Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label RaaS. Show all posts
Ransomware
Businesses Cyber Attacks nord stellar RaaS Ransomware

Ransomware Attacks Surge in 2025, With Smaller Businesses and Manufacturers Most Affected

 



Ransomware threats are rising fast in 2025, with the first half of the year already showing a sharp increase in attacks. New research shows that U.S.-based companies, small and medium-sized businesses, and firms in the manufacturing sector are currently among the top targets for these cybercriminal campaigns.

Between January and June this year, nearly 4,200 ransomware incidents were made public on the dark web. That’s a 49% jump compared to the same time period in 2024, according to recent findings by cybersecurity firm NordStellar.

Experts suggest that several factors may be driving this rise. These include the growing use of Ransomware-as-a-Service (RaaS) — a model where criminal groups rent out ransomware tools to others, as well as challenges related to remote or hybrid working setups. Additionally, ongoing economic struggles may be pushing more individuals toward illegal activities, including cybercrime.

In terms of geography, the United States experienced the highest number of attacks, with 596 cases. This accounted for nearly half of all reported incidents worldwide. Other affected countries included Germany (84 cases), Canada (74), the UK (40), and Spain (37). Analysts believe that U.S. companies are often targeted because of their size, visibility, and the potential financial damage of a public attack. These businesses are more likely to pay the ransom quickly to avoid reputational harm.

Tight regulations around data privacy and system availability may also push organizations to resolve incidents faster, especially if they fear penalties or losing client trust.

The manufacturing sector was hit particularly hard, with 223 reported cases. Construction (97 incidents) and the IT industry (88) followed close behind. Experts point out that many of these organizations rely on older systems that lack regular updates, and they often operate in multiple locations, making cybersecurity harder to manage across the board.

Small to mid-sized firms, especially those with 51 to 200 employees and annual revenue between $5 million and $25 million, faced the most ransomware attempts. Researchers say this may be because these companies often depend on third-party IT providers and don’t always have strong internal security policies.

As for which ransomware gangs are most active in 2025, the group known as Qilin leads with 214 reported attacks. SafePay, allegedly linked to a recent incident involving a global tech distributor, followed with 201 cases, and Akira came in third with 200.

Cybersecurity professionals continue to emphasize basic but crucial practices: employee training on phishing threats, use of multi-factor authentication, and better password protection. Beyond that, building a full-scale cybersecurity plan is key to identifying and stopping threats early, before they cause widespread damage.

Read more »
Ransomware
AI Data data security Internet Privacy RaaS Ransomware

Cybercrime Gang Hunters International Shuts Down, Returns Stolen Data as Goodwill

Cybercrime Gang Hunters International Shuts Down, Returns Stolen Data as Goodwill

Cybercrime gang to return stolen data

The Hunters International Ransomware-as-a-Service (RaaS) operation has recently announced that it is shutting down its operation and will provide free decryptors to help targets recover their data without paying a ransom. 

"After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with," the cybercrime gang said. 

Hunter International claims goodwill

As a goodwill gesture to victims affected by the gang’s previous operations, it is helping them recover data without requiring them to pay ransoms. The gang has also removed all entries from the extortion portal and stated that organizations whose systems were encrypted in the Hunters International ransomware attacks can request assistance and recovery guidance on the group’s official website.

Gang rebranding?

The gang has not explained the “recent developments” it referred to, the recent announcement comes after a November 17 statement announcing Hunters International will soon close down due to strict law enforcement actions and financial losses. 

In April, Group-IB researchers said the group was rebranding with the aim to focus on extortion-only and data theft attacks and launched “World Leaks”- a new extortion-only operation. Group-IB said that “unlike Hunters International, which combined encryption with extortion, World Leaks operates as an extortion-only group using a custom-built exfiltration tool. The new tool looks like an advanced version of the Storage Software exfiltration tool used by Hunter International’s ransomware associates.

