CySecurity News - Latest Information Security and Hacking Incidents: Ransomware

BlackCat Cyber Crime Insider Threat Plea Guilty Ransomware

Ex-Cybersecurity Pros Plead Guilty in $9.5M Ransomware Spree

Former incident responders Ryan Clifford Goldberg and Kevin Tyler Martin have pleaded guilty to participating in a series of ransomware attacks while working at cybersecurity firms tasked with helping organizations recover from such incidents. The case highlights a rare instance of trusted professionals abusing their positions to commit cybercrime, causing significant damage to multiple organizations in 2023.

Goldberg, formerly a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint, collaborated with an unnamed co-conspirator to carry out ransomware attacks using the ALPHV (BlackCat) ransomware variant. According to federal court records, the total losses caused by their actions exceeded $9.5 million. The attacks targeted a medical company in Florida, a pharmaceutical firm in Maryland, a California doctor’s office, an engineering company in California, and a drone manufacturer in Virginia.

The indictment revealed that the trio received nearly $1.3 million in ransom payments from the Florida medical company in May 2023, but were unable to extort payments from the other victims. The ALPHV/BlackCat ransomware, first identified in late 2021, has been linked to numerous attacks on critical infrastructure providers, including the high-profile breach of UnitedHealth Group’s subsidiary Change Healthcare in 2024.

Goldberg and Martin each pleaded guilty to one count of conspiracy to interfere with interstate commerce by extortion, which reduces their maximum penalty from 50 years to 20 years in federal prison. As part of their plea agreements, both defendants are ordered to forfeit $342,000, representing the value of proceeds traced to their crimes. The court may also impose fines of up to $250,000 and additional restitution.

A spokesperson for DigitalMint stated that the company cooperated fully with the Justice Department and supports the outcome as a step toward accountability. “His behavior is a clear violation of our values and ethical standards,” the spokesperson said, emphasizing that Martin’s actions were undertaken without the company’s knowledge or involvement. Sygnia did not immediately respond to requests for comment.

Prosecutors noted that Goldberg and Martin abused their positions of trust and used their specialized skills to facilitate and conceal their crimes. Officials have indicated that they will recommend reduced sentences if both defendants make full, accurate, and complete disclosures of their offenses and refrain from committing further crimes.

RansomHouse Develops More Complex Encryption for Recent Attacks



 

Ransomware

Cyber Crime Data Extortion Encryption Files RansomHouse Ransomware

RansomHouse Develops More Complex Encryption for Recent Attacks

The ransomware group known as RansomHouse has recently enhanced the encryption mechanism used in its attacks, moving away from a basic, single-step process to a more advanced, multi-layered approach. This change reflects a deliberate effort to strengthen the effectiveness of its ransomware operations.

Earlier versions of the encryptor relied on a linear method, where data was transformed in one continuous pass. The updated version introduces multiple stages of processing, which results in stronger encryption, improved execution speed, and greater stability across modern systems. These improvements increase the pressure on victims by making encrypted data harder to recover and negotiations more favorable for attackers after systems are locked.

RansomHouse first appeared in late 2021 as a cybercrime group focused on data extortion, where stolen information was used as leverage rather than encryption alone. Over time, the group expanded its tactics and began deploying ransomware encryptors during attacks. It also developed an automated tool, known as MrAgent, designed to simultaneously encrypt multiple VMware ESXi hypervisors, a technique that allows attackers to disrupt large virtualized environments efficiently.

In more recent activity, security analysts observed RansomHouse using more than one ransomware strain during attacks on a major Japanese e-commerce company. This suggests a flexible operational strategy rather than reliance on a single malware family.

Further insight into the group’s evolving capabilities comes from a new analysis by cybersecurity researchers, who examined RansomHouse’s latest encryptor, internally referred to as “Mario.” This version introduces a two-stage data transformation process that relies on two different encryption keys: one substantially longer than the other. Using multiple keys increases the randomness of the encrypted output, making partial file recovery or reconstruction far more challenging.

The updated encryptor also changes how files are handled during the encryption process. Instead of treating all files the same way, it adjusts its behavior based on file size. Large files are processed in dynamically sized chunks, with encryption applied intermittently rather than continuously. This irregular pattern makes the malware harder to analyze because it avoids predictable processing behavior.

Researchers also noted improvements in how the encryptor manages memory. The newer version separates tasks across multiple buffers, with each buffer assigned a specific role during encryption. This design increases operational complexity and reduces inefficiencies found in earlier variants.

Another visible change is the amount of internal information displayed during file processing. Unlike older versions, which only indicated when encryption was complete, the new encryptor provides more detailed status output as it operates.

Despite these changes, the ransomware continues to focus on virtual machine-related files, renaming encrypted data with a new extension and placing ransom instructions across affected directories.

Security researchers caution that these upgrades indicate a troubling direction in ransomware development. While RansomHouse does not carry out attacks at the scale of larger ransomware groups, its continued investment in advanced encryption techniques points to a strategy centered on precision, resilience, and evasion rather than volume.

AI in Cybercrime: What’s Real, What’s Exaggerated, and What Actually Matters



 

Technology

AI tools Artificial Intelligence CyberCrime organizations Ransomware Technology

AI in Cybercrime: What’s Real, What’s Exaggerated, and What Actually Matters

Artificial intelligence is increasingly influencing the cyber security infrastructure, but recent claims about “AI-powered” cybercrime often exaggerate how advanced these threats currently are. While AI is changing how both defenders and attackers operate, evidence does not support the idea that cybercriminals are already running fully autonomous, self-directed AI attacks at scale.

For several years, AI has played a defining role in cyber security as organisations modernise their systems. Machine learning tools now assist with threat detection, log analysis, and response automation. At the same time, attackers are exploring how these technologies might support their activities. However, the capabilities of today’s AI tools are frequently overstated, creating a disconnect between public claims and operational reality.

Recent attention has been driven by two high-profile reports. One study suggested that artificial intelligence is involved in most ransomware incidents, a conclusion that was later challenged by multiple researchers due to methodological concerns. The report was subsequently withdrawn, reinforcing the importance of careful validation. Another claim emerged when an AI company reported that its model had been misused by state-linked actors to assist in an espionage operation targeting multiple organisations.

According to the company’s account, the AI tool supported tasks such as identifying system weaknesses and assisting with movement across networks. However, experts questioned these conclusions due to the absence of technical indicators and the use of common open-source tools that are already widely monitored. Several analysts described the activity as advanced automation rather than genuine artificial intelligence making independent decisions.

There are documented cases of attackers experimenting with AI in limited ways. Some ransomware has reportedly used local language models to generate scripts, and certain threat groups appear to rely on generative tools during development. These examples demonstrate experimentation, not a widespread shift in how cybercrime is conducted.

Well-established ransomware groups already operate mature development pipelines and rely heavily on experienced human operators. AI tools may help refine existing code, speed up reconnaissance, or improve phishing messages, but they are not replacing human planning or expertise. Malware generated directly by AI systems is often untested, unreliable, and lacks the refinement gained through real-world deployment.

Even in reported cases of AI misuse, limitations remain clear. Some models have been shown to fabricate progress or generate incorrect technical details, making continuous human supervision necessary. This undermines the idea of fully independent AI-driven attacks.

There are also operational risks for attackers. Campaigns that depend on commercial AI platforms can fail instantly if access is restricted. Open-source alternatives reduce this risk but require more resources and technical skill while offering weaker performance.

The UK’s National Cyber Security Centre has acknowledged that AI will accelerate certain attack techniques, particularly vulnerability research. However, fully autonomous cyberattacks remain speculative.

