
Global Ransomware Groups Hit Record High as Smaller Threat Actors Emerge


The number of active ransomware groups has reached an unprecedented high, marking a new phase in the global cyber threat landscape. According to GuidePoint Security’s latest Ransomware & Cyber Threat Report, the total number of active groups surged 57%, climbing from 49 in the third quarter of 2024 to an all-time peak of 77. Despite this sharp rise, the number of victims has remained consistent, averaging between 1,500 and 1,600 per quarter since late last year. 

The United States continues to bear the brunt of these attacks, accounting for 56% of all reported victims. Germany and the United Kingdom followed distantly at 5% and 4%, respectively. Manufacturing, technology, and the legal sectors were among the hardest hit, with the manufacturing industry alone reporting 252 publicly claimed attacks in the second quarter—a 26% increase from the previous quarter. 

GuidePoint’s senior threat intelligence analyst, Nick Hyatt, noted that while the overall ransomware volume has stabilized, the number of distinct groups is soaring. He explained that this growth reflects both the consolidation of experienced threat actors under major ransomware-as-a-service (RaaS) platforms and the influx of newer, less skilled operators trying to gain traction in the ecosystem. 

Among the most active groups, Qilin led with a dramatic 318% year-over-year surge, claiming 234 victims this quarter. Akira followed with 130 victims, while IncRansom—first detected in August 2023—emerged as the third most active group after a sharp increase in attacks. Another rising player, SafePay, has steadily expanded its operations since its appearance in late 2024, now linked to 258 victims across 29 industries and 30 countries in 2025 alone. 

GuidePoint’s researchers also observed a growing number of unclaimed or unattributed ransomware attacks, suggesting that many threat actors are either newly formed or deliberately avoiding public identification. This trend points to an increasingly fragmented and unpredictable ransomware environment. 

While the stabilization in overall attack numbers might appear reassuring, experts warn against complacency. The rapid diversification of ransomware groups and the proliferation of smaller, anonymous actors underline the evolving sophistication of cybercrime. As Hyatt emphasized, this “new normal” reflects a sustained, adaptive threat landscape that demands continuous vigilance, proactive defense strategies, and cross-industry collaboration to mitigate future risks.

Hackers Bypassed Microsoft Defender to Deploy Ransomware on PCs


GuidePoint Security's latest report reveals a sophisticated Akira ransomware campaign exploiting SonicWall VPNs through the strategic use of malicious Windows drivers. The campaign, which began in late July 2025, represents a significant escalation in the group's tactics for evading security controls. 

From late July through early August 2025, multiple security vendors reported a surge in Akira ransomware deployments following SonicWall VPN exploitation. While the underlying cause remains disputed—potentially involving a zero-day vulnerability—SonicWall has acknowledged the activity but hasn't disclosed specific vulnerability details. 

Key technical findings 

GuidePoint's incident response teams identified two drivers consistently used by Akira affiliates in a Bring Your Own Vulnerable Driver (BYOVD) attack chain: 

Primary Driver - rwdrv.sys: This legitimate driver from ThrottleStop, a Windows performance monitoring utility for Intel CPUs, is being weaponized by attackers. Once registered as a service, it provides kernel-level access to compromised systems, essentially giving attackers the highest privileges possible on Windows machines. 

Secondary Driver - hlpdrv.sys: This malicious driver specifically targets Windows Defender by modifying the DisableAntiSpyware registry settings through automated registry edits. The driver's hash has been identified in commercial malware repositories. 

The researchers suspect the legitimate rwdrv.sys driver enables execution of the malicious hlpdrv.sys driver, though the exact mechanism remains unclear. 

Detection and response

GuidePoint has developed a comprehensive YARA rule to detect the malicious hlpdrv.sys driver based on its PE structure, imports, and associated strings. The rule validates specific characteristics including section layouts, import functions from ntoskrnl.exe, and unique artifact strings.

The report provides critical Indicators of Compromise (IOCs), including file paths typically found under Users\[REDACTED]\AppData\Local\Temp\ and service registrations under the names "mgdsrv" and "KMHLPSVC". 
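As an added illustration of the log review the report recommends (this is not GuidePoint's YARA rule or tooling), the Python script below runs the report's indicators (the two service names, the two driver file names, the user Temp drop location and the DisableAntiSpyware registry value) over constructed sample lines in an assumed key=value export format. The Temp-path rule is a heuristic that generalises beyond the two named drivers: any kernel driver registered from a user's Temp directory is flagged.

```python
import re

# Indicators as summarised in the report above (service names, driver file names,
# the Temp drop location and the Defender registry value). Not GuidePoint's YARA rule.
IOC_SERVICE_NAMES = {"mgdsrv", "kmhlpsvc"}
IOC_DRIVER_FILES = {"rwdrv.sys", "hlpdrv.sys"}
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines in a simplified key=value export format (assumed, not a real tool's output):
# 7045 = System log "new service installed", 13 = Sysmon "registry value set".
SAMPLE_LOG = [
    'EventID=7045 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe" ServiceType="user mode service"',
    'EventID=7045 ServiceName=mgdsrv ImagePath="C:\\Users\\REDACTED\\AppData\\Local\\Temp\\rwdrv.sys" ServiceType="kernel mode driver"',
    'EventID=7045 ServiceName=KMHLPSVC ImagePath="C:\\Users\\REDACTED\\AppData\\Local\\Temp\\hlpdrv.sys" ServiceType="kernel mode driver"',
    'EventID=7045 ServiceName=upd3 ImagePath="C:\\Users\\REDACTED\\AppData\\Local\\Temp\\x.sys" ServiceType="kernel mode driver"',
    'EventID=13 TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" Details="DWORD (0x00000001)"',
]

def parse(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {k: q or u for k, q, u in KV_RE.findall(line)}

def classify(ev):
    """Return (severity, reason) for a parsed event, or None when nothing matches."""
    if ev.get("EventID") == "7045":
        name = ev.get("ServiceName", "").lower()
        image = ev.get("ImagePath", "")
        base = image.rsplit("\\", 1)[-1].lower()
        if name in IOC_SERVICE_NAMES or base in IOC_DRIVER_FILES:
            return "high", f"known Akira BYOVD indicator: service={name} image={base}"
        # Heuristic that generalises beyond the two named drivers: a kernel driver
        # registered from a user's Temp directory is abnormal on its own.
        if "kernel" in ev.get("ServiceType", "").lower() and USER_TEMP_RE.search(image):
            return "medium", f"kernel driver registered from a user Temp directory: {image}"
    elif ev.get("EventID") == "13":
        target = ev.get("TargetObject", "")
        disabled = not ev.get("Details", "").endswith("0x00000000)")
        if target.lower().endswith("\\disableantispyware") and disabled:
            return "high", f"Defender tampering, DisableAntiSpyware set: {target}"
    return None

def hunt(lines):
    """Return [(line_no, severity, reason)] for every line that matches."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := classify(parse(line)))]

if __name__ == "__main__":
    for n, sev, why in hunt(SAMPLE_LOG):
        print(f"line {n} [{sev}] {why}")
```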

Mitigation tips 

SonicWall has issued specific hardening recommendations for organizations using their VPN solutions: 

  • Disable SSLVPN services where operationally feasible.
  • Restrict SSLVPN connectivity to trusted source IP addresses only. 
  • Enable comprehensive security features including Botnet protection and Geo-IP filtering.
  • Enforce multi-factor authentication (MFA) for all VPN access.
  • Remove unused accounts and maintain strict password hygiene practices. 

This campaign highlights Akira's evolution toward more sophisticated anti-detection techniques, moving beyond simple encryption to actively disabling endpoint security solutions. The consistent use of these drivers across multiple incident response cases makes them high-fidelity indicators for both proactive threat hunting and forensic analysis. 

The report emphasizes that defenders should prioritize log review and YARA rule deployment to identify pre-ransomware activity, potentially enabling intervention before full system compromise occurs.