Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware. Show all posts
ToolShell
CERT Croatia phishing Ransomware RBI Research ToolShell

Croatia’s Largest Research Institute Hit by Ransomware in Global ToolShell Exploits




The RuÄ‘er BoÅ¡ković Institute (RBI) in Zagreb — Croatia’s biggest science and technology research center has confirmed it was one of thousands of organizations worldwide targeted in a massive cyberattack exploiting Microsoft SharePoint’s “ToolShell” security flaws.

The incident occurred on Thursday, July 31, 2025, and resulted in ransomware being installed on parts of the Institute’s internal network. According to RBI’s statement, the affected systems were linked to its administrative and support operations, with attackers encrypting documents and databases to block access.


Refusing to Pay the Hackers

Unlike some victims, RBI has stated it will not pay the ransom. Instead, the Institute plans to follow strict security protocols, restore affected systems from backups, and upgrade its infrastructure to meet modern cybersecurity standards.

Past reports indicate that ToolShell vulnerabilities have been used to spread two strains of ransomware — Warlock and 4L4MD4R but RBI has not yet confirmed which variant hit its systems.


Restoration Underway

Recovery work is ongoing, with some systems already back online. Email services were restored the Friday after the attack, and the Institute is slowly bringing other parts of its network back into operation. A completely new IT system is also being built to improve defenses and reduce future risks.

The response involves not just RBI’s internal team but also the Ministry of the Interior, Croatia’s national CERT, and other cybersecurity agencies. A detailed forensic investigation is still in progress.


Possible Data Exposure

It’s still unclear whether the attackers accessed personal information. Croatia’s Personal Data Protection Agency has been notified, and the Institute has pledged to act in line with GDPR rules if any breach of personal data is confirmed.

As a precaution, RBI’s data protection officer has already warned staff that some sensitive information, such as personal ID numbers, addresses, financial reimbursements, and other records may have been stolen. Employees were advised to stay alert for phishing emails pretending to be from the Institute or official authorities.


Part of a Global Problem

RBI is one of at least 9,000 institutions worldwide affected by attacks using the same ToolShell vulnerabilities. These flaws in Microsoft SharePoint have become a major cybercrime tool, enabling hackers to infiltrate networks, steal or lock data, and demand large ransom payments.

While the Institute continues its recovery, the attack is a reminder that even highly respected research organizations can be vulnerable, and that refusing to pay ransom demands can be both a security stance and a financial gamble.

Read more »
Ransomware
BYOVD Attack Cyber Crime Data Stolen EDR Ransomware

New Hacking Tool Lets Ransomware Groups Disable Security Systems

 



Cybersecurity experts have discovered a new malicious tool designed to shut down computer security programs, allowing hackers to attack systems without being detected. The tool, which appears to be an updated version of an older program called EDRKillShifter, is being used by at least eight separate ransomware gangs.

According to researchers at Sophos, the groups using it include RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC. These criminal gangs use such programs to disable antivirus and Endpoint Detection and Response (EDR) systems software meant to detect and stop cyberattacks. Once these protections are switched off, hackers can install ransomware, steal data, move through the network, and lock down devices.


How the Tool Works

The new tool is heavily disguised to make it difficult for security software to spot. It starts by running a scrambled code that “unlocks” itself while running, then hides inside legitimate applications to avoid suspicion.

Next, it looks for a specific type of computer file called a driver. This driver is usually digitally signed, meaning it appears to be safe software from a trusted company but in this case, the signature is stolen or outdated. If the driver matches a name hidden in the tool’s code, the hackers load it into the computer’s operating system.

This technique is called a “Bring Your Own Vulnerable Driver” (BYOVD) attack. By using a driver with security weaknesses, the hackers gain deep control of the system, including the ability to shut down security tools.

The driver pretends to be a legitimate file, sometimes even mimicking trusted products like the CrowdStrike Falcon Sensor Driver. Once active, it terminates the processes and services of security products from well-known vendors such as Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, McAfee, F-Secure, and others.


Shared Development, Not Leaks

Sophos notes that while the tool appears in attacks by many different groups, it is not a case of one stolen copy being passed around. Instead, it seems to be part of a shared development project, with each group using a slightly different version — changing driver names, targeted software, or technical details. All versions use the same “HeartCrypt” method to hide their code, suggesting close cooperation among the groups.


A Common Criminal Practice

This is not the first time such tools have been shared in the ransomware world. In the past, programs like AuKill and AvNeutralizer have been sold or distributed to multiple criminal gangs, allowing them to disable security tools before launching attacks.

The discovery of this new tool is a reminder that ransomware operators are constantly improving their methods and working together to overcome defenses. Security experts stress the need for updated protections and awareness to defend against such coordinated threats.

Read more »
Windows
AI Akira Ransomware Bugs Internet malware Ransomware Windows

Akira ransomware turns off Windows Defender to install malware on Windows devices

Akira ransomware turns off Windows Defender to install malware on Windows devices

Akira ransomware strikes again. This time, it has abused an Intel CPU tuning driver to stop Microsoft Defender in attacks from EDRs and security tools active on target devices.

Windows defender turned off for attacks

The exploited driver is called “rwdrv.sys” (used by ThrottleStop), which the hackers list as a service that allows them to gain kernel-level access. The driver is probably used to deploy an additional driver called “hlpdrv.sys,” a hostile tool that modifies Windows Defender to shut down its safety features.

'Bring your own vulnerable driver' attack

Experts have termed the attack “Bring your vulnerable driver (BYOVD), where hackers use genuine logged-in drivers that have known bugs that can be exploited to get privilege escalation. The driver is later used to deploy a hostile that turns off Microsoft Defender. According to the experts, the additional driver hlpdrv.sys is “similarly registered as a service. When executed, it modifies the DisableAntiSpyware settings of Windows Defender within \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware.” The malware achieves this by executing regedit.exe. 

Discovery of the Akira ransomware attack

The technique was observed by Guidepoint Security, which noticed repeated exploitation of the rwdrv.sys driver in Akira ransomware attacks. The experts flagged this tactic due to its ubiquity in the latest Akira ransomware incidents. “This high-fidelity indicator can be used for proactive detection and retroactive threat hunting,” the report said. 

To assist security experts in stopping these attacks, Guidepoint Security has offered a YARA rule for hlpdrv.sys and complete indicators of compromise (IoCs) for the two drivers, as well as their file paths and service names.

SonicWall VPN attack

Akira ransomware was also recently associated with SonicWall VPN attacks. The threat actor used an unknown bug. According to Guidepoint Security, it could not debunk or verify the abuse of a zero-day flaw in SonicWall VPNs by the Akira ransomware gang. Addressing the reports, SonicWall has advised to turn off SSLVPN, use two-factor authentication (2FA), remove inactive accounts, and enable Botnet/Geo-IP safety.

The DFIR report has also released a study of the Akira ransomware incidents, revealing the use of Bumblebee malware loader deployed through trojanized MSI loaders of IT software tools.

Read more »
Technology
DarkBit Encyption Internet Iran Israel Ransomware Technology

Experts decoded encryption keys used by DarkBit ransomware gang

Experts decoded encryption keys used by DarkBit ransomware gang

Encryption key for Darkbit ransomware

Good news for people affected by the DarkBit ransomware: experts from Profero have cracked the encryption process, allowing victims to recover their files for free without paying any ransom.

However, the company has not yet released the decryptor. The National Cyber Directorate from Israel connected the DarkBit ransomware operation to the Iran-nexus cybercriminal gang called “MuddyWater APT.”

How the attack started

After a DarkBit ransomware attack in 2023, Profero encrypted various VMware ESXi servers, which were believed as retaliation for Iranian drone attacks. The threat actors did not negotiate the ransom and emphasized disrupting operations and campaigns to damage the target’s reputation.

The gang posed as pro-Iran hackers and had a history of attacking Israeli agencies. In this incident, the gang asked for 80 Bitcoins and had anti-Israel messages in ransom notes. Profero, however, cracked the encryption, allowing free recovery.

