Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Extortion. Show all posts
Supply Chain Security
API Token Exposure Cloud Cyber Extortion Cyber Threats DevSecOps Security GitHub Token Leak Grafana Breach Supply Chain Security

GitHub Token Exposure at Grafana Triggered Codebase Theft Incident


 

Following the acquisition of a privileged GitHub token tied to Grafana Labs' development environment, a threat actor quickly escalated the initial credential exposure into a significant source code security incident. It was possible for the attacker to gain access to the company's private GitHub infrastructure, extract internal code repositories, and then attempt to extort payment from the organization via unauthorized access.

In addition to revoked credentials quickly, Gloria Labs launched an internal forensic investigation to determine the origin of the exposure and limit further risks. In spite of the fact that the breach resulted in access to sensitive development assets, the company announced that investigators found no evidence of data compromise, disruption of operations, or unauthorized access to user environments as a result of the breach. 

Grafana’s widespread use in modern observability environments has drawn significant attention across the cybersecurity community due to the platform’s widespread role in monitoring infrastructure, cloud workloads, applications, and telemetry systems through centralized dashboards and analytics. The incident has attracted significant attention across the cybersecurity community.

In the course of the investigation, Grafana Labs disclosed that after detecting unauthorized activity, its security team initiated an immediate forensic response, eventually tracing the source of credential exposure and revoking the compromised access token in order to prevent further intrusion. Additionally, additional defensive controls were implemented across the company's development environment as part of its efforts to contain and harden the environment. 

Afterwards, the threat actor attempted to extort the organization by requesting payment in exchange for delaying publication of the stolen data, according to the disclosure. Grafana, however, chose not to engage in ransom negotiations, aligning its response with Federal Bureau of Investigation guidance, which has consistently emphasized that paying extortion demands does not ensure data recovery nor prevent future misuse of stolen information. 

A number of federal authorities have warned against ransom payments, stating that they rarely ensure suppression of stolen data and often contribute to additional criminal activity targeting technology providers and enterprise platforms. 

The exact timeline of the attack or the length of time the attacker was permitted access to Grafana Labs' GitHub environment have not been disclosed, as only that the incident has recently been discovered. It is also noteworthy that the company did not explicitly attribute the intrusion to a specific threat actor. 

However, various cyber threat intelligence reports, including Halcyon and Fortinet FortiGuard Labs assessments, have linked claims surrounding the incident with CoinbaseCartel, a collective of data extortionists. It has been noted that the group is an emerging extortion-focused operation that emerged in late 2025 and has operational overlap with criminal ecosystems such as ShinyHunters, Scattered Spider, and LAPSUS$ based on public statements released by Grafana.

According to the company's public statements, investigators believe that the intrusion occurred due to the compromise of privileged authentication tokens used in Grafana's development process. As a result, these tokens are frequently used to authenticate automated processes, integrations, and development workflows without requiring repeated manual logins. Although highly beneficial to operational efficiency, exposed tokens can also serve as high-value attack vectors when given broad permissions. 

In this case, Grafana Labs' GitHub environment was compromised as a result of a compromised token that allowed the attacker access to private source code repositories within Grafana Labs. Despite the company's assertion that no customer information, user environments, or operational systems were compromised, the exposure of proprietary source code remains a significant security concern within software supply chain environments.

Although Grafana stated that customer environments were not affected, unauthorized access to proprietary source codes remains a serious concern, as attackers have the capability of analyzing internal architecture, configurations, or development logic to identify vulnerabilities that may later be used to conduct targeted attacks or other supply chain risks. 

Grafana is widely deployed observability technology, and therefore the security of its development infrastructure is of particular importance. Attacks against software vendors may result in downstream risks affecting customers, cloud deployments, as well as broader enterprise environments linked by modern DevOps and observability pipelines. Upon tracking the threat intelligence associated with the incident, it has been determined that the operators behind the claimed attack are primarily engaged in data theft and extortion operations rather than conventional ransomware operations that encrypt files. 

Over 170 victims have been linked to the group across sectors such as healthcare, transportation, manufacturing, and technology, reflecting the growing trend toward cyber-attacks that focus on data theft and extortion. There has been no public announcement by Grafana Labs regarding which repositories or internal projects were accessed during the breach, indicating that there is no clear understanding of the scope of the material that was downloaded. Grafana Labs has not disclosed which repositories were accessed during the breach. 

In addition to Grafana Cloud, Grafana's managed cloud monitoring platform is widely used across enterprise environments for observing observability. In addition to the disclosure, cyber attacks aimed at extortionating software vendors and cloud service providers are also becoming increasingly aggressive. Following threats of leaking large volumes of data supposedly associated with schools and universities across the United States, Instructure reportedly agreed to negotiate with threat actors connected to ShinyHunters following an alleged agreement to negotiate. 

Grafana Labs' decision to reject the extortion demand reflects a growing industry debate concerning ransomware economics, incident response strategies, and the long-term consequences of compensating cybercriminals. A company statement in accordance with advice issued by the Federal Bureau of Investigation stated that paying attackers would not guarantee the suppression of the stolen material nor eliminate the possibility of future abuse, resale, or repeated extortion attempts. 

The company notes that organizations have no assurance that the stolen information will actually be removed after payment, which makes ransom negotiations risky and uncertain from an operational perspective. The incident emphasizes the high value of authentication tokens, API credentials, and machine-level secrets within enterprise environments, in addition to the breach itself.

In order to reduce the risk of token-based intrusions and software supply chain attacks, security teams are increasingly recommending implementing measures such as short-lived credentials, least privilege access, credential rotation, and multi-factor authentication. They also recommend continuous monitoring of repositories and continuous delivery pipelines. 

The enterprise attack surface has been increasingly centered around GitHub repositories, package distribution systems, internal build pipelines, and cloud-based engineering environments, which require security controls comparable to those protecting production infrastructure. Grafana Labs has gained attention for its relatively transparent disclosure approach despite the seriousness of the intrusion. 

A statement from the company outlined the compromise, clarified what investigators believe remains unaffected, disclosed the attempted extortion component, and indicated that further details may become apparent as the forensic investigation proceeds. At present, the known impact appears to be limited to unauthorised access and download of internal source code repositories, with no evidence suggesting that customer environments, operational systems, or personal information has been compromised.

Grafana remains closely monitored across the cybersecurity community, as it is widely used throughout production observability stacks and cloud-native enterprise environments around the world. Despite Grafana Labs' assurance that customer systems and personal data were not affected, the incident highlights the increasing importance of securing development infrastructure, access credentials, and cloud-connected engineering environments against increasing sophistication in extortion-focused threats.
Read more »
Hacker attack
Cyber Attacks Cyber crimes Cyber Extortion cybercrime gangs CyberSecurity Ransomware Attacks Hacker attack

Rival Ransomware Gangs 0APT And Krybit Clash In Unusual Cyber Extortion Battle

 

A clash almost unseen among digital outlaws has begun - 0APT, a hacking collective, now warns it will unmask operatives from enemy faction Krybit. This shift came to light through surveillance of hidden online forums. Tension simmers beneath the surface of these underground circles. Rival gangs once operating in parallel seem to fracture under pressure. Trust, usually scarce, is vanishing faster than usual. Evidence points toward escalating friction inside ransomware communities. 

