mybroadband.co.za
29.03.2026
By Jan Vermeulen

Statistics South Africa has become the latest government entity to fall victim to a ransomware attack by the emerging cybercrime group known as XP95.

The threat actors claim to have successfully breached the agency responsible for conducting South Africa’s census, as well as producing and disseminating other official statistics, like the Consumer Price Index.

It was established by the 1999 Statistics Act to produce comprehensive data about South Africa’s people, economy, and society to support informed decision-making by government and business.

According to XP95’s dark web leak site, the hackers have stolen 453,362 files totaling 154 GB of data from an unspecified Stats SA server.

The cyber-extortionists have demanded a ransom payment of $100,000 (R1.7 million) to prevent the public release of the stolen data.

Given their claim that it was a ransomware attack, it is possible that they left the breached server encrypted and unusable.

XP95 has set a 20 April 2026 deadline for the payment, after which the group threatens to leak the full archive online.

Based on the samples of the exfiltrated data, the hackers obtained another trove of personally identifying information from what appears to be a human resources file server.

This is similar to the attack by the same group on the Gauteng Provincial Government, which saw terabytes of personal data from what appeared to be job seekers put up for sale.

The XP95 group is a relatively new actor in the cyber-extortion space, having first emerged in March 2026 with a unique interface that mimics legacy Microsoft Windows operating systems.

“What makes XP95 stand out immediately is its leak site design,” cyber threat intelligence company DarkFeed said in an analysis published shortly after the group first emerged.

“It is a striking throwback, heavily mimicking an old desktop operating system interface complete with classic teal backgrounds, old-school folders, and a vintage taskbar.”

From the site design, it appears that the group’s name is an amalgamation of two old versions of Microsoft’s operating system: Windows XP and Windows 95.

“Stats SA is aware of a cybersecurity breach affecting one Human Resources database,” stated Semakaleng Thulare, acting DDG Statistical Support and Informatics.

“The system that was breached is exclusively the HR system available for job seekers to apply online.”

Thulare explained that the national statistics office is part of a wider government response to matters dealing with cybersecurity breaches.

“Stats SA will not pay any ransom. Deployment of state financial resources is done in line with PFMA. Stats SA will notify the information regulator and will be guided by their processes.”

Gauteng Provincial Government server breach

Screenshot of XP95 dark web leak site announcing the Stats SA breach and ransom
In the previous attack on Gauteng, the hackers claimed to have stolen 3.8TB of data and demanded a lower payment of $25,000 (around R420,000 at the time) for the release of the information.

However, in that case, the group was selling the data to third parties, rather than holding the sensitive information to ransom.

Cybersecurity experts have warned that South African government departments remain prime targets for ransomware gangs and other cybercriminals.

Orange Cyberdefense highlighted in its Security Navigator Report 2025 that cyber extortion remains a pervasive threat that is impacting organisations of all sizes and sectors.

Small and medium-sized enterprises faced a 53% rise in ransomware incidents last year, and 2025 also marked the largest ransom ever paid to a ransomware group: $75 million to Dark Angels.

“With the emergence of AI tools designed specifically for fraud, extortion, and impersonation, AI has enabled an increase in the volume and sophistication of extortion incidents across sectors,” Orange Cyberdefense stated.

“The impact of these attacks reaches beyond the immediate target, with disruptions cascading through supply chains and posing risks to larger companies.”

Orange Cyberdefense also observed growing cynicism, as criminals no longer avoid critical services such as healthcare.

“We need resilience-building strategies to counter these risks,” the company stated.

“This includes the implementation of robust recovery protocols and reliable backup systems to reduce downtime and data loss after an attack.”

securityweek.com
ByEduard Kovacs| March 16, 2026 (11:44 AM ET)

Several global giants listed as victims of the recent hacking campaign targeting Oracle E-Business Suite (EBS) customers have remained mum on the impact of the cybersecurity incident.

The Cl0p ransomware and extortion group has taken credit for the EBS hacking campaign, which involved exploiting zero-day vulnerabilities to access data stored by organizations in Oracle’s enterprise management software. The compromised data was then leveraged for extortion.

While Cl0p serves as the public-facing extortion brand for the campaign, the cybersecurity community believes the operation may have been driven by a cluster of threat actors, most notably FIN11.

The hackers have listed more than 100 alleged victims of the Oracle EBS campaign on the Cl0p leak website, including organizations in sectors such as technology, telecommunications, software, heavy industry, manufacturing, engineering, retail, consumer goods, energy, utilities, media, finance, and entertainment.

For most of the victims, the cybercriminals published torrent files pointing to information allegedly stolen from their systems. This indicates that these victims have refused to pay a ransom.

A majority of the large organizations targeted in the campaign have issued a public statement confirming a data breach. Many claimed that the impact of the incident is limited, but still notified affected individuals about the potential risks.

However, a handful of very large companies do not appear to have issued any public statements on the matter, neither to confirm nor deny being hit, nor even to say that an investigation is being conducted.

This includes semiconductor and infrastructure software company Broadcom, engineering and construction firm Bechtel, cosmetics group Estée Lauder Companies, and medical devices and healthcare solutions provider Abbott Laboratories.

They were all listed on the Cl0p website on or around November 20, 2025.

It may take several months and even as much as a year for companies to investigate data breaches and determine their full extent. However, major companies typically acknowledge at least that an investigation is ongoing.

Broadcom, Bechtel, Estée Lauder, and Abbott have not responded to repeated requests for comment.

Data leaked by hackers
SecurityWeek has not downloaded any of the leaked data, but has conducted a brief metadata and file-tree analysis of data allegedly obtained from some of the larger companies named on the Cl0p website and found that the files indeed originate from an Oracle EBS environment.

In the case of Broadcom, the cybercriminals made public more than 2TB of archives allegedly storing files stolen from the company. The Estée Lauder torrent file points to 870GB of archive files.

At the time of writing, the torrents pointing to Bechtel and Abbott files are still available, but no data could be retrieved for analysis. However, that does not mean the files are no longer accessible to cybercriminals, as they may also be circulated privately on underground forums.

On the one hand, cybercrime groups like Cl0p frequently exaggerate the scope of their breaches, prompting many companies to quickly issue statements denying or downplaying the allegations to reassure customers and stakeholders that any impact was limited.

Moreover, if no regulated data (such as health information, Social Security numbers, or payment details) was compromised, companies face no legal obligation to disclose the incident publicly. If the breach did not qualify as material, there is also no requirement under SEC rules to report it to investors.

On the other hand, some organizations may deliberately maintain silence for strategic, PR, and legal reasons. Even acknowledging an ongoing investigation could invite lawsuits, short-seller pressure, or additional regulatory scrutiny.

securityweek.com
ByEduard Kovacs| March 2, 2026 (8:53 AM ET)

The company is one of the many victims of the 2025 Oracle E-Business Suite (EBS) hacking campaign.

Madison Square Garden has confirmed being impacted by a data breach stemming from a cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution.

In the Oracle EBS hacking campaign, the Cl0p ransomware and extortion group exploited zero-day vulnerabilities to gain access to data stored by more than 100 organizations in the enterprise management software.

Madison Square Garden (MSG), the world-famous arena located in New York City, was named by the hackers as a victim of the campaign in November 2025.

Data allegedly stolen from the company — more than 210GB of archive files — was leaked by the cybercriminals soon after, indicating that it had refused to pay a ransom.

MSG did not respond to repeated requests for comment at the time. However, it has now confirmed suffering a data breach and it has started notifying individuals whose personal information was compromised as a result of the cybersecurity incident.

According to notifications from MSG Entertainment, the impacted Oracle EBS instance is hosted and managed by a third-party vendor, whose investigation found that hackers stole data in August 2025.