How did the experts find out

While studying DarkBit ransomware, experts discovered that its AES-128-CBC key generation tactic gave weak and predictable keys. Profero used file timestamps and a known VMDK header to limit the keyspace to billions of probabilities, allowing effective brute-force.

“We made use of an AES-128-CBC key-breaking harness to test if our theory was correct, as well as a decryptor which would take an encrypted VMDK and a key and IV pair as input to produce the unencrypted file. The harness ran in a high-performance environment, allowing us to speed through the task as quickly as possible, and after a day of brute-forcing, we were successful!” according to the Profero report. 

Persistent effort led to successful encryption

The experts had proven that it was possible and got the key. They continued brute-forcing another VMDK. This method, however, was not scalable for the following reasons:

  • Each VMDK would require a day for the experts to decrypt
  • The harness resides in an HPC environment and is difficult to scale

“While expensive, it ended up being possible. We decided to once again take a look at any potential weaknesses in the crypto,” Proffero experts said.

The experts made a tool to check all possible seeds and create key and IV pairs to match them against VMDK headers. This allowed them to restore the decryption keys. Profero also leveraged the scarce VMDK files, where most of the content was unencrypted, as the ransom was partially encrypted. The experts then directly recovered the most needed files, avoiding brute-force decryption for most of the data.

Read more »
SafePlay
Cyberbreach CyberCrime CyberThreat Data Breach Ingram Ingram Micro Ransom Threat Ransomware SafePlay

Ingram Micro Faces Alleged Breach by SafePay with Ransom Threat

 


As Ingram Micro is dealing with a widespread outage in its global technology distribution operations that appears to be directly linked to a ransomware attack by the cybercrime group SafePay, the company appears to be experiencing a significant disruption. The company has shut down internal systems due to the incident, which has affected the company's website and online ordering platform since Thursday, according to information obtained by BleepingComputer. 

Despite the fact that Ingram Micro is a major business-to-business technology distributor and service provider that offers hardware, software, cloud solutions, logistics, and training to resellers and managed service providers across the world, it has not yet been publicly confirmed what caused the disruption. According to a ransomware group known as SafePay, the group has issued an ultimatum to Ingram Micro, warning that it will publish 3.5 terabytes of allegedly stolen data unless they are paid a ransom by August 1st. 

Several prominent warning signs, along with a countdown clock, are prominently displayed on the leak site of the group, increasing the pressure on the California-based technology distributor to enter into negotiations with the group. During an ongoing investigation, Ingram Micro informed the public on 5 July of a ransomware attack, which resulted in certain internal systems being shut down as a precaution. 

SafePay did not confirm at that time that any data exfiltration occurred, but now, following the breach, the company claims responsibility and asserts that it has obtained a significant volume of sensitive corporate information. A security researcher has found code similarities to the LockBit ransomware family, suggesting a potential rebrand or offshoot. SafePay started causing threats in late 2024 to at least twenty organisations across different industries.

With the group operating under a double-extortion model, not only do they encrypt compromised systems, but they also threaten victims with leaking their data should they refuse to pay the ransom. In the course of investigating the incident, it has been determined that SafePay was responsible for orchestrating the attack, a comparatively new type of ransomware which emerged between September and November 2024. 

Ingram Micro had not attributed the attack to any specific threat actor. However, BleepingComputer has now discovered a link between the breach and the group that employs the double-extortion model, in which data is stolen and encrypted using system encryption, as well as claiming to have compromised more than 200 companies across a wide range of fields, including manufacturing, healthcare, and education. 

There has been some speculation that SafePay exploited vulnerabilities in the GlobalProtect VPN platform to gain access to the company and left ransom notes on the company's employee devices. As a result of the attack, Ingram Micro's AI-driven Xvantage distribution system, as well as its Impulse license provisioning platform, both critical components of the organisation's global operations, were reportedly affected by the hack.

According to Ingram Micro's announcement on July 5, a number of internal systems had been identified as infected with malicious software, following a ransomware attack. An immediate precautionary measure was taken by the company to secure its environment, including proactively taking down systems and implementing mitigation measures, and the company announced the following week that global operations were fully back to normal. 

There has been no mention of the stolen data, ransom demands, or who was responsible on the company's official incident update page or in its 8-K filing to the Securities and Exchange Commission, as of 7 July. Although the company has continued to acknowledge that it is actively investigating the scope of the incident and the nature of any data affected, it has opted not to comment further on it. 

Interestingly, however, the ransomware group SafePay—which claims responsibility for the intrusion—is more forthright, claiming that it has infected 3.5 terabytes of sensitive data and has set the public release deadline of 1 August 2025 if a ransom is not paid. Consequently, a countdown clock is displayed on their leak site stating that if the ransom is not paid, it will release the data publicly. 

As an intermediary in the supply chain for major technology vendors, Ingram Micro is the largest reseller and enterprise network in the world, servicing over 160,000 resellers and enterprise customers worldwide. There is a growing concern among security specialists that the exposure of partner agreements, customer records, and proprietary product information may have a far-reaching impact across the technology channel. 

From enabling targeted phishing attacks to eroding competitive advantages, the risks are extensive across the technology channel. According to industry consultants, organisations should take steps to strengthen access controls, enforce multifactor authentication, monitor for emerging vulnerabilities, and limit remote access to secured VPNs to prevent such threats. 

While Ingram Micro is still investigating the SafePay leak, the persistent countdown clock on the leak site indicates that no agreement has been reached, which makes it more likely for full disclosure of data to occur. If the claimed dataset is made available, vendors, resellers, and end users might have to reset their credentials on a large scale, prepare for targeted scams, and comply with any potential regulatory reporting requirements. 

Security researchers are then expected to examine these files for potential indicators of compromise and tactical insights that could mitigate similar attacks in the future, as well as the likelihood of these attacks occurring again. It was in a brief announcement published by Ingram Micro on a Sunday morning that they had been victimised by ransomware attacks, stating that malicious software was detected on several internal systems. 

During the investigation, the company reported that it took immediate steps to secure its environment, including the initiation of a proactive shutdown of the affected systems, the implementation of additional mitigation measures, the launch of an investigation with the assistance of leading cybersecurity experts, and the notification of authorities. 

Despite the inconvenience caused by Ingram Micro, the company has expressed its sincere apologies to customers, vendors, and partners, as well as a commitment to restoring affected systems so normal order processing and shipping can resume. Palo Alto Networks responded to reports suggesting that attackers had gained access via Ingram Micro's GlobalProtect VPN gateway on 7 Julyemphasisingng that the company was investigating the claims and emphasising that threat actors regularly infiltrate VPNs by using stolen credentials or misconfigured networks. 

It was reported that Ingram Micro had made great progress toward restoring transactional operations by 8 July. Subscription orders, renewals, and modifications had been processed globally again through its central support organisation, and customers across multiple countries, including the UK, Germany, France, Italy, Spain, Brazil, India, China, Portugal, and the Nordic countries, were accepting phone or email orders. 

There are still some restrictions that apply to hardware and technology orders. Sources also indicate that VPN access has been restored in certain regions. Palo Alto Networks later confirmed that none of the company's products were exploited or compromised by the breach. In spite og only operating for about a year, SafePay has established a substantial footprint in the cybercrime landscape, displaying 265 victims on the dark web leak site it has operated for. 

Having been identified in September 2024, this group is believed to have previously deployed LockBit ransomware, though it is unclear whether it is related to LockBit. The SafePay ransomware company claims it is different from many contemporary ransomware operations because it does not utilise affiliates to breach networks as a ransomware-as-a-service model. 

A report by Emsisoft’s Brett Callow indicates that this strategy, along with the preference for a low public profile of the group, may be the group’s attempt to avoid the intense scrutiny that law enforcement authorities have been paying for actions taken against other high-profile gangs in recent months. Among the most active ransomware actors worldwide, SafePay is ranked fourth behind Qilin, Akira, and Play in NCC Group's second quarter 2025 report. 