What began as covert threats may reshape alliances unexpectedly. Reports indicate 0APT sent a threat to Krybit, insisting on payment under risk of exposing private records - names, positions, operational files - if ignored. A limited set of claimed stolen materials was published shortly after, serving as evidence - a move mirroring classic dual-pressure methods seen in attacks on businesses. Yet using such an approach toward another illicit network stirs doubt around its real impact, given that public image matters little within hidden communities. 

Even so, the danger remains somewhat real. Because cybercrime networks depend on staying hidden, revealed identities might invite legal trouble or revenge attacks. From the exposed information, security analysts pulled login details tied to Krybit members - alongside digital currency wallets - hinting at weak points in how the group functions. Yet the full impact stays unclear. Now showing a blank page, Krybit's site now displays only a standard upkeep notice, hinting at disruptions tied to recent events. Little is known about the collective so far, mainly because big security analysts have published almost nothing on them - possibly a sign they are just beginning operations. 

On the opposite end, 0APT emerged around spring 2026 and gained attention fast, marked by complex tools and methods, even though some doubt surrounds how truthful their early reports of breaches really were. Odd as it seems, infighting among hackers has happened before. Earlier clashes included DragonForce going after opponents - BlackLock, then Mamona - by altering web pages and exposing private messages. 

In much the same way, activity aimed at RansomHub tied back to DragonForce, revealing ongoing friction between ransomware crews. This conflict taking shape between 0APT and Krybit signals changes in how cybercriminals operate - motives like money, dominance, and competition now spark open clashes. With ransomware networks evolving fast, these kinds of face-offs might happen more often, making it harder for security experts to follow the players involved.
Read more »
World Leaks
Cyber Extortion Data Leaks malware RustyRocket Software World Leaks

Researchers Identify Previously Undocumented Malware Used in World Leaks Intrusions

 



Cybersecurity researchers have identified a newly developed malicious software tool being used by the extortion-focused cybercrime group World Leaks, marking a pivotal dent the group’s technical capabilities. According to findings published by the cybersecurity research division of Accenture, the malware has not been observed in prior investigations and appears to be custom-built for covert operations within victim networks. The researchers have designated the tool “RustyRocket” to distinguish it from previously documented malware families.

Analysts explain that RustyRocket functions as a long-term persistence mechanism. Instead of triggering immediate disruption, the malware is designed to quietly embed itself within compromised systems, allowing attackers to remain present for extended periods without raising alarms. This hidden presence enables threat actors to move through internal networks, quietly extract sensitive information, and route network traffic through compromised machines. Security experts involved in the research noted that the tool had operated unnoticed until its recent discovery, surfacing the challenges organizations face in detecting advanced covert threats.

Although World Leaks is commonly categorized as a ransomware group, its operations differ from traditional ransomware campaigns that encrypt files and demand payment for decryption keys. Rather than denying access to data, the group prioritizes unauthorized data collection. Victims are pressured with the threat of having confidential corporate and personal information publicly disclosed if payment demands are not met. This model places reputational damage, regulatory penalties, and legal exposure at the center of the extortion strategy.

The group has publicly claimed responsibility for attacks against large international corporations. In one widely reported incident, World Leaks alleged that a major global sportswear company declined to comply with extortion demands, after which a substantial volume of internal documents was released. As with many threat actor statements, independent verification of the full scope of such claims remains limited, underlining the importance of cautious attribution in cyber incident reporting.

From a technical perspective, RustyRocket is written in the Rust programming language and engineered to operate across both Microsoft Windows and Linux environments. This cross-platform design allows the malware to function in mixed enterprise infrastructures, increasing its usefulness to attackers. Researchers describe the tool as a combined data extraction and network proxy utility, capable of transferring stolen information through multiple layers of encrypted communication. By masking malicious traffic within normal network activity, the malware makes detection by conventional security tools comparatively more difficult.

The tool also incorporates an execution safeguard that requires attackers to supply a pre-encrypted configuration file at runtime. Without this configuration, the malware remains dormant. This feature complicates forensic analysis and reduces the likelihood that automated security systems will successfully analyze or neutralize the tool.

Investigators assess that World Leaks has been active since early 2025 and typically gains initial access through social engineering techniques, misuse of compromised credentials, or exploitation of externally exposed systems. Once inside a network, tools like RustyRocket enable attackers to quietly maintain their presence while systematically collecting data for later extortion.

Security specialists warn that RustyRocket reflects a broader turn in cybercriminal operations toward stealth-based, intelligence-gathering intrusions rather than overtly disruptive attacks. To reduce exposure, organizations are advised to closely monitor unusual outbound data transfers and enforce strict network segmentation. These measures can limit an attacker’s ability to move across systems and reduce the volume of data that can be silently extracted.

The rise of RustyRocket illustrates how extortion groups are increasingly investing in custom malware designed to evade traditional defenses, reinforcing the need for continuous security testing, proactive threat monitoring, and workforce preparedness to counter evolving attack methods.


Read more »
Ransomware group
Black Basta Conti Ransomware Cyber Extortion Cybercrime Investigation Data Breach Interpol Red Notice Oleg Nefedov ransomware attacks Ransomware group

Black Basta Under Pressure After Ukraine Germany Enforcement Operation


 

Investigators say the Black Basta ransomware campaign left a trail of disruption that extended across Europe and beyond, impacting everything from hospital wards to industrial production lines that were abruptly halted, resulting in a temporary ban of internet and phone use.

Prosecutors from the German Federal Ministry of Justice, along with international law enforcement partners, now believe that the trail of this extortion, the most damaging in recent years, can be traced back to one individual who they describe as the driving force behind one of these operations. 

There has been an investigation into whether Oleg Nefedov was the architect and operational leader of the Black Basta group. Authorities have identified him as a Russian national. 

Authorities accuse him of coordinating a massive ransomware campaign against companies and public institutions across multiple continents by forming and leading an overseas criminal organization.

There is a suspicion among investigators that Nefedov was responsible for leading the organization's core activities, including selecting targets, recruiting affiliates, orchestrating intrusions, and negotiating ransoms, while the proceeds of the transactions were laundered via cryptocurrency wallets and distributed among all participants in the scheme.

Black Basta was also analyzed from an online alias perspective and suspected ties to a now-defunct ransomware collective named Conti. This reinforces the assessment that Black Basta arose from an advanced and interconnected cybercrime ecosystem that has matured over many years. 

Officials from the Federal Republic of Germany have confirmed that Nefedov still resides in Russia and that he has been placed on Interpol's international wanted list, an indication that European authorities have intensified their efforts to identify and pursue the individuals behind cyber extortion committed in large scale industrial scales. 

The Federal Criminal Police Office of Germany has confirmed that Oleg Nefedov, a 36-year-old Russian national suspected of leading the Black Basta ransomware group, is one of the suspected leaders of the ransomware. He is charged with forming criminal organizations abroad, orchestrating large-scale extortion crimes, and committing related cyber crimes. 

A central coordinator was alleged by investigators to be Nefedov. During his time at the group, Nefedov selected targets, recruited and managed members, assigned operational roles, negotiated ransom demands, and distributed extorted proceeds, which were usually paid in cryptocurrency, according to the investigation. 