The entertainment company said personal information, including names and SSNs, was compromised.

It’s unclear how many people are affected in total, but MSG Entertainment told the Maine Attorney General’s Office that 11 of the state’s residents are impacted.

bleepingcomputer.com
By Bill Toulas
March 3, 2026

The multinational Dutch paint company AkzoNobel has confirmed to BleepingComputer that hackers breached the network of one of its U.S. sites.

Following a data leak from the Anubis ransomware gang, a company spokesperson said that the intrusion has been contained and that the impact is limited.

“AkzoNobel has identified a security incident at one of our sites in the United States. The incident was limited to the respective site and was already contained,” the company told BleepingComputer.

“The impact is limited, and we are taking the appropriate steps to notify and support impacted parties, and will work closely with relevant authorities.”

AkzoNobel is a major paints and coatings company with 35,000 employees. It has an annual revenue exceeding $12 billion and active operations in over 150 countries. Brands under its corporate umbrella include Dulux, Sikkens, International, and Interpon.

Anubis ransomware claims to have stolen from AkzoNobel 170GB of data, almost 170,000 files, and leaked on its leak site samples that include screenshots of select documents and a list of the stolen files.

The published data contains confidential agreements with high-profile clients, email addresses and phone numbers, private email correspondence, passport scans, material testing documents, and internal technical specification sheets.

At the time of writing, the Anubis leak is only partial. AkzoNobel did not share with BleepingComputer any information on whether it engaged with the threat actor.

Anubis is a ransomware-as-a-service (RaaS) operation that launched in December 2024, offering affiliates 80% of the paid ransoms.

In February 2025, the operators launched an affiliate program on the RAMP forum, boosting its activity and influence in the cybercrime space.

In June the same year, Anubis added to its arsenal a data wiper that destroys the victim’s files to make recovery impossible.

BridgePay Network Solutions's Status Page - BridgePay Gateway - Outage - Under Investigation.

Update
We are continuing to work with our internal teams and external partners to address the issue.

At this time, we do not have any new information to share. We understand the impact this disruption may have and sincerely appreciate your patience as our teams continue their work.

We will provide another status update tomorrow with any new information available.
Posted 12 hours ago. Feb 08, 2026 - 18:06 EST
Update
At this time, there is no new confirmed information to report. Our teams, along with federal authorities and cybersecurity specialists, are working diligently on forensic analysis, system security, and recovery planning. Restoration efforts are actively underway, and all work is being conducted with care to ensure systems are brought back online safely and securely. We not have an ETA on when this process will be completed. Because of the nature of attack - ransomware - we are still in the early stages of this process.

We do want to reiterate this was not a card data breach. No card data was compromised and any file that may have been accessed was encrypted.

We understand the disruption this causes and truly appreciate your continued patience, support, and understanding during this process.

We remain committed to transparent communication and will provide further updates as soon as meaningful new information becomes available.
Posted 2 days ago. Feb 07, 2026 - 16:14 EST
Update
We want to provide a further update regarding the cybersecurity incident affecting our systems.
It is very unfortunate that we are all facing this situation in today’s world, and we are deeply grateful for the patience, understanding, and support we have received — especially from our partners, who have offered assistance and expertise during this time.
We can now confirm that this incident was the result of a ransomware attack. As previously noted, we have engaged both local and federal authorities, along with specialized forensic and recovery teams, to assist with investigation, containment, and system restoration. We are also working closely with leading cybersecurity firms to restore operations as quickly and safely as possible.
Initial forensic findings indicate that no payment card data has been compromised, and any files that may have been accessed were encrypted. At this time, there is no evidence of usable data exposure.
We recognize that recovery may be a lengthy process, and we are working with urgency and diligence to restore systems and services in a secure and responsible manner. Our priority remains protecting our customers, partners, and operations.
We will continue to provide updates as restoration efforts progress and additional verified information becomes available.
Thank you again for your patience, trust and continued support.
Posted 2 days ago. Feb 06, 2026 - 19:08 EST
Identified
At this time, our systems are temporarily unavailable. We are actively working with the U.S. Secret Service forensic team and cybersecurity professionals to secure our environment and obtain clearance to access our systems so we can fully assess the scope of the incident. This will allow us to better understand the extent of the impact and determine the appropriate restoration and recovery process.
Please know that this matter is being treated with the highest priority, and every available resource is being dedicated to resolving the situation safely and responsibly. We do not believe there is a threat or vulnerability for our integrators at this time.
We sincerely appreciate your patience and understanding during this time. We will provide updates as soon as new information becomes available and as restoration efforts progress.
Thank you for your continued trust and support.
Posted 3 days ago. Feb 06, 2026 - 12:00 EST
Update
We are currently experiencing a system-wide service disruption. We have identified that this outage is related to a cybersecurity incident and are actively investigating with our internal teams and external specialists including the FBI.

At this time, we do not have an estimated timeframe for full restoration of services. Our teams are working diligently to assess the impact, contain the issue, and restore systems as quickly and safely as possible.

We will provide additional updates as more information becomes available. We appreciate your patience and understanding during this time.
Posted 3 days ago. Feb 06, 2026 - 06:34 EST
Investigating
BridgePay systems are currently experiencing an outage.
Our team is engaged and investigating the cause.
Expected time for resolution is unknown at this time.
Posted 3 days ago. Feb 06, 2026 - 05:48 EST
This incident affects: PathwayLink Gateway (T-Gate) - Production (Gateway.Itstgate.com - Virtual Terminal, Reporting, API, PathwayLink Boarding Portal), PathwayLink (T-Gate) UAT - Certification Environment (GatewayStage.Itstgate.com - Virtual Terminal, Reporting, API, PathwayLink UAT Boarding Portal), BridgePay Gateway - Production (BridgePay Gateway API - BridgeComm, PayGuardian Cloud API, MyBridgePay Portal - Virtual Terminal and Reporting, BridgePay Gateway WebLink 3.0 - Hosted Payment Page), BridgePay UAT - Certification Environment (BridgePay UAT API - BridgeComm, PayGuardian Cloud UAT API, MyBridgePay UAT Portal - Virtual Terminal and Reporting, BridgePay UAT WebLink 3.0 - Hosted Payment Page), and BridgePay Support (BridgePay Integration Support Portal, BridgePay Phone Support, BridgePay Email Support).

techcrunch.com
Zack Whittaker
7:25 AM PST · February 5, 2026

The ransomware attack at Conduent allowed hackers to steal a "significant number of individuals’ personal information" from the govtech giant's systems. Conduent handles personal and health data of more than 100 million people across America.

A data breach at government technology giant Conduent appears to affect far more people than first disclosed, with the number of victims potentially stretching to dozens of millions of people across the United States.

The January 2025 ransomware attack, which knocked out Conduent’s operations for several days, is now known to affect at least 15.4 million people in Texas alone, accounting for about half of the state’s population. Conduent said in October that 4 million people across the state were affected.

Another 10.5 million people are affected across Oregon, per the state’s attorney general.

Conduent has also notified hundreds of thousands of people across Delaware, Massachusetts, New Hampshire, and other states, according to data breach notifications seen by TechCrunch.

The stolen data includes individuals’ names, Social Security numbers, medical data, and health insurance information.

One of the largest government contractors today, Conduent handles and processes large amounts of personal and sensitive information on behalf of large corporations, government departments, and several U.S. states. The company says its technology and operational support services reach more than 100 million people in the United States across various government healthcare programs.

When contacted with several questions about the data breach, Conduent spokesperson Sean Collins provided a boilerplate statement that did not address the questions, nor did they answer if Conduent knows how many individuals are affected by the cyberattack. The spokesperson would not say if the breach affects more than 100 million people.

