 A sharp escalation in the Middle East has entered a hybrid phase combining military strikes with large-scale cyber operations following joint Israeli–US strikes on Iran on 28 February 2026. CloudSek reported a sweeping cyber campaign that reduced Iran's internet to roughly 4% of normal capacity, disrupting government services, media and parts of energy and aviation. Security firm Halcyon warns of rising DDoS, hacktivist and ransomware activity and urges organisations to increase monitoring, enforce multi-factor authentication and maintain offline backups against supply-chain and regional spillover risks.

Ransomware revenues fall despite surge in victims globally

🔒 Chainalysis reports that total ransomware cryptocurrency payments fell 8% year-on-year to $820m in 2025, even as the number of victims surged 50% to make 2025 the most active year on record. Payment rates dropped from 63% in 2024 to 29% in 2025, while the median ransom rose 368% to $59,556. The firm attributes these shifts to improved incident response, global disruption of infrastructure and laundering networks, cryptographic flaws in strains like VolkLocker, and fragmentation of ransomware-as-a-service into numerous smaller groups.

Ransom Payments Fall as Incidents Rise, Chainalysis Finds

🔍 Chainalysis reports ransomware actors collected $820 million in 2025, a 28% decline from 2024 despite a roughly 50% rise in reported attacks year-over-year. Analysts attribute the drop to broader adherence to guidance discouraging ransom payments and to legal risks associated with payouts. At the same time, the average ransom payment jumped 368% to nearly $60,000, suggesting individual victims who do pay are settling for much larger sums to prevent data resale or exposure.

Ransomware Shift: Stealthy, Long-Term Access Tactics

🔒 Picus Security's annual red-teaming report finds ransomware operators shifting from noisy encryption to stealthy, long-term access, favoring persistence, defense evasion and data exfiltration. The firm reports a 38% drop in encryption as attackers prioritize double-extortion and silent leaks, often routing C2 traffic through trusted services like OpenAI and AWS. Experts urge stronger identity controls, monitoring of third-party integrations, and detections tuned to persistence and exfiltration.

Ransomware Payment Rate Falls to Record Low in 2025

🔒 Chainalysis reports that the proportion of ransomware victims who paid extortionists fell to a record low of 28% in 2025, even as claimed attacks rose sharply. The blockchain intelligence firm says total on-chain ransomware receipts currently total $820 million and may approach or exceed $900 million as more events are attributed. While total payment counts remained relatively stable, the median ransom surged 368% to $59,556, and analysts flagged growing fragmentation and several high-impact breaches.

Ransomware Payments Fall to Record Low as Attacks Rise

🔒 Chainalysis reports the ransomware victim payment rate fell to 28% in 2025, an all-time low, even as claimed attacks rose about 50% year-over-year. On-chain ransomware receipts totaled $820 million so far and may approach $900 million, while the median ransom jumped to $59,556, up 368% from 2024. Analysts point to improved incident response, regulatory scrutiny, law enforcement actions, and market fragmentation. The report also notes 85 active extortion groups and that initial access brokers earned roughly $14 million in 2025.

Smashing Security Podcast 456: DDoS, Ransomware Fails

🛡️ In episode 456 of Smashing Security, Graham Cluley and guest Paul Ducklin examine allegations that an internet archiving service operator weaponised its own CAPTCHA to DDoS a Finnish blogger, tampered with archive content to smear them, and issued bizarre threats about AI-generated pornography. The hosts also cover a ransomware crew that accidentally corrupted victims' decryption keys, rendering extortion efforts ineffective. The episode closes with a calm Pick of the Week and a furious rant about web forms.

Steaelite RAT Unifies Data Theft and Ransomware Tools

⚠️ Steaelite is a browser-based remote access trojan marketed on underground forums that consolidates remote access, credential harvesting, data exfiltration, and a planned ransomware module into a single management pane. Researchers at BlackFog say the toolkit includes live screen streaming, webcam and microphone access, password recovery, Defender-disable capabilities, and persistence options, and it’s been available since last November. The seller offers access as malware-as-a-service (about $200/month), and defenders are urged to prioritize stopping data exfiltration over relying solely on perimeter defenses.

Marquis Sues SonicWall Over Cloud Backup Breach

🔒 Marquis Software Solutions has filed suit against SonicWall, alleging gross negligence and misrepresentation after a ransomware attack on August 14, 2025 that followed a compromise of a SonicWall firewall. Investigators say the attacker accessed configuration backups stored in SonicWall’s MySonicWall cloud—an exposure Marquis attributes to an API code change in February 2025—and used configuration data and AES-256-encrypted credentials to bypass MFA. The stolen files included extensive personal and financial information; Marquis says the incident disrupted operations for 74 U.S. banks and forced the firm to defend more than 36 consumer class actions while seeking monetary damages, indemnification and equitable relief.

Types of Ransomware Attacks and Detection Methods Overview

🔒 This article profiles major ransomware varieties — including crypto, double extortion, encryptionless, locker, scareware and Ransomware-as-a-Service — and explains how they operate. It outlines common detection approaches such as behavioral, signature, heuristic, and deception techniques. The piece also situates ransomware within the broader malware landscape and describes how Huntress’ 24/7 human-led monitoring and containment reduce risk.
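Two of the detection approaches the article lists, behavioral and deception, can be shown together on a file share: plant a canary document that no legitimate process should touch, and watch for a burst of recently modified files whose contents have near-random byte entropy, which is what encrypted output looks like. This is an added example, not code from the article or from Huntress; the canary filename, the entropy and burst thresholds, and the simulated encryptor that overwrites files in a temporary directory are all assumptions made for the demonstration.

```python
"""Behavioral (entropy burst) plus deception (canary file) ransomware detection.

Runs entirely in a temporary directory. The encryptor is simulated by
overwriting files with random bytes and adding a ".locked" suffix; real
families differ, but the observable (many high-entropy writes in a short
window, canary touched) is the same. Thresholds are illustrative.
"""
import hashlib
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

CANARY_NAME = "_aaa_payroll_2025.xlsx"  # assumption: sorts first so it is hit early
ENTROPY_THRESHOLD = 7.5                 # bits/byte; encrypted data is ~7.9+
BURST_MIN_FILES = 5                     # high-entropy recent files before alerting


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canary(root: Path) -> str:
    """Write the canary and return its SHA-256 baseline."""
    path = root / CANARY_NAME
    path.write_bytes(b"CONFIDENTIAL payroll export, do not modify\n" * 32)
    return hashlib.sha256(path.read_bytes()).hexdigest()


def canary_tampered(root: Path, baseline: str) -> bool:
    """True if the canary is missing, renamed, or its content changed."""
    path = root / CANARY_NAME
    if not path.exists():
        return True
    return hashlib.sha256(path.read_bytes()).hexdigest() != baseline


def scan(root: Path, baseline: str, since: float) -> dict:
    """Count files modified after `since` whose content is near-random."""
    high_entropy = [
        p.name for p in root.rglob("*")
        if p.is_file()
        and p.stat().st_mtime >= since
        and shannon_entropy(p.read_bytes()) >= ENTROPY_THRESHOLD
    ]
    return {
        "high_entropy_files": len(high_entropy),
        "burst": len(high_entropy) >= BURST_MIN_FILES,
        "canary_tampered": canary_tampered(root, baseline),
    }


def simulate_encryptor(root: Path) -> None:
    """Stand-in for a crypto-ransomware run: overwrite and rename every file."""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(4096))
            p.rename(p.with_name(p.name + ".locked"))


def demo() -> dict:
    """Seed a share with plain documents, scan, 'encrypt', scan again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(10):
            (root / f"report_{i}.txt").write_text(
                f"Quarterly report for region {i}. Revenue flat, costs up.\n" * 40
            )
        baseline = plant_canary(root)
        since = time.time() - 60  # look at the last minute of writes
        before = scan(root, baseline, since)
        simulate_encryptor(root)
        after = scan(root, baseline, since)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The canary check fires on rename as well as content change because most encryptors append an extension; the entropy burst is the backstop for families that skip the canary or encrypt only part of each file, in which case the per-file threshold or the sampled byte range would need tuning.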

Lazarus Group Expands Ransomware Operations Using Medusa

🔐 Symantec and Carbon Black researchers linked a new wave of Medusa ransomware activity to North Korean state-backed actors within the broader Lazarus umbrella, noting deployments against a Middle East target and attempted intrusions into US healthcare. Medusa, a 2023 ransomware-as-a-service operated by Spearwing, has been tied to more than 366 incidents and recent listings of US healthcare and non-profit victims with average demands near $260,000. Analysts observed a toolkit—including Comebacker, Blindingcan, ChromeStealer and Mimikatz—that resembles previous Stonefly operations but cautioned the components are not exclusive to a single sub-group.

AI Speeds Attacker Breakouts to Minutes, ReliaQuest Finds

🔍 ReliaQuest's Annual Cyber‑Threat Report 2026 found attackers are using AI and automation to reduce average breakout time to 34 minutes (29% faster than 2024), with the fastest lateral movement recorded at four minutes and the quickest exfiltration at six minutes. The firm says 80% of ransomware groups used automation or AI last year. Defenders can respond faster using agentic AI, achieving average containment in four minutes versus 16 hours without automation, and should prioritise visibility, inventory management and stronger identity controls.

Lazarus Group Uses Medusa Ransomware in Middle East Attack

🔒 Broadcom's Symantec and Carbon Black Threat Hunter Team reports the North Korea-linked Lazarus Group used Medusa ransomware in an attack against an unnamed Middle East entity and mounted an unsuccessful attempt against a U.S. healthcare organization. Medusa is a RaaS launched by Spearwing in 2023 and has been tied to hundreds of incidents. Analysts say this reflects a tactical shift toward off-the-shelf ransomware and affiliate operations, with the campaign leveraging tools such as RP_Proxy, Mimikatz, Comebacker, InfoHook, BLINDINGCAN, and ChromeStealer.

Lazarus-linked Medusa Ransomware Hits U.S. Healthcare

🔒 Symantec says a North Korean Lazarus subgroup is using Medusa ransomware to extort U.S. healthcare organizations, marking the first public linkage between Lazarus and Medusa. The attacks combine commodity utilities with custom tools — Comebacker, Blindingcan, ChromeStealer, Infohook, Mimikatz and RP_Proxy — and have hit multiple healthcare and non-profit victims. Symantec published IoCs and warns demands can reach $15 million.