All news with #ransomware tag

Nikkei Slack Account Compromise Exposes Employee Data

🔒 Nikkei disclosed that unauthorized actors used malware to infect an employee’s computer, obtain Slack credentials, and access accounts on the company's Slack workspace. The firm reports that data for possibly more than 17,000 employees and business partners — including names, email addresses and chat logs — may have been stolen. Nikkei discovered the incident in September and implemented password resets and other remediation measures. The company said there's no confirmation that sources or journalistic activities were affected.

Hacktivist DDoS Drives Majority of Public Sector Attacks

🛡️ ENISA's study of 586 public administration incidents found DDoS attacks made up roughly 60% of events, with 63% attributed to hacktivist groups. Central government incidents accounted for 69% of the total, while data breaches (17%) and ransomware (10%) caused disproportionate disruption. ENISA warns the sector's low maturity and recent inclusion in NIS2 increase risk and recommends CDNs/WAFs for DDoS mitigation, MFA/PAM/DLP for data protection, and EDR, segmentation and backups to combat ransomware.

ThreatsDay Bulletin: Cybercrime Trends and Major Incidents

🛡️ This bulletin catalogues a broad set of 2025 incidents showing cybercrime’s increasing real-world impacts. Microsoft patched three Windows GDI flaws (CVE-2025-30388, CVE-2025-53766, CVE-2025-47984) rooted in gdiplus.dll and gdi32full.dll, while Check Point warned partial fixes can leave data leaks lingering. Threat actors expanded toolsets and infrastructure — from RondoDox’s new exploits and TruffleNet’s AWS abuse to FIN7’s SSH backdoor and sophisticated phishing campaigns — and law enforcement action ranged from large fraud takedowns to prison sentences and cross-border crackdowns.

AI-Powered Malware Emerges: Google Details New Threats

🛡️ Google Threat Intelligence Group (GTIG) reports that cybercriminals are actively integrating large language models into malware campaigns, moving beyond mere tooling to generate, obfuscate, and adapt malicious code. GTIG documents new families — including PROMPTSTEAL, PROMPTFLUX, FRUITSHELL, and PROMPTLOCK — that query commercial APIs to produce or rewrite payloads and evade detection. Researchers also note attackers use social‑engineering prompts to trick LLMs into revealing sensitive guidance and that underground marketplaces increasingly offer AI-enabled “malware-as-a-service,” lowering the bar for less skilled threat actors.

Google: Cyber-Physical Attacks to Rise in Europe 2026

🚨 Google Cloud Security's Cybersecurity Forecast 2026 warns of a rise in cyber-physical attacks across EMEA targeting energy grids, transport and digital infrastructure. The report highlights increased state-sponsored espionage from Russia and China and anticipates these operations may form hybrid warfare combined with information operations to erode public trust. It also flags supply-chain compromises of managed service providers and software dependencies, and notes that cybercrime — including ransomware aimed at ERP systems — will remain a major disruptive threat to ICS/OT. Analysts further expect adversaries to increasingly leverage AI and multimodal deepfakes.

SonicWall Attributes September Backup Breach to State Actor

🔐 SonicWall has confirmed a state-sponsored threat actor was responsible for a September breach that exposed cloud-stored firewall configuration backup files. The company said the unauthorized access used an API call against a specific cloud environment and affected backups for fewer than 5% of customers. SonicWall engaged Google-owned Mandiant, implemented recommended mitigations, and released an Online Analysis Tool and a Credentials Reset Tool. Customers are advised to log in to MySonicWall.com to review devices and reset impacted credentials.

Smashing Security #442: Clock Hack and Rogue Negotiators

🕒 In episode 442 of Smashing Security, Graham Cluley and guest Dave Bittner examine a state-backed actor that spent two years tunnelling toward a nation's master clock, creating the potential for widespread disruption to time-sensitive systems. They also discuss a disturbing case where ransomware negotiators allegedly turned rogue and carried out their own hacks. The discussion highlights investigative findings, operational impacts, and lessons for defenders tasked with protecting critical infrastructure.

Gootloader Returns After Seven Months With Evasion Tricks

🛡️ Gootloader has resumed operations after a seven-month pause, using SEO poisoning to promote fake legal-document sites that trick users into downloading malicious ZIP archives containing JScript loaders. The campaign now employs novel evasion techniques — a custom web font that renders readable keywords in the browser while the HTML source remains gibberish, and malformed ZIPs that extract a .js in Windows Explorer but a benign .txt for many analysis tools. Infected hosts receive follow-on payloads such as Cobalt Strike, backdoors including the Supper SOCKS5 implant, and bots that provide initial access for ransomware affiliates.

Google: New AI-Powered Malware Families Deployed

⚠️Google's Threat Intelligence Group reports a surge in malware that integrates large language models to enable dynamic, mid-execution changes—what Google calls "just-in-time" self-modification. Notable examples include the experimental PromptFlux VBScript dropper and the PromptSteal data miner, plus operational threats like FruitShell and QuietVault. Google disabled abused Gemini accounts, removed assets, and is hardening model safeguards while collaborating with law enforcement.

GTIG: Threat Actors Shift to AI-Enabled Runtime Malware

🔍 Google Threat Intelligence Group (GTIG) reports an operational shift from adversaries using AI for productivity to embedding generative models inside malware to generate or alter code at runtime. GTIG details “just-in-time” LLM calls in families like PROMPTFLUX and PROMPTSTEAL, which query external models such as Gemini to obfuscate, regenerate, or produce one‑time functions during execution. Google says it disabled abusive assets, strengthened classifiers and model protections, and recommends monitoring LLM API usage, protecting credentials, and treating runtime model calls as potential live command channels.