Collins said that the company has been working to “conduct a detailed analysis of the affected files to identify the personal information” taken in the breach but would not say how many data breach notifications the company has sent out to date.

Little else is known about the breach, and the company has disclosed few details. Conduent disclosed the cyberattack in April, months after hackers knocked out the company’s systems, which resulted in outages to government services across the United States.

The Safeway ransomware gang took credit for the breach, claiming to have stolen over 8 terabytes of data.

In a later SEC filing, the company said that the stolen datasets “contained a significant number of individuals’ personal information associated with our clients’ end-users,” referring to its corporate and government customers.

Conduent also said it is continuing to notify individuals whose data was stolen in the breach, and plans to conclude alerting individuals by early 2026. The company did not give a more specific timeline.

bleepingcomputer.com
By Lawrence Abrams
January 28, 2026

The FBI has seized the notorious RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, and one of the few remaining forums that openly allowed the promotion of ransomware operations.

Both the forum's Tor site and its clearnet domain, ramp4u[.]io, now display a seizure notice stating, "The Federal Bureau of Investigation has seized RAMP."

"This action has been taken in coordination with the United States Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice," the notice reads.

The seizure banner also appears to taunt the forum's operators by displaying RAMP's own slogan: "THE ONLY PLACE RANSOMWARE ALLOWED!," followed by a winking Masha from the popular Russian "Masha and the Bear" kid's cartoon.

While there has been no official announcement by law enforcement regarding this seizure, the domain name servers have now been switched to those used by the FBI when seizing domains:

Name Server: ns1.fbi.seized.gov
Name Server: ns2.fbi.seized.gov
If so, law enforcement now has access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, private messages, and other potentially incriminating information.

For threat actors who failed to follow proper operational security (opsec), this could lead to identification and arrests.

In a forum post to the XSS hacking forum, one of the alleged former RAMP operators known as "Stallman" confirmed the seizure.

"I regret to inform you that law enforcement has seized control of the Ramp forum," reads the translated forum post.

"This event has destroyed years of my work building the freest forum in the world, and while I hoped this day would never come, I always knew in my heart it was possible. It's a risk we all take.

BleepingComputer contacted the FBI with question regarding the seizure but they declined to comment.

The RAMP cybercrime forum
The RAMP cybercrime forum launched in July 2021, following the banning of the promotion of ransomware operations by popular Russian-speaking Exploit and XSS hacking forums.

This ban was due to heightened pressure from Western law enforcement following the DarkSide ransomware attack on Colonial Pipeline.

Exploit banning ransomware promotion
Exploit banning ransomware promotion
In July 2021, a new Russian-speaking forum called RAMP launched, promoting itself as one of the last remaining places where ransomware could be openly promoted. This led to multiple ransomware gangs using the forum to promote their operations, recruit affiliates, and buy and sell access to networks.

RAMP was launched by a threat actor known as Orange, who also operated under the aliases Wazawaka and BorisElcin.

Orange was previously the administrator of the Babuk ransomware operation, which shut down after its ransomware attack on the D.C. Metropolitan Police Department.

Internal disputes allegedly erupted within the group over whether stolen law enforcement data should be publicly leaked, and after the data was leaked, the group splintered.

Following the split, Orange launched the RAMP forum on a Tor onion domain that Babuk had previously used.

Soon after its launch, RAMP experienced distributed denial-of-service (DDoS) attacks that disrupted its availability. Orange publicly blamed former Babuk partners for the attacks, though the previous members denied responsibility to BleepingComputer, stating they had no interest in the forum.

The individual behind the Orange and Wazawaka aliases was later publicly identified by cybersecurity journalist Brian Krebs as Russian national Mikhail Matveev.

In an interview with Recorded Future's Dmitry Smilyanets, Matveev confirmed that he previously operated under the alias Orange and that he created RAMP using the former Babuk onion domain.

Matveev explained that the forum was initially created to repurpose Babuk's existing infrastructure and traffic. He claimed that RAMP ultimately generated no profit and was subjected to constant DDoS attacks, which led him to step away from managing it after it gained popularity.

In 2023, Matveev was indicted by the U.S. Department of Justice for his involvement in multiple ransomware operations, including Babuk, LockBit, and Hive, which targeted U.S. healthcare organizations, law enforcement agencies, and other critical infrastructure.

He was also sanctioned by the U.S. Treasury's Office of Foreign Assets Control and placed on the FBI's most-wanted list, with the U.S. State Department offering a reward of up to $10 million for information leading to his arrest or conviction.

ctrlaltnod.com
Emanuel DE ALMEIDA
January 29, 2026

SonicWall cloud breach led to ransomware attack affecting 74+ US banks and 400,000+ individuals via Marquis Software Solutions compromise.

TL;DR
Marquis Software Solutions suffered a ransomware attack on August 14, 2025, affecting over 74 U.S. banks and credit unions and compromising data of 400,000+ individuals
Investigation revealed attackers exploited configuration data stolen from SonicWall's cloud backup service breach in September 2025
State-sponsored hackers accessed SonicWall's MySonicWall cloud service via API calls, initially affecting "less than 5%" but later confirmed to impact all cloud backup customers
The attack bypassed Marquis's firewall defenses using stolen configuration files rather than exploiting CVE-2024-40766 as initially suspected
Marquis is pursuing legal recourse against SonicWall and evaluating options to recover expenses from the incident
Verified Timeline
August 14, 2025 — Marquis Software Solutions detected suspicious network activity and confirmed ransomware attack, initiated investigation with cybersecurity experts
September 17, 2025 — SonicWall disclosed security incident involving unauthorized access to MySonicWall cloud backup files, initially reporting less than 5% of firewall customers affected
October 9, 2025 — SonicWall updated disclosure, confirming all customers using cloud backup service were impacted
November 5, 2025 — SonicWall attributed breach to state-sponsored hackers who accessed cloud backup files via API call
December 3, 2025 — Marquis began notifying affected banks and credit unions about data breach from August ransomware attack
January 29, 2026 — Marquis publicly attributed ransomware attack to exploitation of configuration data from SonicWall's cloud backup breach
What We Know vs. What's Unclear
Confirmed
State-sponsored hackers breached SonicWall's MySonicWall cloud service in September 2025
All SonicWall customers using cloud backup service were affected, not just 5% as initially reported
Attackers accessed firewall configuration backup files via API calls
Marquis ransomware attack on August 14, 2025 affected 74+ U.S. financial institutions
Over 400,000 individuals had personal information compromised
Attackers used stolen SonicWall configuration data to circumvent Marquis firewall defenses
CVE-2024-40766 was not the primary attack vector as initially suspected
Unclear or Unconfirmed
Identity of the state-sponsored threat group behind SonicWall breach
Specific ransomware family used in Marquis attack
Exact method attackers used configuration data to bypass security controls
Whether the same threat actors were responsible for both SonicWall breach and Marquis attack
Full scope of additional organizations potentially compromised using stolen SonicWall data
Timeline between SonicWall data theft and Marquis attack initiation
Who Is Affected
This interconnected breach affected multiple stakeholder groups across the financial services sector:

Primary Victims: Marquis Software Solutions, a Texas-based financial services provider, serves as the central victim of the ransomware attack that leveraged stolen SonicWall configuration data.

Financial Institutions: Over 74 U.S. banks and credit unions that utilize Marquis services experienced data exposure. These institutions face potential regulatory scrutiny, customer trust erosion, and compliance obligations under financial data protection regulations.

Individual Consumers: More than 400,000 individuals associated with affected financial institutions had sensitive personal information compromised, including Social Security numbers, Taxpayer Identification Numbers, financial account details, and personal identifiers.

SonicWall Customers: All customers using SonicWall's MySonicWall cloud backup service experienced configuration file exposure, potentially enabling similar attacks against other organizations using compromised firewall settings.