It has been estimated that this group is responsible for 70 attacks in May 2025 alone, which makes them the most active ransomware operators in the entire month. Ingram Micro and its global network of partners were impacted by the SafePay attack that led to a cascade of operational, financial and reputational consequences. It was reported that technology resellers, managed service providers, and vendors worldwide were unable to conduct transactions due to the downtime of digital commerce platforms, order processing systems, and cloud license provisioning systems. 

As a result of the disruption, hardware and cloud shipments slowed, and downstream partners sought alternate distribution channelsemphasisingng the central role large distributors play in supplying IT products. In the wake of the outage, industry analysts estimate that SafePay has lost up to $136 million in revenue per day, according to industry analysts. SafePay claims to have exfiltrated 3.5 terabytes of sensitive data, including financial, legal, and intellectual property. If its ransom demands are not met, it threatens public release. 

The prolonged downtime, along with limited communication from the company, caused criticism from both customers and industry observers. Experts believe that the incident underscores the vulnerable nature of VPNs and identity management systems, especially where multi-factor authentication is lacking, password security is not enforced, and timely patches aren't applied promptly. 

The report also reflects the increasing use of double-extortion tactics, which combine system encryption with the threat of sensitive data leaks to achieve double extortion. Thus, organisations must prepare not only for the restoration of services, but also for possible repercussions in terms of privacy and legality. Although Ingram Micro had restored global services on 30 July 2025, it remains under continuous extortion threat, and the company is still undergoing an extensive forensic investigation. 

As a result of the Ingram Micro incident, ransomware operations have become increasingly sophisticated and persistent, where a technical compromise is just the beginning of a broader campaign of intimidation and leverage. The tactics employed by SafePay—combining the operational paralysis of core systems with the looming threat of massive data loss—illustrate how modern cyberattacks are built to exert sustained pressure on victims for quite some time after initial containment measures have been completed. 

It has served as a reminder for global supply chain operators that security perimeters must extend far beyond traditional network defenses, including identity verification, remote access governance, and proactive vulnerability management, in addition to traditional network defenses. In light of the interconnected nature of modern information technology ecosystems, it is evident that disruptions can cause shockwaves across multiple industries and markets if a single node is disrupted. 

Several experts have noted that in the wake of high-profile supply chain breaches, threat actors are likely to be more focused on distributors and service aggregators, since they have extensive vendor and customer relationships, which have the potential to increase the impact of financial gains and reputational harm. It is also likely that regulatory bodies will examine these incidents with greater care, particularly where they involve the disclosure of sensitive partner information or customer information, which can result in broader compliance obligations as well as legal liabilities. 

Taking Ingram Micro to the next level will require not only the resolution of immediate security and operational issues, but also the rebuilding of trust with the vast network of customers and partners the company has cultivated. 

To reduce the long-term repercussions of the incident, it is crucial to be transparent in communications following the incident, to demonstrate security enhancements, and to collaborate with the industry to share intelligence on emerging threats. In the course of the investigation, it is likely to become an important reference point for cybersecurity strategy debates, as well as in shaping future policy aimed at protecting global supply chains against cybersecurity threats.
Read more »
Technology
AI Corporate Internet Ransomware Technology

Why Companies Keep Ransomware Payments Secret


Companies hiding ransomware payments

Ransomware attacks are ugly. For every ransomware attack news story we see in our feed, a different reality hides behind it. Victims secretly pay their attackers. The shadow economy feeds on corporate guilt and regulatory hysteria.

Companies are hiding the true numbers of ransomware incidents. For each attack that makes headlines, five more companies quietly push it under the carpet, keeping it secret, and wire cryptocurrency payments to attackers, in hopes of avoiding detection. We can call it corporate cowardice, but this gives confidence to the ransomware cybercriminals. It costs the victims $57 billion annually and directly damages the devices that we use.

Paying attackers fuels future attacks

According to the FBI, it “does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.

The patches in our smartphones exist because companies suffer attacks. Our laptop endpoint protection was developed from enterprise systems compromised by ransomware groups that used secret corporate ransoms to invest in more advanced malware. 

Corporate guilt is a reason for keeping payments secret

Few experts believe that for every reported ransomware attack, five more are kept hidden, and the payments are made secretly to escape market panic and regulatory enquiry. The transactions travel through the cryptocurrency networks, managed by negotiators who deal in digital extortion.

Companies justify their actions by keeping quiet to avoid regulatory scrutiny and falling stock prices, and quietly resolving the issue. The average ransom demand is around $5.2 million, but actual payments hit $1 million, a relative discount that may fund future ransomware attacks.

According to Gadget Review, “This secrecy creates a feedback loop more vicious than algorithmic social media engagement. Ransomware groups reinvest payments into advanced encryption, better evasion techniques, and expanded target lists that inevitably include the consumer technology ecosystem you depend on daily.”

It adds that “even as payment rates drop to historic lows—just 25% of victims now pay—the total damage keeps climbing. Companies face average costs exceeding $5.5 million per attack, combining ransom payments, recovery expenses, and reputation management.”

Read more »
ware
ALPHV Blackcat Ransomware BlackSuit Cisco Talos Cyberhackers CyberThreat DHS ICE Ransomware ransomware-as-a-service (RaaS) Royal Ranso ware

BlackSuit Ransomware Capabilities Undermined by Targeted Server Takedown

 


With the help of U.S Immigration and Customs Enforcement's Homeland Security Investigations (HSI), as well as domestic and international law enforcement agencies, U.S Immigration and Customs Enforcement's Homeland Security Investigations has dismantled the backbone of the BlackSuit ransomware group, a decisive blow taken against transnational cybercrime. 

As a result of the coordinated action taken against the gang, servers, domains, and other digital assets vital to the gang's illicit activities were seized. There is widespread evidence that BlackSuit is the successor to the notorious Royal ransomware. It has been implicated in numerous high-impact attacks on critical sectors such as healthcare and education, public safety organisations, energy infrastructure, and government agencies, which have threatened the availability of essential services and public safety. 

Currently, the U.S. Department of Homeland Security (DHS) is examining allegations that the BlackSuit ransomware group—the successor to the Royal gang—was responsible for compromising 450 organisations across the country and extorting $370 million in ransom payments before its federal authorities took action to take the group down. 

An official at Immigration and Customs Enforcement (ICE) confirmed today that Homeland Security Investigations (HSI), in collaboration with U.S. and international law enforcement partners, had successfully dismantled the critical infrastructure supporting the organisation's operations, as part of a statement issued by the agency. 

In a coordinated action initiated by the FBI, servers, domains, and digital assets used to deliver ransomware were seized, along with the proceeds that were laundered from the extortion of victims and the deployment of ransomware on victims. This marks a significant disruption of one of the most damaging cybercriminal enterprises in recent memory. 

A multinational law enforcement effort, coordinated by U.S. and Europol officials and spanning nine countries, has struck a significant blow against the BlackSuit ransomware gang, seizing its darknet leak site and disassembling portions of its digital infrastructure, in accordance with a joint announcement on July 24, 2025. A company with roots dating back to the spring of 2023, BlackSuit stands out from the crowd due to the fact that the firm has been able to avoid the common ransomware-as-a-service model, preferring instead to keep full control of the malicious tools and infrastructure instead of licensing them out to affiliates. 

A joint advisory released in 2024 by the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified this group as a continuation and evolution of the Royal ransomware, which itself was associated with Conti, a notorious Russian-speaking syndicate that disbanded in the year 2022-23. There has been a calculated campaign by the BlackSuit ransomware group against organisations that range in scope from education, government, healthcare, information technology, manufacturing, and retail. 

