Kryptina's adoption by Mallox affiliates complicates malware tracking as ransomware operators blend different codebases into new variants.

• Kryptina evolved from a free tool on public forums to being actively used in enterprise attacks, particularly under the Mallox ransomware family.
• In May 2024, a Mallox affiliate leaked staging server data, revealing that their Linux ransomware was based on a modified version of Kryptina.
• The affiliate made superficial changes to source code and documentation, stripping Kryptina branding but retaining core functionality.
• The adoption of Kryptina by Mallox affiliates exemplifies the commoditization of ransomware tools, complicating malware tracking as affiliates blend different codebases into new variants.
• This original research was presented by the author at LABScon 2024 in Scottsdale, Arizona.

Threat actors called Vanir Ransomware Group posted a few listings in July. Tonight, however, their onion site has a seized message:

” THIS HIDDEN SITE HAS BEEN SEIZED
by the State Bureau of Investigation Baden-Württemberg as a part of a law enforcement action taken against Vanir Ransomware Group “

The personal information of a million individuals was leaked online following a ransomware attack that in June hit NHS hospitals in London.

Radio Geretsried, a local station in Bavaria, said it was trying to save music files and restore systems after an apparent ransomware attack.

Kawasaki Motors Europe has announced that it's recovering from a cyberattack that caused service disruptions as the RansomHub ransomware gang threatens to leak stolen data.

At the start of September, Kawasaki Motors Europe, (KME) was the subject of a cyber-attack which, although not successful, resulted in the company’s servers being temporarily isolated until a strategic recovery plan was initiated later on the same day.
KME and its country Branches operate a large number of servers and, as a precaution, it was decided to isolate each one and put a cleansing process in place whereby all data was checked and any suspicious material identified and dealt with.

ESET découvre que le groupe CosmicBeetle s'associe à d'autres gangs de ransomwares et cible des entreprises en France. Tribune ESET. Les chercheurs d'ESET ont mené l’enquête sur ScRansom, un nouveau ransomware développé par le groupe CosmicBeetle. CosmicBeetle a débuté avec les outils Lockbit qui ont fuité. CosmicBeetle est probablement devenu récement un affilié RansomHub ScRansom

August 2024 witnessed a noticeable increase in ransomware activity, with emerging groups like Lynx and RansomHub showing dramatic...

In recent threat activity observed by Arctic Wolf, Akira ransomware affiliates carried out ransomware attacks with an initial access vector involving the compromise of SSLVPN user accounts on SonicWall devices.

Comme d’autres services publics avant elle, l’université Paris-Saclay a subi une cyberattaque par le biais d’un ransomware sur ses serveurs. L’attaque qui a eu lieu le 11 août a affecté les services centraux de l’établissement, ainsi que ses composantes (facultés, IUT, Polytech Paris-Saclay, Observatoire des sciences de l’univers). Sont notamment indisponibles un certain nombre de services comme la messagerie électronique, l’intranet, les espaces partagés et certaines applications métier. Un site provisoire a été mis en ligne afin d’assurer, durant les prochaines semaines, la communication auprès des personnels et des étudiants. Une foire aux questions, relative à la cyberattaque, régulièrement complétée et actualisée y est affichée.

Discover the latest insights on the emerging ransomware group Cicada3301, first detected in June 2024. Truesec's investigation reveals key findings about this group, named after a famous cryptography game, now targeting multiple victims.

The deployment of ransomware remains the greatest serious and organised cybercrime threat, the largest cybersecurity threat, and also poses a risk to the UK’s national security. Ransomware attacks can have a significant impact on victims due to financial, data, and service losses, which can lead to business closure, inaccessible public services, and compromised customer data. Threat actors are typically based in overseas jurisdictions where limited cooperation makes it challenging for UK law enforcement to disrupt their activities.

• In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware.
• The threat actor leveraged various tools, including Sharphound, Rubeus, SystemBC, Get-DataInfo.ps1, Cobalt Strike, and ADFind, along with built-in system tools.
• Command and control traffic was proxied through CloudFlare to conceal their Cobalt Strike server.
• Fifteen days after initial access, BlackSuit ransomware was deployed by copying files over SMB to admin shares and executing them through RDP sessions.
• Three rules were added to our private ruleset related to this case.

Familiar ransomware develops an appetite for passwords to third-party sites

Le réseau informatique de l'entreprise suisse de fabrication de machines Schlatter a été attaqué via un logici

Sophos discovers the threat actors behind RansomHub ransomware using EDRKillShifter in attacks

CVE-2024-23897 is an unauthenticated arbitary file read vulnerability in Jenkins CLI used by RansomEXX to target small Indian banks.

The “Mad Liberator” ransomware group leverages social-engineering moves to watch out for

The vulnerabilities allowed one security researcher to peek inside the leak sites without having to log in.

Jon DiMaggio used sockpuppet accounts, then his own identity, to infiltrate LockBit and gain the trust of its alleged admin, Dmitry Khoroshev.