The emergence of Hunter International

Hunter International surfaced in 2023, and cybersecurity experts flagged it as a rebrand of as it showed code similarities. The ransomware gang targeted Linux, ESXi (VMware servers), Windows, FreeBSD, and SunOS. In the past two years, Hunter International has attacked businesses of all sizes, demanding ransom up to millions of dollars. 

The gang was responsible for around 300 operations globally. Some famous victims include the U.S Marshals Service, Tata Technologies, Japanese optics mammoth Hoya, U.S Navy contractor Austal USA, Oklahoma’s largest not-for-profit healthcare Integris Health, AutoCanada, and a North American automobile dealership. Last year, Hunter International attacked the Fred Hutch Cancer Center and blackmailed to leak stolen data of more than 800,000 cancer patients if ransom was not paid.

Read more »
VPN
At-Bay Cyber Security CyberCrime Cyberhackers CyberThreat Digital Threat RaaS Ransomware remote access VPN

Increasing Exploitation of Remote Access Tools Highlights Ransomware Risks

 


Among the latest findings from cybersecurity insurance provider At-Bay, ransomware incidents witnessed a significant resurgence in 2024, with both the frequency and the severity of these attacks escalating significantly. Based on the firm's 2025 InsurSec Report, ransomware activity rose 20 percent from the previous year, returning to the high level of threat that had been experienced in 2021, when ransomware activity soared to 20 per cent. 

There is an overwhelmingly large number of remote access tools and virtual private networks (VPNS) that have been exploited as entry points for these attacks, according to the report. In particular, mid-market organisations, particularly those with annual revenues between $25 million and $100 million, have been severely hit by this surge, with targeted incidents on the rise by 46 per cent. As a result of the At-Bay claims data, it is apparent that the severity of ransomware breaches has increased by 13 per cent year over year, highlighting how sophisticated and financially destructive these threats are becoming. 

It was also found that attacks originating from third parties, such as vendors and service providers, have increased by 43 per cent, compounding the risk. It is also important to note that the economic toll of these supply chain-related incidents increased by 72 per cent on average, which increased the overall cost associated with them. This study highlights the need to reassess the cybersecurity postures of businesses, especially those that are reliant on remote access infrastructure, as well as strengthen defences across the entire digital ecosystem. 

A study published by At-Bay highlights the widespread misuse of conventional cybersecurity tools, particularly those intended to enhance remote connectivity, as well as the deterioration of the effectiveness of traditional cybersecurity tools. Virtual private networks (VPNS) and remote access software, which are frequently deployed to ensure secure access to internal systems from off-site, are increasingly being repurposed as a gateway for malicious activities. 

As a matter of fact, At-Bay’s analysis illustrates a concerning trend that threatens the flexibility of work environments. Threat actors are frequently exploiting these same tools to get access to corporate networks, extract sensitive data, and carry out disruptive operations. Due to their visibility on the public internet, cybercriminals are actively searching for potential vulnerabilities in these systems to attack them. 

The Remote Access Tools are essentially a front door that provides access to your company's network and can typically be viewed by the general public. For that reason, remote access tools are prone to being attacked by attackers, according to Adam Tyra, Chief Information Security Officer for At-Bay's customer service department. In addition to this, the report highlights the disproportionately high risk posed by mid-sized enterprises, which generate annual revenue of between $25 million and $100 million. 

The number of direct ransomware claims has increased significantly within the segment, which highlights both the increased exposure to cyber threats as well as the potential limitations in resources available to defend against them. As part of this report, the authors point out that “remote” ransomware activity has increased dramatically, a tactic that has gained considerable traction among threat actors over the past few years. 

In 2024, this type of attack is expected to have increased by 50 per cent compared to the year before, representing an astounding 141 per cent increase since the year 2022. As far as traditional endpoint detection systems are concerned, remote ransomware campaigns are typically carried out by unmanaged or personal devices. In these kinds of attacks, rather than deploying a malicious payload directly onto the victim's machine, networks file-sharing protocols are used to access and encrypt data between connected systems by using the network file-sharing protocol. Therefore, the encryption process is often undetected by conventional security tools, such as malware scanners and behaviour-based defences. 