The group used a double extortion model for extorting victims by stealing data before it was encrypted to maximise their leverage. With respect to Windows and Linux environments, the gang exploited VMware ESXi servers, encrypting files over a wide area within accessible drives, hindering recovery efforts, and issuing ransom notes that direct victims to the Tor network for communication. As part of its operations, the group targeted small and medium-sized businesses, as well as large enterprises.

According to the US authorities, they had demanded at least $500 million in ransom payments by August 2024, ranging from $1 million to $60 million for individual demands. Approximately the same time as the leak site of the Cisco Talos network was seized, cybersecurity researchers from Cisco Talos released an analysis of Chaos ransomware - the first to be observed in early 2025. This ransomware is likely to be a successor to BlackSuit, according to Cisco Talos researchers. 

A string of high-profile ransomware attacks, including those perpetrated by BlackSuit and its predecessor, Royal, caused extensive disruptions as well as financial losses. A crippling attack on the city of Dallas led to heightened law enforcement interest in this group. The attack disrupted emergency services, court operations, and municipal systems in the city. Several U.S. schools, colleges, major corporations, and local governments were the victims of this attack, including Japan's publishing giant Kadokawa and the Tampa Bay Zoo. 

During April 2024, the gang claimed responsibility for an attack on Octapharma, a blood plasma collection company that caused the temporary closure of nearly 200 collection centres across the country, according to the American Hospital Association. In an effort led by Europol to target Royal and BlackSuit, Operation Checkmate was a key component of the effort, which Bitdefender called a milestone in the fight against organised cybercrime by marking the group's dismantling as one of the largest achievements to date. 

Even though the takedown has been described as a “critical blow” to the group’s infrastructure, U.S. Secret Service Special Agent in Charge William Mancino said that the group has re-surfaced under the Chaos ransomware name, displaying striking similarities in the encryption methods, ransom note formatting, and attack tools. However, Cisco Talos analysts reported resurfacing with elements of the gang under the Chaos ransomware name after the operation.

In addition, the Department of Justice announced that $2.4 million in cryptocurrency has been confiscated from an address allegedly linked to a Chaos member known as Hors, who has been implicated in ransomware attacks in Texas and other countries. BlackSuit's servers have been effectively disabled by the operation, effectively stopping it from functioning, according to experts confirmed by the operation. 

There were 184 victims of the group worldwide, including several Germans, whose data was published on a dark web leak site to pressure victims into paying ransoms, which the group claimed to have killed. At the time that this report was written, the site was no longer accessible, instead showing a seizure notice stating that the site had been taken down following an international law enforcement investigation coordinated by the organisation. It has been confirmed by German authorities that the effort was carried out with the support of ICE's Homeland Security Investigations unit as well as Europol, although ICE representatives declined to comment on this matter. 

The seizure of the drugs was reported earlier in the week by officials, but no arrests have yet been confirmed as a result. As of late, BlackSuit has emerged as one of the largest ransomware operations in the United States, having struck major U.S. cities like Dallas and targeting organisations from several industries, including manufacturing, communications, and healthcare. 

Cisco Talos cybersecurity researchers have discovered that after blackSuit's infrastructure was dismantled, it was found that the ransomware group likely rebranded itself as Chaos ransomware after dismantling its infrastructure. Several cases of newly emerging ransomware-as-a-service (RaaS) operations have been associated with distinct double-extortion strategies, combining voice-based social engineering to gain access to targets, followed by deploying an encryptor to target both local and remote storage to create maximum impact.

In a report by the Talos security group, the current Chaos ransomware is not related to earlier Chaos variants, and there are rumours that the group adopted the name to create confusion among victims. Several researchers have analysed the operation and assessed it as either a direct rebranding of BlackSuit (formerly Royal ransomware) or as run by former members of the organisation with moderate confidence. 

According to their findings, there are similarities between tactics, techniques, and procedures, from encrypted commands and ransom notes to the use of LOLbins and remote monitoring and management tools. It is believed that BlackSuit's origins can be traced back to the Conti ransomware group, which was fractured in 2022 after its internal communications were leaked. 

After the Russian-speaking syndicate splintered into three factions, the first was Zeon, the second was Black Basta, the third was Quantum, but by 2024, they had adopted the BlackSuit name after rebranding themselves as Royal. Among the most significant developments in the Russian-language ransomware ecosystem is the rise of the INC collective, which has been dubbed the "granddaddy of ransomware" by cybersecurity researcher Boguslavskiy. There is concern that BlackSuit will increase its dependency on INC's infrastructure as a result of INC's growth. 

According to reports, the syndicate has about 40 members and is led by a person who is referred to as "Stern", who has forged extensive alliances, creating a decentralised network with operational ties to groups such as Akira, ALPHV, REvil, and Hive, among others. In terms of Russian-speaking ransomware collectives, LockBit Inc. is presently ranked as the second biggest, only being surpassed by DragonForce. 

There is no doubt that the takedown of BlackSuit marks a decisive moment in the fight against ransomware syndicates as it represents the disruption of a prolific and financially destructive cybercrime operation. Although analysts warn that the seizure of infrastructure, cryptocurrency, and dark web platforms might have been a tangible setback for these groups, they have historically shown they can reorganise, rebrand, and adapt their tactics when they are under pressure from law enforcement. 

It is evident that Chaos ransomware, which employs sophisticated extortion techniques as well as targeted exploitation of both local and remote systems, has demonstrated the persistence of this threat, as well as the adaptability of its operators. Experts point out that the operation's success is a reflection of unprecedented international coordination, which combines investigative expertise, intelligence sharing, and cyber forensics across multiple jurisdictions to achieve unprecedented success. 

In today's world, a collaborative model has become increasingly crucial for dismantling decentralised ransomware networks that span borders, rely on anonymising technologies to avoid detection, and use decentralised methods of evading detection. Cybersecurity researchers note that the BlackSuit case highlights how deeply connected Russian-speaking ransomware groups are, with many of them sharing tools, infrastructure, and operational methods, making them more resilient and also making them easier to trace when global enforcement efforts are aligned. 

There is no doubt that the BlackSuit takedown serves as both a victory and a warning for governments, industries, and cybersecurity professionals alike—demonstrating how effective sustained, multinational countermeasures are, but also demonstrating the importance of maintaining vigilance against the rapid reemergence of threat actors in new identities that can happen any time. 

Despite law enforcement agencies' attempts to track the remnants of BlackSuit through the lens of Chaos ransomware and beyond, the case serves as a reminder that, when it comes to cybercrime, it is quite common for one operation to end, only for another to begin some weeks later.
Read more »
Technology
AI Dark Web Data Leak Internet Ransomware Technology

Ransomware Attacks Threaten CEOs to Get Results


Ransomware gangs are getting desperate for results. Generally known for encrypting and leaking data on the internet, they have now started blackmailing CEOs with physical violence. 

CEO's get physically threatened

Cybersecurity experts from Semperis say that over the past year, in 40% of ransomware attacks, the CEOs of the victim company were physically attacked, which is particularly prevalent in US-based organizations, at 46%.

However, even paying the attackers is not enough. The research revealed that over 55% of businesses that paid a ransom had to do so multiple times, with around 29% of those firms paying three or more times, and 15% didn’t even receive decryption keys, while in a few cases, they received corrupted keys.

New ransomware tactics 

Blackmailing to file a regulatory complaint is also a famous tactic, Semperis said. It was found in 47% of attacks, increasing to 58% in the US. 

In 2023, the notorious BlackCat ransomware gang reported one of its victims to the Securities and Exchange Commission (SEC) to make them pay. This was done because the SEC requires organizations to report about a cybersecurity incident if there is a breach, which includes the SEC's four-day disclosure rule for publicly traded businesses.

Ransomware on the rise

Ransomware attacks have threatened businesses and the cybersecurity industry for decades, constantly evolving and outsmarting security professionals. The attacks started with encryption, but the companies started mitigating by having offline backups of all the important data.