The real challenge is avoiding distraction. AI will influence cyber threats, but not in the dramatic way some headlines suggest. Security efforts should prioritise evidence-based risk, improved visibility, and responsible use of AI to strengthen defences rather than amplify fear.

India Witnesses Sharp Surge in Cybercrime, Fraud Dominates NCRB 2023 Report



 

Ransomware

Cyber Crime CyberCrime Data Fraud India NCRB Ransomware

India Witnesses Sharp Surge in Cybercrime, Fraud Dominates NCRB 2023 Report

The cybercrime landscape in India has witnessed a drastic increase with NCRB data indicating cases jacking up from above 52,000 in 2021 to over 86,000 by 2023 led by fraud and online financial crime. Concurrently, threat intelligence shows that India is now a high‑risk ransomware and dark‑web ecosystem within the Asia‑Pacific region.

NCRB data and growth trend

The report suggests that NCRB’s “Crime in India” figures show an alarming and persistent increase in reported cybercrimes, increasing from just above 52,000 cases in 2021 to beyond 86,000 cases by 2023, owing to increased digitization, online payments and use of mobile internet. This is a 31.2% year-on-year increase between 2022 and 2023 alone and the country’s cybercrime rate has increased from 4.8 to 6.2 cases per lakh population.

Fraud is the most prevalent motive, making up almost 69% of all cybercrime incidents in 2023, followed by sexual exploitation, and extortion, highlighting that attackers mainly prey on financial and personal vulnerabilities. States such as Karnataka, Telangana and Uttar Pradesh account for a large number of cases, reflecting higher IT penetration, urbanisation and digital adoption.

Ransomware and dark-web activity

Beyond the raw figures of the NCRB, the report places India among an Asia‑Pacific threat map of sorts, drawing upon the Cyble Monthly Threat Landscape Report for July 2025, to show that India is still among the key targets for operators of ransomware. It cited the Warlock ransomware group for targeting an India-based manufacturing firm, exfiltrating HR, financial, and design data, which was then used for extortion and exposure.

The report also notes dark‑web listings advertising unauthorized access to an Indian telecom network for around US$35,000, including credentials and critical operational details, highlighting the commoditization of network breaches. Regionally, Thailand, Japan, and Singapore each recorded six ransomware victims in the observed period, with India and the Philippines close behind, and manufacturing, government, and critical infrastructure sectors bearing the brunt of attacks.

Additionally, South Asia is experiencing ideologically driven attacks, exemplified by the pro‑India Team Pelican Hackers, which claimed breaches of major Pakistani research and academic institutions. These campaigns blur the line between classic cybercrime and geopolitical conflict, indicating that Indian networks face both profit‑motivated and politically motivated breachs.

Askul Discloses Scope of Customer Data Theft Following October Ransomware Incident



 

Ransomware

Data Breach Data Theft eCommerce Japan MFA Ransomware

Askul Discloses Scope of Customer Data Theft Following October Ransomware Incident

Japanese e-commerce firm Askul Corporation has officially confirmed that a ransomware attack earlier this year led to the unauthorized access and theft of data belonging to nearly 740,000 individuals. The company made the disclosure after completing a detailed investigation into the cyber incident that occurred in October.

Askul operates a large-scale online platform that provides office supplies and logistics services to both corporate clients and individual consumers. The company is part of the Yahoo! Japan corporate group and plays a significant role in Japan’s business-to-business supply chain.

The cyberattack caused serious disruptions to Askul’s internal systems, resulting in an operational shutdown that forced the company to suspend product shipments. This disruption affected a wide range of customers, including major retail partners such as Muji.

Following the conclusion of its internal review, Askul clarified the categories of data that were compromised. According to the company, service-related records of approximately 590,000 business customers were accessed. Data connected to around 132,000 individual customers was also involved. In addition, information related to roughly 15,000 business partners, including outsourcing firms, agents, and suppliers, was exposed. The incident further affected personal data linked to about 2,700 executives and employees, including those from group companies.

Askul stated that it is deliberately limiting the disclosure of specific details related to the stolen data to reduce the risk of further exploitation. The company confirmed that affected customers and business partners will be informed directly through individual notifications.

Regulatory authorities have also been notified. Askul reported the data exposure to Japan’s Personal Information Protection Commission and has implemented long-term monitoring measures to identify and prevent any potential misuse of the compromised information.

System recovery remains ongoing. As of December 15, shipping operations had not fully returned to normal, and the company continues to work toward restoring all affected services.

Responsibility for the attack has been claimed by the ransomware group known as RansomHouse. The group publicly disclosed the breach at the end of October and later released portions of the stolen data in two separate leaks in November and December.

Askul shared limited technical findings regarding how the attackers gained access. The company believes the intrusion began through stolen login credentials associated with an administrator account belonging to an outsourced partner. This account did not have multi-factor authentication enabled, making it easier for attackers to exploit.

After entering the network, the attackers conducted internal reconnaissance, collected additional authentication information, and expanded their access to multiple servers. Askul reported that security defenses, including endpoint detection and response tools, were disabled during the attack. The company also noted that several ransomware variants were deployed, some of which bypassed existing detection mechanisms despite recent updates.

The attack resulted in both data encryption and widespread system failures. The ransomware was executed simultaneously across multiple servers, and backup files were deliberately erased to prevent rapid system recovery.

In response, Askul disconnected affected networks, restricted communication between data centers and logistics facilities, isolated compromised devices, and strengthened endpoint security controls. Multi-factor authentication has since been enforced across critical systems, and all administrator account passwords have been reset.

The financial consequences of the incident have not yet been determined. Askul has postponed its earnings report to allow additional time for a comprehensive assessment of the impact.

CyberVolk Ransomware Fails to Gain Traction After Encryption Misstep



 

VolkLocker

Cryptographic Vulnerability Cyber Attacks Cyber Extortion CyberVolk Pro Russian Hacktivists Ransomware Ransomware As A Service Telegram Command And Control Threat Intelligence VolkLocker

CyberVolk Ransomware Fails to Gain Traction After Encryption Misstep

CyberVolk, a pro-Russian hacktivist collective, has intensified its campaign of ransomware-driven intimidation against entities perceived as hostile to Moscow in the past year, marking a notable change in both scale and presentation, marking a notable shift in its operations.

In addition to its attacks, the group has become increasingly adept at constructing carefully constructed visual branding, including the release of stylized ransomware imagery to publicize successful intrusions in addition to attacking. It seems that these visuals, which were enhanced by deliberately inflammatory language and threatening tone, were not intended simply to announce breaches, but rather to amplify psychological pressure for victims and broader audiences alike.

In October 2024, CyberVolk appeared to have a clear strategy in the ransoming of several Japanese organizations, including the Japan Oceanographic Data Center and the Japan Meteorological Agency, in which they claimed responsibility for the ransoming. CyberVolk has reportedly altered the desktop wallpapers of several victims prior to starting the encryption process, using the act itself as a signal of control and coercion to control and coerce them.

CyberVolk's plans to venture into the ransomware-as-a-service ecosystem, however, seem to have been undermined by fundamental technical lapses that were clearly underhand. As part of its strategy to attract affiliates, this group has recently launched a new ransomware strain called VolkLocker, positioning it as a RaaS offering designed to expand its operational reach and attract affiliates.

A SentinelOne research team has found that the malware has severe cryptographic and implementation weaknesses that greatly reduce its effectiveness, according to a study conducted by researchers. It is worth noting that the encryptor is specifically hardcoded directly into the ransomware binary as well as written in plaintext to a hidden file on compromised systems, compounding the error.