These stealth-oriented methodologies pose a growing challenge to organizations, particularly small and medium-sized businesses (SMBS), as a result of this stealth-oriented methodology. In the study conducted by Sophos Managed Detection and Response (MDR), the most common threat vector in the SMB sector is ransomware and data exfiltration, which accounted for nearly 30 per cent of all cases tracked within this sector. 

Even though sophisticated attack techniques are on the rise, the overall volume of ransomware-related events in 2024 saw a slight decline in volume compared with 2023 despite the rise in sophisticated attack techniques. There has been a marginal decrease in ransomware-as-a-service (Raas) incidents. 

The advancement of defensive technologies and the dismantling of several of the most high-profile ransomware-as-a-service (Raas) operations have both contributed to this decline. This combined study emphasises the urgent need for businesses to modernise their cybersecurity strategies, invest in proactive threat detection, and strengthen the security of their remote access infrastructure to combat cybercrime. 

With the development of ransomware tactics in complexity and scale, the resilience of organisations targeted by these threats has also evolved. As a result of these developments, organisations are increasingly expected to reevaluate their risk management frameworks to adopt a more proactive cybersecurity policy. To ensure that a robust defense strategy is implemented, it is imperative that remote access security systems are secured and access controls are implemented and advanced monitoring capabilities are deployed. 

Besides raising awareness of cybersecurity throughout the workforce and fostering close cooperation between technology and insurance partners, it is also possible to significantly reduce the risk of ransomware being a threat to organisations. In the wake of cyber adversaries that keep improving their methods, businesses will have to take not only technical measures to strengthen their resilience, but also a wide range of strategic measures to anticipate and neutralise emergent attack vectors before they can cause significant damage.
Read more »
Ransomwares
CISA & FBI CISA advisory Cyber Attacks Malwares Medusa Attacks Medusa Ransomware RaaS ransomware attacks ransomware-as-a-service (RaaS) Ransomwares

Medusa Ransomware Attacks: CISA, FBI, and MS-ISAC Issue #StopRansomware Advisory

 

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware. 

Medusa, a ransomware-as-a-service (RaaS) variant, was first detected in 2021 and has since targeted over 300 victims across multiple critical infrastructure sectors. Industries such as healthcare, law, education, insurance, technology, and manufacturing have been particularly affected, highlighting the wide reach and severity of the ransomware’s impact. Medusa initially operated as a closed ransomware variant, meaning its developers had full control over its deployment and operations. 

Over time, it transitioned to an affiliate-based model, allowing external cybercriminals to use the ransomware while keeping certain aspects, such as ransom negotiations, under the control of the original developers. This shift has allowed Medusa to expand its reach, increasing its effectiveness as a cyber threat. Medusa demands ransoms ranging from $100,000 to as much as $15 million. 

Like many modern ransomware variants, it employs double extortion tactics—stealing sensitive data before encrypting victim networks. This strategy puts additional pressure on victims, as attackers can threaten to leak or sell stolen data if the ransom is not paid. Cybersecurity researchers from Symantec’s Threat Hunter team recently reported a rise in Medusa-related attacks over the past year. 

Medusa’s developers use initial access brokers (IABs) to gain entry into victim networks. These brokers operate within cybercriminal forums and marketplaces, selling access to compromised systems for amounts ranging from $100 to $1 million. Medusa affiliates rely on phishing campaigns and vulnerability exploitation to gain initial access, making it crucial for organizations to bolster their email security and patch known vulnerabilities. Once inside a system, Medusa operators use “living-off-the-land” (LotL) techniques, leveraging legitimate system tools to evade detection while conducting reconnaissance, data theft, and lateral movement.

Given Medusa’s evolving tactics, cybersecurity experts stress the importance of proactive defense measures. Organizations should deploy security patches, implement network segmentation, and restrict access to critical services from untrusted sources. Dan Lattimer, area vice president for Semperis in the UK and Ireland, emphasized the need for an “assumed breach” mindset, urging companies to shift from a prevention-focused approach to rapid detection, response, and recovery. 

