< ciso
brief />
Tag Banner

All news with #ransomware tag

463 articles · page 7 of 24

CISA Orders US Agencies to Patch Critical Cisco FMC Flaw

🔒 CISA has directed all federal civilian agencies to urgently patch a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) — tracked as CVE-2026-20131 with a CVSS score of 10. Cisco released a fix on 4 March after reports that the Interlock ransomware group had been exploiting the flaw as a zero day. Agencies were given just three days after KEV listing to patch or discontinue use due to active ransomware campaigns.
read more →

54 EDR Killers Use BYOVD to Exploit 34 Signed Drivers

🔒 A new ESET analysis identified 54 EDR-killer tools that leverage BYOVD, abusing 34 signed vulnerable drivers to gain kernel-mode privileges and neutralize endpoint protection. These utilities are frequently reused in ransomware operations to disable defenses prior to encryption, decoupling evasion from the encryptor. ESET recommends blocking misused drivers and adopting layered detection to mitigate the threat.
read more →

Ransomware Group Exploited Cisco Firewall Zero-Day

⚠️ Amazon disclosed that the ransomware group Interlock exploited a critical deserialization flaw in Cisco Secure Firewall Management Center (CVE-2026-20131) as a zero-day beginning January 26, roughly 38 days before Cisco released a patch on March 4. The bug carries a CVSS score of 10 and was addressed in Cisco’s semiannual firewall update alongside a second high-severity FMC issue. Using its MadPot honeypot network, Amazon captured attacker activity, recovered a malicious ELF binary, and traced a full attack chain that leveraged a single poorly secured staging server. The findings underscore the limits of patching alone and the need for layered defenses and urgent log hunting for provided indicators.
read more →

Leak Reveals Tactics and Tensions in Gentlemen Ransomware

🔍 Group-IB's March 19 report exposes operational details of the Gentlemen ransomware group after an affiliate known as hastalamuerte leaked internal information. The research describes a rapidly evolving RaaS that sprang from a Qilin ecosystem dispute and leverages a dual-extortion model, cross-platform encryption and automated lateral movement to maximize impact. Primary initial access stems from exposed FortiGate VPN devices, while advanced evasion such as BYOVD and aggressive log deletion are used to frustrate defenders and forensic analysis.
read more →

ThreatsDay: FortiGate RaaS, Citrix Exploits & Phish

🔔 ThreatsDay Bulletin highlights a wave of pragmatic, stealthy intrusions and abuse of lingering edge vulnerabilities. Notable findings include a nascent RaaS named The Gentlemen exploiting CVE-2024-55591 against FortiGate, a chained pre-auth RCE in BMC FootPrints, and active campaigns targeting Citrix NetScaler. The briefing underscores how small, well-crafted techniques— from deep-link MCP abuse to Teams phishing—are enabling remote access and data theft.
read more →

Interlock Ransomware Exploits Cisco FMC Zero-Day Patch Alert

🔒 AWS analysis reveals that the Interlock ransomware group has exploited CVE-2026-20131, a critical RCE in the web-based management interface of Cisco Secure Firewall Management Center (FMC), in active attacks since January 26. The flaw can permit an unauthenticated attacker to execute arbitrary Java code as root and carries a 10.0 CVSS score. AWS recommends applying Cisco patches, reviewing IoCs and hunting for PowerShell staging, custom Java/JavaScript RATs, memory-resident webshells and unauthorized ScreenConnect deployments.
read more →

Interlock Ransomware Exploits Cisco FMC Zero-Day Campaign

⚠️ Amazon Threat Intelligence warns of an active Interlock ransomware campaign exploiting a critical Cisco Secure Firewall Management Center vulnerability tracked as CVE-2026-20131 (CVSS 10.0). The flaw enables insecure deserialization of a user-supplied Java byte stream, allowing unauthenticated remote code execution as root. Amazon telemetry shows zero-day exploitation since January 26, 2026, and the actor's toolkit includes multi-platform backdoors, reconnaissance scripts, and infrastructure-laundering components.
read more →

Interlock Ransomware Exploits Cisco FMC Zero-Day Campaign

🛡️ Amazon Threat Intelligence identified an active Interlock ransomware campaign exploiting CVE-2026-20131 in Cisco Secure Firewall Management Center, with exploitation observed beginning January 26, 2026—36 days before Cisco publicly disclosed the flaw on March 4, 2026. A misconfigured attacker-controlled staging server exposed Interlock's full operational toolkit, including custom remote access trojans, reconnaissance scripts, a fileless Java webshell, and infrastructure-laundering scripts. Organizations running Cisco Secure FMC should immediately apply Cisco patches, review the provided indicators of compromise, and hunt for signs of lateral movement and data staging.
read more →

Marquis Data Theft: 672,075 Records Exposed in 2025

🔒 Marquis, a Texas-based financial services provider, says a ransomware gang stole data for 672,075 people after compromising a SonicWall firewall on August 14, 2025. The attackers exfiltrated names, dates of birth, addresses, phone numbers, Social Security and Taxpayer Identification numbers, and financial account details without security codes. The breach disrupted operations at 74 banks and has prompted lawsuits and numerous consumer class actions.
read more →

LeakNet Adopts ClickFix and Deno In-Memory Loader Technique

🔒 LeakNet has begun using ClickFix on compromised websites to trick users into running malicious msiexec commands, according to ReliaQuest. The group pairs this social-engineering tactic with a staged, Deno-based in-memory loader that executes Base64-encoded JavaScript and pulls additional stages directly into memory, minimizing on-disk evidence. Post-compromise behavior is consistent and repeatable, with DLL side-loading, lateral movement via PsExec, S3-backed exfiltration, system fingerprinting (including cmd.exe klist), and eventual ransomware deployment. ReliaQuest warns the approach reduces reliance on brokers, broadens access vectors, and is being seen across varied threat activity.
read more →