Ransomware actors then turned to stealing data and blackmailing to leak it on the web if the ransom was not paid. Known as “double extortion,” the technique works really well. Some threat actors even dropped the encryption part totally and now focus on stealing files. But many companies still don’t cave in, forcing cybercriminals to go to extreme lengths. 

New tactics

In a few cases, the attackers combine the encryption of the back-end with a DDoS on the front-end, stopping the business entirely. Semperis CEO  Mickey Bresman said that while some “circumstances might leave the company in a non-choice situation, we should acknowledge that it's a down payment on the next attack.”

"Every dollar handed to ransomware gangs fuels their criminal economy, incentivizing them to strike again. The only real way to break the ransomware scourge is to invest in resilience, creating an option to not pay ransom," he commented.

Read more »
Ransomware
Cyber Attacks Data Leak Dollar Tree Hacking Ransomware

Dollar Tree Refutes Cyberattack Claim, Says Leaked Data Belongs to Another Company

 




Discount retail chain Dollar Tree has denied being the target of a recent cyberattack, following claims by a ransomware group that it stole sensitive company files. According to Dollar Tree, the data allegedly leaked online does not belong to them but appears to be from a completely different company.

The hacking group, which calls itself “INC Ransom,” listed Dollar Tree on its dark web site, stating it had stolen over one terabyte of confidential information, including personal documents such as scanned passports. The group even shared a sample of the files and quoted an old Dollar Tree press release to suggest it had access to internal information.

However, Dollar Tree has firmly denied being hacked. Company officials say the data actually comes from 99 Cents Only, a separate discount chain that went out of business earlier this year.


What really happened?

99 Cents Only, once a popular budget retailer, filed for bankruptcy in April 2024. Rising costs, pandemic aftereffects, and increasing theft were cited among the reasons for its financial collapse. By mid-2024, all 371 of its stores were shut down and assets liquidated.

Dollar Tree later acquired rights to 170 of these store locations, along with their U.S. and Canadian web domains and some store equipment. But according to Dollar Tree, they never purchased the company's internal data, networks, or systems.

A Dollar Tree spokesperson clarified the situation:

"The files mentioned in these cyberattack claims appear to be linked to former employees of 99 Cents Only. Dollar Tree only acquired certain real estate leases and select assets not their data or technology infrastructure. Any suggestion that we were breached is simply not true."

Because 99 Cents Only is no longer operational, its customer support lines and emails are inactive, making it difficult to get an official response from the company itself.


Is Dollar Tree affected?

Dollar Tree says there’s no indication its own systems were accessed or compromised. The company remains one of the largest and most profitable players in the U.S. discount retail sector, reporting over $17 billion in sales last year.

While the ransomware group has not clarified the confusion, cybersecurity experts suggest the mix-up may stem from Dollar Tree’s acquisition of 99 Cents Only store leases, which may have led attackers or observers to wrongly associate the two companies.

This incident is a testament to how misleading information can spread quickly, especially when legacy data from bankrupt companies becomes part of a broader breach.

Dollar Tree is continuing to monitor the situation but insists there is no current threat to its systems or customer data.

Read more »
Zscaler
Cyber Attacks CyberCrime Cybersecurity Data Exploit Digital Security Ransomware Security Infrastructure Security Vulnerabilities VPN Zero Trust Zscaler

Sharp Increase in Ransomware Incidents Hits Energy Sector

 


The cyber threat landscape is constantly evolving, and ransomware attacks have increased in both scale and sophistication, highlighting how urgent it is for enterprises to take a strategic approach to cybersecurity. A survey conducted by Zscaler in 2025 found that ransomware incidents increased 146% over the past year. 

Ten prominent groups took 238 terabytes of data from their servers over the past year, nearly doubling the 123 terabytes they stole a year ago. There has been an alarming 900% increase in attacks in the oil and gas industry, largely attributed to the development of digital infrastructure as well as unresolved security vulnerabilities. Additionally, manufacturing, technology, and healthcare have all been affected by this increase, resulting in more than 2,600 reported incidents combined. 

A large percentage of ransomware cases were reported in the United States, which accounts for more than twice the total number of cases reported in the next 14 most affected countries combined. According to experts, threat actors are increasingly turning to generative artificial intelligence (AI) in order to streamline operations and perform more targeted and efficient attacks. This shift corresponds with the growing preference for data extortion over traditional file encryption, resulting in more effective attacks. 

In response to these evolving tactics, cybersecurity leaders are advocating the widespread adoption of Zero Trust architecture in order to prevent large-scale data loss and contain lateral movement within networks. The rise of digital transformation is accelerating the use of ransomware actors to launch increasingly sophisticated attacks on critical infrastructure sectors while automating and leveraging vulnerable industrial control systems as a source of attack. 

A dramatic increase in the number of attacks on the oil and gas industry was attributed to expanding digital footprints and security lapses, whereas Zscaler's latest research indicates that manufacturing, information technology, and healthcare are the sectors that are most frequently targeted by cybercriminals. This attack disproportionately affected the United States, as there were 3,671 ransomware incidents registered in this country, which is more than any of the next 14 most targeted countries combined. 

Over the past year, 238 terabytes of data were exfiltrated in ransomware campaigns, a 92% increase over last year. In the April-to-April period, RansomHub emerged as the most active ransomware group, followed by Akira and Clop in a close second place. These intrusions were largely caused by vulnerabilities that were known to exist in widely used enterprise technologies, such as VMware hypervisors, Fortinet and SonicWall VPNs, and Veeam backup software, making the critical need for proactive vulnerability management and real-time threat detection to be implemented across all levels of IT and operational infrastructure even clearer.

In recent years, cybercriminal groups have adopted more targeted and scalable approaches to extortion, which is reshaping the global ransomware landscape. According to Zscaler's ThreatLabz Ransomware Report for 2025, RansomHub, Akira, and Clop are the three most prolific groups, each of which has claimed more than 850 victims, 520 victims, and 488 victims, respectively. 

The success of Ariara is attributed primarily to its affiliate-based operation model and close collaboration with initial access brokers, while Clop has continued to exploit vulnerabilities in commonly used third-party software to execute impactful supply chain attacks in the last few years. In spite of the high-profile actors involved in this reporting period, Zscaler tracked 425 ransomware groups, so this is just a small part of a much broader and rapidly growing ecosystem. 34 new ransomware groups were created during the reporting period. 

In addition, according to this report, a significant proportion of ransomware campaigns were exploiting a limited range of critical software vulnerabilities, primarily in internet-facing technologies such as SonicWall VPNs and Fortinet VPNs, VMware hypervisors, Veeam backup tools, and SimpleHelp remote access servers. 

It is due to their widespread deployment and ease of discovery through simple scanning techniques that these vulnerabilities remain so attractive. This allows both veteran and newly formed groups of hackers to launch high-impact attacks more effectively and with greater precision. The ransomware ecosystem continues to grow at an alarming rate, and there have been unprecedented numbers of groups launching ransomware attacks. 

There have been 34 new ransomware gangs reported by Zscaler between April 2024 and April 2025, totalling 425 groups that have been tracked so far. Clearly, the significant growth in ransomware over recent years is a reflection of the enduring appeal of ransomware as an attractive criminal model, and it demonstrates how sophisticated and agile cybercriminal organisations have become over the last few years. 

Even though the continued rise in new ransomware actors is a concern, some signs sustained law enforcement action and stronger cybersecurity frameworks are beginning to help counteract this trend, as well as strong cybersecurity frameworks. To dismantle ransomware infrastructures, sixteen illicit assets, and disrupt cybercrime networks, international efforts are increasing pressure on cybercriminals. Not only can these actions impede operational capabilities, but they may also serve as a psychological deterrent, preventing emerging gangs from maintaining momentum or evading detection. 

Experts suggest, even in spite of the complexity and evolution of ransomware threats, that efforts by law enforcement agencies, cybersecurity professionals, and private sector stakeholders are beginning to make a meaningful contribution to combating ransomware threats. In spite of the growth of the number of threat groups, it is becoming increasingly difficult for these groups to sustain operations over the long run. 