VolkLocker's credibility and viability within the cybercrime market is severely undermined by the vulnerability of extracting and reusing the exposed key, which could possibly allow organizations to recover their data without having to pay a ransom. As a consequence, affected organizations could potentially recover their data without paying a ransom.

It was last year when the Infosec Shop and other researchers first started documenting CyberVolk's activities that it caught the attention of the security community, and when it became known that the hacktivist collective was pro-Russian. CyberVolk appears to be operating in the same ideological space as outfits such as CyberArmyofRussia_Reborn and NoName057(16) — both of which have been linked to the Russian military intelligence apparatus and President Vladimir Putin by US authorities.

However, CyberVolk has yet to be proven to maintain direct ties with the Russian governing authorities. Additionally, CyberVolk has a distinctive operational difference from many of its peers. Compared to comparable hacktivist teams, which tend to focus their efforts on disruption but low-impact distributed denial-of-service attacks, CyberVolk has consistently utilized ransomware as part of its campaigns.

Researchers have noted that after repeated bans from Telegram in 2025, the group almost disappeared from public view for the first half of 2025, only to resurface in August with a revamped ransomware service based on VolkLocker. In analyzing the operations, it is evident that an uneven scaling attempt has taken place, combining fairly polished Telegram automation with malware payloads that retain signs of testing and incomplete hardening.

VolkLocker is written in Go and designed to work across both Windows and Linux environments. In addition to enabling user communication, Telegram-based command-and-control functionality, it also handles system reconnaissance, decryption requests, and the decryption of sensitive data. In order to configure new payloads, affiliates must provide operational details such as Bitcoin payment addresses, Telegram bot credentials, encryption deadlines, file extensions, and self-destruct parameters.

Among the backbones of this ecosystem is Telegram, which is responsible for providing communication, tool distribution, and customer support services. However, some operators have reported extending the default C2 framework to include keylogging and remote access capabilities. As of November, the group was advertising standalone remote access trojans and keyloggers in addition to its RaaS offerings, and these packages included tiered pricing options.

The ransomware is capable of escalating privileges, bypassing Windows User Account Control, selectively encrypting files based on pre-defined exclusion rules, and applying AES-256 encryption in GCM mode, which emphasizes CyberVolk's ongoing attempts to mix ideological messaging with the increasingly commercialized nature of cybercrime.

In the course of further technical analysis of VolkLocker, it has been revealed that the ransomware has been shaped by an aggressive design choice and critical implementation errors. One of the most notable features of the program is its integration of a timer function written in Go that can be configured to initiate a destructive wipe upon expiration of the countdown or upon entering an incorrect password into the ransom note in HTML.

Upon activation, the routine targets the most common user directories, such as Documents, Downloads, Pictures, and the Desktop, making the users vulnerable to permanent data loss. In order to access CyberVolk's ransomware-as-a-service platform, one must pay approximately $800 to $1,100 for an operating system that supports just one operating system, or $1,600 to $2,200 for a build that supports both Windows and Linux operating systems.

In the early days of the group, affiliates obtained the malware by using Telegram-based builder bots that were able to customize encryption parameters and create customized payloads, indicating that the group relied heavily on Telegram as a delivery and coordination platform.

As of November 2025, the same operators have expanded their commercial offerings, advertising standalone remote access trojans and keyloggers for $500 each, further signaling a desire to diversify their offerings from merely ransomware to a wide range of security technologies. Nevertheless, VolkLocker’s operations have a serious cryptographic weakness at the core of their operation that makes it difficult for them to be effective.

As part of the encryption process, AES-256 is employed in Galois/Counter Mode and a random 12-byte nonce is generated for each file before it deletes the original and adds extensions such as .locked or .cvolk to the encrypted copies after destroying the original files. Although the system seems to be designed to be quite strong, researchers found that all files on a victim's system are encrypted using a single master key which is derived from a 64-character hexadecimal string embedded directly in the binary files.

Additionally, the same key is stored in plaintext to a file named system_backup.key, which is never removed, compounding the problem. This backup appears to be a testing artifact that was inadvertently left in production builds, and SentinelOne suggests that it might be able to help victims recover their data without paying a ransom for it.

While the flaw offers a rare advantage to those already affected, it is expected that when it is disclosed to the public, the threat actors will take immediate steps to remedy the issue. The majority of security experts advise that, generally, the best way to share such weaknesses with law enforcement and ransomware response specialists while an operation is ongoing, is by utilizing private channels. This is done in order to maximize victim assistance without accelerating adversary adaptation, thus maximizing victim assistance without accelerating adversary adaptation.

The modern cyber-extortion economy is sustained by networks of hackers, affiliates, and facilitators that work together to run these campaigns. In order to understand this landscape effectively, open-source intelligence was gathered from social media activity and media reporting. These activities highlighted the existence of a broad range of actors operating within it.

One such group is the Ukrainian-linked UA25 collective, whose actions retaliate against Russian infrastructure are often accompanied by substantial financial and operational damage, with a claim to responsibility publicly made in the media. In such cases, asymmetrical cyber conflict is being highlighted, where loosely organized non-state actors are able to cause outsized damage to much larger adversaries, underscoring the asymmetrical nature of contemporary cyber conflict.

In this climate, Russian cybercriminal groups are often able to blur the line between ideological alignment and financial opportunism, pushing profit-driven schemes under the banner of political activism in an effort to achieve political goals. CyberVolk is an example of this hybrid model: CyberVolk aims to gain legitimacy through hacktivist rhetoric while also engaging in extortion and tool sales to monetize its ransomware activity.

Security firms and independent researchers have been continuously scrutinizing the situation, which has led, in the past few years, to expose internal operational weaknesses, including flawed cryptographic practices, insecure key handling, which can be leveraged to disrupt campaigns and, in some cases, aid law enforcement and takedown efforts on a broader scale. This has been reported as well by publications such as The Register.

In the near-term, analysts warn that ransomware operations will likely get more sophisticated and destructive - with future strains of ransomware increasingly incorporating elements commonly associated with wiper malware, which encrypts data rather than issuing ransoms. There have been several regulatory actions, sanctions, and government advisories issued throughout 2025 that have laid the foundation for a more coordinated international response to these threats.

However, experts warn that meaningful progress will depend on a sustained cooperation between governments, technology companies, and private sector firms. In the case of CyberVolk, the technical ambition often outweighs the execution, yet even faulty operations demonstrate a persistent threat from Russian-linked actors, who continue to adapt despite mounting pressures from the West.

In the wake of recent sanctions targeting key enablers, some parts of this ecosystem have been disrupted; however, new infrastructure and service providers are likely to fill these gaps as time goes on. Defensers should take note of the following lesson: continued vigilance, proactive threat hunting, as well as adopting advanced detection and response capabilities remain essential for preventing ransomware from spreading, as the broader contest against ransomware increasingly depends on converting adversaries' mistakes into durable security advantages to ensure the success of the attack.

It should be noted that the rise and subsequent missteps of CyberVolk can be considered a timely reminder that the ransomware landscape is evolving in multiple ways, not only in terms of technical sophistication but also in terms of narrative strategy and operational ambition.

Although advocates of groups may work to increase their impact by using political messaging, branding, and service models that are tailored for commercialization, long-term success remains dependent on disciplined engineering and operational security-areas in which even ideologically motivated actors continue to fail.