Broader Impact: The incident demonstrates supply chain vulnerability risks, where third-party service breaches can enable downstream attacks against customers who may have maintained otherwise secure configurations.

Technical Details
SonicWall Breach Vector: State-sponsored hackers accessed SonicWall's MySonicWall cloud service through API calls, successfully extracting firewall configuration backup files stored in the cloud environment. The breach occurred in September 2025, with SonicWall initially underestimating the scope before confirming all cloud backup customers were affected.

CVE-2024-40766 Context: Initially suspected as the attack vector, CVE-2024-40766 represents an improper access control vulnerability in SonicWall's SSLVPN feature that allows authentication bypass. This critical vulnerability was patched by SonicWall in August 2024, but investigators determined it was not the primary attack method used against Marquis.

Attack Methodology: Rather than exploiting unpatched vulnerabilities, attackers leveraged configuration data stolen from SonicWall's cloud service to understand and circumvent Marquis's firewall defenses. The specific technical methods used to weaponize configuration files have not been disclosed.

Ransomware Details: The specific ransomware family deployed against Marquis has not been publicly disclosed. The incident reflects broader trends where ransomware groups adopt new tactics to maximize impact and evade traditional security measures. Technical indicators of compromise and malware signatures remain unavailable in public reporting.

CVSS Scoring: CVE-2024-40766 maintains critical severity ratings, though specific CVSS scores were not confirmed in available sources. The vulnerability's critical classification reflects its potential for authentication bypass in SSLVPN implementations.

Detection & Validation
Organizations can implement several detection strategies to identify potential exploitation of stolen configuration data:

Firewall Configuration Monitoring: Implement continuous monitoring of firewall rule changes, VPN configuration modifications, and access control list updates. Establish alerts for unauthorized configuration changes or suspicious administrative access patterns.

Network Traffic Analysis: Monitor for unusual network traffic patterns that might indicate attackers leveraging knowledge of internal network configurations. Focus on connections to previously unknown external IP addresses or unexpected internal network traversal.

Authentication Log Review: Examine VPN and administrative access logs for successful authentication attempts using compromised credentials or from unexpected geographic locations. Look for authentication events occurring outside normal business hours.

API Activity Monitoring: For organizations using cloud-based firewall management services, monitor API call patterns and authenticate all management interface access. Implement alerting for bulk configuration downloads or unusual API usage patterns.

Endpoint Detection: Deploy endpoint detection and response tools to identify lateral movement techniques that attackers might employ after gaining initial access through compromised firewall configurations.

Specific IOCs: Specific indicators of compromise related to this incident have not been publicly disclosed by affected organizations or security vendors.

Mitigation & Hardening
Immediate Credential Reset: Reset all credentials, API keys, and authentication tokens used by users, VPN accounts, and administrative services. This includes service accounts and automated system credentials that may have been exposed in configuration files.
Firewall Configuration Audit: Conduct comprehensive review of current firewall rules, VPN configurations, and access control policies. Compare current settings against known-good baselines to identify unauthorized modifications.
Multi-Factor Authentication Implementation: Deploy MFA across all administrative interfaces, VPN connections, and cloud management portals. Prioritize hardware-based tokens or certificate-based authentication for high-privilege accounts.
Network Segmentation Review: Reassess network segmentation strategies to limit potential lateral movement if perimeter defenses are compromised. Implement zero-trust principles for internal network communications.
Cloud Service Security Assessment: Evaluate security posture of all third-party cloud services, particularly those handling configuration data or backup files. Implement additional encryption and access controls where possible.
Patch Management Acceleration: Ensure all network security devices receive priority patching, particularly SonicWall devices that should be updated to address CVE-2024-40766 and other known vulnerabilities.
Monitoring Enhancement: Deploy enhanced network monitoring tools to detect configuration-based attacks and unusual administrative activity. Establish baselines for normal network behavior patterns.
Incident Response Planning: Update incident response procedures to address supply chain compromise scenarios where third-party service breaches enable downstream attacks.
FAQ
How did attackers use SonicWall configuration data to compromise Marquis?
According to Marquis's statement, attackers leveraged configuration data extracted from SonicWall's cloud backup breach to circumvent their firewall defenses. The stolen configuration files likely contained network topology information, firewall rules, and security policies that attackers used to identify weaknesses and craft targeted bypass techniques. Specific technical details of how configuration data was weaponized have not been publicly disclosed.

Were SonicWall customers who don't use cloud backup affected?
No, the SonicWall breach specifically affected customers using the MySonicWall cloud backup service. Organizations that maintain local-only firewall configurations and don't utilize SonicWall's cloud backup features were not directly impacted by the configuration file theft. However, all SonicWall customers should ensure they have applied patches for CVE-2024-40766 and other known vulnerabilities.

What legal action is Marquis taking against SonicWall?
Marquis has indicated they are evaluating options with respect to SonicWall, including seeking recoupment of expenses incurred due to the incident. The company has not specified whether formal legal proceedings have been initiated, but they are exploring potential avenues for recovering costs related to the breach investigation, customer notification, and remediation efforts.

How can organizations protect against similar supply chain attacks?
Organizations should implement multiple defensive layers including vendor risk assessments, contractual security requirements for third-party services, monitoring of cloud service provider security bulletins, and incident response procedures that account for supply chain compromises. Recent incidents like Ingram Micro's ransomware attack and ransomware attacks on major firms demonstrate the importance of maintaining defense-in-depth strategies that ensure single points of failure in vendor services don't compromise entire security postures. Organizations should also stay informed about emerging threats, such as new ransomware techniques being adopted by threat actors.

| CyberScoop
cyberscoop.com/
By
Matt Kapko
January 22, 2026

Ianis Antropenko, a Russian national living in California, admitted to committing ransomware attacks against at least 50 victims. He faces up to 25 years in jail.

Russian national pleaded guilty to leading a ransomware conspiracy that targeted at least 50 victims during a four-year period ending in August 2022.

Ianis Aleksandrovich Antropenko began participating in ransomware attacks before moving to the United States, but conducted many of his crimes while living in Florida and California, where he’s been out on bond enjoying rare leniency since his arrest in 2024.

Antropenko pleaded guilty in the U.S. District Court for the Northern District of Texas earlier this month to conspiracy to commit money laundering and conspiracy to commit computer fraud and abuse. He faces up to 25 years in jail, fines up to $750,000 and is ordered to pay restitution to his victims and forfeit property.

Federal prosecutors reached a plea agreement with Antropenko after a years-long investigation, closing one of the more unusual cases against a Russian ransomware operator who committed many of his crimes while living in the U.S.

While most cybercriminals, especially those involved in ransomware, are held in jail pending trial because of a flight risk, Antropenko was granted bail the day of his arrest.

This rare flash of deferment in a case involving a prolific cybercriminal is even more shocking considering his multiple run-ins with police since then. Antropenko violated conditions for his pretrial release at least three times in a four-month period last year, including two arrests in Southern California involving dangerous behavior while under the influence of drugs and alcohol.

As part of his plea agreement, Antropenko recognized that pleading guilty could impact his immigration status since the crimes he committed are removable offenses.

Court records don’t indicate if Antropenko has been detained pending sentencing, and his sentencing hasn’t been scheduled. His attorney and federal prosecutors working on his case did not respond to requests for comment.

Antropenko admitted to leading the ransomware conspiracy with the aid of multiple co-conspirators, including some who lived outside the U.S.

His ex-wife, Valeriia Bednarchik, was previously implicated by the FBI and prosecutors as one of his alleged co-conspirators involved in the laundering of ransomware proceeds.