There were several aliases he operated under on the internet-including tramp, tr, gg, kurva, AA, Washingt0n, and S.Jimmi-and authorities say he may have maintained a connection to the now-defunct Conti ransomware group. 

According to German authorities, Nefedov is believed to be in Russia at the moment, though his exact location remains unclear. Interpol has also added him to a global wanted list. In recent months, the investigation has been further strengthened by numerous disclosures and enforcement actions that have heightened the investigation. 

A leaked internal chat log attributed to Black Basta, which gave rare insights into the group's organization, operations, and communications, as well as exposing identifying information about the individuals involved. This information provided an insight into the organization's inner workings and daily operations. 

According to cybersecurity researchers, many of the Black Basta members previously operated within criminal networks that were closely linked to the Conti and Ryuk ransomware strains, as well as the TrickBot banking trojan — operations that have led Western governments to identify and sanction more than a dozen individuals for their involvement in such attacks. 

According to researchers and investigators, Black Basta is the result of the collapse of Conti, a ransomware operation which fragmented into smaller, semi-autonomous cells after it shut down. In a recent study published by the International Security Agency, Black Basta has been widely interpreted as a rebranding of the former Conti infrastructure, with many of those splinter groups either embedding themselves into existing ransomware schemes or controlling existing operations. 

It has been demonstrated that this view has been reinforced by a review of leaked internal communications by Trellix researchers. According to those who reviewed the Black Basta chat logs, GG and Chuck were exchanging emails about a purported $10 million reward for information about an individual, referred to as “tr” or “-amp,” an individual which researchers believe corresponds to a bounty offered by the U.S. Government for information that will lead to the identification of key Conti figures, including Tramp, the hacker. 

Additionally, Trellix researchers found that within the leaked conversations, GG was identified as Tramp, who had been regarded as Conti's leader for some time, by a participant called "bio," sometimes known as "pumba," a figure who was previously connected to the Conti organization. 

These findings echo those released earlier in February 2022, when a researcher revealed Conti's internal chats in the aftermath of the Russian invasion of Ukraine, revealing internal dynamics and explicitly referring to Tramp as leader of the group. 

It is well-known that such leaks have long been a source of attribution efforts within the cybersecurity industry, but German authorities say that their current case rests on evidence gathered through intelligence and investigation on the German side. 

Oleg Nefedov has been identified formally as the head of the Black Basta ransomware group by Europol, and the Interpol red notice database has been updated with his name. This is a crucial step in the international effort to enquire about the group's activities, marking a decisive step in the effort to enshrine accountability for the group. 

The data breach is the result of an attack on more than 500 organizations across North America, Europe, and Australia by means of Black Basta's ransomware-as-a-service model, which was active since April 2022 and caused hundreds of millions of dollars in damage in the process.

Two suspects in western Ukraine, which were allegedly acting as hash crackers in order to help facilitate network intrusions, data theft, and ransomware deployment, were also announced by German authorities. The police seized digital devices and cryptocurrency during raids that are related to the incident, and are currently conducting forensic analysis of the evidence. 

Official figures underscore the scale of the damage attributed to the group. An official press release from the German authorities stated that documented Black Basta attacks have caused prolonged operational disruptions at over 100 companies in Germany, as well as over 700 organizations worldwide, including hospitals, public institutions, and government agencies. 

In Germany, it is estimated that losses will exceed 20 million euros in the next few years. Research conducted in December 2023 by blockchain analytics firm Elliptic and Corvus Insurance found that over the course of the past four years, the group accumulates at least $107 million in Bitcoin ransom payments, which has been determined to be paid by over 329 victims in 31 countries across the world. 

A detailed analysis of blockchain transactions also revealed a clear financial and operational link between Black Basta and Conti, which supported the conclusions of law enforcement that this syndicate grew out of a well-established, interconnected cybercrime ecosystem that was well-established and interconnected. 

In light of the scope and selectivity of Black Basta's operations, it is evident why it has been a top priority for law enforcement and security researchers to investigate. A number of victims have been confirmed, including Rheinmetall, Hyundai, BT Group, Ascension, ABB, the American Dental Association, U.K.-based outsourcing company Capita, the Toronto Public Library, the Yellow Pages Canada, and others. 

These victims include German defense contractor Rheinmetall, Hyundai's European division, BT Group, as well as the United States healthcare provider Ascension. According to the researchers, the group did not operate in an indiscriminate manner, but applied a targeted strategy based on geography, industry, and organizational revenue, while also closely tracking geopolitical developments in order to reduce the likelihood of retaliation from law enforcement agencies. 

A ransomware operation known as Black Basta, which is characterized by a focus on large, high-revenue organizations with the ability to pay large ransoms, was known to be targeting large, high-revenue organizations. Based on internal communications, it appears that entities in both the United States and Germany were the most likely to pay a ransom. 

There are 57 percent of victims in the United States who had reported a leak between April 2022 and January 2025, with Germany accounting for 12 percent, while additional victims were observed throughout Europe, Asia Pacific and the Americas as well. 

Accordingly, that assessment is reflected in activity observed on the group's leak site. Several leaks of internal chats in the group have introduced rare insights into the group's internal structure, its financial management, and its extortion practices, which have strengthened efforts to identify key actors and disrupt their operations by exposing real-world names and financial transactions. 

Despite the fact that Black Basta’s data leak site is currently offline, analysts warn that the group still has the resources and incentives to re-emerge, either by adopting a new name or partnering with other ransomware crews, illustrating how authorities continue to face challenges in dismantling entrenched cybercrime networks rather than simply disrupting them, even when the site is offline. 

Together, these findings present a detailed portrayal of a ransomware operation that developed out of a fractured but resilient cybercrime ecosystem into a global enterprise that has far-reaching consequences. Having identified an alleged leader along with financial tracing, leaking internal communications, and coordinated international enforcement, German authorities state that the investigation has matured—with an emphasis not only on disruption, but also on attribution and accountability for ransomware. 

It should be noted that while law enforcement actions have slowed Black Basta's visible activities, experts and officials agree that dismantling such networks will take years, especially when key figures are believed to be operating in jurisdictions that are beyond the reach of law enforcement officials. 

In addition to demonstrating the extent of the harm caused by ransomware campaigns, the case also highlights the growing determination of governments to pursue those responsible, even through the broader cybercrime landscape continues to evolve, fragment, and resurface.
Read more »
supply chain attacks
Crypto-Funded Crime Cyber Extortion cyber threat Data Exfiltration Helpdesk Social Engineering Insider Threats Ransomware Retail Cyber Resilience supply chain attacks

Ransomware Profits Shrink Forcing Criminal Gangs to Innovate

 


Ransomware networks are increasingly using unconventional recruitment channels to recruit new operators. Using blatant job-style announcements online, these networks are enlisting young, inexperienced operators with all sorts of job experience in order to increase their payouts. 

There is a Telegram post from a channel that is connected to an underground collective that emphasizes the importance of female applicants, dismissing nationality barriers and explicitly welcoming people who have no previous experience in recruitment, with the promise to train recruits “from scratch” while emphasizing the expectation that they will learn rapidly.