Organizations should take this episode as an example of the importance of building multilayered defenses that go beyond perimeter security to include credential hygiene, behavioral monitoring, and rapid incident response planning in addition to regular patching, offline backups, and tabletop exercises. This episode emphasizes how vital it is to engage with threat intelligence providers in order to identify emerging patterns before they turn into operational disruptions.

In the eyes of policymakers and industry leaders, the case highlights the benefits of coordinated disclosure practices and cross-border collaboration as means of weakening ransomware ecosystems without inadvertently making them more refined.

Iterating and rebranding ransomware groups can be equally instructive as iterating and rebranding their malware, providing defenders with valuable opportunities to anticipate next moves and close gaps before they are exploited. The ability to survive in an environment characterized by both sides adapting will increasingly depend on turning visibility into action and learning from every flaw that has been exposed.

Researchers Find Massive Increase in Hypervisor Ransomware Incidents



 

Ransomware

AI Akira Cloud Cyber Attacks Hypervisor Internet Ransomware

Researchers Find Massive Increase in Hypervisor Ransomware Incidents

Rise in hypervisor ransomware incidents

Cybersecurity experts from Huntress have noticed a sharp rise in ransomware incidents on hypervisors and have asked users to be safe and have proper back-up.

The Huntress case data has disclosed a surprising increase in hypervisor ransomware. It was involved in malicious encryption and rose from a mere three percent in the first half to a staggering 25 percent in 2025.

Akira gang responsible

Experts think that the Akira ransomware gang is the primary threat actor behind this, other players are also going after hypervisors to escape endpoint and network security controls. According to Huntress threat hunters, players are going after hypervisors as they are not secure and hacking them can allow hackers to trigger virtual machines and manage networks.

Why hypervisors?

“This shift underscores a growing and uncomfortable trend: Attackers are targeting the infrastructure that controls all hosts, and with access to the hypervisor, adversaries dramatically amplify the impact of their intrusion," experts said. The attack tactic follows classic playbook. Researchers have "seen it with attacks on VPN appliances: Threat actors realize that the host operating system is often proprietary or restricted, meaning defenders cannot install critical security controls like EDR [Endpoint Detection and Response]. This creates a significant blind spot.”

Other instances

The experts have also found various cases where ransomware actors install ransomware payloads directly via hypervisors, escaping endpoint security. In a few cases, threat actors used built-in-tools like OpenSSL to run encryption of the virtual machine volume without having to upload custom ransomware binaries.

Attack tactic

Huntress researchers have also found attackers disrupting a network to steal login credentials and then attack hypervisors.

“We’ve seen misuse of Hyper-V management utilities to modify VM settings and undermine security features,” they add. “This includes disabling endpoint defenses, tampering with virtual switches, and preparing VMs for ransomware deployment at scale," they said.

Mitigation strategies

Due to the high level of attacks on hypervisors, experts have suggested admins to revisit infosec basics such as multi-factor authentication and password patch updates. Admins should also adopt hypervisor-specific safety measures like only allow-listed binaries can run on a host.

For decades, the Infosec community has known hypervisors to be an easy target. In a worst-case scenario of a successful VM evasion where an attack on a guest virtual machine allows hijacking of the host and its hypervisor, things can go further south. If this were to happen, the impact could be massive as the entire hyperscale clouds depend on hypervisors to isolate tenants' virtual systems.

FinCEN: Ransomware Gangs Extorted Over $2.1B from 2022 to 2024



 

Ransomware

BlackCat Cyber Attacks Extortion FinCEN LockBit Ransomware

FinCEN: Ransomware Gangs Extorted Over $2.1B from 2022 to 2024

FinCEN’s most recent report has revealed that ransomware activity reached a new peak in 2023, accumulating over $1.1 billion in payments before a decline in 2024, as law enforcement pursued major gangs such as ALPHV/BlackCat, LockBit. In general, FinCEN data reveals $2.1 billion in ransoms paid from 2022 through 2024, and about $4.5 billion from 2013 to 2024.

FinCEN’s findings draw on thousands of Bank Secrecy Act reports, that registered 4,194 ransomware incidents between January 2022 and December 2024. Ransomware earnings peaked 2023 with 1,512 incidents and a 77% increase in payouts from 2022, but dropped to nearly $734 million in 1,476 incidents during 2024, decrease attributed to the global disruption of the BlackCat and LockBit operations. These takedowns left affiliates to either transition to other ransomware brands or try to rebuild.

The report does note that most single ransom amounts were under $250,000, although some sectors consistently took the biggest hits. By number of incidents, manufacturing, financial services, healthcare, retail, and legal services were the most frequently targeted industries from 2022 to 2024. By total losses, financial services led with about $365.6 million paid, followed by healthcare, manufacturing, science and technology, and retail, each suffering hundreds of millions in extorted funds.

Over the period under review, FinCEN counted 267 unique ransomware families; however, a handful caused the majority of distraught. Akira accounted for the most reports (376), followed by ALPHV/BlackCat with the highest earnings at close to $395 million, and LockBit with $252.4 million. As for the top 10 most active groups, they were a combined $1.5 billion between 2022 and 2024, featuring Black Basta, Royal, BianLian, Hive, Medusa, and Phobos.

The flow of money is still largely in cryptocurrency, with around 97% of ransom payments in Bitcoin and the remainder in Monero, Ether, Litecoin and Tether. Notification of Ransomware Incident to FBI FinCEN stressed that routine, detailed reporting of ransomware incidents to the FBI and ransom payments to FinCEN continues to be critical to enable tracking of funds, further disrupting them, and sustaining the pressure that resulted in the decline noted in 2024.

Beer Firm Asahi Not Entertaining Threat Actors After Cyberattack



 

Ransomware

AI Asahi Cloud Cyber Attacks Data Internet Ransomware

Beer Firm Asahi Not Entertaining Threat Actors After Cyberattack

Asahi denies ransom payment

Japanese beer giant Asahi said that it didn't receive any particular ransom demand from threat actors responsible for an advanced and sophisticated cyberattack that could have exposed the data of more than two million people.

About the attack

CEO Atsushi Katsuki in a press conference said that the company had not been in touch with the threat actors. But Asahi has delayed the release of financial results. Even if the company received a ransom demand, it would not have paid, Katsuki said. Asahi Super Dry is one of Japan's most popular beers. Asahi suffered a cyberattack on 29th September. However, the company clarified on October 3 that it was hit by a ransomware attack.

Attack tactic

In such incidents, threat actors typically use malicious software to encrypt the target's systems and then ask ransom for providing encryption keys to run the systems again.

Asahi said threat actors could have hacked or stolen identity data like phone numbers and names of around two million people- employees, customers and families.

Qilin gang believed to be responsible

The firm didn't disclose details of the attacker at the conference. Later, it told AFP via mail that experts hinted towards a high chance of attack by hacking group Qilin. The gang issued a statement that the Japanese media understood as a claim of responsibility. Commenting on the situation,

Katsuki said the firm thought it had taken needed measures to prevent such an incident. "But this attack was beyond our imagination. It was a sophisticated and cunning attack," Katsuki said.

Impact on Asahi business

Interestingly, Asahi delayed the release of third-quarter earnings and recently said that the annual financial results had also been delayed. "These and further information on the impact of the hack on overall corporate performance will be disclosed as soon as possible once the systems have been restored and the relevant data confirmed," the firm said.

The product supply hasn't been affected. Shipments will resume in stages while systems recover. "We apologise for the continued inconvenience and appreciate your understanding," Asahi said.