FBI investigators traced Antropenko’s activities via accounts he held at Proton Mail, PayPal and Bank of America, and accounts he and Bednarchik controlled at Binance and Apple. In Bednarchik’s iCloud account, agents found a seed phrase for a crypto wallet that had received over 40 Bitcoin from Antropenko’s accounts, as well as evidence she had agreed to safeguard a disguised copy of this phrase so the funds could be accessed if Antropenko became unavailable. Her account also contained joint tax returns with Antropenko and photos showing large amounts of U.S. cash.

Bednarchik, who also lives in Southern California, has been identified as Antropenko’s unnamed co-conspirator through court documents and public records. While authorities previously indicated they plan to bring charges against her, no cases are currently pending.

Antropenko, who previously pleaded not guilty to the charges in October 2025, used multiple ransomware variants to commit attacks, including Zeppelin and GlobeImposter. The ransomware operation he led caused losses of at least $1.5 million to victims, according to court records.

Yet, the spoils of his crimes appear to be much greater. The Justice Department seized more than $2.8 million in cryptocurrency, nearly $71,000 in cash and two luxury vehicles from Antropenko in February 2024. Authorities seized an additional $595,000 in cryptocurrency from a wallet Antropenko owned in July 2025.

cybernews.com/
Vilius Petkauskas
Deputy Editor

Luxshare, one of Apple’s key partners in assembling iPhones, AirPods, Apple Watches, and Vision Pro, allegedly suffered a data breach, orchestrated by a ransomware cartel. The attackers are threatening to leak data from Apple, Nvidia, and LG unless the company pays a ransom.

Key takeaways:
Luxshare, Apple's key iPhone assembler, allegedly suffered a ransomware attack threatening confidential product data leaks from multiple tech giants.
RansomHub attackers claim access to 3D CAD models, circuit board designs, and engineering documentation from Apple and Nvidia products.
Cybernews researchers claim leaked data includes confidential Apple-Luxshare repair projects, employee PII, and product design files from 2019-2025.
The breach could enable competitors to reverse-engineer products, manufacture counterfeits, and exploit hardware vulnerabilities in Apple devices.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
The Luxshare data breach allegedly occurred last month, with attackers claiming December 15th, 2025, as the date Apple key partners’ data was encrypted. The alleged attackers, RansomHub, announced the Luxshare data breach on their dark web forum.

Luxshare is an essential partner to the American giant. Many Apple products, including iPhone, AirPods, Apple Watch are assembled at Luxshare, which means the company has very intimate information about Apple’s products.

The conversation on this topic is live. Join in the discussion.

“We were waiting for you for quite some time, but it seems that your IT department decided to conceal the incident that took place in your company. We strongly recommend that you contact us to prevent your confidential data and project documents from being leaked,” the attackers claim.

We have reached out to the company and will update the article once we receive a reply. We have also reached out to Apple and will add its response as soon as we receive it.

Luxshare data breach claims on the dark web
Attakers' post announcing Luxshare data breach. Image by Cybernews.
What data did the Luxshare data breach expose?
The Cybernews research team investigated the data sample that the attackers attached to the post.

According to our team, the leaked data includes details on what appear to be confidential projects regarding device repair and shipping between Apple and Luxshare, including timelines, detailed processes, and information about other Luxshare clients.

Moreover, the leaked information appears to include personal identifiable information (PII) of individuals working on specific projects, with their full names, job positions and work emails exposed.

Luxshare data breach projects
Alleged information on Apple and Luxshare projects. Image by Cybernews.
“Dates of these projects range from 2019 to 2025 and the information appears to expose sensitive business operations. Additionally, .dwg and gerber files, which are often used to create product model designs, are also included,” the team explained.

While Apple’s assembler data breach is still unconfirmed, the team believes that the information included in the post appears to be legitimate.

Luxshare data breach team info
Alleged information about Luxshare staff working on Apple projects. Image by Cybernews.
What do the Luxshare attackers say?
The RansomHub attackers claim to have wide access to confidential Luxshare client data. The stolen data supposedly ranges from 3D product models to circuit board design data, information that’s highly coveted by corporate spies.

According to the attackers, they have accessed archives that contain:

Confidential 3D CAD product models, 3D engineering design data, 3D engineering documentation
Access to high-precision geometric data for Parasolid products
2D component drawings for manufacturing
Mechanical component drawings
Confidential engineering drawings in PDF format
Electronic design documentation
Electrical and layout architecture data
Printed circuit board manufacturing data
“The archives contain data from Apple, Nvidia, as well as LG, Geely, Tesla, and other large companies whose production and R&D information is publicly available. Protected by a non-disclosure agreement,” the attackers claim.

If confirmed, the attack could be disastrous for Luxshare and its partners. For one, attackers could sell the data to competitors who could utilize the stolen details to reverse-engineer products, bypass years of R&D, and manufacture counterfeits.

The cybersecurity implications are also extreme as attackers could clearly uncover hardware vulnerabilities, chip locations, and power systems, which would be beneficial to target firmware or carry out supply chain attacks.

China-based Luxshare is a behemoth in the electronics manufacturing industry. Based in the country’s tech heart, Shenzhen, the company employs over 230,000 people and reports revenues of over $37 billion.

According to reporting by the Wall Street Journal, Luxshare’s importance to Apple’s supply chain ballooned after its main assembler, Foxconn, went through a series of production halting protests.

Who are the Luxshare attackers?
First spotted in 2024, RansomHub is a well established actor in the ransomware scene. For example, the gang proved itself to be one of the most active ransomware gangs of the past couple of years.

According to security experts, RansomHub is among the most prolific ransomware-as-a-service (RaaS) operations, emerging after ALPHV (BlackCat) disappeared. It primarily targets industrial manufacturing and healthcare.

RansomHub brought some technological innovations to the table. Its tools are capable of remote encryption. The affiliates exploit exposed unprotected machines, reducing the risk of detection and increasing the success rate of attacks.

According to a CISA advisory, the cybercrooks breached nearly 500 victims in 2024, almost at a rate of one victim per day. The cyber watchdog also provides a full list of the Kremlin-backed gang's known IOCs, including IP addresses, tools, known URLs, email addresses, and more.

Updated on January 19th [01:30 p.m. GMT] with a insights from the Cybernews research team.

The Brussels Times
Tuesday, 13 January 2026
By
The Brussels Times with Belga

The AZ Monica hospital in Antwerp was targeted by a cyberattack on Tuesday, with a full-scale investigation now launched.

The hospital detected a serious IT system disruption around 6:30 am and, as a precaution, shut down its servers at both the Deurne and Antwerp campuses. It is not yet clear whether patient data has been compromised.

All scheduled procedures were postponed on Tuesday, impacting a minimum of 70 surgeries across both campuses. Seven patients were proactively transferred to another hospital.

The motives behind the cyberattack remain unknown. Unconfirmed reports within the hospital suggest the hackers may be demanding ransom, but neither the public prosecutor nor the hospital’s CEO has confirmed these claims.

Access to AZ Monica remains possible, and its emergency department is operational, albeit in a limited capacity.

However, MUG and PIT emergency services are temporarily unavailable. The hospital emphasised that its primary focus continues to be patient safety and care continuity.

bleepingcomputer.com
By Sergiu Gatlan
December 30, 2025

Two former employees of cybersecurity incident response companies Sygnia and DigitalMint have pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023.
Two former employees of cybersecurity incident response companies Sygnia and DigitalMint have pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023.

33-year-old Ryan Clifford Goldberg of Watkinsville, Georgia (in federal custody since September 2023), and 28-year-old Kevin Tyler Martin of Roanoke, Texas, who were charged in November, have now pleaded guilty to conspiracy to obstruct commerce by extortion and are set to be sentenced on March 12, 2026, facing up to 20 years in prison each.