As ransomware attacks grow more sophisticated, organizations must remain vigilant, continuously updating their cybersecurity strategies to mitigate risks and strengthen their defenses against threats like Medusa.
Read more »
Ransomwares
AI Attack Cyber Attacks cybercrime group Data Leak Hacktivism RaaS Ransom Demand Ransomware attack Ransomwares

FunkSec Ransomware Group: AI-Powered Cyber Threat Targeting Global Organizations

 

A new ransomware group, FunkSec, has emerged as a growing concern within the cybersecurity community after launching a series of attacks in late 2024. Reports indicate that the group has carried out over 80 cyberattacks, signaling a strategic blend of hacktivism and cybercrime. According to recent findings, FunkSec’s activities suggest that its members are relatively new to the cyber threat landscape but have been using artificial intelligence (AI) to amplify their capabilities and expand their reach. 

FunkSec’s ransomware, developed using the Rust programming language, has caught the attention of security analysts due to its complexity and efficiency. Investigations suggest that AI tools may have been used to assist in coding and refining the malware, enabling the attackers to bypass security defenses more effectively. A suspected Algerian-based developer is believed to have inadvertently leaked portions of the ransomware’s code online, providing cybersecurity researchers with valuable insights into its functionality. 

Operating under a ransomware-as-a-service (RaaS) framework, FunkSec offers its malware to affiliates, who then carry out attacks in exchange for a percentage of the ransom collected. Their approach involves double extortion tactics—encrypting critical files while simultaneously threatening to publish stolen information unless the victim meets their financial demands. To facilitate their operations, FunkSec has launched an underground data leak website, where they advertise stolen data and offer additional cybercrime tools, such as distributed denial-of-service (DDoS) attack capabilities, credential theft utilities, and remote access software that allows for covert control of compromised systems. 

The origins of FunkSec date back to October 2024, when an online persona known as “Scorpion” introduced the group in underground forums. Additional figures, including “El_Farado” and “Bjorka,” have been linked to its expansion. Investigators have noted discrepancies in FunkSec’s communications, with some materials appearing professionally written in contrast to their typical informal style. This has led experts to believe that AI-generated content is being used to improve their messaging and phishing tactics, making them appear more credible to potential victims. 

FunkSec’s ransomware is designed to disable security features such as antivirus programs, logging mechanisms, and backup systems before encrypting files with a “.funksec” extension. The group’s ransom demands are relatively modest, often starting at around $10,000, making their attacks more accessible to a wide range of potential victims. Additionally, they have been known to sell stolen data at discounted rates to other threat actors, further extending their influence within the cybercriminal ecosystem. Beyond financial motives, FunkSec has attempted to align itself with hacktivist causes, targeting entities in countries like the United States and India in support of movements such as Free Palestine. 

However, cybersecurity analysts have expressed skepticism over the authenticity of their claims, noting that some of the data they leak appears to have been recycled from previous breaches. While FunkSec may be a relatively new player in the cyber threat landscape, their innovative use of AI and evolving tactics make them a significant threat. Security experts emphasize the importance of proactive measures such as regular system updates, employee training on cybersecurity best practices, and the implementation of robust access controls to mitigate the risks posed by emerging ransomware threats like FunkSec.
Read more »
Ransomware
Artificial Intelligence cryptocurrency Cyber Security RaaS Ransomware

Understanding Ransomware: A Persistent Cyber Threat

 


Ransomware is a type of malicious software designed to block access to files until a ransom is paid. Over the past 35 years, it has evolved from simple attacks into a global billion-dollar industry. In 2023 alone, ransomware victims reportedly paid approximately $1 billion, primarily in cryptocurrency, underscoring the massive scale of the problem.

The First Recorded Ransomware Attack

The first known ransomware attack occurred in 1989. Joseph Popp, a biologist, distributed infected floppy disks under the guise of software analyzing susceptibility to AIDS. Once installed, the program encrypted file names and, after 90 uses, hid directories before displaying a ransom demand. Victims were instructed to send a cashier’s check to an address in Panama to unlock their files.

