Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Exploit. Show all posts
Zscaler
Cyber Attacks CyberCrime Cybersecurity Data Exploit Digital Security Ransomware Security Infrastructure Security Vulnerabilities VPN Zero Trust Zscaler

Sharp Increase in Ransomware Incidents Hits Energy Sector

 


The cyber threat landscape is constantly evolving, and ransomware attacks have increased in both scale and sophistication, highlighting how urgent it is for enterprises to take a strategic approach to cybersecurity. A survey conducted by Zscaler in 2025 found that ransomware incidents increased 146% over the past year. 

Ten prominent groups took 238 terabytes of data from their servers over the past year, nearly doubling the 123 terabytes they stole a year ago. There has been an alarming 900% increase in attacks in the oil and gas industry, largely attributed to the development of digital infrastructure as well as unresolved security vulnerabilities. Additionally, manufacturing, technology, and healthcare have all been affected by this increase, resulting in more than 2,600 reported incidents combined. 

A large percentage of ransomware cases were reported in the United States, which accounts for more than twice the total number of cases reported in the next 14 most affected countries combined. According to experts, threat actors are increasingly turning to generative artificial intelligence (AI) in order to streamline operations and perform more targeted and efficient attacks. This shift corresponds with the growing preference for data extortion over traditional file encryption, resulting in more effective attacks. 

In response to these evolving tactics, cybersecurity leaders are advocating the widespread adoption of Zero Trust architecture in order to prevent large-scale data loss and contain lateral movement within networks. The rise of digital transformation is accelerating the use of ransomware actors to launch increasingly sophisticated attacks on critical infrastructure sectors while automating and leveraging vulnerable industrial control systems as a source of attack. 

A dramatic increase in the number of attacks on the oil and gas industry was attributed to expanding digital footprints and security lapses, whereas Zscaler's latest research indicates that manufacturing, information technology, and healthcare are the sectors that are most frequently targeted by cybercriminals. This attack disproportionately affected the United States, as there were 3,671 ransomware incidents registered in this country, which is more than any of the next 14 most targeted countries combined. 

Over the past year, 238 terabytes of data were exfiltrated in ransomware campaigns, a 92% increase over last year. In the April-to-April period, RansomHub emerged as the most active ransomware group, followed by Akira and Clop in a close second place. These intrusions were largely caused by vulnerabilities that were known to exist in widely used enterprise technologies, such as VMware hypervisors, Fortinet and SonicWall VPNs, and Veeam backup software, making the critical need for proactive vulnerability management and real-time threat detection to be implemented across all levels of IT and operational infrastructure even clearer.

In recent years, cybercriminal groups have adopted more targeted and scalable approaches to extortion, which is reshaping the global ransomware landscape. According to Zscaler's ThreatLabz Ransomware Report for 2025, RansomHub, Akira, and Clop are the three most prolific groups, each of which has claimed more than 850 victims, 520 victims, and 488 victims, respectively. 

The success of Ariara is attributed primarily to its affiliate-based operation model and close collaboration with initial access brokers, while Clop has continued to exploit vulnerabilities in commonly used third-party software to execute impactful supply chain attacks in the last few years. In spite of the high-profile actors involved in this reporting period, Zscaler tracked 425 ransomware groups, so this is just a small part of a much broader and rapidly growing ecosystem. 34 new ransomware groups were created during the reporting period. 

In addition, according to this report, a significant proportion of ransomware campaigns were exploiting a limited range of critical software vulnerabilities, primarily in internet-facing technologies such as SonicWall VPNs and Fortinet VPNs, VMware hypervisors, Veeam backup tools, and SimpleHelp remote access servers. 

It is due to their widespread deployment and ease of discovery through simple scanning techniques that these vulnerabilities remain so attractive. This allows both veteran and newly formed groups of hackers to launch high-impact attacks more effectively and with greater precision. The ransomware ecosystem continues to grow at an alarming rate, and there have been unprecedented numbers of groups launching ransomware attacks. 