Together with a third accomplice, the two BlackCat ransomware affiliates breached the networks of multiple victims across the United States between May 2023 and November 2023, paying a 20% share of ransoms in exchange for access to BlackCat's ransomware and extortion platform.

Goldberg is a former Sygnia incident response manager, and Martin worked at DigitalMint as a ransomware threat negotiator (just as the unnamed co-conspirator).

"These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop," said Assistant Attorney General A. Tysen Duva. "Extortion via the internet victimizes innocent citizens every bit as much as taking money directly out of their pockets."

According to court documents, their alleged victims include a Maryland pharmaceutical company, a California engineering firm, a Tampa medical device manufacturer, a Virginia drone manufacturer, and a California doctor's office.

While they have demanded ransoms ranging from $300,000 to $10 million, prosecutors said they were only paid $1.27 million by the Tampa medical device company after encrypting its servers and demanding $10 million in May 2023. While other victims also received ransom demands, the indictment does not indicate whether additional payments were made.

As BleepingComputer previously reported, the Justice Department was also investigating a former DigitalMint negotiator in July for allegedly working with ransomware groups. However, the DOJ and FBI did not comment on the investigation, and it is unclear if this case is related to it.

In December 2023, the FBI created a decryption tool after breaching BlackCat's servers to monitor their activities and obtain decryption keys. The FBI also found that the BlackCat operation collected at least $300 million in ransom payments from more than 1,000 victims until September 2023.

In a February 2024 joint advisory, the FBI, CISA, and the Department of Health and Human Services (HHS) also warned that Blackcat affiliates were primarily targeting organizations in the U.S. healthcare sector.

Hackread – Cybersecurity News, Data Breaches, AI, and More
by
Waqas
December 26, 2025
2 minute read

On December 25, while much of the world was observing Christmas, the Everest ransomware group published a new post on its dark web leak site claiming it had breached Chrysler systems, an American automaker. The group says it exfiltrated 1088 GB (over 1 TB) of data, describing it as a full database linked to Chrysler operations.

According to the threat actors, the stolen data spans from 2021 through 2025 and includes more than 105 GB of Salesforce related information. Everest claims the data contains extensive personal and operational records tied to customers, dealers, and internal agents.

Everest Ransomware Group Claims Theft of Over 1TB of Chrysler Data
Screenshot from the Everest ransomware group’s dark web leak site (Credit: Hackread.com)
Leaked Screenshots and Sample Data Details
Screenshots shared by the group and reviewed for this report appear to show structured databases, internal spreadsheets, directory trees, and CRM exports. Several images display Salesforce records containing customer interaction logs with names, phone numbers, email addresses, physical addresses, vehicle details, recall case notes, and call outcomes such as voicemail, disconnected, wrong number, or callback scheduled.

Everest Ransomware Group Claims Theft of Over 1TB of Chrysler Data
Related screenshots (Credit: Hackread.com)
The same material also includes agent work logs documenting call attempts, recall coordination steps, appointment handling, and vehicle status updates, such as sold, repaired, or owner not found.

Additional screenshots appear to reference internal file servers and directories labelled with dealer networks, automotive brands, recall programs, FTP paths, and internal tooling. One set of images also suggests the presence of HR or identity-related records, listing employee names, employment status fields such as active or permanently separated, timestamps, and corporate email domains associated with Stellantis.

For your information, Stellantis is a global automaker behind brands such as Jeep, Chrysler, Dodge, and FIAT. The automaker was also a victim of a cyber attack in September 2025.

Samples published by the attackers also include recall case narratives documenting customer conversations, interpreter use, dealership coordination, appointment scheduling, and follow-up actions. These records align with standard automotive recall support and customer service processes and are consistent with the CRM data shown in other samples.

The group has threatened to publish the full dataset once its countdown timer expires, stating that the company still has time to make contact. Everest also announced plans to release audio recordings linked to customer service interactions, further escalating the pressure.

Unconfirmed Pending Chrysler Response
Ransomware groups increasingly time disclosures around holidays, when incident response capacity is often reduced. At the time of writing, Chrysler has not publicly confirmed the breach or commented on the claims, and independent verification remains limited.

If validated, the alleged exposure would raise significant concerns regarding customer privacy, internal operational security, and third-party platform governance, given the reported scale and sensitivity of the CRM and recall management data involved.

This story is developing.

breakingnews.ie
Darragh Mc Donagh

It has now emerged that a second ransomware attack took place last February

There is no evidence that patients’ data was stolen during a second ransomware attack targeting Health Service Executive (HSE) systems earlier this year, the authority has said.

Earlier this week, the HSE began offering compensation to victims of a cyberattack that caused widespread disruption in May 2021, costing the agency an estimated €102 million.

It has now emerged that a second ransomware attack took place last February, targeting a third-party processor and resulting in a data protection breach reported by HSE primary care services in the midlands.

IT systems were fully recovered following the cyberattack and there was no evidence that data had been exfiltrated, according to HSE records obtained under the Freedom of Information Act.

A ransomware attack occurs when malicious software locks or encrypts a victim’s computer systems, blocking access until a ransom is paid. Some attacks involve a threat to leak stolen data.

A spokeswoman for the HSE did not respond when asked whether the health authority had paid a ransom following the February cyberattack.

“The HSE manages and responds to thousands of cyber threats annually, taking appropriate action to ensure awareness of current threats, while maintaining the ability to deliver healthcare services securely and reliably, regardless of the evolving threat landscape,” she said.

The spokeswoman said HSE systems were not “directly” impacted by the February ransomware attack.

“The HSE has invested significantly in cyber remediation since the cyberattack in May 2021. Multiple ongoing programmes of work are focused on addressing all issues highlighted in the wake of the attack,” she added.

The original ransomware attack occurred when an employee clicked on a malicious MS Excel file that was attached to a phishing email on March 18th, 2021.

This enabled the hackers to gain access to the HSE’s IT environment, where they continued to operate undetected for more than eight weeks before detonating the ransomware on May 14th.

The attack caused widespread disruption and some information relating to patients was illegally accessed and copied.

Last year, the HSE said it had written to 90,936 people affected by the cyberattack. It has reportedly offered compensation of €750 to more than 600 individuals who took legal action over the breach.

A subsequent investigation found that the HSE was operating a frail IT system and did not have adequate cyber expertise or resources prior to the attack. The attack is estimated to have cost the HSE €102 million.

| FinCEN.gov
December 04, 2025

WASHINGTON—Today, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) is issuing a Financial Trend Analysis on ransomware incidents in Bank Secrecy Act (BSA) data between 2022 and 2024, which totaled more than $2.1 billion in ransomware payments.

WASHINGTON—Today, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) is issuing a Financial Trend Analysis on ransomware incidents in Bank Secrecy Act (BSA) data between 2022 and 2024, which totaled more than $2.1 billion in ransomware payments.

“Banks and other financial institutions play a key role in protecting our economy from ransomware and other cyber threats,” said FinCEN Director Andrea Gacki. “By quickly reporting suspicious activity under the Bank Secrecy Act, they provide law enforcement with critical information to help detect cybersecurity trends that can damage our economy. This work is vital to safeguarding our nation’s financial sector and strengthening our national security.”

Previous FinCEN Financial Trend Analyses have focused on reported ransomware payments and incidents by the date the activity was filed with FinCEN. Today’s report shifts the focus to the incident date of each ransomware attack and offers greater visibility into the activities conducted by ransomware actors.