This incident, later dubbed the "AIDS Trojan," marked the dawn of ransomware attacks. At the time, the term "ransomware" was unknown, and cybersecurity communities were unprepared for such threats. Popp was eventually apprehended but deemed unfit for trial due to erratic behaviour.

Evolution of Ransomware

Ransomware has undergone significant changes since its inception:

  • 2004 – The Rise of GPCode: A new variant, "GPCode," used phishing emails to target individuals. Victims were lured by fraudulent job offers and tricked into downloading infected attachments. The malware encrypted their files, demanding payment via wire transfer.
  • 2013 – Cryptocurrency and Professional Operations: By the early 2010s, ransomware operations became more sophisticated. Cybercriminals began demanding cryptocurrency payments for anonymity and irreversibility. The "CryptoLocker" ransomware, infamous for its efficiency, marked the emergence of "ransomware-as-a-service," enabling less skilled attackers to launch widespread attacks.
  • 2017 – Global Disruptions: Major attacks like WannaCry and Petya caused widespread disruptions, affecting industries worldwide and highlighting the growing menace of ransomware.

The Future of Ransomware

Ransomware is expected to evolve further, with experts predicting its annual cost could reach $265 billion by 2031. Emerging technologies like artificial intelligence (AI) are likely to play a role in creating more sophisticated malware and delivering targeted attacks more effectively.

Despite advancements, simpler attacks remain highly effective. Cybersecurity experts emphasize the importance of vigilance and proactive defense strategies. Understanding ransomware’s history and anticipating future challenges are key to mitigating this persistent cyber threat.

Knowledge and preparedness remain the best defenses against ransomware. By staying informed and implementing robust security measures, individuals and organizations can better protect themselves from this evolving menace.

Read more »
Ransomware
Cyber Crime LockBit RaaS Ransomware

Look Who’s Back: LockBit Gears Up for a Comeback With Version 4.0

 



The infamous LockBit ransomware group has announced its return with the upcoming release of LockBit 4.0, set for February 2025. This marks a big moment for the group, which has had major setbacks over the last year. A global law enforcement crackdown shut down its operations, with arrests and recovery of nearly 7,000 decryption keys. As other ransomware groups like RansomHub take the lead, it remains uncertain if LockBit can reclaim its former dominance.  


Challenges Facing LockBit’s Return

LockBit's return is definitely not in the cards, though. The group did a lot of damage to itself, mainly because law enforcement was doing their job and newer Ransomware groups were outperforming it. Probably, the development of this 4.0 version involves deep changes in its codebase since the previous variant had been compromised. Experts therefore wonder whether LockBit manages to overcome these obstacles or gets back into the crowded field of ransomware services.

Another emerging favorite is ransomware-as-a-service, where groups start to sell their tools and infrastructure to affiliates in a specific ratio of the profits being extracted by that affiliate. LockBit will find itself competing not just with opponents such as RansomHub but also with variants from the same ransomware assembled using leaked source code.


What to Expect With LockBit 4.0

The group's announcement for LockBit 4.0 has bold claims, enticing potential affiliates with promises of wealth and success. The official launch is scheduled for February 3, 2025, and keys are provided to access their dark web leak site. While specific details about the 4.0 version are unclear, cybersecurity researchers are closely monitoring its development.

The group may also change its tactics to stay off the radar of international law enforcement. In the past, LockBit has been criticized for hitting high-profile victims, including the Toronto Hospital for Sick Children in 2022. After public backlash, the group issued an apology and provided a free decryption key, an unusual move for a ransomware organization.  


The Future

LockBit's ability to stage a successful comeback will depend on its capacity to adapt to the challenges it faces. With competitors gaining ground and its credibility in question, the group's path forward is uncertain. Cybersecurity experts will be watching closely to see how LockBit 4.0 impacts the ransomware infrastructure.

For now, organizations are advised to remain vigilant, as ransomware groups continue to improvise their tactics. Implementing robust security measures and staying informed about emerging threats are critical steps in defending against such attacks.