In return, the position was advertised as being available during weekdays between 12 p.m. and 6 p.m. Eastern Time and being compensated $300 per successful call, which is paid out exclusively in cryptocurrency. It was far from a legitimate job offer, but it served as a gateway into a thriving criminal ecosystem known as The Community or The Com, a loosely connected group of about 1,000 individuals, many of whom are children in middle and high school. 

In order to operate, the network relies on fluid, short-lived alliances, constantly reshaping its structure in what cybersecurity researcher Allison Nixon calls an "infernal soup" of overlapping partnerships, which recur continuously. 

In the years since 2022, the collective and its evolving offshoots have carried out sustained intrusion campaigns against large corporations across the United States and the United Kingdom that have been referred to by previously referred to as Scattered Spider, ShinyHunters, Lapsus$, SLSH, and many others, among others. 

It is estimated that these sort of attacks, which include data breaches, credential theft, account takeovers, spear phishing, and digital extortion, may have compromised companies with a market value of more than $1 trillion. It is estimated that these sort of attacks, which include data breaches, credential theft, account takeovers, spear phishing, and digital extortion, may have compromised companies with a market value of more than $1 trillion. 

In the coming weeks, Silent Push will unveil a new research report based on cyber intelligence research conducted by Silent Push, Silent Push's partner firm Silent Push's affiliate Silent Push. Legal documents indicate that at least 120 organizations, as well as 120 brands, have been targeted, ranging from the worldwide giant Chick-fil-A, to the global giants of Instacart, Louis Vuitton, Morningstar, News Corporation, Nike, Tinder, T-Mobile, T-Mobile, Vodafone, and T-Mobile, Vodafone among others. 

This indicates that modern ransomware crime rings have undergone a major shift in both their operational strategy as well as the talent pool they utilize. In a world where profit margins are tightening, ransomware operations are changing, forcing threat actors to choose their victims with greater deliberateness and design attack models that are increasingly engineered. 

According to Coveware, the analysis division within Veeam, ransomware campaigns are no longer driven by broad, opportunistic targeting, but rather by pressure to extract leverage through precision and psychological manipulation in order to gain a competitive edge. There was a stark shift in corporate behavior during the third quarter that signaled a dramatic change in behavior in the ransomware industry. 

The proportion of victims paying ransoms fell below 25 percent for the first time ever in the history of ransomware tracking. However, when payments were made, they reflected a contraction that was unprecedented — an average of $376,941 with a median payout of $140,000. This represents a two-thirds decline from the previous quarter. 

There has been a decline in trust among major enterprises as a result of the downturn, particularly around the claim that stolen data would be permanently deleted after payment. This skepticism has had a material negative impact on exfiltration-only extortion, which has been reduced by 19 percent in ransom compliance. 

According to industry researchers, the financial strain has fractured the ransomware economy, resulting in 81 unique data-leak sites being recorded in Q3, the highest number to date, as emerging groups fill the void left by larger syndicates exiting the arena, following suit with their own ransomware campaigns. 

In spite of this dispersion, targeted groups have developed an erratic targeting behavior, drawing markets that were previously considered peripheral, including Southeast Asia, such as Thailand, and Thailand in particular. Especially recently, attackers have targeted midsize organizations that are lacking the financial resilience to weather sustained disruption – such as Russian-speaking crews like Akira and Qilin – even if they cannot meet multimillion-dollar demands that are being demanded. 

It is not only about victim realignment; operators are also exploring a broad range of revenue-enhancement strategies, including insider recruitment and bribery, social engineering on the helpdesk, supply chain compromise, and callback phishing, a tactic first developed in 2021 by the Ryuk group to destabilize defenses by causing victims to contact attackers directly, which in turn would disrupt defenses. 

Cisco Talos research highlights the importance of live negotiation in security, noting that attackers have been using real-time phone interaction to weaponize emotional pressure and adaptive social engineering to increase the effectiveness of attacks. Despite the fact that raw economic incentives have failed to deliver historical returns, modern ransomware groups have evolved a new way of leveraging influence, as evidenced by recent research. 

It has become apparent over the past few months that cybercriminal groups are increasingly embracing high-profile consumer brands in their strategic entanglements, as well as a marked shift in how these brands are defending themselves against such attacks. 

During the late spring and early summer of 2018, cybercrime collective Scattered Spider, a decentralized cybercrime collective that is known for targeting retail and supply chain organizations, targeted major retail and supply chain organizations including Victoria's Secret, United Natural Foods, and Belk, among others.

As the incidents unfolded, and the industry as a whole mobilized to defend itself against the attacks, the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) was established, an intelligence-sharing organization that coordinates the collective cybersecurity defense by retail enterprises. 

The RH-ISAC played an important role in the escalating digital threats and the tightening budgets for security in the retail and hospitality industries, industry intelligence releases indicate that there is also a parallel increase in executive alignment and organizational preparedness across the two industry sectors. There has been an increase in the number of chief information security officers reporting directly to senior business leaders as reflected in a recent study conducted by RH-ISAC. 

In a way, this represents a 12-point increase from the previous year, signaling that cybersecurity has become more integrated into corporate strategy rather than being separated from IT. It has been noted by sector leaders that, as a result of this structural shift, security chiefs have become an increasingly important part of commercial decision-making, with their influence extending beyond breach prevention to risk governance, vendor evaluation, and business continuity planning. 

There is no doubt that the same report showed that operational resilience has emerged as a major priority in the boardroom, ranking at the top for approximately half of the organizations surveyed. 

During the conference, the leadership of RH-ISAC highlighted the industry's need to focus on recovery readiness, incident response coordination, and cross-company intelligence exchange, all of which are now considered essential to maintaining customer trust and continuous supply chains in an environment where reputational damage can often outweigh technical damage. 

Although some retail and hospitality enterprises are still faced with the challenge of tight security functions and the apparent friction between deploying them rapidly as well as ensuring that the security remains airtight, many enterprises have been able to demonstrate an improved capacity for absorbing and responding to sustained adversarial pressure. 

Analysts observe that recent high-profile compromises have not derail the industry but have instead tested its defenses and, in several cases, validated them. In this regard, the growing emphasis on cyber resilience is emerging from an aspiration to a reality as a result of orchestrating coordinated response strategies, sharing threat intelligence, mitigation frameworks, and incident guidelines to help organizations prevent becoming successive targets for cyber crimes. 

During the course of the center's response, European retail partners were able to share their insights quickly with the center, since they were facing Scattered Spider operations only weeks earlier. As early as April, the same group had breached a number of U.K. retail organizations including Harrods, Marks & Spencer, and the Co-op, which resulted in emergency advisories from British law enforcement and national cyber agencies advising the public. 

A cross-border intelligence dialogue was held by RH-ISAC in light of those developments to gain an in-depth understanding of the group's evolving tactics. Shortly after the U.K. attacks, the organization held a members-only threat briefing with researchers from Mandiant, Google's cyber intelligence division, to review operational patterns, attacker behavior, and defensive weaknesses. 

RH-ISAC's intelligence coordination with British retailers has enabled them to refine the attribution signals and enhance their early-warning models before the group escalated operations in North America and it was no surprise that they achieved this. 

