
All news with #ransomware tag


Advantest hit by ransomware; investigation under way

🔒 Advantest Corporation, the Tokyo-based maker of semiconductor test equipment, disclosed on 19 February that it is responding to a cybersecurity incident involving ransomware after detecting unusual activity in its IT environment on 15 February. The company says it isolated affected systems and engaged third-party cybersecurity experts to investigate and contain the event; preliminary findings indicate unauthorized access and possible ransomware deployment. As of 23 February no data breach has been confirmed, and Advantest says it will notify impacted customers or employees if exposure is found.

UMMC Offline After Ransomware, Patient Services Disrupted

🔒 The University of Mississippi Medical Center (UMMC) has taken many IT systems offline following a ransomware attack that disrupted access to electronic medical records and forced clinics and elective procedures to be cancelled. UMMC activated its Emergency Operations Plan and is working with the FBI and the Department of Homeland Security while hospitals operate using downtime procedures. The organisation has taken network systems offline for risk assessments and has not confirmed whether patient or employee data was exfiltrated.

AI-Assisted Actor Uses Generative AI to Compromise FortiGate

🔐 A Russian-speaking, financially motivated actor used commercial generative AI to scale scans and credential guessing against exposed FortiGate management ports, compromising over 600 devices across 55 countries. Amazon Threat Intelligence observed the activity between January 11 and February 18, 2026, noting no FortiGate zero-day exploits were used — the campaign relied on internet-exposed interfaces and weak single-factor credentials. Post-compromise activity included Active Directory theft, credential harvesting, NTLM relay and attempts to target Veeam backup servers, consistent with ransomware preparation.

Amazon: AI-assisted actor breached 600 FortiGate firewalls

🔍 Amazon says a Russian-speaking threat actor used commercial AI services to help breach over 600 FortiGate firewalls across 55 countries during a five-week campaign in early 2026. The attacker did not rely on zero-day exploits but instead scanned internet-facing management ports and used brute-force attempts against weak credentials lacking MFA. After gaining access, the actor extracted device configurations (including SSL‑VPN and administrative credentials) and deployed AI-assisted Python and Go tools to parse settings, map networks, and automate reconnaissance. Amazon urges administrators to remove exposed management interfaces, enable MFA, ensure VPN passwords differ from Active Directory credentials, and harden backup systems.

AI-Augmented Actor Compromises FortiGate Devices at Scale

🔐 Amazon Threat Intelligence observed a Russian-speaking, financially motivated actor using commercial generative AI to compromise over 600 FortiGate devices across 55+ countries from 2026-01-11 to 2026-02-18. The campaign did not exploit FortiGate vulnerabilities; it abused exposed management ports and weak single-factor credentials. The actor used AI-generated plans, scripts, and developer assistance to scale credential-based access and automate post-exploitation tasks.

CISA: BeyondTrust RCE Now Exploited in Ransomware Attacks

🔒 CISA warns that CVE-2026-1731, a pre-authentication remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access, is being actively exploited in ransomware attacks. The issue is an OS command injection reachable via specially crafted client requests and was added to the Known Exploited Vulnerabilities catalog on February 13. BeyondTrust reports the cloud (SaaS) was auto-patched on February 2; self-hosted customers must enable updates or install Remote Support 25.3.2 or Privileged Remote Access 25.1.1 and later.

INTERPOL's Operation Red Card 2.0: Coordinated Disruption

🚨 Operation Red Card 2.0 demonstrates how synchronized public‑ and private‑sector action can disrupt transnational fraud. Between December 2025 and January 2026, authorities across 16 African countries used shared intelligence and operational coordination to identify victims, arrest operators, seize devices, and dismantle malicious infrastructure. Fortinet supported the effort through data contributions and the Cybercrime Atlas, helping turn intelligence into enforcement outcomes.

INTERPOL's Red Card 2.0: 651 Arrests in Africa Crackdown

🔍 A coordinated operation led by INTERPOL and the African Joint Operation against Cybercrime (AFJOC) arrested 651 suspects across 16 countries between December 8 and January 30. Authorities recovered over $4.3 million and identified 1,247 victims linked to schemes responsible for more than $45 million in losses. Investigators seized 2,341 devices, dismantled networks of fraudulent accounts and took down 1,442 malicious websites, domains, and servers.

Record Year for Ransomware Victims as AI Lowers Barrier

🔒 Searchlight Cyber's report found a 30% year-on-year increase in ransomware victims listed on extortion sites in 2025, recording 7,458 incidents split virtually 50:50 across the year. The number of active groups reached a record 124, with 73 newly observed, and the firm warned that AI is lowering the barrier to entry by aiding social engineering, data analysis and malware refinement. The report urged organizations to address insider risk, patching, MFA and compromised accounts to reduce exposure.

Sharp Rise in Ransomware Targeting Industrial Systems

🔐 Researchers at Dragos warn of a marked increase in ransomware groups targeting industrial organizations in 2025, tracking 119 distinct groups — a 49% rise from 2024. The firm reports 3,300 industrial victims last year, with manufacturing and transportation most affected, followed by oil & gas, electricity and communications. Dragos attributes many compromises to abuse of legitimate credentials via VPNs, vendor tunnels and infostealers, and highlights an average OT dwell time of 42 days. The report also names three new threat groups: Sylvanite, Azurite and Pyroxene.