In the face of the global ransomware threat, there is a cautious but growing sense of optimism, as long as we continue to collaborate and be vigilant. In terms of ransomware activity, there is still a stark imbalance in the distribution of attacks across the globe. The United States remains, by a wide margin, the nation that has been hit the most frequently. 

The 2025 ThreatLabz report from Zscaler indicates that 50 per cent of all ransomware attacks originated from U.S.-based organisations, totalling 3,671 incidents - more than double the total number of attacks reported across the next 14 most targeted countries combined. The United Kingdom and Canada ranked distantly behind the US and Canada, respectively, with only 5 and 4 per cent of global incidents.
This concentration of attacks is a result of the strategic targeting of highly dense, high-value economies by threat actors looking for maximum disruption and financial gain as a result of their actions. In this surge, several prominent ransomware groups were at the forefront, including RansomHub, which had 833 victims publicly identified by the media. 

As an affiliate program and partnership with initial access brokers helped Akira rise to prominence, involving 520 victims, it became a leading ransomware group. A close second was Clop, which had 488 victims, using its proven tactics to leverage vulnerable third-party software, in order to carry out large-scale supply chain attacks using vulnerable third-party software. 

Zscaler identified 34 new ransomware families in the past year, increasing the total number of tracked groups from 425 to 425. There are more than 1,000 ransomware notes available on GitHub, with 73 new samples being added every day within the past year, highlighting the scale of the threat and its persistence. With the increasing threat landscape, Zscaler continues to advance its Zero Trust Exchange framework, powered by artificial intelligence, to combat ransomware at every stage of its lifecycle. 

By replacing legacy perimeter-based security models with this platform, you will be able to minimise attack surfaces, block initial compromises, eliminate lateral movement, and stop data exfiltration that was previously possible. 

As part of Zscaler’s architecture, which is enhanced with artificial intelligence-driven capabilities like breach prediction, phishing and command and control detection, inline sandboxing, segmentation, dynamic policy enforcement, and robust data loss prevention, we can take an active and scalable approach to ransomware mitigation, aligning with the evolving needs of modern cybersecurity. 

Increasingly, ransomware is becoming a systemic risk across digital economies, which makes it essential for enterprises and governments to develop comprehensive, forward-looking cyber defence strategies. As a result of the convergence of industrial digitisation, widespread software vulnerabilities, and the emergence of ransomware-as-a-service (RaaS) models, the global threat landscape is changing in ways that require both public and private sectors to take immediate action. 

The attacks have not only caused immediate financial and operational losses, but they have also now threatened national security, supply chain resilience, and public infrastructure, particularly within high-value, interconnected industries like the energy industry, manufacturing industry, healthcare industry, and technology industry. Leaders in cybersecurity have increasingly advocated for a paradigm shift from reactive control measures to proactive cyber resilience strategies. 

Embedding zero trust principles into organization infrastructure, modernising legacy systems, and investing in artificial intelligence-driven threat detection are some of the steps that are required to achieve this objective, as well as building intelligence-sharing ecosystems between private companies, governments, and law enforcement agencies. 

There is also a constant need to evaluate the role of artificial intelligence in both attack and defence cycles, where defenders have the need to outperform their adversaries by automating, analysing, and enforcing policy in real time. As for the policy level, the increased use of ransomware underscores the need for globally aligned cybersecurity standards and enforcement frameworks. 

Isolated responses cannot be relied upon anymore when transnational threat actors leverage decentralized infrastructure and exploit jurisdictional loopholes in order to exploit them. In order to disrupt the ransomware economy and regain trust in the digital world, a holistic collaboration is essential that involves advanced technologies, legal deterrents, and public awareness.

While there is no indication that ransomware is going away anytime soon, the progress being made in detecting threats, managing vulnerabilities, and coordinating cross-border responses offers a path forward as long as we work together on these improvements. The need to protect digital assets and ensure long-term operational continuity is not just a matter of IT hygiene anymore – it has become a foundational pillar of enterprise risk management, and therefore a crucial component for the management of business continuity in today's environment.
Read more »
Ransomware
AI Bugs ChatGPT Cyber Attacks Generative AI Internet Ransomware

AI-supported Cursor IDE Falls Victim to Prompt Injection Attacks


Experts have found a bug called CurXecute that is present in all variants of the AI-supported code editor Cursor and can be compromised to run remote code execution (RCE), along with developer privileges. 

About the bug

The security bug is now listed as CVE-2025-54135 and can be exploited by giving the AI agent a malicious prompt to activate threat actor control commands. 

The Cursor combined development environment (IDE) relies on AI agents to allow developers to code quicker and more effectively, helping them to connect with external systems and resources using Model Context Protocol (MCP).

According to the experts, a threat actor effectively abusing the CurXecute bug could trigger ransomware and ransomware data theft attacks. 

Prompt-injection 

CurXecute shares similarities to the EchoLeak bug in Microsoft 365 CoPilot that hackers can use to extort sensitive data without interacting with the users. 

After finding and studying EchoLeak, the experts from the cybersecurity company Aim Security found that hackers can even exploit the local AI agent.

Cursor IDE supports the MCP open-standard framework, which increases an agent’s features by connecting it to external data tools and sources.

Agent exploitation

But the experts have warned that doing so can exploit the agent, as it is open to external, suspicious data that can impact its control flow. The threat actor can take advantage by hacking the agent’s session and features to work as a user.

According to the experts, Cursor doesn’t need permission to run new entries to the ~/.cursor/mcp.json file. When the target opens the new conversation and tells the agent to summarize the messages, the shell payload deploys on the device without user authorization.

“Cursor allows writing in-workspace files with no user approval. If the file is a dotfile, editing it requires approval, but creating one if it doesn't exist doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file, don't already exist in the workspace, an attacker can chain an indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval,” Cursor said in a report.

Read more »
Technology
AI AI vulnerabilities Artificial Intelligence Cyberbreach LLM Ransomware RSA Security System Technology

Ransomware Defence Begins with Fundamentals Not AI

 


The era of rapid technological advancements has made it clear that artificial intelligence isn't only influencing cybersecurity, it is fundamentally redefining its boundaries and capabilities as well. The transformation was evident at the RSA Conference in San Francisco in the year 2025, as more than 40,000 cybersecurity professionals gathered to discuss the path forward for the industry.

It was essential to emphasise that the rapid integration of agentic AI into cyber operations is one of the most significant topics discussed, highlighting both the disruptive potential and strategic complexities it introduces simultaneously. AI technologies continue to empower both defenders and adversaries alike, and organizations are taking a measured approach, recognising the immense potential of AI-driven solutions while remaining vigilant against the increasingly sophisticated attacks from adversaries. 

As the rise of artificial intelligence (AI) and its application in criminal activities dominates headlines more often than not, the narrative is far from a one-sided one, as there are several factors playing a role. However, the rise of AI reflects a broader industry shift toward balancing innovation with resilience in the face of rapidly shifting threats. 
Several cybercriminals are indeed using artificial intelligence (AI) and large language models (LLMs) to make ransomware campaigns more sophisticated and more convincing, crafting more convincing phishing emails, bypassing traditional security measures, and improving the precision with which victims are selected. In addition to increasing the stealth and efficiency of attackers, the stakes for organisational cybersecurity have increased as a result of these tools. 

Although AI is considered a weapon for adversaries, it is proving to be an essential ally in the defence against ransomware when integrated into security systems. By integrating AI into security systems, organisations are able to detect threats more quickly and accurately, which leads to quicker detection and response to ransomware attacks. 

Furthermore, AI helps enhance the containment and recovery efforts of incidents, leading to faster containment and a reduction in potential damage. Furthermore, AI helps to mitigate and recover from incidents more effectively. With AI coupled with real-time threat intelligence, security teams are able to adapt to evolving attack techniques, providing them with the agility to close the gap between offence and defence, making the cyber environment in which people live more and more automated.