Virtual Machines on Nutanix AHV now in Akira’s Crosshairs; Enterprises must Close Gaps



 

Ransomware

Akira Cyber Crime Data Theft it services Ransomware

Virtual Machines on Nutanix AHV now in Akira’s Crosshairs; Enterprises must Close Gaps

Security agencies have issued a new warning about the Akira ransomware group after investigators confirmed that the operators have added Nutanix AHV virtual machines to their list of targets. This represents a significant expansion of the group’s capabilities, which had already included attacks on VMware ESXi and Microsoft Hyper-V environments. The update signals that Akira is no longer limiting itself to conventional endpoints or common hypervisors and is now actively pursuing a wider range of virtual infrastructure used in large organisations.

Although Akira was first known for intrusions affecting small and medium businesses across North America, Europe and Australia, the pattern of attacks has changed noticeably over the last year. Incident reports now show that the group is striking much larger companies, particularly those involved in manufacturing, IT services, healthcare operations, banking and financial services, and food-related industries. This shift suggests a strategic move toward high-value victims where disruptions can cause substantial operational impact and increase the pressure to pay ransom demands.

Analysts observing the group’s behaviour note that Akira has not simply created a few new variants. Instead, it has invested considerable effort into developing ransomware that functions across multiple operating systems, including Windows and Linux, and across several virtualisation platforms. Building such wide-reaching capability requires long-term planning, and researchers interpret this as evidence that the group aims to remain active for an extended period.

How attackers get into networks

Investigations into real-world intrusions show that Akira typically begins by taking advantage of weak points in remote access systems and devices connected to the internet. Many victims used VPN systems that lacked multifactor authentication, making them vulnerable to attackers trying common password combinations or using previously leaked credentials. The group has also exploited publicly known vulnerabilities in networking products from major vendors and in backup platforms that had not been updated with security patches.

In addition to these weaknesses, Akira has used targeted phishing emails, misconfigured Remote Desktop Protocol portals, and exposed SSH interfaces on network routers. In some breaches, compromising a router allowed attackers to tunnel deeper into internal networks and reach critical servers, especially outdated backup systems that had not been maintained.

Once inside, the attackers survey the entire environment. They run commands designed to identify domain controllers and trust relationships between systems, giving them a map of how the network is structured. To avoid being detected, they often use remote-access tools that are normally employed by IT administrators, making their activity harder to differentiate from legitimate work. They also disable security software, create administrator-level user accounts for long-term access, and deploy tools capable of running commands on multiple machines at once.

Data theft and encryption techniques

Akira uses a double-extortion method. The attackers first locate and collect sensitive corporate information, which they compress and transfer out of the network using well-known tools such as FileZilla, WinRAR, WinSCP or RClone. Some investigations show that this data extraction process can be completed in just a few hours. Once the information has been removed, they launch the ransomware encryptor, which uses modern encryption algorithms that are designed to work quickly and efficiently. Over time, the group has changed the file extensions that appear after encryption and has modified the names and placement of ransom notes. The ransomware also removes Windows shadow copies to block easy recovery options.

Why the threat continues to succeed

Cybersecurity experts point out that Akira benefits from long-standing issues that many organisations fail to address. Network appliances, remote access devices, and backup servers often remain unpatched for months, giving attackers opportunities to exploit vulnerabilities that should have been resolved. These overlooked systems create gaps that remain unnoticed until an intrusion is already underway.

How organisations can strengthen defences

While applying patches, enabling multifactor authentication, and keeping offline backups remain essential, the recent wave of incidents shows that more comprehensive measures are necessary. Specialists recommend dividing networks into smaller segments to limit lateral movement, monitoring administrator-level activity closely, and extending security controls to backup systems and virtualisation consoles. Organisations should also conduct complete ransomware readiness exercises that include not only technical recovery procedures but also legal considerations, communication strategies, and preparations for potential data leaks.

Security researchers emphasise that companies must approach defence with the same mindset attackers use to find vulnerabilities. Identifying weaknesses before adversaries exploit them can make the difference between a minor disruption and a large-scale crisis.

Akira Ramps up Ransomware Activity With New Variant And More Aggressive Intrusion Methods



 

Ransomware

Akira Cyber Security Data Extortion Ransomware

Akira Ramps up Ransomware Activity With New Variant And More Aggressive Intrusion Methods

Akira, one of the most active ransomware operations this year, has expanded its capabilities and increased the scale of its attacks, according to new threat intelligence shared by global security agencies. The group’s operators have upgraded their ransomware toolkit, continued to target a broad range of sectors, and sharply increased the financial impact of their attacks.

Data collected from public extortion portals shows that by the end of September 2025 the group had claimed roughly 244.17 million dollars in ransom proceeds. Analysts note that this figure represents a steep rise compared to estimates released in early 2024. Current tracking data places Akira second in overall activity among hundreds of monitored ransomware groups, with more than 620 victim organisations listed this year.

The growing number of incidents has prompted an updated joint advisory from international cyber authorities. The latest report outlines newly observed techniques, warns of the group’s expanded targeting, and urges all organisations to review their defensive posture.

Researchers confirm that Akira has introduced a new ransomware strain, commonly referenced as Akira v2. This version is designed to encrypt files at higher speeds and make data recovery significantly harder. Systems affected by the new variant often show one of several extensions, which include akira, powerranges, akiranew, and aki. Victims typically find ransom instructions stored as text files in both the main system directory and user folders.

Investigations show that Akira actors gain entry through several familiar but effective routes. These include exploiting security gaps in edge devices and backup servers, taking advantage of authentication bypass and scripting flaws, and using buffer overflow vulnerabilities to run malicious code. Stolen or brute forced credentials remain a common factor, especially when multi factor authentication is disabled.

Once inside a network, the attackers quickly establish long-term access. They generate new domain accounts, including administrative profiles, and have repeatedly created an account named itadm during intrusions. The group also uses legitimate system tools to explore networks and identify sensitive assets. This includes commands used for domain discovery and open-source frameworks designed for remote execution. In many cases, the attackers uninstall endpoint detection products, change firewall rules, and disable antivirus tools to remain unnoticed.

The group has also expanded its focus to virtual and cloud based environments. Security teams recently observed the encryption of virtual machine disk files on Nutanix AHV, in addition to previous activity on VMware ESXi and Hyper-V platforms. In one incident, operators temporarily powered down a domain controller to copy protected virtual disk files and load them onto a new virtual machine, allowing them to access privileged credentials.

Command and control activity is often routed through encrypted tunnels, and recent intrusions show the use of tunnelling services to mask traffic. Authorities warn that data theft can occur within hours of initial access.

Security agencies stress that the most effective defence remains prompt patching of known exploited vulnerabilities, enforcing multi factor authentication on all remote services, monitoring for unusual account creation, and ensuring that backup systems are fully secured and tested.

Checkout Refuses ShinyHunters Ransom, Donates Funds to Cybersecurity Research



 

Tech Firm

Checkout Data Breach Ransomware ShinyHunters Tech Firm

Checkout Refuses ShinyHunters Ransom, Donates Funds to Cybersecurity Research

Checkout, a UK-based financial tech firm, recently suffered a data breach orchestrated by the cybercriminal group ShinyHunters, who have demanded a ransom for stolen merchant data. In response, the company announced it would not pay the ransom but instead donate the equivalent amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to fund cybercrime research initiatives.

The breach occurred after ShinyHunters gained unauthorized access to a legacy third-party cloud storage system used by Checkout in 2020 and earlier. This system, which had not been properly decommissioned, contained internal operational documents, onboarding materials, and data from a significant portion of company’s merchant base, including past and current customers. The company estimates that less than 25% of its current merchant base was affected by the incident.

