< ciso
brief />
Tag Banner

All news with #ransomware tag

463 articles · page 9 of 24

Lazarus Group Expands Ransomware Operations Using Medusa

🔐 Symantec and Carbon Black researchers linked a new wave of Medusa ransomware activity to North Korean state-backed actors within the broader Lazarus umbrella, noting deployments against a Middle East target and attempted intrusions into US healthcare. Medusa, a 2023 ransomware-as-a-service operated by Spearwing, has been tied to more than 366 incidents and recent listings of US healthcare and non-profit victims with average demands near $260,000. Analysts observed a toolkit—including Comebacker, Blindingcan, ChromeStealer and Mimikatz—that resembles previous Stonefly operations but cautioned the components are not exclusive to a single sub-group.
read more →

AI Speeds Attacker Breakouts to Minutes, ReliaQuest Finds

🔍 ReliaQuest's Annual Cyber‑Threat Report 2026 found attackers are using AI and automation to reduce average breakout time to 34 minutes (29% faster than 2024), with the fastest lateral movement recorded at four minutes and the quickest exfiltration at six minutes. The firm says 80% of ransomware groups used automation or AI last year. Defenders can respond faster using agentic AI, achieving average containment in four minutes versus 16 hours without automation, and should prioritise visibility, inventory management and stronger identity controls.
read more →

Lazarus Group Uses Medusa Ransomware in Middle East Attack

🔒 Broadcom's Symantec and Carbon Black Threat Hunter Team reports the North Korea-linked Lazarus Group used Medusa ransomware in an attack against an unnamed Middle East entity and mounted an unsuccessful attempt against a U.S. healthcare organization. Medusa is a RaaS launched by Spearwing in 2023 and has been tied to hundreds of incidents. Analysts say this reflects a tactical shift toward off-the-shelf ransomware and affiliate operations, with the campaign leveraging tools such as RP_Proxy, Mimikatz, Comebacker, InfoHook, BLINDINGCAN, and ChromeStealer.
read more →

Lazarus-linked Medusa Ransomware Hits U.S. Healthcare

🔒 Symantec says a North Korean Lazarus subgroup is using Medusa ransomware to extort U.S. healthcare organizations, marking the first public linkage between Lazarus and Medusa. The attacks combine commodity utilities with custom tools — Comebacker, Blindingcan, ChromeStealer, Infohook, Mimikatz and RP_Proxy — and have hit multiple healthcare and non-profit victims. Symantec published IoCs and warns demands can reach $15 million.
read more →

Advantest hit by ransomware; investigation under way

🔒 Advantest Corporation, the Tokyo-based maker of semiconductor test equipment, disclosed on 19 February that it is responding to a cybersecurity incident involving ransomware after detecting unusual activity in its IT environment on 15 February. The company says it isolated affected systems and engaged third-party cybersecurity experts to investigate and contain the event; preliminary findings indicate unauthorized access and possible ransomware deployment. As of 23 February no data breach has been confirmed, and Advantest says it will notify impacted customers or employees if exposure is found.
read more →

UMMC Offline After Ransomware, Patient Services Disrupted

🔒 The University of Mississippi Medical Center (UMMC) has taken many IT systems offline following a ransomware attack that disrupted access to electronic medical records and forced clinics and elective procedures to be cancelled. UMMC activated its Emergency Operations Plan and is working with the FBI and the Department of Homeland Security while hospitals operate using downtime procedures. The organisation has taken network systems offline for risk assessments and has not confirmed whether patient or employee data was exfiltrated.
read more →

AI-Assisted Actor Uses Generative AI to Compromise FortiGate

🔐 A Russian-speaking, financially motivated actor used commercial generative AI to scale scans and credential guessing against exposed FortiGate management ports, compromising over 600 devices across 55 countries. Amazon Threat Intelligence observed the activity between January 11 and February 18, 2026, noting no FortiGate zero-day exploits were used — the campaign relied on internet-exposed interfaces and weak single-factor credentials. Post-compromise activity included Active Directory theft, credential harvesting, NTLM relay and attempts to target Veeam backup servers, consistent with ransomware preparation.
read more →

Amazon: AI-assisted actor breached 600 FortiGate firewalls

🔍 Amazon says a Russian-speaking threat actor used commercial AI services to help breach over 600 FortiGate firewalls across 55 countries during a five-week campaign in early 2026. The attacker did not rely on zero-day exploits but instead scanned internet-facing management ports and used brute-force attempts against weak credentials lacking MFA. After gaining access, the actor extracted device configurations (including SSL‑VPN and administrative credentials) and deployed AI-assisted Python and Go tools to parse settings, map networks, and automate reconnaissance. Amazon urges administrators to remove exposed management interfaces, enable MFA, ensure VPN passwords differ from Active Directory credentials, and harden backup systems.
read more →

AI-Augmented Actor Compromises FortiGate Devices at Scale

🔐 Amazon Threat Intelligence observed a Russian-speaking, financially motivated actor using commercial generative AI to compromise over 600 FortiGate devices across 55+ countries from 2026-01-11 to 2026-02-18. The campaign did not exploit FortiGate vulnerabilities; it abused exposed management ports and weak single-factor credentials. The actor used AI-generated plans, scripts, and developer assistance to scale credential-based access and automate post-exploitation tasks.
read more →

CISA: BeyondTrust RCE Now Exploited in Ransomware Attacks

🔒 CISA warns that CVE-2026-1731, a pre-authentication remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access, is being actively exploited in ransomware attacks. The issue is an OS command injection reachable via specially crafted client requests and was added to the Known Exploited Vulnerabilities catalog on February 13. BeyondTrust reports the cloud (SaaS) was auto-patched on February 2; self-hosted customers must enable updates or install Remote Support 25.3.2 or Privileged Remote Access 25.1.1 and later.
read more →

