Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label RansomHouse. Show all posts
RansomHouse
Askul Data Breach Data Theft Japanese Firm RansomHouse

Askul Confirms RansomHouse Ransomware Breach Exposed 740,000 Records

 

Japanese e-commerce giant Askul Corporation confirmed that a ransomware attack carried out by the RansomHouse group led to the theft of about 740,000 customer records in October 2025. Askul, which is a major supplier of office supplies and logistics services owned by Yahoo! Japan, suffered a critical failure within their IT system due to the breach, forcing the company to shut down shipments to customers, including the popular retail chain Muji. 

Compromised data includes approximately 590,000 business customer service records, 132,000 individual customer records, 15,000 records of business partners (outsourcers, agents, suppliers), and about 2,700 records of executives and employees across group companies. 

Detailed information about the breach is not being disclosed by Askul to avoid further exploitation. The company is trying to individually contact affected customers and partners. It has reported the incident to Japan's Personal Information Protection Commission and put in place long-term monitoring to mitigate the risk of misuse. 

The RansomHouse group is known to conduct both data exfiltration and encryption operations, and it announced the breach on October 30, followed by two data leaks on November 10 and December 2. An Askul investigation found that the breach occurred due to compromised authentication credentials related to an outsourced partner administrator account that did not have multi-factor authentication (MFA). After accessing the systems, the attackers performed reconnaissance, gathered authentication information, disabled EDR software, and moved laterally between servers to gain privileged access. 

Several types of ransomware were deployed; some were even capable of bypassing the EDR signatures of the time. This resulted in widespread data encryption and systemic outages. Another step the attackers took was to clear the backup files to further impede recovery. Askul severed connectivity to infected networks, isolated affected systems, updated EDR signatures, and implemented MFA for all critical systems. 

As of mid-December, Askul continues to face disruptions in order shipping and is working to fully restore its systems. The financial impact of the attack has not yet been estimated, and the company has postponed its scheduled earnings report to allow for a thorough assessment.
Read more »
Ransomware
Cyber Crime Data Extortion Encryption Files RansomHouse Ransomware

RansomHouse Develops More Complex Encryption for Recent Attacks

 


The ransomware group known as RansomHouse has recently enhanced the encryption mechanism used in its attacks, moving away from a basic, single-step process to a more advanced, multi-layered approach. This change reflects a deliberate effort to strengthen the effectiveness of its ransomware operations.

Earlier versions of the encryptor relied on a linear method, where data was transformed in one continuous pass. The updated version introduces multiple stages of processing, which results in stronger encryption, improved execution speed, and greater stability across modern systems. These improvements increase the pressure on victims by making encrypted data harder to recover and negotiations more favorable for attackers after systems are locked.

RansomHouse first appeared in late 2021 as a cybercrime group focused on data extortion, where stolen information was used as leverage rather than encryption alone. Over time, the group expanded its tactics and began deploying ransomware encryptors during attacks. It also developed an automated tool, known as MrAgent, designed to simultaneously encrypt multiple VMware ESXi hypervisors, a technique that allows attackers to disrupt large virtualized environments efficiently.

In more recent activity, security analysts observed RansomHouse using more than one ransomware strain during attacks on a major Japanese e-commerce company. This suggests a flexible operational strategy rather than reliance on a single malware family.

Further insight into the group’s evolving capabilities comes from a new analysis by cybersecurity researchers, who examined RansomHouse’s latest encryptor, internally referred to as “Mario.” This version introduces a two-stage data transformation process that relies on two different encryption keys: one substantially longer than the other. Using multiple keys increases the randomness of the encrypted output, making partial file recovery or reconstruction far more challenging.

The updated encryptor also changes how files are handled during the encryption process. Instead of treating all files the same way, it adjusts its behavior based on file size. Large files are processed in dynamically sized chunks, with encryption applied intermittently rather than continuously. This irregular pattern makes the malware harder to analyze because it avoids predictable processing behavior.

Researchers also noted improvements in how the encryptor manages memory. The newer version separates tasks across multiple buffers, with each buffer assigned a specific role during encryption. This design increases operational complexity and reduces inefficiencies found in earlier variants.

Another visible change is the amount of internal information displayed during file processing. Unlike older versions, which only indicated when encryption was complete, the new encryptor provides more detailed status output as it operates.

Despite these changes, the ransomware continues to focus on virtual machine-related files, renaming encrypted data with a new extension and placing ransom instructions across affected directories.

Security researchers caution that these upgrades indicate a troubling direction in ransomware development. While RansomHouse does not carry out attacks at the scale of larger ransomware groups, its continued investment in advanced encryption techniques points to a strategy centered on precision, resilience, and evasion rather than volume.

Read more »
Ransomware attack
Adidas Data Breach Fulgar H&M RansomHouse Ransomware attack

RansomHouse Ransomware Hits Fulgar, Key Supplier to H&M and Adidas

 

Fulgar, a major supplier of synthetic yarns to global fashion brands such as H&M, Adidas, Wolford, and Calzedonia, has confirmed it suffered a ransomware attack linked to the notorious RansomHouse group. The attack, which was first noted on RansomHouse’s leak site on November 12, involved the publication of encrypted internal data stolen since October 31. 