The tech firm provides payment processing services to major global brands such as eBay, Uber Eats, adidas, GE Healthcare, IKEA, Klarna, Pinterest, Alibaba, Shein, Sainsbury’s, Sony, DocuSign, Samsung, and HelloFresh, managing billions in merchandise revenue. The company’s systems include a unified payments API, hosted payment portals, mobile SDKs, and plugins for existing platforms, along with fraud detection, identity verification, and dispute management features.

ShinyHunters is an international threat group known for targeting large organizations, often leveraging phishing, OAuth attacks, and social engineering to infiltrate systems and extort ransom payments. The group has recently exploited the Oracle E-Business Suite zero-day vulnerability (CVE-2025-61884) and carried out attacks on Salesforce and Drift systems affecting multiple organizations earlier in the year.

Despite the pressure to pay a ransom to prevent the leaked data from being published, Checkout has refused and opted for a different strategy. The company will invest in strengthening its own security infrastructure and protecting its customers more effectively in the future. Additionally, the company has committed to supporting academic research in cybersecurity by channeling the intended ransom funds to prestigious universities.

Checkout has not disclosed the identity of the compromised third-party cloud file storage system or the specific breach method. The company continues to work on bolstering its defenses and has emphasized its commitment to transparency and customer protection. This decision sets a notable precedent for organizations facing ransomware demands, highlighting the importance of proactive security investment and responsible action in the face of cyber threats.

Governments sanction Russian “bulletproof” host for aiding ransomware networks



 

USA

Bulletproof hosting Cyber Crime media land Ransomware Russia USA

Governments sanction Russian “bulletproof” host for aiding ransomware networks

Authorities in the United States, the United Kingdom, and Australia have jointly imposed sanctions on a Russian bulletproof hosting provider accused of giving safe and long-term technical support to ransomware operators and other criminal groups. Officials say the newly sanctioned entities have played a central role in keeping several high-impact cybercrime operations online.

A bulletproof hosting service is a type of internet infrastructure provider that knowingly allows harmful activity on its servers. These companies rent out digital space and refuse to take down malicious websites, even when they receive complaints from victims or requests from law enforcement. Such services help threat actors conduct phishing campaigns, distribute malware, run command and control systems for their attacks, and host illegal content without fear of quick removal. This resistance to oversight makes it harder for investigators to disrupt cybercriminal networks.

Media Land and its linked companies named as key targets

The United States Treasury’s Office of Foreign Assets Control announced that Media Land, a Russia-based provider, has been added to the sanctions list along with three related firms: Media Land Technology, Data Center Kirishi, and ML Cloud. According to officials, Media Land’s infrastructure has been connected to well-known ransomware groups. It has also been tied to distributed denial-of-service attacks that targeted American companies, including systems categorized as critical infrastructure such as parts of the telecommunications sector.

Officials name individuals connected to the operation

Sanctions also extend to three people associated with Media Land. Aleksandr Volosovik has been identified as someone who promoted the company’s services on underground cybercriminal forums under the username Yalishanda. Another individual, Kirill Zatolokin, is accused of handling customer payments. A third person, Yulia Pankova, is said to have assisted with legal matters and financial management. The United Kingdom additionally stated that Volosovik has interacted with multiple cybercrime groups in the past.

Other companies involved in supporting the infrastructure

The sanctions package further includes Aeza Group LLC, another bulletproof hosting operator that had already been sanctioned earlier this year. Authorities say Aeza attempted to continue operating by using a UK-based company named Hypercore Ltd as a front. Additional entities in Serbia and Uzbekistan that provided technical assistance to the network have also been designated.

Government agencies issue defensive guidance

Along with the sanctions, cybersecurity agencies across the Five Eyes alliance released technical recommendations to help defenders identify and block activity linked to bulletproof hosting services. They suggest creating high-confidence lists of harmful internet resources based on verified threat intelligence, performing continuous monitoring of network traffic, and applying filtering rules at network boundaries while examining how those rules might affect legitimate users. The guidance also encourages service providers to maintain stronger onboarding checks for new customers since criminal operators often hide behind temporary email accounts or phone numbers.

Implications of the sanctions

All assets connected to the named individuals and companies within the United States, the United Kingdom, and Australia will now be frozen. Any organisation or person that continues to conduct transactions with them may face secondary sanctions or other enforcement actions. This step builds on earlier actions taken in February, when the three nations sanctioned ZServers, another Russian hosting operation, while Dutch authorities seized more than one hundred of its servers.

The coordinated announcement signals a growing international effort to dismantle the online infrastructure that ransomware groups depend on. It also reinforces the need for organisations to maintain strong cybersecurity practices, rely on reputable service providers, and monitor threat intelligence to reduce exposure to criminal activity.

When Weak Passwords Open The Door: Major Breaches That Began With Simple Logins



 

Ransomware

Account security British transport Data Breach MFA Passwords Ransomware

When Weak Passwords Open The Door: Major Breaches That Began With Simple Logins

Cybersecurity incidents are often associated with sophisticated exploits, but many of the most damaging breaches across public institutions, private companies and individual accounts have originated from something far more basic: predictable passwords and neglected account controls. A review of several high-profile cases shows how easily attackers can bypass defences when organisations rely on outdated credentials, skip essential updates or fail to enforce multi-factor authentication.

One example resurfaced when an older assessment revealed that the server used to manage surveillance cameras at a prominent European museum operated with a password identical to the institution’s name. The report, which stresses on configuration weaknesses and poor access safeguards, has drawn renewed attention following recent thefts from the museum’s collection. The outdated credential underlined how critical systems often remain vulnerable because maintenance and password policies fall behind operational needs.

A similar pattern was seen in May 2021 when a major fuel pipeline in the United States halted operations after attackers used a compromised login associated with an inactive remote-access account. The credential was not protected by secondary verification, allowing the intruders to infiltrate the network. The temporary shutdown triggered widespread disruption, and the operator ultimately paid a substantial ransom before systems could be restored. Investigators later recovered part of the payment, but the event demonstrated how a single unsecured account can affect national infrastructure.

In the corporate sector, a British transport company with more than a century of operations collapsed after a ransomware group accessed its internal environment by correctly guessing an employee’s password. Once inside, the attackers encrypted operational data and locked critical systems, demanding a ransom the firm could not pay. With its files unrecoverable, the company ceased trading and hundreds of employees lost their jobs. The case illustrated how small oversights in password hygiene can destabilise even long-established businesses.

Weak or unchanged default codes have also enabled intrusions into personal communications. Years-long investigations into unlawful phone-hacking in the United Kingdom revealed that some voicemail systems were protected by factory-set PINs or extremely simple numerical combinations. These lax protections enabled unauthorized access to private messages belonging to public figures, eventually triggering criminal proceedings, regulatory inquiries and the shutdown of a national newspaper.

Historical oversight is not limited to consumer systems. Former personnel who worked with early nuclear command procedures in the United States have described past practices in which launch mechanisms relied on extremely simple numeric sequences. Although additional procedural safeguards existed, later reforms strengthened the technical requirements to ensure that no single point of failure or simplistic code could enable unauthorized action.

More recently, a national elections authority in the United Kingdom was reprimanded after attackers accessed servers containing voter registration data between 2021 and 2022. Regulators found that essential patches had not been applied and that many internal accounts continued to use passwords similar to those originally assigned at setup. By impersonating legitimate users, intruders were able to penetrate the system, though no evidence indicated that the data was subsequently misused.