INTERPOL's Operation Red Card 2.0: Coordinated Disruption

🚨 Operation Red Card 2.0 demonstrates how synchronized public‑ and private‑sector action can disrupt transnational fraud. Between December 2025 and January 2026, authorities across 16 African countries used shared intelligence and operational coordination to identify victims, arrest operators, seize devices, and dismantle malicious infrastructure. Fortinet supported the effort through data contributions and the Cybercrime Atlas, helping turn intelligence into enforcement outcomes.
read more →

INTERPOL's Red Card 2.0: 651 Arrests in Africa Crackdown

🔍 A coordinated operation led by INTERPOL and the African Joint Operation against Cybercrime (AFJOC) arrested 651 suspects across 16 countries between December 8 and January 30. Authorities recovered over $4.3 million and identified 1,247 victims linked to schemes responsible for more than $45 million in losses. Investigators seized 2,341 devices, dismantled networks of fraudulent accounts and took down 1,442 malicious websites, domains, and servers.
read more →

Record Year for Ransomware Victims as AI Lowers Barrier

🔒 Searchlight Cyber's report found a 30% year-on-year increase in ransomware victims listed on extortion sites in 2025, recording 7,458 incidents split virtually 50:50 across the year. The number of active groups reached a record 124, with 73 newly observed, and the firm warned that AI is lowering the barrier to entry by aiding social engineering, data analysis and malware refinement. The report urged organizations to address insider risk, patching, MFA and compromised accounts to reduce exposure.
read more →

Sharp Rise in Ransomware Targeting Industrial Systems

🔐 Researchers at Dragos warn of a marked increase in ransomware groups targeting industrial organizations in 2025, tracking 119 distinct groups — a 49% rise from 2024. The firm reports 3,300 industrial victims last year, with manufacturing and transportation most affected, followed by oil & gas, electricity and communications. Dragos attributes many compromises to abuse of legitimate credentials via VPNs, vendor tunnels and infostealers, and highlights an average OT dwell time of 42 days. The report also names three new threat groups: Sylvanite, Azurite and Pyroxene.
read more →

Hackers Abuse Monitoring and RMM Tools to Deploy Ransomware

🛡️ Huntress researchers report a threat actor abusing employee-monitoring software and an RMM platform to gain persistent access, tamper with defenses, and pursue ransomware and cryptocurrency theft. The attackers combined Net Monitor for Employees Professional and SimpleHelp, leveraging Net Monitor’s reverse connections and masquerading plus SimpleHelp’s lightweight agent and common-port operation. Incidents included an attempted Crazy ransomware deployment and targeted searches for crypto-related data; shared infrastructure and tradecraft suggest a single actor.
read more →

Ransomware leak sites escalate pressure on victims

🔒 Data leak sites (DLSs) have become the backbone of modern ransomware's double‑extortion strategy, combining data theft with public blackmail to force payment. Attackers publish carefully curated samples, use timers and deadlines, and exploit urgency to magnify reputational, regulatory, and financial harm. Law enforcement agencies and security teams warn that DLS content fuels follow‑on crimes like phishing and identity fraud. Organizations are urged to adopt EDR/XDR, Zero Trust, patched systems, resilient air‑gapped backups, and targeted user training.
read more →

Crazy ransomware gang exploits employee monitoring

🛡️ Researchers at Huntress found the Crazy ransomware gang abusing legitimate employee-monitoring software alongside the SimpleHelp remote support tool to maintain persistence, evade detection, and prepare ransomware deployment. Attackers installed Net Monitor for Employees Professional via msiexec.exe to view desktops, transfer files, and execute commands, then added SimpleHelp for redundant access. Huntress warns organizations to enforce MFA and monitor for unauthorized remote-management tools.
read more →

Phorpiex Phishing Campaign Deploys Global Group Ransomware

📎 Forcepoint observed a high-volume phishing campaign using the subject "Your Document" that delivers weaponised Windows shortcut (.lnk) attachments to initiate a multi-stage Phorpiex infection. The .lnk files exploit hidden extensions and copied Windows icons to turn a single click into silent execution: the shortcut launches cmd.exe, which invokes PowerShell to download and run a second-stage binary saved as windrv.exe. The retrieved payload is linked to the long-running Phorpiex MaaS botnet and, in these incidents, deployed Global Group ransomware that encrypts files and alters the desktop without contacting a C2 server.
read more →

Reynolds Ransomware Bundles BYOVD Driver to Evade EDR

🔒 Researchers have identified a Reynolds ransomware campaign that embeds a vulnerable NsecSoft NSecKrnl driver as a built‑in BYOVD component to terminate EDR and antivirus processes from vendors such as CrowdStrike, Symantec, Palo Alto, Sophos and Avast. Unlike typical attacks that deploy BYOVD separately, Reynolds bundles the signed but flawed driver inside the ransomware payload to quietly disable defenses. The intrusion also involved a suspicious side‑loaded loader before deployment and a subsequent GotoHTTP remote access tool, suggesting persistence and further post‑compromise activity.
read more →

January 2026: Global Attacks Rise; Ransomware, GenAI Risk

⚠️ Check Point Research reports a global increase in cyber attacks in January 2026, with organizations experiencing an average of 2,090 attacks per organization per week — a 3% increase from December and 17% above January 2025. The rise is driven by expanding ransomware operations and mounting data‑exposure risks linked to widespread GenAI adoption. Critical sectors are under intensified pressure as threat activity accelerates and adversaries move faster.
read more →