In the wake of a series of high-profile ransomware attacks - most notably, those targeted at prominent brands like M&S - concerns have been raised that artificial intelligence may be contributing to a spike in cybercrime that has never been seen before. In spite of the fact that artificial intelligence is undeniably changing the threat landscape by streamlining phishing campaigns and automating attack workflows, its impact on ransomware operations has often been exaggerated. 

In practice, AI isn't really a revolutionary force at all, but rather a tool to accelerate tactics cybercriminals have relied on for years to come. Most ransomware groups continue to rely on proven, straightforward methods that offer speed, scalability, and consistent financial returns for their attacks. As far as successful ransomware campaigns are concerned, scammy emails, credential theft, and insider exploitation have continued to be the cornerstones of these campaigns, offering reliable results without requiring the use of advanced artificial intelligence. 

As security leaders are looking for effective ways to address these threats, they are focusing on getting a realistic perspective on how artificial intelligence is used within ransomware ecosystems. It has become increasingly evident that breach and attack simulation tools are critical assets for organisations as they enable them to identify vulnerabilities and close security gaps in advance of attackers exploiting them. 

There is a sense of balance in this approach, which emphasises the importance of bolstering foundational security controls while keeping pace with the incremental evolution of adversarial capabilities. Nevertheless, generative artificial intelligence is continuing to evolve in profound and often paradoxical ways as it continues to mature. In one way, it empowers defenders by automating routine security operations, detecting hidden patterns in complex data sets, and detecting vulnerabilities that might otherwise go undetected by the average defender. 

It also provides cybercriminals with the power to craft more sophisticated, targeted, scalable attacks, blurring the line between innovation and exploitation, providing them with powerful tools to craft more sophisticated, targeted, and scalable attacks. According to recent studies, over 80% of cyber incidents are caused by human error, which is why organisations need to harness artificial intelligence to strengthen their security posture to prevent future cyber attacks. 

AI is an excellent tool for cybersecurity leaders as it streamlines threat detection, reduces human oversight, and enables real-time response in real-time. There is, however, a danger that the same technologies may be adapted by adversaries to enhance phishing tactics, automate malware deployment, and orchestrate advanced intrusion strategies. The dual use of artificial intelligence has raised widespread concerns among executives due to its dual purpose. 

According to a recent survey, 84% of CEOs have expressed concern about generative AI being the source of widespread or catastrophic cyberattacks. Consequently, organisations are beginning to make a significant investment in AI-based cybersecurity, with projections showing a 43% increase in AI security budgets by 2025 as a result of this increase. 

In an increasingly complex digital environment, it is becoming increasingly recognised that even though generative AI introduces new vulnerabilities, it also holds the key to strengthening cyber resilience. This surge is indicative of a growing recognition of the need for generative AI. As artificial intelligence is increasing the speed and sophistication with which cyberattacks are taking place, it has never been more important than now to adhere to foundational cybersecurity practices. 

While artificial intelligence has unquestionably enhanced the tactics available to cybercriminals, allowing them to conduct more targeted phishing attempts, exploit vulnerabilities more quickly, and create more evasive malware, many of the core techniques have not changed. In other words, even though they have many similarities, the differences lie more in how they are executed, rather than in what they do. 

As such, rigorously and consistently applied traditional cybersecurity strategies remain critical bulwarks against even the threats that are enhanced by artificial intelligence. In addition to these foundational defences, multi-factor authentication (MFA), which is widely used, provides a vital safeguard against credential theft, particularly in light of the increasing use of artificial intelligence-generated phishing emails that mimic legitimate communication with astonishing accuracy - a powerful security measure that is critical today. 

As important as it is to maintain regular data backups, maintaining a secure backup mechanism also provides an effective fallback mechanism for ransomware, which is now capable of dynamically altering payloads to avoid detection. The most important element is to make sure that all systems and software are updated, as this prevents AI-enabled tools from exploiting known vulnerabilities. 

A Zero Trust architecture is becoming increasingly relevant as attackers with artificial intelligence move faster and stealthier than ever before. By assuming no implicit trust within the network and restricting lateral movement, this model greatly reduces the blast radius of any potential breach of the network and reduces the likelihood of the attack succeeding. 

A major upgrade is also required for email filtering systems, with AI-based tools that are better equipped to detect subtle nuances in phishing campaigns that have been successfully evading legacy solutions. It is also becoming more and more important for organisations to emphasise security awareness training to prevent breaches, as human error is still one of the leading causes. There is no better line of defence for a company than having employees trained to spot deceptive artificial intelligence-crafted deception.

Furthermore, the use of artificial intelligence-based anomaly detection systems is becoming increasingly important for detecting unusual behaviours that indicate a breach of security. In order to limit exposure and contain threats, segmentation, strict access control policies, and real-time monitoring are all complementary tools. However, it is important to note that even as AI has created new complexities in the threat landscape, it has not rendered traditional defences obsolete. 

Rather, these tried and true cybersecurity measures, augmented by intelligent automation and threat intelligence, are the cornerstones of resilient cybersecurity, not the opposite. Defending against adversaries powered by artificial intelligence requires not just speed but also strategic foresight and disciplined execution of proven strategies. 

As AI-powered cyberattacks become a bigger and more prevalent subject of discussion, organisations themselves are at risk from an unchecked and ungoverned use of artificial intelligence tools, a risk that is often overlooked. While much of the attention has been focused on how threat actors are capable of weaponising artificial intelligence, the internal vulnerabilities that arise from the unscheduled adoption of generative AI present a significant and present threat to the organisation. 

In what is referred to as "Shadow AI," employees are using tools like ChatGPT without formal authorisation or oversight, which circumvents established security protocols and could potentially expose sensitive corporate data. According to a recent study, nearly 40% of IT professionals admit that they have used generative AI tools without proper authorisation. 

Besides compromising governance efforts, such practices obscure visibility of data processing and handling, complicate incident response, and increase the organisation's vulnerability to attacks. The use of artificial intelligence by organisations is unregulated, coupled with inadequate data governance and poorly configured artificial intelligence services, resulting in a number of operational and security issues. 

The risks posed by internal AI tools must be mitigated by organisations treating them as if they were any enterprise technologies. Among the measures that must be taken to mitigate these risks is to establish robust governance frameworks, ensure the transparency of data flows, conduct regular audits, and provide cybersecurity training that addresses the dangers of shadow artificial intelligence, as well as ensure that leaders remain mindful of current threats to their organisations. 

Although artificial intelligence generates headlines, the most successful attacks continue to rely on the proven techniques - phishing, credential theft, and ransomware. The emphasis placed on the potential threats that could be driven by AI can distract attention from critical, foundational defences. In this context, complacency and misplaced priorities are the greatest risks, and not AI itself. 

 It remains true that maintaining a disciplined cyber hygiene, simulating attacks, and strengthening security fundamentals remain the most effective ways to combat ransomware in the long run. There is no doubt that artificial intelligence is not just a single threat or solution for cybersecurity, but rather a powerful force capable of strengthening as well as destabilising digital defences in an environment that is rapidly evolving. 

As organisations navigate this shifting landscape, it is imperative to have clarity, discipline, and strategic depth as they attempt to navigate this new terrain. Despite the fact that artificial intelligence may dominate headlines and influence funding decisions, it does not negate the importance of basic cybersecurity practices. 

What is needed is a recalibration of priorities as people move forward. Security leaders must build resilience against emerging technologies, rather than chasing the allure of emerging technologies alone. They need to adopt a realistic and layered approach to security, one that embraces AI as a tool while never losing sight of what consistently works. 

To achieve this goal, advanced automation, analytics, and tried-and-true defences must be integrated, governance around AI usage must be enforced, and access to data flows and user behaviour must remain tightly controlled. In addition, organisations need to realise that technological tools are only as powerful as the frameworks and people that support them. 