Read more »
Ransomware
Encryption malware NHS Obfuscation Technique Qilin RaaS Ransomware

NEW Qilin Ransomware Variant Emerges with Improved Evasion Techniques

 



A much more potent version of the Qilin ransomware has been found, according to cybersecurity experts, showing a new and revamped kind that is ready to attack core systems using advanced encryption along with improved stealth techniques.


A Rebranding with a Twist: Qilin's Evolution

The Qilin ransomware operation, which first appeared in July 2022, has now morphed into a more formidable opponent with a new version dubbed "Qilin.B." Known previously as "Agenda," the malware was rebranded and rewritten in Rust, a programming language harder to detect and often used for high-performance systems. The Qilin group is notorious for demanding multi-million dollar ransoms, focusing on high-stakes sectors such as healthcare, where operational disruptions can be particularly severe.

Qilin's latest incarnation has been a powerful tool in mass-attack campaigns. Just last year, a significant cyber attack was launched against Synnovis, a pathology firm providing services to the United Kingdom's NHS, which resulted in the cancellation of thousands of hospital and family doctor appointments. In return for collaborating on campaigns, Qilin partners are promised a large percentage of ransom payments, up to 85% — an arrangement that is structured to encourage high-paying ransomware attacks with the highest payoffs.


Improved Encryption and Obfuscation

This variant, Qilin.B, has the following methods that make their detection a hard nut to crack by the standard systems of security. According to Halcyon, a research firm specialising in cybersecurity, enhanced encryption, such as AES-256-CTR systems that support AESNI, together with RSA-4096 and OAEP padding have been seen in this particular variant. Such standards ensure that decrypting files from this threat is impossible minus the private key, as the case of preventive actions being the only way forward.

Further, the obfuscation technique is available in Qilin.B with which the developers hide the coding language of malware in order to prevent detection via signature-based detection systems. Such evasion mechanisms make the detection and quick response even more difficult by the cyber security teams in case of infections. As reported by the researchers from Halcyon, who had studied malware upgrades, increasing sophistication can be seen in ransomware tactics, specifically Qilin.B was developed to resist reverse engineering as well as delay incident response.


New Tactics to Dodge System Defences

Qilin.B disables important system services such as backup and removes volume shadow copy to prevent rollback of the infected systems. In addition, it disables restarts and self-cleans up by removing the ransomware after a successful attack to minimise digital artefacts. All these features make it more robust for defence against evolving ransomware groups that will continue to change their approach to remain at least a step ahead of security patches.


Growing Need for Cross-Platform Security

As Qilin ransomware is becoming more agile, security experts say the cybersecurity posture of organisations must be more offensive-minded. Qilin.B is rebuilt in Rust and can be executed properly across different environments-from Linux to VMware's ESXi hypervisor. The required security monitoring needs to recognize stealthy methods identified with Qilin.B, including detection of code compiled in Rust because traditional systems would fail to counter it.


Advanced Configurations and Control

Qilin.B. This is another notable configuration option from the attackers so that one can personalise his attack. Thus, this version comes along with new names for some functions, encrypted strings and other complex code, in order to take more time for defence activities and forensic analysis of an incident. According to researchers of the Halcyon company, the best behaviour-based detecting systems should be implemented and it can easily find out what malware does, without the outdated method of searching for signatures by which malware has successfully dodged, in this case.

With the advancements of Qilin.B in terms of encryption and evasion, the security firm Halcyon recommends that organisations supplement their security infrastructure with cross-platform monitoring and backup solutions which are designed to fight against ransomware attacks' newest variations. A more complete system in detecting and responding to threats will still be an asset as ransomware advances through networks well-protected.

Continuous improvement in ransomware-as-a-service (RaaS) points to the intensifying threat that organisations have to grapple with as they secure sensitive data from increasingly sophisticated adversaries. The Qilin operation exemplifies how ransomware groups continue to adapt themselves to avoid defences, so proactive and adaptive security measures are justified in industries.


Read more »
Subscribe to: Posts (Atom)