Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Extortion. Show all posts
Ransomware
Akira Attack Breach Cloud Cybersecurity Data Encryption Extortion FBI Hitachi malware Ransomware

Hitachi Vantara Takes Servers Offline Following Akira Ransomware Attack

 

Hitachi Vantara, a subsidiary of Japan's Hitachi conglomerate, temporarily shut down several servers over the weekend after falling victim to a ransomware incident attributed to the Akira group.

The company, known for offering data infrastructure, cloud operations, and cyber resilience solutions, serves government agencies and major global enterprises like BMW, Telefónica, T-Mobile, and China Telecom.

In a statement to BleepingComputer, Hitachi Vantara confirmed the cyberattack and revealed it had brought in external cybersecurity specialists to assess the situation. The company is now working to restore all affected systems.

“On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer.

"Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident.

We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."

Although the company has not officially attributed the breach to any specific threat actor, BleepingComputer reports that sources have linked the attack to the Akira ransomware operation. Insiders allege that the attackers exfiltrated sensitive data and left ransom notes on infiltrated systems.

While cloud services remained unaffected, sources noted that internal platforms at Hitachi Vantara and its manufacturing arm experienced disruption. Despite these outages, clients operating self-hosted systems are still able to access their data.

A separate source confirmed that several government-led initiatives have also been impacted by the cyberattack.

Akira ransomware first appeared in March 2023 and swiftly became notorious for targeting a wide range of sectors worldwide. Since its emergence, the group has reportedly compromised more than 300 organizations, including high-profile names like Stanford University and Nissan (in Oceania and Australia).

The FBI estimates that Akira collected over $42 million in ransom payments by April 2024 after infiltrating over 250 organizations. According to chat logs reviewed by BleepingComputer, the gang typically demands between $200,000 and several million dollars, depending on the scale and sensitivity of the targeted entity.

Keywords: ransomware, cybersecurity, Hitachi, Akira, cloud, breach, data, FBI, malware, attack, encryption, extortion, hacking, disruption, recovery, infrastructure, digital, protection
Read more »
Rhysida ransomware gang
Data Breach Data Leak Extortion Ransomware attack Ransomware group Ransomwares Rhysida Rhysida Ransomware Rhysida ransomware gang

Rhysida Ransomware Group Leaks 1.3M Files Stolen from Oregon DEQ After Failed Extortion Attempt

 

A major ransomware breach has rocked the Oregon Department of Environmental Quality (DEQ), with over 1.3 million files—amounting to 2.4 terabytes—dumped online by the cybercriminal group Rhysida. The stolen data, now circulating on the dark web, reportedly includes confidential information linked to DEQ employees. Whether personal data of Oregon residents outside the agency was compromised remains unconfirmed. DEQ first disclosed system disruptions on April 9, attributing them to a suspected cyberattack. 

The agency, responsible for regulating pollution, waste, air quality, and smog checks for vehicle registrations, had to suspend several core services as a result. An investigation into the breach is underway, but DEQ has not officially confirmed the volume or content of the compromised data. However, Rhysida’s own dark web site claimed responsibility, stating that it attempted to contact DEQ but was ignored. The group then released the data publicly, writing: “They think their data hasn’t been stolen. They’re sorely mistaken.” Before the leak, the group had placed a $2.5 million price tag—30 Bitcoins—on the files, offering them at auction to the highest bidder. 

By April 24, some of the stolen content had reportedly been sold, while the remaining files were made freely available for download. The breach has had serious operational consequences. For nearly a week following the attack, DEQ employees were locked out of their internal systems and email. Emails sent between April 9 and 11 were lost entirely. Vehicle emissions testing—a requirement for registrations in parts of Oregon—was halted across all non-DEQ testing locations, though some services resumed at DEQ-owned facilities on April 14. In a statement issued April 19, DEQ confirmed that employees were gradually regaining access to their work devices, moving from phones back to laptops. 

Despite the cyber disruption, spokesperson Lauren Wirtis said DEQ’s mission-critical services via its online platform DEQ Online remained operational and unaffected. Rhysida, an increasingly active ransomware gang, has previously attacked global organizations including the British Library, Chilean Army, and the Port of Seattle. Their tactics typically include data theft, extortion, and high-pressure ransom demands. 

Oregon’s Enterprise Information Services is leading the forensic investigation, alongside efforts to strengthen state cybersecurity systems. As of April 26, DEQ clarified that no ransom negotiations had occurred, and the timeline for completing the investigation remains uncertain.
Read more »
sensitive user information
Data Breach Data Safety User Data data security Extortion GitLab Sensitive Information sensitive user information

Europcar GitLab Breach Exposes Sensitive User Data and Configuration Files

 

A cybersecurity breach allegedly targeting Europcar has brought attention to vulnerabilities in corporate development platforms. A threat actor operating under the alias “Europcar” recently claimed on an underground forum that they had gained unauthorized access to the car rental giant’s GitLab repository, leading to the extraction of thousands of sensitive files. The attacker reportedly obtained over 9,000 SQL files and at least 269 .ENV files, which are commonly used to store application configuration settings, API keys, and other sensitive operational data. 