During this series of breaches, it was revealed that the collective was heavily dependent on young, loosely affiliated operators, but that the retail industry was also making a marked departure from historically isolated incident management models, and instead was increasingly committed to collaborative defenses, intelligence reciprocity, and coordinated response planning. 

There has been a significant evolution in ransomware in recent years, marking the beginnings of a new era of cyber defenses for consumer-facing industries in which economics, psychology, and collaboration are coming together as critical forces. 

In the age of fragmented threat groups, a growing number of recruits, and more manipulative attack models, resilience cannot be solely based on perimeter security. There are experts in the field who emphasize the importance of pairing rapid threat detection with institutional memory, so that organizations can preserve information from every incident, regardless of how quickly attacker infrastructure or affiliations erode. 

A growing number of organizations are implementing protocols for verifying helpdesks, monitoring insider threats, performing supply chain risk audits, and sharing cross-border intelligence. This is an era in which human weaknesses are exploited as aggressively as software flaws, and these protocols are emerging as non-negotiable defenses. 

Meanwhile, the shift towards executive security ownership in retail and hospitality is a blueprint for other sectors as well, since cybersecurity influence needs to be integrated with business strategy rather than being buried beneath it. 

There are a number of recommendations for organizations to implement continuous employee awareness conditioning, stricter playbooks for recovering access, simulated social engineering drills, and incident response alliances that are as fast as an attacker can move. 

Essentially, resilience is not being able to compromise. It does not imply that you do not compromise, but that you are able to recover more rapidly, coordinate more effectively, and think quicker than the opposition.
Read more »
VolkLocker
Cryptographic Vulnerability Cyber Attacks Cyber Extortion CyberVolk Pro Russian Hacktivists Ransomware Ransomware As A Service Telegram Command And Control Threat Intelligence VolkLocker

CyberVolk Ransomware Fails to Gain Traction After Encryption Misstep


 

CyberVolk, a pro-Russian hacktivist collective, has intensified its campaign of ransomware-driven intimidation against entities perceived as hostile to Moscow in the past year, marking a notable change in both scale and presentation, marking a notable shift in its operations. 

In addition to its attacks, the group has become increasingly adept at constructing carefully constructed visual branding, including the release of stylized ransomware imagery to publicize successful intrusions in addition to attacking. It seems that these visuals, which were enhanced by deliberately inflammatory language and threatening tone, were not intended simply to announce breaches, but rather to amplify psychological pressure for victims and broader audiences alike. 

In October 2024, CyberVolk appeared to have a clear strategy in the ransoming of several Japanese organizations, including the Japan Oceanographic Data Center and the Japan Meteorological Agency, in which they claimed responsibility for the ransoming. CyberVolk has reportedly altered the desktop wallpapers of several victims prior to starting the encryption process, using the act itself as a signal of control and coercion to control and coerce them. 

CyberVolk's plans to venture into the ransomware-as-a-service ecosystem, however, seem to have been undermined by fundamental technical lapses that were clearly underhand. As part of its strategy to attract affiliates, this group has recently launched a new ransomware strain called VolkLocker, positioning it as a RaaS offering designed to expand its operational reach and attract affiliates. 

A SentinelOne research team has found that the malware has severe cryptographic and implementation weaknesses that greatly reduce its effectiveness, according to a study conducted by researchers. It is worth noting that the encryptor is specifically hardcoded directly into the ransomware binary as well as written in plaintext to a hidden file on compromised systems, compounding the error. 

VolkLocker's credibility and viability within the cybercrime market is severely undermined by the vulnerability of extracting and reusing the exposed key, which could possibly allow organizations to recover their data without having to pay a ransom. As a consequence, affected organizations could potentially recover their data without paying a ransom. 

It was last year when the Infosec Shop and other researchers first started documenting CyberVolk's activities that it caught the attention of the security community, and when it became known that the hacktivist collective was pro-Russian. CyberVolk appears to be operating in the same ideological space as outfits such as CyberArmyofRussia_Reborn and NoName057(16) — both of which have been linked to the Russian military intelligence apparatus and President Vladimir Putin by US authorities. 

However, CyberVolk has yet to be proven to maintain direct ties with the Russian governing authorities. Additionally, CyberVolk has a distinctive operational difference from many of its peers. Compared to comparable hacktivist teams, which tend to focus their efforts on disruption but low-impact distributed denial-of-service attacks, CyberVolk has consistently utilized ransomware as part of its campaigns. 

Researchers have noted that after repeated bans from Telegram in 2025, the group almost disappeared from public view for the first half of 2025, only to resurface in August with a revamped ransomware service based on VolkLocker. In analyzing the operations, it is evident that an uneven scaling attempt has taken place, combining fairly polished Telegram automation with malware payloads that retain signs of testing and incomplete hardening. 

VolkLocker is written in Go and designed to work across both Windows and Linux environments. In addition to enabling user communication, Telegram-based command-and-control functionality, it also handles system reconnaissance, decryption requests, and the decryption of sensitive data. In order to configure new payloads, affiliates must provide operational details such as Bitcoin payment addresses, Telegram bot credentials, encryption deadlines, file extensions, and self-destruct parameters. 

Among the backbones of this ecosystem is Telegram, which is responsible for providing communication, tool distribution, and customer support services. However, some operators have reported extending the default C2 framework to include keylogging and remote access capabilities. As of November, the group was advertising standalone remote access trojans and keyloggers in addition to its RaaS offerings, and these packages included tiered pricing options. 

The ransomware is capable of escalating privileges, bypassing Windows User Account Control, selectively encrypting files based on pre-defined exclusion rules, and applying AES-256 encryption in GCM mode, which emphasizes CyberVolk's ongoing attempts to mix ideological messaging with the increasingly commercialized nature of cybercrime. 

In the course of further technical analysis of VolkLocker, it has been revealed that the ransomware has been shaped by an aggressive design choice and critical implementation errors. One of the most notable features of the program is its integration of a timer function written in Go that can be configured to initiate a destructive wipe upon expiration of the countdown or upon entering an incorrect password into the ransom note in HTML.

Upon activation, the routine targets the most common user directories, such as Documents, Downloads, Pictures, and the Desktop, making the users vulnerable to permanent data loss. In order to access CyberVolk's ransomware-as-a-service platform, one must pay approximately $800 to $1,100 for an operating system that supports just one operating system, or $1,600 to $2,200 for a build that supports both Windows and Linux operating systems. 

In the early days of the group, affiliates obtained the malware by using Telegram-based builder bots that were able to customize encryption parameters and create customized payloads, indicating that the group relied heavily on Telegram as a delivery and coordination platform. 

As of November 2025, the same operators have expanded their commercial offerings, advertising standalone remote access trojans and keyloggers for $500 each, further signaling a desire to diversify their offerings from merely ransomware to a wide range of security technologies. Nevertheless, VolkLocker’s operations have a serious cryptographic weakness at the core of their operation that makes it difficult for them to be effective. 

As part of the encryption process, AES-256 is employed in Galois/Counter Mode and a random 12-byte nonce is generated for each file before it deletes the original and adds extensions such as .locked or .cvolk to the encrypted copies after destroying the original files. Although the system seems to be designed to be quite strong, researchers found that all files on a victim's system are encrypted using a single master key which is derived from a 64-character hexadecimal string embedded directly in the binary files. 