Reported Ransomware Incidents and Payments Reach All-Time High in 2023

Ransomware incidents and payments reported to FinCEN reached their highest level in 2023 with 1,512 incidents, totaling $1.1 billion in payment—an increase of 77 percent in total payments year-over-year from 2022 to 2023.
Following law enforcement’s disruption of two high-profile ransomware groups, ransomware incidents reported to FinCEN decreased in 2024, with 1,476 incidents, reflecting $734 million in the aggregate value of reported payments in BSA reports.
The median amount of a single ransomware transaction was $124,097 in 2022; $175,000 in 2023; and $155,257 in 2024. Between 2022 and 2024, the most common payment amount range was below $250,000.
FinCEN Data Shows Ransomware Payments Top $2.1B in Just Three Years

During the three-year review period (January 2022 – December 2024), FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents totaling more than $2.1 billion in ransomware payments.
During the previous nine-year period (2013 through the end of 2021) FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments.
Financial Services, Manufacturing, and Healthcare were the Most Impacted Industries

The manufacturing industry accounted for 456 incidents totaling approximately $284.6 million reported payments; the financial services industry accounted for 432 incidents totaling approximately $365.6 million reported payments; and the healthcare industry accounted for 389 incidents totaling approximately $305.4 million reported payments.
The Onion Router (TOR) was the Most Common Communication Method Reported

Threat actors most often communicated with their intended ransomware targets via messages sent over The Onion Router protocol, accounting for 67 percent of reports that provided the communication method.
Other ransomware threat actors communicated with their intended targets via email or through other private encrypted messaging systems.
ALPHV/BlackCat was the Most Prevalent Ransomware Variant Between 2022 and 2024

FinCEN identified more than 200 ransomware variants reported in BSA data.
The most reported variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta.
The 10 variants with the highest cumulative payment amounts identified in BSA reports accounted for approximately $1.5 billion in payments.
Ransomware is a complex cybersecurity problem requiring a variety of preventive, protective, and preparatory best practices. More information on FinCEN’s efforts to combat ransomware, including guidance and other resources for financial institutions, is available at www.fincen.gov/resources/fincen-combats-ransomware.

FinCEN’s FTA is available online at Ransomware Trends in Bank Secrecy Act Data

Questions or comments regarding the contents of this release should be addressed to the FinCEN Regulatory Support Section by submitting an inquiry at www.fincen.gov/contact.

FinCEN periodically publishes Financial Trend Analyses describing threat pattern and trend information derived from Bank Secrecy Act (BSA) filings to highlight priority illicit finance risks. These analyses provide information that is relevant to a wide range of consumers, businesses, and industries; communicate the value of BSA reporting; and enhance feedback loops between government users of BSA reports and their filers. Additionally, Financial Trend Analyses fulfill FinCEN’s obligations pursuant to section 6206 of the Anti-Money Laundering Act of 2020, which requires FinCEN to periodically publish threat pattern and trend information derived from BSA filings.

| CyberScoop
cyberscoop.com
Written by Matt Kapko
November 13, 2025

The newspaper said a “bad actor” contacted the company in late September, prompting an investigation that nearly a month later confirmed the extent of compromise.

he Washington Post said it, too, was impacted by the data theft and extortion campaign targeting Oracle E-Business Suite customers, compromising human resources data on nearly 10,000 current and former employees and contractors.

The company was first alerted to the attack and launched an investigation when a “bad actor” contacted the media company Sept. 29 claiming they gained access to the company’s Oracle applications, according to a data breach notification it filed in Maine Wednesday. The Washington Post later determined the attacker had access to its Oracle environment from July 10 to Aug. 22.

The newspaper is among dozens of Oracle customers targeted by the Clop ransomware group, which exploited a zero-day vulnerability affecting Oracle E-Business Suite to steal heaps of data. Other confirmed victims include Envoy Air and GlobalLogic.

The Washington Post said it confirmed the extent of data stolen during the attack on Oct. 27, noting that personal information on 9,720 people, including names, bank account numbers and routing numbers, and Social Security numbers were exposed. The company didn’t explain why it took almost a month to determine the amount of data stolen and has not responded to multiple requests for comment.

Oracle disclosed and issued a patch for the zero-day vulnerability — CVE-2025-61882 affecting Oracle E-Business Suite — in a security advisory Oct. 4, and previously said it was aware some customers had received extortion emails. Mandiant, responding to the immediate fallout from the attacks, said Clop exploited multiple vulnerabilities, including the zero-day to access and steal large amounts of data from Oracle E-Business Suite customer environments.

Oracle, its customers and third-party researchers were not aware of the attacks until executives of alleged victim organizations received extortion emails from members of Clop demanding payment in late September. Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, previously told CyberScoop ransom demands reached up to $50 million.

Clop’s data-leak site included almost 30 alleged victims as of last week. The notorious ransomware group has threatened to leak alleged victims’ data unless it receives payment.

The ransomware group has intruded multiple technology vendors’ systems before, allowing it to steal data and extort many downstream customers. Clop specializes in exploiting vulnerabilities in file-transfer services and achieved mass exploitation in 2023 when it infiltrated MOVEit environments, ultimately exposing data from more than 2,300 organizations.

| The Record from Recorded Future News
therecord.media
Jonathan Greig
November 13th, 2025

FBI: Akira gang has received nearly $250 million in ransoms
Government agencies in the U.S. and Europe shared new information on Thursday to help organizations defend themselves against the Akira ransomware gang, which has attacked small- and medium-sized businesses since 2023.

The updates to an April 2024 advisory about the group’s operations include a new list of tactics and vulnerabilities being exploited in attacks.

As of late September, Akira is believed to have claimed more than $244 million in ransomware proceeds, according to the advisory.

“Akira ransomware doesn’t just steal money – it disrupts the systems that power our hospitals, schools, and businesses,” said FBI Cyber Division Assistant Director Brett Leatherman. “Behind every compromised network, you’ll find real people and communities harmed by callous cyber criminals.”

In addition to the FBI, the Defense Department and the Health and Human Services Department contributed to the advisory. Europol and law enforcement agencies in France, Germany and the Netherlands were also involved in the updated advisory.

The group has allegedly targeted the manufacturing, education, IT and healthcare sectors.

“Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials or exploiting vulnerabilities like CVE-2024-40766,” the agencies said.

“In some instances, they gain initial access through compromised VPN credentials, potentially by using initial access brokers or brute-forcing VPN endpoints. Additionally, Akira threat actors deploy password spraying techniques, using tools such as SharpDomainSpray to gain access to account credentials.”

The group has also abused remote access tools like AnyDesk and LogMeIn to maintain their access to victim networks and blend in with administrator activity. In some cases, incident responders saw Akira uninstall endpoint detection and response (EDR) systems.

The FBI warned that in some incidents Akira threat actors were able to steal data just two hours after initial access.

The advisory links to specific advice for k-12 schools impacted by the ransomware gang.

“The threat of ransomware from groups like Akira is real and organizations need to take it seriously, with swift implementation of mitigation measures,” said Nick Andersen, Executive assistant director for the cybersecurity division at the Cybersecurity and Infrastructure Security Agency.

The advisory notes that Akira has ties to the now-defunct Conti ransomware gang, which launched several high-profile attacks before disbanding at the onset of Russia’s invasion of Ukraine.

On a call with reporters, Andersen confirmed that Akira “may have some connections to the now defunct Conti ransomware group” but declined to say if Akira had ties to the government of Russia.

The FBI’s Leatherman added that while there are no direct ties between Akira and the Russian state, they do know that the “Conti ransomware group at one point did operate within Russia and some actors may be associated with that group.”

“But like with any ransomware group or variant that operates as an affiliate based program, you can have actors located anywhere across the globe. So we do believe that we likely have actors who are in a variety of different countries,” Leatherman told Recorded Future News.

Researchers previously said there are deep similarities between the Akira and Conti ransomware strains. Blockchain analysis showed multiple Akira ransomware transactions to wallets associated with Conti's leadership team.

