Last month, Sophos X-Ops reported several MDR cases where threat actors exploited a vulnerability in Veeam backup servers. We continue to track the activities of this threat cluster, which recently…

A relatively new ransomware operation named Interlock attacks organizations worldwide, taking the unusual approach of creating an encryptor to target FreeBSD servers.

Microchip Technology (NASDAQ: MCHP) revealed in its latest financial report on Tuesday that expenses related to the recent cybersecurity incident reached $21.4 million.

AEP GmbH was the victim of a targeted cyber attack on October 28, which led to the partial encryption of the company's IT systems. The company's own security systems detected the attack. The company provides information about this on its website.

A first-ever collaboration between DPRK-based Jumpy Pisces and Play ransomware signals a possible shift in tactics.

Change Healthcare updated filings with the federal government to warn that about 100 million people had information accessed by hackers during a ransomware attack in February.

The Department of Health and Human Services’s (HHS) Office for Civil Rights said Change Healthcare notified them on October 22 that “approximately 100 million individual notices have been sent regarding this breach.”

A report by Secureworks revealed a 30% year-over-year rise in active ransomware groups, which demonstrates fragmentation of an established criminal ecosystem.

As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.

ESET researchers uncover new Rust-based tools that we named MDeployer and MS4Killer and that are actively utilized by a new ransomware group called Embargo.

An unknown threat actor is developing ransomware to lock files and steal data on macOS, and it's not LockBit.

Threat actors exploit Amazon S3 in ransomware attacks, using AWS credentials for data theft.

Researchers uncover flaw in Mallox ransomware, offering free file recovery for early victims

Discover recent attacks using Lynx ransomware, a rebrand of INC, targeting multiple crucial sectors in the U.S. and UK with prevalent double-extortion tactics. Discover recent attacks using Lynx ransomware, a rebrand of INC, targeting multiple crucial sectors in the U.S. and UK with prevalent double-extortion tactics.

If someone asked me what was the best way to make money from a compromised AWS Account (assume root access even) — I would have answered “dump the data and hope that no-one notices you before you finish it up.”

This answer would have been valid until ~8 months ago when I stumbled upon a lesser known feature of AWS KMS which allows an attacker to do devastating ransomware attacks on a compromised AWS account.

Now I know that ransomware attacks using cross-account KMS keys is already known (checkout the article below)— but even then, the CMK is managed by AWS and they can just block the attackers access to the CMK and decrypt data for the victim because the key is OWNED by AWS and attacker is just given API access to it under AWS TOS. Also there’s no way to delete the CMK but only schedule the key deletion (min 7 days) which means there’s ample time for AWS to intervene.

Homeland Security Investigations is stopping hacks before they occur.

The difficult part of the initial response to a human-operated ransomware attack is identifying the attack vector. You may already know from recent security incident trends that the vulnerabilities of VPN devices are likely to be exploited, but it often...

One of the largest hospitals in West Texas has been forced to divert ambulances after a ransomware attack shut down many of its systems last Thursday.

The University Medical Center Health System in Lubbock confirmed on Friday that IT outages are being caused by a ransomware incident.

Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations.

in light of the escalating frequency and complexity of ransomware attacks, are security leaders confident in their organization’s defenses? According to Group-IB’s Hi-Tech Crime Trends 2023/2024 Report, ransomware will have an increasingly significant impact in 2024 and beyond. Key trends driving this include the expansion of the Ransomware-as-a-Service (RaaS) market, the proliferation of stolen data on Dedicated Leak Sites (DLS), and a rise in affiliate programs.

In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner.
Nitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the beachhead host and perform further malicious actions. The two post-exploitation frameworks were loaded in memory through Python scripts.
After obtaining initial access and establishing further command and control connections, the threat actor enumerated the compromised network with the use of PowerSploit, SharpHound, and native Windows utilities. Impacket was employed to move laterally, after harvesting domain credentials.
The threat actor deployed an opensource backup tool call Restic on a file server to exfiltrate share data to a remote server.
Eight days after initial access the threat actor modified a privileged user password and deployed BlackCat ransomware across the domain using PsExec to execute a batch script.
Six rules were added to our Private Ruleset related to this intrusion.