These incidents reinforce a consistent conclusion. Passwords remain central to digital security, and organisations that fail to enforce strong credential policies, update software and enable multi-factor authentication expose themselves to avoidable breaches. Even basic improvements in password complexity and account management can prevent the kinds of failures that have repeatedly resulted in financial losses, service outages and large-scale investigations.

How Oversharing, Weak Passwords, and Digital IDs Make You an Easy Target and What You Can Do



 

Scams

2FA Cyber Threats Digital ID Digital identification Passwords Privacy Ransomware Scams

How Oversharing, Weak Passwords, and Digital IDs Make You an Easy Target and What You Can Do

The more we share online, the easier it becomes for attackers to piece together our personal lives. Photos, location tags, daily routines, workplace details, and even casual posts can be combined to create a fairly accurate picture of who we are. Cybercriminals use this information to imitate victims, trick service providers, and craft convincing scams that look genuine. When someone can guess where you spend your time or what services you rely on, they can more easily pretend to be you and manipulate systems meant to protect you. Reducing what you post publicly is one of the simplest steps to lower this risk.

Weak passwords add another layer of vulnerability, but a recent industry assessment has shown that the problem is not only with users. Many of the most visited websites do not enforce strong password requirements. Some platforms do not require long passwords, special characters, or case sensitivity. This leaves accounts easier to break into through automated attacks. Experts recommend that websites adopt stronger password rules, introduce passkey options, and guide users with clear indicators of password strength. Users can improve their own security by relying on password managers, creating long unique passwords, and enabling two factor authentication wherever possible.

Concerns about device security are also increasing. Several governments have begun reviewing whether certain networking devices introduce national security risks, especially when the manufacturers are headquartered in countries that have laws allowing state access to data. These investigations have sparked debates over how consumer hardware is produced, how data flows through global supply chains, and whether companies can guarantee independence from government requests. For everyday users, this tension means it is important to select routers and other digital devices that receive regular software updates, publish clear security policies, and have a history of addressing vulnerabilities quickly.

Another rising threat is ransomware. Criminal groups continue to target both individuals and large organisations, encrypting data and demanding payment for recovery. Recent cases involving individuals with cybersecurity backgrounds show how profitable illicit markets can attract even trained professionals. Because attackers now operate with high levels of organisation, users and businesses should maintain offline backups, restrict access within internal networks, and test their response plans in advance.

Privacy concerns are also emerging in the travel sector. Airline data practices are also drawing scrutiny. Travel companies cannot directly sell passenger information to government programs due to legal restrictions, so several airlines jointly rely on an intermediary that acts as a broker. Reports show that this broker had been distributing data for years but only recently registered itself as a data broker, which is legally required. Users can request removal from this data-sharing system by emailing the broker’s privacy address and completing identity verification. Confirmation records should be stored for reference. The process involves verifying identity details, and users should keep a copy of all correspondence and confirmations.

Finally, several governments are exploring digital identity systems that would allow residents to store official identification on their phones. Although convenient, this approach raises significant privacy risks. Digital IDs place sensitive information in one central location, and if the surrounding protections are weak, the data could be misused for tracking or monitoring. Strong legal safeguards, transparent data handling rules, and external audits are essential before such systems are implemented.

Experts warn that centralizing identity increases the potential impact of a breach and may facilitate tracking unless strict limits, independent audits, and user controls are enforced. Policymakers must balance convenience with strong technical and legal protections.

Practical, immediate steps one should follow:

1. Reduce public posts that reveal routines or precise locations.

2. Use a password manager and unique, long passwords.

3. Turn on two factor authentication for important accounts.

4. Maintain offline backups and test recovery procedures.

5. Check privacy policies of travel brokers and submit opt-out requests if you want to limit data sharing.

6. Prefer devices with clear update policies and documented security practices.

These measures lower the chance that routine online activity becomes a direct route into your accounts or identity. Small, consistent changes will greatly reduce risk.

Overall, users can strengthen their protection by sharing less online, reviewing how their travel data is handled, and staying informed about the implications of digital identification. Small and consistent actions reduce the likelihood of becoming a victim of cyber threats.

M&S Cyberattack: Retailer Issues Fresh Warning to Shoppers



 

Scattered Spider

Cyber Attacks DragonForce Marks & Spencer Ransomware Scattered Spider

M&S Cyberattack: Retailer Issues Fresh Warning to Shoppers

Marks & Spencer (M&S) suffered a severe cyberattack in April 2025, orchestrated by the ransomware group known as Scattered Spider, with the ransomware called DragonForce. This breach forced M&S to halt all online transactions for nearly six weeks, disrupting its operations during a traditionally strong trading period around Easter.

The attackers first infiltrated M&S's network through social engineering tactics aimed at a third-party IT helpdesk contractor, Tata Consultancy Services, tricking staff into granting access. This human error allowed the hackers to steal sensitive customer personal data, including names, addresses, emails, phone numbers, birthdates, and order histories, though no payment details or passwords were compromised.

As a result, M&S had to suspend online shopping completely and revert to manual processes for inventory and logistics, which led to empty shelves and disrupted service in many stores. Contactless payments and order collection systems failed at the outset of the incident, adding to customer frustration. M&S publicly apologized and reset all customer passwords on affected accounts as a precaution against subsequent phishing attacks using the stolen data.

Financially, the incident is estimated to have cost M&S approximately £300 million in lost profits, which significantly impacted its half-year results. Despite the disruption, M&S’s revenue during the affected period remained relatively stable, reflecting growth in grocery and clothing/home segments, though online market share was partly lost to competitors like Next. The full impact on profits and sales was to be revealed in M&S’s upcoming financial report.

The cyber attack highlighted vulnerabilities in traditional cybersecurity defenses focused on inbound threats, as the ransomware attack involved a "double extortion" technique where data was exfiltrated before encryption, and legacy tools failed to detect the outbound data theft. Experts suggest that more advanced anti-data exfiltration capabilities could have mitigated damage. M&S is reviewing its cybersecurity posture and continuing to recover operationally while managing costs and store investments moving forward.

M&S shoppers were urged to remain vigilant against phishing scams, as criminals exploit stolen personal data for targeted attacks. The incident underscores the evolving threats retailers face from ransomware and social engineering attacks on supply chains and third-party vendors. Overall, the attack marked a significant challenge for M&S’s digital and retail operations with a wide-reaching customer impact and financial implications.

Why Ransomware Attacks Keep Rising and What Makes Them Unstoppable



 

Technology

AI Cloud Dark Web Internet Ransomware Technology

Why Ransomware Attacks Keep Rising and What Makes Them Unstoppable

In August, Jaguar Land Rover (JLR) suffered a cyberattack. JLR employs over 32,800 people and provides additional 104,000 jobs via it's supply chain. JLR is the recent victim in a chain of ransomware attacks.

Why such attacks?

Our world is entirely dependent on technology which are prone to attacks. Only a few people understand such complex infrastructure. The internet is built to be easy, and this makes it vulnerable. The first big cyberattack happened in 1988. That time, not many people knew about it.

The more we rely on networked computer technology, the more we become exposed to attacks and ransomware extortion.

How such attacks happen?

There are various ways of hacking or disrupting a network. Threat actors get direct access through software bugs, they can access unprotected systems and leverage them as a zombie army called "botnet," to disrupt a network.

Currently, we are experiencing a wave of ransomware attacks. First, threat actors hack into a network, they may pretend to be an employee. They do this via phishing emails or social engineering attacks. After this, they increase their access and steal sensitive data for extortion reasons. By this, hackers gain control and assert dominance.