Screenshots shared on the leak site displayed sensitive company documents, spreadsheets, communications, and financial records—including bank balances, invoices, and exchanges with external parties. These leaks present a significant risk for targeted phishing attacks, as attackers now possess insider information that can be leveraged to deceive staff and partners.

Fulgar, established in the late 1970s, is one of Europe’s largest spinning mills, producing polyamide 66 and covered elastomers used in hosiery, lingerie, activewear, and technical textiles. The company distributes key brands like Lycra and Elaspan and operates across Italy, Sri Lanka, and Turkey. Its client list includes several of the world’s most recognized fashion retailers. The breach highlights how even large suppliers are vulnerable to cyber threats, especially when a single ransomware group gains access to internal systems.

The RansomHouse group, active since 2021, has claimed more than one hundred victims and is known for encrypting data and demanding ransom payments. US cyber authorities have previously connected the group to Iranian affiliates, who provide encryption support in exchange for a share of the ransom proceeds.

In Fulgar’s case, the attackers issued a direct warning to management: “Dear management of Fulgar S.p.A., we are sure that you are not interested in your confidential data being leaked or sold to a third party. We highly advise you to start resolving that situation.” This underscores the urgency for organizations to respond swiftly to ransomware incidents and mitigate potential reputational and financial damage.

The breach is a stark reminder of the cascading risks posed by compromised supplier networks. Sensitive records exposed in such incidents can fuel targeted identity theft and social engineering attacks, increasing threats for employees and business partners. Experts advise that organizations implement robust cybersecurity measures, including the use of strong antivirus software and properly configured firewalls, to reduce the risk of follow-up intrusions. 

However, even with these precautions, leaked internal documents can still be used to craft highly persuasive phishing campaigns, posing broader risks across manufacturing and supply chain sectors. Overall, the Fulgar breach illustrates the escalating sophistication of ransomware attacks and the critical need for vigilance among global suppliers and their clients to protect sensitive data and prevent further compromise.
Read more »
Ransomware
Italy malware RansomHouse RansomHub Ransomware

RansomHub and RansomHouse: Unmasking the Culprits Behind Italy’s Attacks

RansomHub and RansomHouse: Unmasking the Culprits Behind Italy’s Attacks

Hackers have claimed responsibility for three major cyberattacks in Italy in the last 24 hours. The RansomHub and RansomHouse gangs allegedly carried out the ransomware assaults in Italy. RansomHub targeted the websites of Cloud Europe and Mangimi Fusco, while RansomHouse claimed responsibility for conducting a cyberattack against Francesco Parisi.

Italy's Ransomware Attacks

Cloud Europe is a Tier IV carrier-neutral data center based in Rome's Tecnopolo Tiburtino. According to the company's website, it specializes in data center architecture and management, focusing on security and service continuity. The company creates, hosts, and operates modular infrastructure for data centers in both the private and public sectors.

The Attacks

1. Cloud Europe: On June 29, 2024, RansomHub claimed responsibility for infiltrating the servers of Cloud Europe, a prominent Tier IV certified data center in Rome. The attackers allegedly encrypted the servers and exfiltrated 70 terabytes of data. Among the stolen information were 541.41 gigabytes of sensitive data, including client records, financial documents, and proprietary software.

2. Mangimi Fusco: The same day, RansomHub targeted Mangimi Fusco, an animal food manufacturer. The group claimed to have stolen 490 gigabytes of confidential data, including client files, budget details, and payroll information. However, as of now, Mangini Fusco’s website shows no signs of the reported attack, leaving room for skepticism.

3. Francesco Parisi: RansomHouse, another hacking collective, breached the website of Francesco Parisi, a group specializing in freight forwarding and shipping services. The attack occurred on May 29, 2024, and resulted in the theft of 150 gigabytes of company data. Francesco Parisi has acknowledged the breach and is working to restore normalcy while enhancing its cybersecurity defenses.

The Implications

These attacks raise critical questions about the state of cybersecurity readiness among Italian businesses:

Vulnerabilities: Despite advancements in security protocols, organizations remain vulnerable to sophisticated attacks. The ability of threat actors to infiltrate well-established data centers and corporate websites highlights the need for continuous vigilance.

Data Privacy: The stolen data contains sensitive information that could be exploited for financial gain or used maliciously. Companies must prioritize data privacy and invest in robust encryption, access controls, and incident response plans.

Business Continuity: When ransomware strikes, business operations grind to a halt. Cloud Europe’s experience serves as a stark reminder that even data centers, designed to ensure continuity, are not immune. Organizations must have contingency plans to minimize disruptions.

How to Stay Safe?