U.S. Sanctions 10 North Korean Financial and IT Facilitators

🛡️ The U.S. Treasury on Tuesday sanctioned eight individuals and two entities tied to North Korea's global financial network for laundering proceeds from cybercrime and fraudulent IT-worker schemes. The list names Jang Kuk Chol and Ho Jong Son, linked to $5.3 million in cryptocurrency managed for First Credit Bank, as well as Korea Mangyongdae Computer Technology Company (KMCTC), its president U Yong Su, and Ryujong Credit Bank. Treasury said the funds help finance Pyongyang's weapons and cyber programs, while blockchain firm TRM Labs reported sustained crypto inflows indicative of salary-routing activity.

U.S. Treasury Sanctions North Korean Bankers, IT Scammers

⚖️ The U.S. Treasury's OFAC imposed sanctions on two North Korean financial institutions and eight individuals accused of laundering cryptocurrency stolen in cyberattacks and operating fraudulent IT worker schemes. Designated entities include Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), plus named bankers linked to ransomware proceeds. The actions block property under U.S. jurisdiction and warn financial institutions of secondary sanctions and enforcement risk for transacting with the listed parties.

10 Promising Cybersecurity Startups CISOs Should Know

🔒 This roundup profiles ten cybersecurity startups founded in 2020 or later that CISOs should watch, chosen for funding, leadership, customer traction, and strategic clarity. It highlights diverse categories including non-human identity, software supply chain, data security posture, and AI agent security. Notable vendors such as Astrix, Chainguard, Cyera, and Drata have raised substantial capital and achieved rapid enterprise adoption. The list underscores investor enthusiasm and the rise of runtime‑focused and agentic defenses.

CrowdStrike: Rise in Physical Attacks on Privileged Users

🔒 CrowdStrike's 2025 analysis documents a sharp rise in physical attacks and kidnappings tied to cyber intrusions, concentrated in Europe. The report cites the January 2025 kidnapping of a Ledger co‑founder and records 17 similar incidents in Europe from January through September 2025, 13 of them in France. Consultants warn attackers increasingly pair cyber operations with real‑world violence, driving organizations to strengthen physical and executive security and adjust incident response playbooks.

Asset Management: The Essential Foundation for Defense

🔍 Threat intelligence is valuable but only effective when organizations maintain reliable asset management. Asset management—the inventory, monitoring, and administration of hosts—provides the foundational visibility needed to detect, patch, and prevent intrusions. Bradley Duncan cites historic malware like Emotet and Qakbot to show how poor asset hygiene enabled massive infections and urges proactive measures such as Unit 42's Attack Surface Assessment.

Apache OpenOffice Denies Akira Ransomware Breach Claims

🔒 The Apache Software Foundation says there is no evidence that Apache OpenOffice was breached after the Akira ransomware gang claimed on October 30 that it had stolen 23 GB of corporate documents. The Foundation notes it does not maintain payroll-style employee records or the types of financial and identity documents described, and it has not received a ransom demand. An internal investigation so far has found no compromise and Akira has not published any of the alleged data.

Scattered Spider, LAPSUS$, and ShinyHunters: SLH Collective

🕸 The nascent Scattered LAPSUS$ Hunters (SLH) collective — a merging of Scattered Spider, LAPSUS$, and ShinyHunters — has repeatedly recreated its Telegram presence, cycling channels at least 16 times since August 8, 2025. The group markets an extortion-as-a-service offering to affiliates, targets organizations including those using Salesforce, and has teased a custom ransomware family called Sh1nySp1d3r. Trustwave SpiderLabs assesses SLH as blending financially motivated crime with attention-seeking hacktivism and sophisticated brand management.

Scattered LAPSUS$ Hunters Unite ShinyHunters Alliance

🔎 Trustwave SpiderLabs has identified a coordinated alliance now operating as Scattered LAPSUS$ Hunters (SLH), merging reputational capital from Scattered Spider, ShinyHunters and LAPSUS$. The collective presents a unified operational brand, complete with a named "Operations Centre," centralized narrative and affiliate-driven extortion model. Analysis attributes fewer than five core operators managing roughly 30 personas and highlights Telegram as a persistent command-and-branding hub. Trustwave warns this consolidation aims to fill the vacuum left by the collapse of BreachForums and to sustain public, intimidation-based extortion tactics.

Cybersecurity Forecast 2026: AI, Cybercrime, Nation-State

🔒 The Cybersecurity Forecast 2026 synthesizes frontline telemetry and expert analysis from Google Cloud security teams to outline the most significant threats and defensive shifts for the coming year. The report emphasizes how adversaries will broadly adopt AI to scale attacks, with specific risks including prompt injection and AI-enabled social engineering. It also highlights persistent cybercrime trends—ransomware, extortion, and on-chain resiliency—and evolving nation‑state campaigns. Organizations are urged to adapt IAM, secure AI agents, and harden virtualization controls to stay ahead.

DragonForce Emerges as Conti-Derived Ransomware Cartel

🛡️DragonForce, a ransomware operation built from leaked Conti source code, has restructured into a self-styled cartel that recruits affiliates and encourages branded variants. Researchers at Acronis report it retains Conti’s ChaCha20/RSA encryption, SMB-based network spreading, and multiple encryption modes while employing a hidden configuration system. Operators have pursued aggressive tactics — including defacing rival leak sites and aligning with access brokers like Scattered Spider — and have threatened victims with decryptor deletion and data leaks.