Additionally, the same key is stored in plaintext to a file named system_backup.key, which is never removed, compounding the problem. This backup appears to be a testing artifact that was inadvertently left in production builds, and SentinelOne suggests that it might be able to help victims recover their data without paying a ransom for it. 

While the flaw offers a rare advantage to those already affected, it is expected that when it is disclosed to the public, the threat actors will take immediate steps to remedy the issue. The majority of security experts advise that, generally, the best way to share such weaknesses with law enforcement and ransomware response specialists while an operation is ongoing, is by utilizing private channels. This is done in order to maximize victim assistance without accelerating adversary adaptation, thus maximizing victim assistance without accelerating adversary adaptation. 

The modern cyber-extortion economy is sustained by networks of hackers, affiliates, and facilitators that work together to run these campaigns. In order to understand this landscape effectively, open-source intelligence was gathered from social media activity and media reporting. These activities highlighted the existence of a broad range of actors operating within it. 

One such group is the Ukrainian-linked UA25 collective, whose actions retaliate against Russian infrastructure are often accompanied by substantial financial and operational damage, with a claim to responsibility publicly made in the media. In such cases, asymmetrical cyber conflict is being highlighted, where loosely organized non-state actors are able to cause outsized damage to much larger adversaries, underscoring the asymmetrical nature of contemporary cyber conflict. 

In this climate, Russian cybercriminal groups are often able to blur the line between ideological alignment and financial opportunism, pushing profit-driven schemes under the banner of political activism in an effort to achieve political goals. CyberVolk is an example of this hybrid model: CyberVolk aims to gain legitimacy through hacktivist rhetoric while also engaging in extortion and tool sales to monetize its ransomware activity. 

Security firms and independent researchers have been continuously scrutinizing the situation, which has led, in the past few years, to expose internal operational weaknesses, including flawed cryptographic practices, insecure key handling, which can be leveraged to disrupt campaigns and, in some cases, aid law enforcement and takedown efforts on a broader scale. This has been reported as well by publications such as The Register. 

In the near-term, analysts warn that ransomware operations will likely get more sophisticated and destructive - with future strains of ransomware increasingly incorporating elements commonly associated with wiper malware, which encrypts data rather than issuing ransoms. There have been several regulatory actions, sanctions, and government advisories issued throughout 2025 that have laid the foundation for a more coordinated international response to these threats. 

However, experts warn that meaningful progress will depend on a sustained cooperation between governments, technology companies, and private sector firms. In the case of CyberVolk, the technical ambition often outweighs the execution, yet even faulty operations demonstrate a persistent threat from Russian-linked actors, who continue to adapt despite mounting pressures from the West. 

In the wake of recent sanctions targeting key enablers, some parts of this ecosystem have been disrupted; however, new infrastructure and service providers are likely to fill these gaps as time goes on. Defensers should take note of the following lesson: continued vigilance, proactive threat hunting, as well as adopting advanced detection and response capabilities remain essential for preventing ransomware from spreading, as the broader contest against ransomware increasingly depends on converting adversaries' mistakes into durable security advantages to ensure the success of the attack. 

It should be noted that the rise and subsequent missteps of CyberVolk can be considered a timely reminder that the ransomware landscape is evolving in multiple ways, not only in terms of technical sophistication but also in terms of narrative strategy and operational ambition. 

Although advocates of groups may work to increase their impact by using political messaging, branding, and service models that are tailored for commercialization, long-term success remains dependent on disciplined engineering and operational security-areas in which even ideologically motivated actors continue to fail. 

Organizations should take this episode as an example of the importance of building multilayered defenses that go beyond perimeter security to include credential hygiene, behavioral monitoring, and rapid incident response planning in addition to regular patching, offline backups, and tabletop exercises. This episode emphasizes how vital it is to engage with threat intelligence providers in order to identify emerging patterns before they turn into operational disruptions. 

In the eyes of policymakers and industry leaders, the case highlights the benefits of coordinated disclosure practices and cross-border collaboration as means of weakening ransomware ecosystems without inadvertently making them more refined. 

Iterating and rebranding ransomware groups can be equally instructive as iterating and rebranding their malware, providing defenders with valuable opportunities to anticipate next moves and close gaps before they are exploited. The ability to survive in an environment characterized by both sides adapting will increasingly depend on turning visibility into action and learning from every flaw that has been exposed.
Read more »
ransomware attacks
AI in cybersecurity Cyber Attacks Cyber Extortion Microsoft Digital Defense Report nation-state hackers ransomware attacks

Microsoft Warns: Over Half of Cyberattacks Driven by Extortion and Ransomware, Legacy Security Failing to Keep Up

 


More than 50% of cyberattacks are now motivated by extortion and ransomware, according to Microsoft’s latest Digital Defense Report. The tech giant revealed that outdated security systems are no longer capable of defending against today’s evolving cyber threats.

In its sixth annual report, Microsoft highlighted that around 80% of the cyber incidents its security teams investigated last year were financially motivated.

"That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%," said Amy Hogan-Burney, CVP for Customer Security and Trust at Microsoft.

She added, "Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit."

The report noted that critical public sectors, including hospitals and local governments, are prime targets. These institutions often handle highly sensitive information but operate with limited cybersecurity resources and response capabilities. In many cases, healthcare and other essential services are more likely to pay ransoms due to the critical nature of their operations.

Although nation-state-driven attacks account for a smaller share of total incidents, their volume is steadily increasing. Microsoft’s findings show that China continues its aggressive campaigns across industries to steal sensitive data, using covert systems and exploiting internet vulnerabilities to avoid detection.

Iran has widened its scope, targeting sectors from the Middle East to North America, including shipping and logistics companies in Europe and the Persian Gulf to gain access to valuable commercial data.

Meanwhile, Russia has extended its operations beyond Ukraine, focusing on small businesses in pro-Ukraine countries, perceiving them as softer targets compared to larger corporations.

Microsoft also identified North Korea as a major concern for both espionage and revenue-driven cyber operations. Thousands of North Korean IT workers are reportedly employed remotely by global companies, funneling their salaries back to the regime. When exposed, some of these operatives have shifted to extortion tactics.

"The cyber threats posed by nation-states are becoming more expansive and unpredictable," Hogan-Burney warned. "In addition, the shift by at least some nation-state actors to further leveraging the cybercriminal ecosystem will make attribution even more complicated."

She stressed the importance of collaboration: "This underscores the need for organizations to stay abreast of the threats to their industries and work with both industry peers and governments to confront the threats posed by nation-state actors."

Microsoft’s report also underscored how artificial intelligence and automation have empowered cybercriminals, even those with minimal expertise, to execute more complex attacks. AI tools are being used to develop malware faster, generate convincing fake content, and enhance phishing and ransomware campaigns.

More than 97% of identity attacks are now password-related, with a 32% surge in the first half of 2025 alone. Attackers commonly exploit leaked credentials and use large-scale password guessing.

"However, credential leaks aren’t the only place where attackers can obtain credentials," Hogan-Burney explained. "This year, we saw a surge in the use of infostealer malware by cyber criminals. Infostealers can secretly gather credentials and information about your online accounts, like browser session tokens, at scale."