To safeguard against ransomware and other cyber threats, companies should consider the following strategies:

  • Regular Backups: Frequent backups of critical data are essential. These backups should be stored securely and tested periodically to ensure their integrity.
  • Employee Training: Human error often opens the door to cyberattacks. Regular training sessions can educate employees about phishing emails, suspicious links, and safe online practices.
  • Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security, making it harder for unauthorized individuals to gain access.
  • Incident Response Plans: Organizations should develop comprehensive incident response plans that outline steps to take during a breach. Swift action can minimize damage and prevent data loss.

Read more »
VMware Carbon Black
8Base 8Base Ransomware Cyber Attacks MalwareBytes Phobos RansomHouse Ransomware Ransomware group VMware Carbon Black

8Base Ransomware: Researchers Raise Concerns Over its Increased Activities


The 8Base ransomware has well maintained its covert presence, avoiding detection for over a year. Although, a recent investigation into the ransomware revealed a significant rise in its operation during the period of May and June. It has been made clear that the ransomware group has been active since at least March 2022. The threat group labels itself as “simple pentesters,” indicating a basic level of proficiency in penetration testing.

Details of the 8Base

According to a research conducted by Malwarebytes and NCC Group, as of May, the ransomware group may have been linked with a total of whopping 67 attacks. Among these cyber incidents, around half of the manufacturing, construction, and business services industries together account for around half of the affected firms. The targeted firms are primarily located in the United States and Brazil, indicating a geographic focus by the threat group. 

June saw a significant surge in ransomware activities. The fact that the offenders used a dual extortion tactic raised the stakes for their victims is notable.

A list of 35 victims who have been identified has so far been on the 8Base-affiliated dark web extortion site. There have even been occasions where up to six companies have fallen victim to the ransomware operators' nefarious activities at once on specific days.

According to the VMware Carbon Black team, based on its recent activities, and its similarities of ransom notes and content on leak sites along with identical FAQ pages, 8Base could as well be a rebranding of the popular ‘RansomHouse’ ransomware group. RansomHouse, however flexibly promotes its partnership, while 8Base does not.

It is also noteworthy that a Phobos ransomware sample was also discovered by the VMware researchers, that was utilizing the “.8base” file extension, indicating the 8Base could well be the successor of or utilizing the existing ransomware strain.

The researchers concluded that the efficient operations conducted by the 8Base ransomware group may continue to group, which could be an onset of a mature organization. However, it has not yet been made clear whether the group is based on Phobos or RansomHouse.

As for now, there are speculations on 8Base's use of various ransomware strains, whether it be in earlier iterations or as a fundamental component of its typical mode of operation. However, it is commonly known that this organization is very active, with a concentration on smaller firms as a significant target.  

Read more »
SLGA
ADATA cyber attack Cyber Attacks RansomHouse SLGA

ADATA: RansomHouse Cyberattack Result of a Leak of 2021 Data


Taiwanese chip manufacturer ADATA denies all allegations of a RansomHouse cyberattack. This is following the announcement that threat actors began posting stolen data on a leak website belonging to the data leak group. 

Earlier this week, the RansomHouse gang added ADATA files to their data leak site. In this leak, they claimed they had taken 1TB worth of documents during a cyberattack in the year 2022. To demonstrate how much information the gang had staked, the threat actors posted samples of supposed stolen files that appear to be from ADATA. 

"Based on several technical methods of checking, we believe what Ransomhouse alleged was fake data and that it was stolen by Ragnar Locker in 2021, which is all confirmed by ADATA's spokesperson," said BleepingComputer in an email. 

ADATA implemented effective methods to provide strong security following the Ragnar Locker attack in 2021. Since then, no attack on ADATA has been successful, and no confidential information about ADATA was leaked. 

It can be stated that based on the comparison of the timestamps for the data shared by RansomHouse and the data that Ragnar Locker leaked in June 2021, both sets of stolen data had similar timestamps, which meant that both files were no older than May 2021 when compared to the timestamps for the data shared by RansomHouse. 

The company added that RansomHouse left no ransom notes on their servers that would demonstrate that an attack had been conducted against their servers. Ransom House maintains that they have taken advantage of ADATA recently through a data theft attack and that they have negotiated with the company regarding the stolen data. 

RansomHouse - who are they? 


After the release of SLGA's files in 2021, RansomHouse's extortion operation ended when it leaked the passwords of its first victim, the Saskatchewan Liquor and Gaming Authority (SLGA). Although the threat actors claim that they don't use any ransomware in their attacks, the White Rabbit ransom notes link the encryption attacks to Ransom House. 

This is a key part of the Ransom House attack. In the latest attack, RansomHouse appears to have claimed responsibility for attacks on eight Italian municipalities. A ransomware attack occurred as a result of this incident and the encryption of files with a .mario extension was appended and a ransom note leaving a greeting of, "Buongiorno to my lovely Italy" appeared on affected computers. 

The RansomHouse operation has also targeted other high-profile companies, such as AMD and Shoprite Holdings, one of Africa's largest supermarket chains, as well as large governments.
Read more »
Subscribe to: Comments (Atom)