There have been 34 new ransomware gangs reported by Zscaler between April 2024 and April 2025, totalling 425 groups that have been tracked so far. Clearly, the significant growth in ransomware over recent years is a reflection of the enduring appeal of ransomware as an attractive criminal model, and it demonstrates how sophisticated and agile cybercriminal organisations have become over the last few years. 

Even though the continued rise in new ransomware actors is a concern, some signs sustained law enforcement action and stronger cybersecurity frameworks are beginning to help counteract this trend, as well as strong cybersecurity frameworks. To dismantle ransomware infrastructures, sixteen illicit assets, and disrupt cybercrime networks, international efforts are increasing pressure on cybercriminals. Not only can these actions impede operational capabilities, but they may also serve as a psychological deterrent, preventing emerging gangs from maintaining momentum or evading detection. 

Experts suggest, even in spite of the complexity and evolution of ransomware threats, that efforts by law enforcement agencies, cybersecurity professionals, and private sector stakeholders are beginning to make a meaningful contribution to combating ransomware threats. In spite of the growth of the number of threat groups, it is becoming increasingly difficult for these groups to sustain operations over the long run. 

In the face of the global ransomware threat, there is a cautious but growing sense of optimism, as long as we continue to collaborate and be vigilant. In terms of ransomware activity, there is still a stark imbalance in the distribution of attacks across the globe. The United States remains, by a wide margin, the nation that has been hit the most frequently. 

The 2025 ThreatLabz report from Zscaler indicates that 50 per cent of all ransomware attacks originated from U.S.-based organisations, totalling 3,671 incidents - more than double the total number of attacks reported across the next 14 most targeted countries combined. The United Kingdom and Canada ranked distantly behind the US and Canada, respectively, with only 5 and 4 per cent of global incidents.
This concentration of attacks is a result of the strategic targeting of highly dense, high-value economies by threat actors looking for maximum disruption and financial gain as a result of their actions. In this surge, several prominent ransomware groups were at the forefront, including RansomHub, which had 833 victims publicly identified by the media. 

As an affiliate program and partnership with initial access brokers helped Akira rise to prominence, involving 520 victims, it became a leading ransomware group. A close second was Clop, which had 488 victims, using its proven tactics to leverage vulnerable third-party software, in order to carry out large-scale supply chain attacks using vulnerable third-party software. 

Zscaler identified 34 new ransomware families in the past year, increasing the total number of tracked groups from 425 to 425. There are more than 1,000 ransomware notes available on GitHub, with 73 new samples being added every day within the past year, highlighting the scale of the threat and its persistence. With the increasing threat landscape, Zscaler continues to advance its Zero Trust Exchange framework, powered by artificial intelligence, to combat ransomware at every stage of its lifecycle. 

By replacing legacy perimeter-based security models with this platform, you will be able to minimise attack surfaces, block initial compromises, eliminate lateral movement, and stop data exfiltration that was previously possible. 

As part of Zscaler’s architecture, which is enhanced with artificial intelligence-driven capabilities like breach prediction, phishing and command and control detection, inline sandboxing, segmentation, dynamic policy enforcement, and robust data loss prevention, we can take an active and scalable approach to ransomware mitigation, aligning with the evolving needs of modern cybersecurity. 

Increasingly, ransomware is becoming a systemic risk across digital economies, which makes it essential for enterprises and governments to develop comprehensive, forward-looking cyber defence strategies. As a result of the convergence of industrial digitisation, widespread software vulnerabilities, and the emergence of ransomware-as-a-service (RaaS) models, the global threat landscape is changing in ways that require both public and private sectors to take immediate action. 

The attacks have not only caused immediate financial and operational losses, but they have also now threatened national security, supply chain resilience, and public infrastructure, particularly within high-value, interconnected industries like the energy industry, manufacturing industry, healthcare industry, and technology industry. Leaders in cybersecurity have increasingly advocated for a paradigm shift from reactive control measures to proactive cyber resilience strategies. 