Akira most recently took credit for a cyberattack on BK Technologies, a Florida-based company that makes radios for U.S. defense companies, as well as dozens of police and fire departments across the country. BK Technologies warned investors last month that it suffered a security incident in September where hackers stole non-public information and data on current and former employees.

Akira has taken credit for dozens of high-profile attacks on entities like Stanford University, the Toronto Zoo, a state-owned bank in South Africa, major foreign exchange broker London Capital Group and other organizations.

| The Record from Recorded Future News
Daryna Antoniuk
October 27th, 2025

The utility responsible for operating Sweden's power grid is investigating a data breach after a ransomware group threatened to leak hundreds of gigabytes of purportedly stolen internal data.

Sweden’s power grid operator is investigating a data breach after a ransomware group threatened to leak hundreds of gigabytes of purportedly stolen internal data.

State-owned Svenska kraftnät, which operates the country’s electricity transmission system, said the incident affected a “limited external file transfer solution” and did not disrupt Sweden’s power supply.

“We take this breach very seriously and have taken immediate action,” said Chief Information Security Officer Cem Göcgören in a statement. “We understand that this may cause concern, but the electricity supply has not been affected.”

The ransomware gang Everest claimed responsibility for the attack on its leak site over the weekend, alleging it had exfiltrated about 280 gigabytes of data and saying it would publish it unless the agency complied with its demands.

The same group has previously claimed attacks on Dublin Airport, Air Arabia, and U.S. aerospace supplier Collins Aerospace — incidents that disrupted flight operations across several European cities in September. The group’s claims could not be independently verified.

Svenska kraftnät said it is working closely with the police and national cybersecurity authorities to determine the extent of the breach and what data may have been exposed. The utility has not attributed the attack to any specific threat actor.

“Our current assessment is that mission-critical systems have not been affected,” Göcgören said. “At this time, we are not commenting on perpetrators or motives until we have confirmed information.”

24heures.ch Marc Renfer
Publié le 03.10.2025 à 06h30

Comment une attaque informatique paralyse une PME romande

Visée par des pirates, l’entreprise Bugnard SA est à l’arrêt. Son directeur raconte l’enfer vécu depuis une semaine.
En bref:

* L’entreprise Bugnard SA subit une cyberattaque paralysante.
* Les serveurs cryptés empêchent la gestion des commandes.
* Le groupe Akira réclame une rançon en bitcoins.

La société n’est peut-être pas connue du grand public, mais les outils et appareils de mesure fournis par Bugnard SA ont sûrement servi à installer ou réparer une prise, un compteur ou une armoire électrique près de chez vous.

Très nombreux sont les installateurs à se fournir auprès de cette PME installée à Cheseaux-sur-Lausanne, avec des succursales à Genève et Zurich. Leader dans la vente de matériel pour électriciens, l’entreprise réalise 72% de ses affaires en ligne. Mais le 24 septembre en fin de journée, tout s’est brutalement arrêté.

«Vers 17 h 30, tous nos systèmes ont été bloqués. On a vite compris qu’on était sous cyberattaque. Depuis, nous sommes complètement à l’arrêt», témoigne Christian Degouy, CEO de Bugnard, qui a racheté l’entreprise en 2020 à la famille du fondateur.

Depuis l’offensive informatique, il vit «dans un tunnel». Dès le lendemain de l’attaque, l’équipe découvre un fichier contenant une demande de rançon: 450’000 dollars, à verser en bitcoins. Le groupe derrière l’attaque est identifié rapidement. Il s’agit d’Akira, une organisation bien connue des spécialistes de la cybersécurité.
Une signature russe derrière l’attaque

Apparu en mars 2023, Akira est un groupe structuré de type ransomware, dont les développeurs seraient basés en Russie ou dans d’anciennes républiques soviétiques. Ils louent leur outil de piratage à des affiliés qui ciblent surtout des PME d’Europe de l’Ouest et d’Amérique du Nord. La récente victime vaudoise figure désormais sur leur site hébergé dans le dark web, avec une description des données dérobées.

L’analyse technique est encore en cours, mais une hypothèse pointe une potentielle faille dans un pare-feu.

«On connaissait le risque de ces attaques», reconnaît Christian Degouy. «On avait même entamé des démarches pour une assurance cyber. Mais comme on était en plein déménagement de notre siège social, on a reporté le processus», soupire-t-il.
Paralysie totale

Les conséquences sont lourdes. L’ensemble des serveurs est encrypté, y compris les sauvegardes pensées justement pour faire face à une telle situation. Le site de vente est à l’arrêt. Plus de commandes, plus de logistique, pour une entreprise de 30 employés qui traite habituellement plus de 1000 commandes par semaine.

«Nos 4800 clients sont pour l’essentiel des électriciens, petits ou grands. Ils dépendent de nous pour travailler. Et nous, on est paralysés. On ne peut plus sortir un bulletin de livraison, ni savoir où se trouve un article dans notre stock, qui comporte plus de 9000 emplacements.»

Son entrepôt principal fait plus de 2500 m². Sans l’aide informatique, retrouver le matériel est parfois devenu impossible. «Quand un client a un besoin urgent d’un produit que l’on peut localiser, il passe et on note à la main. On est revenus au carnet de lait. »

Par chance, les e-mails sont toujours fonctionnels et permettent de conserver le lien. La seule activité encore maintenue est la calibration des instruments à Genève, qui dépend d’un autre système et n’est pas concernée par l’attaque.
Le dilemme du paiement

En coulisses, les négociations ont démarré. Un prestataire spécialisé garde le contact avec les cybercriminels. Akira a revu sa demande à la baisse: 250, puis 200’000 dollars. «Je ne veux pas payer. Mais si on n’a pas redémarré vendredi, je paierai dimanche soir», tranche le CEO. «C’est difficile à dire, mais ce groupe a une «réputation», il semble livrer la clé quand on paie. »

Une plainte pénale a été déposée. La cellule cybercriminalité du canton de Vaud, qui a indiqué à l’entreprise suivre une cinquantaine de cas similaires, est mobilisée.

Bugnard SA espère pouvoir relancer ses activités d’ici à la fin de la semaine. Le doute persiste: tout reconstruire prend du temps, et le risque de réinstaller un système contaminé doit être écarté.

«Le sentiment d’impuissance est insupportable. Ce que je souhaite, c’est que ça n’arrive à personne d’autre», conclut Christian Degouy. À l’attention des autres entrepreneurs, il formule trois conseils simples: activer la double authentification sur tous les accès, effectuer des sauvegardes déconnectées, et maintenir à jour ses logiciels.

Message officiel – Bugnard SA bugnard.ch

Chers clients, chers partenaires,

Le 24 septembre 2025 en fin de journée, nous avons détecté une intrusion dans l'infrastructure informatique de Bugnard SA par le ransomware Akira. Cette attaque a affecté nos serveurs ainsi que notre site internet.
Par mesure de sécurité, nous avons immédiatement interrompu l’accès à la plateforme afin de protéger l’intégrité de vos données et de nos systèmes.
Notre équipe informatique est mobilisée sur place et travaille avec la plus haute priorité pour rétablir la situation. Si nécessaire, nous restaurerons notre dernier backup afin de remettre le site en service dans les plus brefs délais.
À ce stade, nous estimons que la remise en ligne pourra intervenir entre mercredi et vendredi de cette semaine.
Nous sommes pleinement conscients que 72% de notre activité passe par notre site et faisons tout pour que vous puissiez à nouveau passer vos commandes rapidement et en toute sécurité.
En attendant, notre équipe commerciale reste à votre disposition par téléphone et par e-mail pour répondre à vos besoins urgents.
Nous vous tiendrons informés de l’évolution de la situation et vous remercions pour votre compréhension et votre confiance.

Avec mes salutations les meilleures,
Christian Degouy
CEO