The scale of the breach raised concerns about the potential exposure of customer and internal company information. Europcar later confirmed the breach to BleepingComputer, clarifying that only a limited portion of its GitLab repository was compromised, and not the entire system as initially claimed. The company stated it is currently assessing the scope of the intrusion and is in the process of notifying affected users. Initial findings suggest that customer names and email addresses from affiliated brands such as Goldcar and Ubeeqo, generated between 2017 and 2020, may have been exposed. Importantly, payment data was not compromised in this incident. 

The Europcar data breach is believed to have been part of an extortion attempt, although it remains unclear whether any ransom was paid. The method used to access Europcar’s GitLab remains under investigation, but cybersecurity experts suspect phishing or infostealer malware as the most likely attack vectors. Credential theft through malware or social engineering continues to be a leading cause of repository leaks across industries.  

GitLab, a widely used platform for code collaboration and storage, is frequently targeted by cybercriminals. Attackers often exploit its popularity by spoofing repositories or distributing malicious packages. Developers are advised to exercise caution by verifying repository sources, reading user feedback, and implementing multi-layered security protocols. The GitLab repository leak highlights the broader issue of digital supply chain vulnerabilities. 

When attackers gain access to development environments, the consequences can include compromised applications, internal data leaks, and reputational damage. This incident reinforces the importance of robust cybersecurity hygiene, particularly for companies managing user-sensitive platforms. As Europcar continues to investigate the breach and tighten security protocols, the incident serves as another reminder of the growing sophistication of cyberattacks and the urgent need for proactive security measures.
Read more »
RIBridges
brain cipher Data Breach Extortion Rhode Island RIBridges

RIBridges Data Breach: Sensitive Information of Rhode Islanders Exposed

 



The RIBridges system, a very important tool for Rhode Island's social services, has become the latest victim of a ransomware attack, resulting in the leak of personal data belonging to hundreds of thousands of residents. This breach, orchestrated by the Brain Cipher ransomware group, has raised serious concerns about the security of systems handling sensitive information.


What is RIBridges?

RIBridges is the vital system for Rhode Island that runs social support programs, such as access to health care, food assistance, childcare, and more. Much of the private data in this compromise was made vulnerable to exploitation.  


Timeline of the Incident

1. First Warning: On December 5, Deloitte, the vendor responsible for RIBridges, warned Rhode Island officials that there may have been a security breach. 

2. Confirmation of Breach: By December 10, it was confirmed that hackers had indeed accessed the system. The hackers even published screenshots of the stolen file directories on Deloitte's screen.

3. Action Taken: Confirmation of presence of harmful code led to system shut down to minimize damage, and this occurred on December 13. 

 

What Data Was Leaked?

Last week, a group known as Brain Cipher began to leak their stolen files on the dark web. It claims to have included names, addresses, birth dates, Social Security numbers, and banking details of people. The list contained both adults and minors. Other reports also suggest that some file folders contained database backups and system archives. 


Implications for Rhode Island Residents

This breach has potentially exposed around 650,000 individuals to identity theft and fraud. Governor Dan McKee has advised residents to take immediate steps to protect their data. This includes freezing credit reports, monitoring accounts for unusual activity, and staying cautious of phishing attempts that may exploit the stolen information.  

The Brain Cipher ransomware group, operating since mid-2024, is known to use advanced encryption tools and a data leak website to extort victims. Its operations were first brought to public attention after attacking Indonesia's temporary National Data Center. In that attack, it used a modified version of a leaked codebase for an encryptor to breach RIBridges.

Although the data leak site from the gang remains inaccessible, reportedly as a result of a distributed denial-of-service attack, their negotiation page on Tor remains active. It appears they are still pushing the victims or perhaps even looking for further extortions.  


What's Being Done?

The IT teams in state work to comprehend the full effect of the breach and to secure the system. Residents are advised to stay vigilant and to take proactive steps to prevent these risks caused by the leakage of such data. This attack calls out the increased risk of ransomware and an increased need for cybersecurity measures in securing crucial public systems and sensitive information on individuals.




Read more »
Victim
Cyber Security Cybersecurity Data Breach Encryption Extortion Healthcare HHS Ransomware Ransomware attack Trinity Victim

New Trinity Ransomware Strain Targets U.S. Healthcare, Federal Officials Warn

 

A new ransomware strain, known as Trinity, has reportedly compromised at least one healthcare organization in the U.S., according to a recent report from federal authorities.