Embedding zero trust principles into organization infrastructure, modernising legacy systems, and investing in artificial intelligence-driven threat detection are some of the steps that are required to achieve this objective, as well as building intelligence-sharing ecosystems between private companies, governments, and law enforcement agencies. 

There is also a constant need to evaluate the role of artificial intelligence in both attack and defence cycles, where defenders have the need to outperform their adversaries by automating, analysing, and enforcing policy in real time. As for the policy level, the increased use of ransomware underscores the need for globally aligned cybersecurity standards and enforcement frameworks. 

Isolated responses cannot be relied upon anymore when transnational threat actors leverage decentralized infrastructure and exploit jurisdictional loopholes in order to exploit them. In order to disrupt the ransomware economy and regain trust in the digital world, a holistic collaboration is essential that involves advanced technologies, legal deterrents, and public awareness.

While there is no indication that ransomware is going away anytime soon, the progress being made in detecting threats, managing vulnerabilities, and coordinating cross-border responses offers a path forward as long as we work together on these improvements. The need to protect digital assets and ensure long-term operational continuity is not just a matter of IT hygiene anymore – it has become a foundational pillar of enterprise risk management, and therefore a crucial component for the management of business continuity in today's environment.
Read more »
Threat actors
Akira Ransomware Cyber Attacks Data Exploit Ransomware Threat actors

Akira Ransomware: The Need for Rapid Response

Akira Ransomware: The Need for Rapid Response

Threat actors wielding the Akira ransomware demonstrated unprecedented efficiency in a recent cyber attack that sent shockwaves through the cybersecurity community. 

Their lightning-fast data exfiltration took just over two hours, representing a dramatic shift in the average time it takes a cybercriminal to go from first access to information exfiltration and leaving organizations scrambling to respond. Let’s delve into the details of this alarming incident.

Attack Overview

The victim in this case was a Latin American airline. The attackers exploited a vulnerability in their infrastructure, emphasizing the importance of robust security measures for critical industries. They gained entry through an unpatched Veeam backup server, leveraging the Secure Shell (SSH) protocol. Veeam servers are attractive targets due to their tendency to store sensitive data and credentials.

The BlackBerry Threat Research and Intelligence Team has revealed a summary of a June Akira ransomware assault against a Latin American airline. According to BlackBerry's anatomy of the attack, the threat actor acquired first access via an unpatched Veeam backup server and promptly began stealing data before installing the Akira ransomware the next day.

Swift Data Exfiltration

Within a remarkably short timeframe, the threat actors exfiltrated data from the Veeam backup folder. This included documents, images, and spreadsheets. The speed of their operation highlights the need for proactive security practices.

The Culprit: Storm-1567

Storm-1567, a notorious user of the Akira ransomware-as-a-service (RaaS) platform, is the likely perpetrator. Known for double-extortion tactics, Storm-1567 has targeted over 250 organizations globally since emerging in March 2023.

Technical Insights

1. Legitimate Tools and Utilities

The attackers demonstrated technical prowess by using legitimate tools and utilities during the attack. These tools allowed them to:

  • Conduct reconnaissance to identify valuable data.
  • Establish persistence within the compromised network.
  • Efficiently exfiltrate sensitive information.
2. Escalation from Initial Access to Data Theft

Storm-1567’s ability to escalate from initial access to data theft in such a short span underscores their expertise. Organizations must prioritize timely patching and secure backup systems to prevent similar incidents.

Key Takeaways

Patch Promptly 

Regularly update and patch all software, especially critical components like backup servers. Vulnerabilities left unaddressed can lead to devastating consequences.

Backup Security Matters

Secure backup systems are essential. They often contain critical data and serve as gateways for attackers. Implement access controls, monitor for suspicious activity, and encrypt backups.