Hackers Abuse Monitoring and RMM Tools to Deploy Ransomware

🛡️ Huntress researchers report a threat actor abusing employee-monitoring software and an RMM platform to gain persistent access, tamper with defenses, and pursue ransomware and cryptocurrency theft. The attackers combined Net Monitor for Employees Professional and SimpleHelp, leveraging Net Monitor’s reverse connections and masquerading plus SimpleHelp’s lightweight agent and common-port operation. Incidents included an attempted Crazy ransomware deployment and targeted searches for crypto-related data; shared infrastructure and tradecraft suggest a single actor.

Ransomware leak sites escalate pressure on victims

🔒 Data leak sites (DLSs) have become the backbone of modern ransomware's double‑extortion strategy, combining data theft with public blackmail to force payment. Attackers publish carefully curated samples, use timers and deadlines, and exploit urgency to magnify reputational, regulatory, and financial harm. Law enforcement agencies and security teams warn that DLS content fuels follow‑on crimes like phishing and identity fraud. Organizations are urged to adopt EDR/XDR, Zero Trust, patched systems, resilient air‑gapped backups, and targeted user training.

Crazy ransomware gang exploits employee monitoring

🛡️ Researchers at Huntress found the Crazy ransomware gang abusing legitimate employee-monitoring software alongside the SimpleHelp remote support tool to maintain persistence, evade detection, and prepare ransomware deployment. Attackers installed Net Monitor for Employees Professional via msiexec.exe to view desktops, transfer files, and execute commands, then added SimpleHelp for redundant access. Huntress warns organizations to enforce MFA and monitor for unauthorized remote-management tools.

Phorpiex Phishing Campaign Deploys Global Group Ransomware

📎 Forcepoint observed a high-volume phishing campaign using the subject "Your Document" that delivers weaponised Windows shortcut (.lnk) attachments to initiate a multi-stage Phorpiex infection. The .lnk files exploit hidden extensions and copied Windows icons to turn a single click into silent execution: the shortcut launches cmd.exe, which invokes PowerShell to download and run a second-stage binary saved as windrv.exe. The retrieved payload is linked to the long-running Phorpiex MaaS botnet and, in these incidents, deployed Global Group ransomware that encrypts files and alters the desktop without contacting a C2 server.

Reynolds Ransomware Bundles BYOVD Driver to Evade EDR

🔒 Researchers have identified a Reynolds ransomware campaign that embeds a vulnerable NsecSoft NSecKrnl driver as a built‑in BYOVD component to terminate EDR and antivirus processes from vendors such as CrowdStrike, Symantec, Palo Alto, Sophos and Avast. Unlike typical attacks that deploy BYOVD separately, Reynolds bundles the signed but flawed driver inside the ransomware payload to quietly disable defenses. The intrusion also involved a suspicious side‑loaded loader before deployment and a subsequent GotoHTTP remote access tool, suggesting persistence and further post‑compromise activity.

January 2026: Global Attacks Rise; Ransomware, GenAI Risk

⚠️ Check Point Research reports a global increase in cyber attacks in January 2026, with organizations experiencing an average of 2,090 attacks per organization per week — a 3% increase from December and 17% above January 2025. The rise is driven by expanding ransomware operations and mounting data‑exposure risks linked to widespread GenAI adoption. Critical sectors are under intensified pressure as threat activity accelerates and adversaries move faster.

Weaponized Windows Shortcuts Deliver Global Group Ransomware

📄 Forcepoint X‑Labs researchers have uncovered a Phorpiex‑backed phishing campaign that weaponizes Windows shortcut (.lnk) files to deploy Global Group ransomware. Attackers send messages with the subject "Your Document" and attachments like "Document.doc.lnk", exploiting hidden file extensions and a Word‑style icon to trick recipients. The .lnk uses built‑in utilities (cmd.exe and PowerShell) and heavily obfuscated commands to fetch and run a second‑stage payload, leveraging Living‑off‑the‑Land techniques so the ransomware executes locally without external C2 communication.

Warlock Ransomware Exploits Unpatched SmarterMail Instance

🔒 SmarterTools confirmed a network breach by the Warlock (aka Storm-2603) ransomware group after attackers exploited an unpatched SmarterMail instance on January 29, 2026. A single, unpatched VM allowed lateral movement to about a dozen Windows servers across the office network and a secondary QC data center, with hosted SmarterTrack customers most affected. Operators staged tools including Velociraptor and deployed a locker after gaining Active Directory control. SmarterTools urges immediate upgrade to Build 9526 and isolation of mail servers to limit further ransomware deployment.

Warlock Ransomware Breach Through SmarterMail Flaw

🔒 SmarterTools confirmed that the Warlock ransomware group breached its network after exploiting an authentication-bypass flaw in a single, unpatched SmarterMail VM (CVE-2026-23760) on January 29, allowing attackers to reset admin passwords and obtain full privileges. The intrusion led to compromise of 12 Windows servers in the company’s office network and a secondary data center used for testing and hosting, while the company’s Linux infrastructure was not affected. Security tooling, including SentinelOne, blocked the final encryption payload, impacted systems were isolated, and data was restored from backups; SmarterTools urges administrators to upgrade to Build 9511 or later.

CISA: SmarterMail RCE Flaw Actively Exploited by Ransomware

⚠️ CISA warns that ransomware actors are actively exploiting CVE-2026-24423, a critical unauthenticated remote code execution vulnerability in SmarterTools SmarterMail via the ConnectToHub API. SmarterTools released a fix on January 15 (Build 9511) and issued further updates through Build 9526 on January 30. Agencies must apply updates or stop using the product by February 26, 2026, under KEV and BOD 22-01 guidance.