These days, "hypervisor" has become a favourite target. It is a server computer that lets many remote systems to use just one system (like work from home). Hackers then use ransomware to encode data, which makes the entire system unstable and it becomes impossible to restore the data without paying the ransom for a decoding key.

Why constant rise in attacks?

A major reason is a sudden rise in cryptocurrencies. It has made money laundering easier. In 2023, a record $1.1 billion was paid out across the world. Crypto also makes it easier to buy illegal things on the dark web. Another reason is the rise of ransomware as a service (RaaS) groups. This business model has made cyberattacks easier for beginner hackers

About RaaS

RaaS groups market on dark web and go by the names like LockBit, REvil, Hive, and Darkside sell tech support services for ransomware attack. For a monthly fees, they provide a payment portal, encryption softwares, and a standalone leak site for blackmailing the victims, and also assist in ransom negotiations.

NCSC Warns of Rising Cyber Threats Linked to China, Urges Businesses to Build Defences



 

Ransomware

Artificial Intelligence China Cyber Attacks NCSC Ransomware

NCSC Warns of Rising Cyber Threats Linked to China, Urges Businesses to Build Defences

The United Kingdom’s National Cyber Security Centre (NCSC) has cautioned that hacking groups connected to China are responsible for an increasing number of cyberattacks targeting British organisations. Officials say the country has become one of the most capable and persistent sources of digital threats worldwide, with operations extending across government systems, private firms, and global institutions.

Paul Chichester, the NCSC’s Director of Operations, explained that certain nations, including China, are now using cyber intrusions as part of their broader national strategy to gain intelligence and influence. According to the NCSC’s latest annual report, China remains a “highly sophisticated” threat actor capable of conducting complex and coordinated attacks.

This warning coincides with a government initiative urging major UK companies to take stronger measures to secure their digital infrastructure. Ministers have written to hundreds of business leaders, asking them to review their cyber readiness and adopt more proactive protection strategies against ransomware, data theft, and state-sponsored attacks.

Last year, security agencies from the Five Eyes alliance, comprising the UK, the United States, Canada, Australia, and New Zealand uncovered a large-scale operation by a Chinese company that controlled a botnet of over 260,000 compromised devices. In August, officials again warned that Chinese-backed hackers were targeting telecommunications providers by exploiting vulnerabilities in routers and using infected devices to infiltrate additional networks.

The NCSC also noted that other nations, including Russia, are believed to be “pre-positioning” their cyber capabilities in critical sectors such as energy and transportation. Chichester emphasized that the war in Ukraine has demonstrated how cyber operations are now used as instruments of power, enabling states to disrupt essential services and advance strategic goals.

Artificial Intelligence: A New Tool for Attackers

The report highlights that artificial intelligence is increasingly being used by hostile actors to improve the speed and efficiency of existing attack techniques. The NCSC clarified that, while AI is not currently enabling entirely new forms of attacks, it allows adversaries to automate certain stages of hacking, such as identifying security flaws or crafting convincing phishing emails.

Ollie Whitehouse, the NCSC’s Chief Technology Officer, described AI as a “productivity enhancer” for cybercriminals. He explained that it is helping less experienced hackers conduct sophisticated campaigns and enabling organized groups to expand operations more rapidly. However, he reassured that AI does not currently pose an existential threat to national security.

Ransomware Remains the Most Severe Risk

For UK businesses, ransomware continues to be the most pressing danger. Criminals behind these attacks are financially motivated, often targeting organisations with weak security controls regardless of size or industry. The NCSC reports seeing daily incidents affecting schools, charities, and small enterprises struggling to recover from system lockouts and data loss.

To strengthen national resilience, the upcoming Cyber Security and Resilience Bill will require critical service providers, including data centres and managed service firms, to report cyber incidents within 24 hours. By increasing transparency and response speed, the government hopes to limit the impact of future attacks.

The NCSC urges business leaders to treat cyber risk as a priority at the executive level. Understanding the urgency of action, maintaining up-to-date systems, and investing in employee awareness are essential steps to prevent further damage. As cyber activity grows “more intense, frequent, and intricate,” the agency stresses that a united effort between the government and private sector is crucial to protecting the UK’s digital ecosystem.

Sotheby’s Investigates Cyberattack That Exposed Employee Financial Information



 

Sotheby

Data Breach Employee Data Financial Information Ransomware Sotheby

Sotheby’s Investigates Cyberattack That Exposed Employee Financial Information

Global auction house Sotheby’s has disclosed that it recently suffered a data breach in which cybercriminals accessed and extracted files containing sensitive information. The company confirmed that the security incident, detected on July 24, 2025, led to unauthorized access to certain internal data systems.

According to a notification filed with the Maine Attorney General’s Office, the compromised records included details such as full names, Social Security Numbers (SSNs), and financial account information. While the filing listed only a few individuals from the states of Maine and Rhode Island, the overall number of people affected by the breach has not been publicly confirmed.

Sotheby’s stated that once the intrusion was identified, its cybersecurity team immediately launched a detailed investigation, working alongside external security experts and law enforcement authorities. The process reportedly took nearly two months as the company conducted a comprehensive audit to determine what type of information was taken and whose data was affected.

In its notice to those impacted, the company wrote that certain Sotheby’s data “appeared to have been removed from our environment by an unknown actor.” It added that an “extensive review of the data” was carried out to identify the affected records and confirm the individuals connected to them.

As a precautionary measure, Sotheby’s is offering affected individuals 12 months of free identity protection and credit monitoring services through TransUnion, encouraging them to register within 90 days of receiving the notification letter.

Initially, it was unclear whether the compromised data involved employees or clients. However, in an update on October 17, 2025, Sotheby’s clarified in a statement to BleepingComputer that the breach involved employee information, not customer data. The company emphasized that it took the incident seriously and immediately involved external cybersecurity experts to support the response and remediation process.

“Sotheby’s discovered a cybersecurity incident that may have involved certain employee information,” a company spokesperson said in an official statement. “Upon discovery, we promptly began an investigation with leading data protection specialists and law enforcement. The company is notifying all impacted individuals as required and remains committed to protecting the integrity of its systems and data.”

Sotheby’s is among the world’s most recognized auction houses, dealing in high-value art and luxury assets. In 2024, the firm recorded total annual sales of nearly $6 billion, highlighting the scale and sensitivity of the data it manages, including financial and transactional records.

Although no ransomware groups have claimed responsibility for this breach so far, similar attacks have previously targeted high-end auction platforms. In 2024, the RansomHub gang allegedly breached Christie’s, stealing personal data belonging to an estimated 500,000 clients. Such incidents indicate that cybercriminals increasingly view global art institutions as lucrative targets due to the financial and personal data they store.

This is not the first time Sotheby’s has dealt with cybersecurity issues. Between March 2017 and October 2018, the company’s website was compromised by a malicious web skimmer designed to collect customer payment information. A comparable supply-chain attack in 2021 also led to unauthorized access to sensitive data.

The latest breach reinforces the growing risks faced by major cultural and financial institutions that handle valuable client and employee data. As investigations continue, Sotheby’s has urged affected individuals to remain vigilant, review their financial statements regularly, and immediately report any suspicious activity to their bank or credit institution.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Menu Item

Rise in hypervisor ransomware incidents

Akira gang responsible

Why hypervisors?

Other instances

Attack tactic

Mitigation strategies

Asahi denies ransom payment

About the attack

Attack tactic

Qilin gang believed to be responsible

Impact on Asahi business

Why such attacks?

How such attacks happen?

Why constant rise in attacks?

About RaaS