The U.S. Department of Health and Human Services (HHS) issued a warning on Friday, alerting hospitals about the serious threat posed by the ransomware group. They highlighted that Trinity’s methods make it a "notable risk" to both the U.S. healthcare and public health sectors.

HHS's Health Sector Cybersecurity Coordination Center confirmed that one U.S. healthcare entity has recently fallen victim to the Trinity ransomware, which was first detected around May 2024.

To date, seven victims of Trinity ransomware have been identified, including two healthcare providers—one in the U.K. and another in the U.S. The latter, a gastroenterology services provider, lost 330 GB of data. While the facility remains unnamed, it has been listed on Trinity’s data leak site and is currently facing technical disruptions, including limited phone access.

Additionally, researchers have found another case involving a dental group based in New Jersey.

HHS noted similarities between Trinity and two other ransomware groups—2023Lock and Venus—hinting at potential collaboration between these cybercriminals.

Trinity ransomware mirrors other known operations by exploiting common vulnerabilities to extract data and extort victims.

After installation, the ransomware gathers system information, such as available processors and drives, to escalate its attack. Operators then scan for weaknesses to spread the ransomware within the network.

The files encrypted by the attack are marked with the “trinitylock” extension, and victims receive a ransom note demanding payment within 24 hours, with threats of data exposure if they fail to comply.

At present, there is no available decryption tool for Trinity, leaving victims with few options, according to the HHS advisory.

The attackers operate two websites: one to assist those who pay the ransom with decryption, and another that displays stolen data to extort victims further.

Federal officials have discovered code similarities between the Trinity and Venus ransomware strains, noting identical encryption methods and naming schemes, which suggest a close link between them. Trinity also shares features with 2023Lock, including identical ransom notes and code, implying it could be an updated variant.

Cybersecurity researchers have also pointed out that Trinity may be a rebranded version of both Venus and 2023Lock. According to Allan Liska of Recorded Future, Trinity is "not a highly advanced strain of ransomware," and the attackers do not appear particularly sophisticated.

HHS emphasized that the potential collaboration between these threat actors could enhance the complexity and impact of future ransomware attacks.

Previous HHS warnings have covered other ransomware groups such as Royal, Cuba, Venus, Lorenz, and Hive.

Despite heightened law enforcement efforts, ransomware attacks persist, with operations continuing to generate significant revenue—approximately $450 million in the first half of 2024 alone.

The healthcare sector has been particularly affected by these attacks, causing severe disruptions. Just last week, a Texas hospital, the only level 1 trauma center in a 400-mile radius, had to reduce services and turn away ambulances due to a ransomware incident.

As of Friday, the hospital reported restored phone services, with only a limited number of ambulances being redirected to other facilities.
Read more »
Threat Landscape
Cyber Crime Data Leak Extortion Ransomware Threat Landscape

BlackByte Ransomware Outfit is Targeting More Orgs Than Previously Known

 

Researchers from Cisco have discovered that the BlackByte ransomware group is only disclosing a small portion of its successful attacks on its leak site this year. Talos, the company's cybersecurity department, believes the gang is creating extortion posts for only 20% to 30% of its successful attacks. 

The study of the ransomware outfit's leak site shows it posted 41 victims in 2023 but only three so far in 2024. BlackByte has been extremely active this year, but it's unclear why the group hasn't posted any further leaks. 

BlackByte has carried out high-profile assaults on local governments in Newburgh, New York, and Augusta, Georgia, as well as organisations such as the San Francisco 49ers and Yamaha. 

Researchers from Cisco Talos claimed that their involvement in a number of recent incident response investigations showed how quickly the organisation is evolving and how often it leads the way in exploiting vulnerabilities such as CVE-2024-37085, an ESXi software problem that Microsoft brought to light last month.

“Talos IR observed the threat actor leveraging this vulnerability, which initially received limited attention from the security community, within days of its publication,” the researchers stated. “This highlights the speed with which ransomware groups like BlackByte can adapt their [tactics, techniques and procedures] to incorporate newly disclosed vulnerabilities, and the level of time and effort put into identifying potential avenues for advancing an attack.” 

The analysts believe the ransomware-as-a-service (RaaS) gang is an offshoot of the now-defunct Conti operation, which appeared in late 2021. According to Cisco Talos, BlackByte has a history of searching for and exploiting public-facing vulnerabilities. However, the RaaS model's flexibility "allows threat actors to quickly counter new defensive strategies developed by cybersecurity experts by iterating and updating its tooling.” 

Callie Guenther, a Critical Start cyberthreat researcher, stated that the exploitation of CVE-2024-37085 was notable since it targeted VMware ESXi hypervisors, which allow servers to operate many virtual machines and efficiently distribute computing resources. The focus on ESXi hypervisors by Ransomware outfits such as BlackByte is especially troubling because the technology is often vital for firms' IT infrastructure and critical business applications.