She added, "Cyber criminals can then buy this stolen information on cyber crime forums, making it easy for anyone to access accounts for purposes such as the delivery of ransomware."

The report concludes by urging governments to establish stronger frameworks to ensure credible consequences for cyber activities that breach international laws and norms.


Read more »
ShinyHunters
Cyber Extortion Cyber Security Ransomware ShinyHunters

Red Hat Data Breach Deepens as Extortion Attempts Surface

 



The cybersecurity breach at enterprise software provider Red Hat has intensified after the hacking collective known as ShinyHunters joined an ongoing extortion attempt initially launched by another group called Crimson Collective.

Last week, Crimson Collective claimed responsibility for infiltrating Red Hat’s internal GitLab environment, alleging the theft of nearly 570GB of compressed data from around 28,000 repositories. The stolen files reportedly include over 800 Customer Engagement Reports (CERs), which often contain detailed insights into client systems, networks, and infrastructures.

Red Hat later confirmed that the affected system was a GitLab instance used exclusively by Red Hat Consulting for managing client engagements. The company stated that the breach did not impact its broader product or enterprise environments and that it has isolated the compromised system while continuing its investigation.

The situation escalated when the ShinyHunters group appeared to collaborate with Crimson Collective. A new listing targeting Red Hat was published on the recently launched ShinyHunters data leak portal, threatening to publicly release the stolen data if the company failed to negotiate a ransom by October 10.

As part of their extortion campaign, the attackers published samples of the stolen CERs that allegedly reference organizations such as banks, technology firms, and government agencies. However, these claims remain unverified, and Red Hat has not yet issued a response regarding this new development.

Cybersecurity researchers note that ShinyHunters has increasingly been linked to what they describe as an extortion-as-a-service model. In such operations, the group partners with other cybercriminals to manage extortion campaigns in exchange for a percentage of the ransom. The same tactic has reportedly been seen in recent incidents involving multiple corporations, where different attackers used the ShinyHunters name to pressure victims.

Experts warn that if the leaked CERs are genuine, they could expose critical technical data, potentially increasing risks for Red Hat’s clients. Organizations mentioned in the samples are advised to review their system configurations, reset credentials, and closely monitor for unusual activity until further confirmation is available.

This incident underscores the growing trend of collaborative cyber extortion, where data brokers, ransomware operators, and leak-site administrators coordinate efforts to maximize pressure on corporate victims. Investigations into the Red Hat breach remain ongoing, and updates will depend on official statements from the company and law enforcement agencies.


Read more »
Ransomwares
AI Chatbots AI Models AI Techniques Cyber Crime Cyber Extortion Cyber Hackers Data Extortion international cybercrime operation Ransomwares

Hacker Exploits AI Chatbot Claude in Unprecedented Cybercrime Operation

 

A hacker has carried out one of the most advanced AI-driven cybercrime operations ever documented, using Anthropic’s Claude chatbot to identify targets, steal sensitive data, and even draft extortion emails, according to a new report from the company. 

It Anthropic disclosed that the attacker leveraged Claude Code — a version of its AI model designed for generating computer code — to assist in nearly every stage of the operation. The campaign targeted at least 17 organizations across industries including defense, finance, and healthcare, making it the most comprehensive example yet of artificial intelligence being exploited for cyber extortion. 

Cyber extortion typically involves hackers stealing confidential data and demanding payment to prevent its release. AI has already played a role in such crimes, with chatbots being used to write phishing emails. However, Anthropic’s findings mark the first publicly confirmed case in which a mainstream AI model automated nearly the entire lifecycle of a cyberattack. 

The hacker reportedly prompted Claude to scan for vulnerable companies, generate malicious code to infiltrate systems, and extract confidential files. The AI system then organized the stolen data, analyzed which documents carried the highest value, and suggested ransom amounts based on victims’ financial information. It also drafted extortion notes demanding bitcoin payments, which ranged from $75,000 to more than $500,000. 

Jacob Klein, Anthropic’s head of threat intelligence, said the operation was likely conducted by a single actor outside the United States and unfolded over three months. “We have robust safeguards and multiple layers of defense for detecting this kind of misuse, but determined actors sometimes attempt to evade our systems through sophisticated techniques,” Klein explained. 

The report revealed that stolen material included Social Security numbers, bank records, medical data, and files tied to sensitive defense projects regulated by the U.S. State Department. Anthropic did not disclose which companies were affected, nor did it confirm whether any ransom payments were made. 

While the company declined to detail exactly how the hacker bypassed safeguards, it emphasized that additional protections have since been introduced. “We expect this model of cybercrime to become more common as AI lowers the barrier to entry for sophisticated operations,” Anthropic warned. 

The case underscores growing concerns about the intersection of AI and cybersecurity. With the AI sector largely self-regulated in the U.S., experts fear similar incidents could accelerate unless stronger oversight and security standards are enforced.
Read more »
Threat Landscape
Cyber crimes Cyber Extortion Sextortion Threat Landscape

Three Cyber Extortion Schemes Attackers Can Employ Against You

 

Cybercriminals appear to have an infinite repertoire of strategies at their disposal when it comes to forcefully extracting financial information from victims. They prefer specific methods over others, and extortion is one of them. 

Keep in mind that blackmailers will not just use one trick, but will use various types of extortion to force their victims to do their bidding, whether it is paying them a significant sum of money or performing tasks on their behalf.

Hack and extort

The term is rather self-explanatory, but to be sure, the extortionist will access your device or online accounts, search your files for any sensitive or valuable data, and steal it. Although it may resemble ransomware in some ways, the breaking and entering of your system is done manually, and the cybercriminal has to dedicate time and resources in doing so.

Unless your password was compromised in a large-scale data breach, in which case the job required is negligible. The successfully targeted individual is then sent an email in which the criminal attempts to force the intended victim into paying by threatening to expose this data and listing examples for added effect. To safeguard yourself, try encrypting your data and adequately protecting all of your accounts with a strong passphrase, as well as enabling two-factor authentication whenever possible. 

Sextortion

Sextortion is precisely what it sounds like: extortion carried out with the threat of exposing sexual material about the target. Sextortionists might approach the practice in a variety of ways. Until the criminal gains the victim's trust and persuades them to switch from the dating platform to a regular messaging service, it may begin as an apparent romantic dalliance through a dating platform. 

This is done in order to prevent setting off the security measures that dating apps employ to identify possible con artists. After the victim leaves the dating site, they will attempt to persuade them to share some explicit or risqué images or videos, which they will then use as leverage in a blackmail campaign. As an alternative, hackers can opt to break into a victim's computer and take control of their webcam in order to secretly monitor and even record explicit images or videos of them; American model and previous Miss Teen USA Cassidy Wolf was a victim of such sextortion. 

Sending risqué images to anyone is not advisable. Even if you trust someone, you can't rule out the possibility that their devices or accounts have been compromised, sensitive images have been exposed, or that your current level of trust in them has changed or is otherwise wrong. To mitigate your risks of getting hacked, keep your gadgets patched and updated, and utilise a respected security solution.