Threat Intelligence and Vigilance

Stay informed about emerging threats and threat actors. Vigilance and proactive defense are crucial in the ever-evolving landscape of cyber threats.


Read more »
Vulnerabilities and Exploits
Data Breaches Data Exploit data security File Transfer Tool MOVEit Remote Workers Vulnerabilities and Exploits

Fresh MOVEit Vulnerability Under Active Exploitation: Urgent Updates Needed

 

A newly discovered vulnerability in MOVEit, a popular file transfer tool, is currently under active exploitation, posing serious threats to remote workforces. 

This exploitation highlights the urgent need for organizations to apply patches and updates to safeguard their systems. The vulnerability, identified by Progress, allows attackers to infiltrate MOVEit installations, potentially leading to data breaches and other cyber threats. MOVEit users are strongly advised to update their systems immediately to mitigate these risks. Failure to do so could result in significant data loss and compromised security. Remote workforces are particularly vulnerable due to the decentralized nature of their operations. The exploitation of this bug underscores the critical importance of maintaining robust cybersecurity practices and staying vigilant against emerging threats. 

Organizations should ensure that all systems are up-to-date and continuously monitored for any signs of compromise. In addition to applying patches, cybersecurity experts recommend implementing multi-layered security measures, including firewalls, intrusion detection systems, and regular security audits. Educating employees about the risks and signs of cyber threats is also essential in maintaining a secure remote working environment. The discovery of this MOVEit vulnerability serves as a reminder of the ever-evolving landscape of cybersecurity threats. 

As attackers become more sophisticated, organizations must prioritize proactive measures to protect their data and operations. Regularly updating software, conducting security assessments, and fostering a culture of cybersecurity awareness are key strategies in mitigating the risks associated with such vulnerabilities. 

Organizations must act swiftly to update their systems and implement comprehensive security measures to protect against potential cyberattacks. By staying informed and proactive, businesses can safeguard their remote workforces and ensure the security of their sensitive data.
Read more »
ransomware attacks
Cyber Attacks Data Exploit data security LEHB Ransomware ransomware attacks

US Health Provider LEHB Hit by Ransomware Attack, Network Compromised

Law Enforcement Health Benefits (LEHB), health and welfare funds for Philadelphia police offers, sheriffs, and county detectives, disclosed that the company was hit by a ransomware attack in 2021. "The Conti ransomware group has been responsible for a large number of these incidents, successfully attacking at least 16 US healthcare organizations and first responder networks during the year – as well as Ireland’s Health Service Executive and Department of Health," writes The Daily Swig. 

According to LEHB, attackers started coding files stored in the company network on 14 September 2021. An inquiry into the issue revealed that on Friday 25th, 'few affected files' containing members' data might have been excluded from the network by threat actors. Suspicious access to the US Department of Health and Human Services (HSS) breach portal hints that more than 85,000 users from LEHB may have been impacted by the incident. The compromised data includes names, DoBs, Social Security numbers, driving license info, bank account numbers, and health information. 

However, every LEHB member wasn't affected, and the data elements mentioned above were also not the same for every member. LEHB denies any case of identity theft or abuse of compromised data from the ransomware hit. However, the incident impacted members and offered credit monitoring services to those whose Social Security numbers might have been used. The health plan provider suggests its members set up 'fraud alerts' and security freezes on credit files, and ask for a free credit report. 

Cyber attack incidents are getting sophisticated as each day passes, resulting in LEHB implementing extra precautionary steps to protect its network and enhance internal procedures to detect and mitigate future cybersecurity threats. LEHB is assessing and updating its company policies and procedures to reduce the chances of ransomware incidents in the future. 

The Daily Swig reports "the healthcare sector has been particularly hard hit by ransomware since the start of the Covid-19 pandemic, with the FBI’s 2021 Internet Crime Report revealing earlier this month that of all critical infrastructure sectors, it was healthcare that faced the most ransomware attacks last year."

Read more »
Subscribe to: Posts (Atom)