“The adoption of the CVE-2024-37085 vulnerability by BlackByte signals an understanding of the value in targeting these systems, as they offer a high return on investment for the attackers in terms of potential ransom payouts,” she added.
Read more »
SIM card cloning
BSNL data breach cyberattack on BSNL dark web forum Data Breach Extortion Identity Theft kiberphant0m sensitive user information SIM card cloning

BSNL Reportedly Suffers Major Data Breach: Sensitive User Information at Risk

 

Bharat Sanchar Nigam Limited (BSNL) has reportedly experienced a significant data breach, with the responsible threat actor claiming to have acquired sensitive user and operational data. The government-owned telecom provider's servers were attacked, resulting in the hackers obtaining SIM card details, home location register data, and critical security keys. This stolen data could potentially be used for criminal activities such as SIM card cloning, identity theft, and extortion.

According to a report by digital risk management firm Athenian Tech, cited by News18, the cyberattack was carried out by a threat actor using the dark web forum username “kiberphant0m”. It remains unclear if the attack was executed by an individual or a group of hackers.

The report states that approximately 278GB of data from BSNL's telecom operations was compromised. This data includes not only user information but also server snapshots that could be exploited for further attacks, posing severe security risks. The threat actor claims to have obtained critical details such as International Mobile Subscriber Identity (IMSI) numbers, SIM card details, PIN codes, authentication keys, and snapshots of BSNL's SOLARIS servers.

The hacker has reportedly offered the stolen data for sale at $5,000 (roughly Rs. 4.18 lakh). Discussions on the dark web forum suggest potential misuse of the data for activities like SIM cloning, identity theft, and extortion.

Kanishk Gaur, CEO of Athenian Tech, explained that while the specific vulnerabilities exploited by “kiberphant0m” are not publicly disclosed, access to critical systems such as the Home Location Register (HLR) and SOLARIS server snapshots indicates a deep penetration. This likely involved exploiting software vulnerabilities or sophisticated social engineering techniques. The server snapshots suggest possible exploitation of known vulnerabilities within BSNL's server infrastructure, highlighting the need for rigorous patch management and security updates.

The alleged data breach poses a serious threat to millions of BSNL users whose sensitive information may have been compromised. Notably, BSNL experienced a similar data breach in December 2023. Gadgets 360 has reached out to BSNL for a comment and will update the story once a response is received.
Read more »
Online fraud
Bengaluru Cyber bullying Cyber Crime Extortion Goa Online fraud

Bengaluru Man Arrested for Exploiting Woman in Online Interview

 



Panaji: In a disturbing cybercrime case, the Goa Cyber Crime Police arrested a Bengaluru resident, Mohan Raj V, for allegedly cyberbullying and extorting a woman from Goa. The arrest was made on Saturday after a strategic operation by the police team.

The case began when the victim, a woman from Goa, filed a complaint with the cyber crime police. She reported that the accused had posted a fake job advertisement for a position at a foreign bank. Responding to the advertisement, the woman was contacted via a chatting app by the accused, who arranged an online interview. During the video call, individuals posing as company representatives coerced the woman into undressing. They recorded the video and took screenshots, which were later used to blackmail her.

According to the complaint, the accused demanded sexual favours in exchange for deleting the compromising material. Over the past two months, he persistently harassed the woman, threatening to make the videos and pictures public if she did not comply. He also demanded that she meet him in Bengaluru.

Following the complaint, the police, led by Superintendent of Police Rahul Gupta, devised a plan to apprehend the accused. A team, including the victim, travelled to Bengaluru and laid a trap. After extensive efforts and a lengthy chase, the accused was caught when he arrived to meet the victim. The police recovered the chats and videos from the accused's phone, which will be sent for a cyber forensic examination.

The investigation revealed that Mohan Raj V used VPN phone numbers to create fake Telegram accounts and post fraudulent job offers. He targeted women by promising high salary packages and conducting fake online interviews.

The accused has confessed to his crimes and has been booked under several sections of the Indian Penal Code, including section 354A (sexual harassment), section 384 (extortion), and relevant provisions of the Information Technology Act. The case is being further investigated by Police Inspector Deepak Pednekar.

SP Rahul Gupta urged the public to verify the authenticity of online job offers through local or cyber police stations before engaging with them. He also cautioned against complying with unethical online demands, no matter the promised benefits.

This case highlights the growing menace of cybercrime and the importance of vigilance in online interactions. The Goa Cyber Crime Police's successful operation furthers the cause for robust cyber security measures and public awareness to prevent such incidents.



Read more »
Subscribe to: Posts (Atom)