DDoS extortion 

Cybercriminals frequently use distributed denial of service (DDoS) attacks on enterprises in an attempt to completely disable their target's capacity to offer services. They frequently post their services on DDoS-for-hire marketplaces in an effort to increase their illicit revenue. Threat actors use a large number of machines arranged into a botnet to bombard a target with requests during these attacks. 

The goal is to overwhelm the target's systems to the point where they fail, so taking them offline. Attacker scans can cause this to continue for days at a time, costing some businesses hundreds of thousands of dollars in lost sales. For instance, a cybercrime collective recently threatened to use DDoS assaults against multiple organisations unless they paid ransoms ranging from US$57,000 to US$227,000 by adopting the garb of well-known shacking groups. 

Setting up a firewall to deny access to all unauthorised IP addresses and enrolling with a DDoS mitigation provider are just a few steps you can take to defend yourself from DDoS extortion attempts.
Read more »
Ransomware
Crypto Currency Cyber Crime Cyber Extortion Ransomware

Ransomware Actors Extorted More Than $450 Million in First Half of 2024

 

In the first half of 2024, victims of ransomware have paid $459,800,000 to attackers; if ransom payments continue at this pace, this year might establish a new record. Ransomware payments hit a historic high of $1.1 billion last year, as Chainalysis had previously estimated based on data from the first half of the year, when ransomware activity raked in $449,100,000. 

Despite massive law enforcement operations that halted large ransomware-as-a-service operations, like LockBit, we are currently about 2% higher than the record-breaking trend from the same period in 2023.

The recent Chainalysis study claims that this growth is the result of ransomware gangs concentrating on collecting large payments by stealing customers' private data and inflicting costly disruptions to major organisations. 

"2024 is set to be the highest-grossing year yet for ransomware payments, due in no small part to strains carrying out fewer high-profile attacks, but collecting large payments," reads the Chainalysis report. "2024 has seen the largest ransomware payment ever recorded at approximately $75 million to the Dark Angels ransomware group.” 

It is unclear who paid the large $75 million ransom payment, but Zscaler, which identified it, claims it was made by a Fortune 50 company for an attack in early 2024. The typical ransom payment increased significantly from around $199,000 in early 2023 to $1,500,000 in June 2024, indicating that ransomware perpetrators target larger organisations. 

The median ransom payment increased significantly from around $199,000 in early 2023 to $1,500,000 in June 2024, indicating that ransomware perpetrators target larger organisations. According to Chainalysis, the number of confirmed ransomware attacks increased by 10% year on year in 2024, while the number of victims displayed on dark web extortion platforms increased similarly. 

In terms of how many victims succumb to the threat actors' blackmail and pay the ransom in exchange for a decryptor and a promise not to leak stolen data, Chainalysis reports that the positive trend continues, with fewer organisations falling victim to the extortion.

Chainalysis also estimates that the influx of stolen cryptocurrency has quadrupled year on year, rising from $857 million to $1.58 billion by the end of July 2024. The average value of bitcoin stolen each heist climbed by over 80%, with hackers focussing on centralised exchanges rather than decentralised finance (DeFi) protocols, which had been the target of most attacks in previous years. 

Despite these increases in absolute numbers, illegal on-chain activity decreased by 20% compared to 2023, illustrating that authentic cryptocurrency use is rising faster.
Read more »
ransomware tactics
Cyber Extortion Cyber Threats Cybersecurity data exfiltration. logistics industry LukaLocker ransomware Malware attacks manufacturing sector phone call intimidation Ransomware group ransomware tactics

This New Ransomware Group Uses Phone Calls to Pressure Victims

 



Researchers have identified a new ransomware group called Volcano Demon, responsible for at least two successful attacks in the past two weeks. Tim West, an analyst at cybersecurity firm Halcyon, revealed that the group targeted companies in the manufacturing and logistics industries. However, further details about the targets were not disclosed.

Unlike typical ransomware groups, Volcano Demon does not have a public leaks website. Instead, they use phone calls to intimidate and negotiate payments with leadership at the victim organizations. These calls, often threatening, originate from unidentified numbers.

Before making the calls, the hackers encrypt files on the victims' systems using previously unknown LukaLocker ransomware and leave a ransom note. The note threatens to inform clients and partners about the attack and sell data to scammers if the ransom is not paid.

Volcano Demon uses a double extortion technique, exfiltrating data to command-and-control (C2) services before encrypting it. They successfully locked Windows workstations and servers by exploiting common administrative credentials from the network. Tracking Volcano Demon has proven difficult due to their practice of clearing log files on targeted machines, which hampers comprehensive forensic evaluation.

West mentioned that the hackers, who spoke with a heavy accent, call very frequently, almost daily in some cases. However, the origin of the callers remains unclear as no recordings are available.

It is uncertain whether Volcano Demon operates independently or as an affiliate of a known ransomware group. Halcyon has not yet identified any such links.

Ransomware operators continue to evolve, with new threat actors emerging and targeting various industries. In May 2024, researchers identified a criminal gang named Arcus Media, operating a ransomware-as-a-service model and targeting victims in the U.S., U.K., India, and Brazil. Another group, Space Bears, appeared in April, quickly gaining notoriety for their corporate-themed data leak site and affiliations with the Phobos ransomware-as-a-service group. Researchers suggest that these groups may be more organized and funded than previously anticipated.
Read more »
Threat Landscape
Credential Theft Cyber Crime Cyber Extortion Cyber Gang SaaS Apps Threat Landscape

Notorious Cyber Gang UNC3944 Shifts Focus to SaaS Apps vSphere and Azure

 

The notorious cyber gang UNC3944, which is suspected of involvement in the recent attacks on Snowflake and MGM Entertainment, among other things, has modified its methods and is now targeting SaaS apps. 

According to Google Cloud's Mandiant threat intelligence team, UNC3944's operations coincide significantly with those of the assault groups known as "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider." The group's operations began with credential harvesting and SIM swapping attacks, progressed to ransomware and data theft extortion, and has now transitioned to "primarily data theft extortion, without the use of ransomware.” 

Mandiant claimed to have heard recordings of UNC3944's calls to corporate help desks, in which it attempted social engineering attacks. 

"The threat actors spoke with clear English and targeted accounts with high privilege potential,” Mandiant's researchers noted last week. In some cases, callers already possessed victims' personally identifiable information – allowing the attackers to bypass identity verification checks. 

Scammers posing as callers from UNC3944 would frequently say they were getting a new phone, requiring an MFA reset. Help desk employees would enable the attackers to reset passwords and get around MFA protections if they allowed such reset. 

"UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials," Mandiant added. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.” 

When the hackers infiltrated an organization's infrastructure, they would immediately hunt for information on tools such as VPNs, virtual desktops, and remote telework programmes that would provide persistent access. Access to Okta was another target; tampering with the vendor's single sign-on tools (SSO) allowed attackers to create accounts that could be used to log into other systems. 

VMware's vSphere hybrid cloud management tool was one of the targets of attacks resulting from compromised SSO tools. Microsoft Azure was another option. Both were intended to allow UC3944 operatives to design virtual machines within an organisation and use them for malicious purposes. This makes sense because most of an organization's resources will use IP addresses within a safe range.
Read more »
Subscribe to: Posts (Atom)