Ransomware TTPs and Shifting Threat Landscape — 2025

🔐 GTIG and Mandiant analysis of 2025 ransomware activity shows a shift toward greater data-theft-extortion and targeting of virtualization despite declining overall profitability for operators. Exploitation of VPNs and firewalls, increased abuse of legitimate tools and cloud services, and more aggressive extortion tactics produced a record number of data-leak-site postings. REDBIKE was the most frequently observed family, and defenders saw drops in Cobalt Strike and RMM reliance. Recommended actions include patching perimeter devices, hardening virtualization, improving backup resiliency, enforcing credential hygiene, and monitoring for anomalous data egress.
read more →

Interpol-led Operation Synergia III Nets 94 Arrests Worldwide

🔍 Interpol coordinated Operation Synergia III from 18 July 2025 to 31 January 2026, involving law enforcement units in 72 countries and private partners. The action produced 94 arrests, the seizure of 212 electronic devices and servers, and the takedown of some 45,000 malicious IP addresses, while 110 individuals remain under investigation. The operation targeted phishing, ransomware, romance scams and credit card fraud and disrupted infrastructure used to impersonate banks, government sites and payment services. Private-sector partners including Group-IB, Trend Micro and S2W supplied intelligence that helped identify hosting and malware distribution points.
read more →

INTERPOL Disrupts 45,000 Malicious IPs and Servers

🛡️ INTERPOL announced the takedown of 45,000 malicious IP addresses and servers linked to phishing, malware, and ransomware campaigns across 72 countries. The effort, part of Operation Synergia's third phase, resulted in 94 arrests, 212 devices seized and 110 suspects under investigation. Targeted actions in Bangladesh, Togo and Macau uncovered large fraud rings and over 33,000 phishing sites.
read more →

England Hockey Probes Alleged AiLock Ransomware Breach

🔒 England Hockey is investigating claims that the AiLock ransomware gang stole approximately 129GB of data and listed the organization on its leak site, threatening to publish files unless a ransom is paid. The governing body says it has prioritized an inquiry involving internal teams, external specialists, and cooperation with law enforcement. England Hockey cannot yet provide specifics while the investigation continues and urges members to remain vigilant for phishing and suspicious account activity.
read more →

Hive0163 Deploys AI-Assisted Slopoly in Ransomware Ops

🛡️ IBM X-Force researchers have linked a PowerShell backdoor called Slopoly to financially motivated group Hive0163 and report indicators that portions of the script were likely produced with a large language model. The builder-delivered payload establishes persistence via a scheduled task named Runtime Broker and was used to maintain access for more than a week in a 2026 ransomware incident. Slopoly beacons system details every 30 seconds, polls for commands every 50 seconds, executes via cmd.exe and returns results to a C2 server. Although the script lacks true self-modifying polymorphism, its comments, logging and naming conventions demonstrate how AI can accelerate malware development.
read more →

France: ANSSI Reports Fall in Ransomware Attacks 2025

🔒 The French cybersecurity agency ANSSI reported a decrease in known ransomware incidents in 2025, recording 128 attacks versus 141 in 2024. The agency attributed the decline partly to large-scale law enforcement actions and preventive interventions by cyber defenders, including Operation Endgame. Small and medium businesses remained the most targeted, while healthcare and education saw the sharpest increases. Prominent strains included Qilin, Akira and LockBit 3.0/LockBit Black.
read more →

Infosecurity Europe 2026 unveils keynote line-up and panels

🎤 Infosecurity Europe 2026 has revealed a major keynote programme for its 2–4 June event at ExCeL London, featuring industry founders, former intelligence leaders and elite-sport figures. Shlomo Kramer and Cynthia Kaiser headline Tuesday with sessions on technology trends and the ransomware economy, respectively, while Jason Fox will open Thursday with a resilience and decision-making keynote. Technical talks will address AI-driven cloud threats and preparations for post-quantum cryptography.
read more →

Cyber-Attacks on UK Firms Rise Nearly Fourfold YoY

📈 The February 2026 Check Point Global Threat Intelligence report found UK organisations saw fewer weekly attacks per organisation (1,504) than the global average (2,086), but a 36% year‑on‑year increase — nearly four times the global 9.8% rise. Education, energy & utilities, government, healthcare and financial services were among the most frequently targeted UK sectors. Ransomware remained acute, with 49 active groups and a plurality of victims attributed to Qilin, Clop and The Gentlemen. The report also warned that widespread, unmanaged GenAI use is elevating inadvertent data‑exposure risk, with one in 31 prompts judged high risk.
read more →

ESET Threat Intelligence Emerges as Strategic Game-Changer

🔍 ESET positions its threat intelligence and telemetry as essential tools for organizations facing increasingly sophisticated cyber threats, including AI-enabled attacks and convincing deepfakes. ESET Telemetry reports a 12% decline in overall detections in India (Jan–Aug 2025), but ransomware surged 70% from H2 2024 to H1 2025 and phishing remains the most common vector. The vendor bundles endpoint, XDR, identity protection, MDR, and analyst-driven APT reporting to help CIOs and CISOs stay ahead.
read more →

Global Cyber Attacks Stay Near Record Levels in Feb 2026

⚠️ Check Point Research reports that global cyber attack volumes remained near record highs in February 2026, with an average of 2,086 weekly attacks per organization—a 9.6% year‑over‑year increase and effectively flat month‑to‑month (-0.2%). While ransomware activity eased versus the same period last year, overall attack volumes grew due to automation, expanding digital footprints, and persistent exposure risks tied to enterprise GenAI use. The findings point to a sustained, high‑pressure threat environment that demands continuous risk management.
read more →