Threats are becoming increasingly automated, making it even more important to have human oversight. Training, informed leadership, and an environment that fosters a culture of accountability are not optional; they are imperative. In order for artificial intelligence to be effective, it must be part of a larger, more comprehensive security strategy that is based on visibility, transparency, and proactive risk management. 

As the battle against ransomware and AI-enhanced cyber threats continues, the key to success will not be whose tools have the greatest sophistication, but whose application of these tools will be consistent, purposeful, and foresightful. AI isn't a threat, but it's an opportunity to master it, regulate it internally, and never let innovation overshadow the fundamentals that keep security sustainable in the first place. Today's defenders have a winning formula: strong fundamentals, smart integration, and unwavering vigilance are the keys to their success.
Read more »
Software
adoption agency Data Breach Gladney Center Ransomware Software

Sensitive Records of Over 1 Million People Exposed by U.S. Adoption Organization

 



A large scale data exposure incident has come to light involving the Gladney Center for Adoption, a U.S.-based non-profit that helps connect children with adoptive families. According to a cybersecurity researcher, an unsecured database containing over a million sensitive records was recently discovered online.

The breach was uncovered by Jeremiah Fowler, a researcher who specializes in finding misconfigured databases. Earlier this week, he came across a large file measuring 2.49 gigabytes that was publicly accessible and unprotected by a password or encryption.

Inside the database were more than 1.1 million entries, including names and personal information of children, biological parents, adoptive families, employees, and potential applicants. Details such as phone numbers, mailing addresses, and information about individuals' approval or rejection for adoption were also found. Even private data related to biological fathers was reportedly visible.

Experts warn that this kind of data, if accessed by malicious actors, could be extremely dangerous. Scammers could exploit the information to create convincing fake emails targeting people in the database. These emails could trick individuals into clicking harmful links, revealing banking details, or paying fake fees leading to financial fraud, identity theft, or even ransomware attacks.

To illustrate, a criminal could pretend to be an official from the adoption agency, claiming that someone’s previous application had been reconsidered, but required urgent action and a payment to proceed. Although this is just a hypothetical scenario, it highlights how exposed data could be misused.

The positive takeaway is that there is currently no evidence suggesting that cybercriminals accessed the database before it was found by Fowler. Upon discovering the breach, he immediately alerted the Gladney Center, and the organization took quick action to restrict access.

However, it remains unclear how long the database had been publicly available or whether any information was downloaded by unauthorized users. It’s also unknown whether the database was directly managed by Gladney or by an external vendor. What is confirmed is that the data was generated by a Customer Relationship Management (CRM) system, software used to track and manage interactions with clients.

This incident serves as a strong reminder for organizations handling personal data to regularly review their digital systems for vulnerabilities and to apply proper safeguards like encryption and password protection.

Read more »
SMM
AI/ML vulnerabilities CyberCrime Cyberhacekrs Cybersecurity CyberThreat Gigabyte malware Ransomware SMI SMM

Gigabyte Firmware Vulnerability Enables Stealth UEFI Malware Infection

According to security researchers, a critical set of vulnerabilities has been identified in UEFI firmware for a number of motherboards manufactured by Gigabyte, causing serious concerns about device integrity and long-term system security, as well as serious concerns regarding device integrity. Binarly, a cybersecurity firm, claims that American Megatrends Inc. (AMI) firmware contains four high-severity flaws which allow threat actors to execute stealthily and persistently. 

In a subsequent analysis, it was found that the identified vulnerabilities were exploitable by attackers who possess either local or remote administrative privileges in order to execute arbitrary code within the highly privileged System Management Mode (SMM) if the attackers possess the right credentials. In addition to operating independently of the host operating system, this execution environment is embedded in the firmware itself and gives the firmware considerable power over the hardware that is behind it. 

Hence, sophisticated threat actors often target this system to gain deeper control over compromised computers and establish long-term persistence through establishing deeper control over compromised systems. The System Management Mode is designed to handle low-level system functions and it is activated very early during the boot process, well before the operating system takes over. 

Consequently, code running within SMM has unrestricted access to critical system resources, including memory, processor instructions, and hardware configurations, because it is isolated and has elevated privileges. It is therefore a perfect target for firmware-based malware, including bootkits, that are capable of edging out traditional endpoint protection tools that rely on visibility at the OS level to detect them. 

A compromised SMM can serve as a launch pad for advanced threat campaigns, allowing attackers to remain stealthy, disable security mechanisms, and even reinstall malware after reboots or operating system reinstalls. As a result of the exploit of this layer, the ability to conduct attacks has increased dramatically, highlighting the necessity for improved firmware security practices, regular updates, and hardware integrity verification within both consumer and enterprise environments in order to minimize potential attacks. 

 The CVSS severity ratings for each of these vulnerabilities -- CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, and CVE-2025-7029 -- have each been assigned an average of 8.2 out of 10 and are therefore categorized as high-risk vulnerabilities. Through the exploitation of these vulnerabilities, attackers would be able to elevate system privileges, deploy bootkits, and execute malicious code remotely. 

When malware such as this has been installed, it may be able to obtain deep-rooted persistence at the firmware level, making it extremely difficult for conventional antivirus software to detect or remove. This discovery underscores the growing threat of firmware-based attacks, especially those aimed at UEFI, the Unified Extensible Firmware Interface, which acts as the basis for a computer system’s operating system, especially when attacked at the firmware level. The ability to compromise this layer enables adversaries to take control of a system before the operating system even loads, effectively subverting all system defenses from the ground up. 

Due to the widespread use of Gigabyte motherboards by both consumer and enterprise organizations, the vulnerability has potentially broad implications, especially for those organizations that rely on hardware trust and boot process integrity to operate. As Binarly's findings show, there are not only technical issues with firmware supply chains, but there are also ongoing challenges in ensuring robust validation of firmware throughout the boot process, which are also highlighted by the findings of Binarly. As a result of extensive analysis conducted by Binarly, a leading firmware security company, researchers discovered these vulnerabilities in-depth. 

It was found that Gigabyte's implementation of UEFI firmware was faulty due to the fact that some of the flaws were rooted in Gigabyte's implementation of the UEFI firmware. The original firmware was developed by American Megatrends Inc. It was the responsibility of the researchers to provide the CERT Coordination Center (CERT/CC) with responsible disclosures of the findings. 

After a private disclosure of security issues, AMI addressed them, but some downstream firmware builds – particularly those for Gigabyte products – did not incorporate the necessary fixes at the moment of discovery. Binary has identified four different vulnerabilities within the affected firmware, each carrying a CVSS severity score of 8.2. These vulnerabilities are contained in System Management Interrupt (SMI) handlers which are an integral part of the System Management Mode (SMM) environment and when exploited will cause the affected firmware to crash. 

Specifically: 

There is a CVE-2025-7029 vulnerability in the OverClockSmiHandler, which can be exploited to elevate privileges within Systems Management Manager while exploiting the flaw. In order to exploit CVE-2025-7028, malware is likely to be installed by unauthorized accessing System Management RAM (SMRAM), a critical memory region. This vulnerability is likely to allow malware to be installed by unapproved means. 

Using CVE-2025-7027, an SMM privilege escalation vulnerability as well as arbitrary code injection into SMRAM is enabled, which compromises the integrity of the firmware as a whole. A vulnerability such as CVE-2025-7026 allows arbitrary write access to SMRAM, opening the way to long-term persistence because it allows attackers to remotely manipulate the firmware layer and exert full control over it. 

It has been reported by Binarly that the vulnerabilities affect more than 240 Gigabyte motherboards, including numerous revisions, regional variants, and product iterations which were released between late 2023 and mid-August 2024, according to Binarly. In spite of the fact that Binarly representatives admit that there are currently over a hundred distinct product lines known to be vulnerable to this vulnerability, the exact number of units affected remains fluid. 

These firmware-level flaws appear to also be affecting other enterprise hardware manufacturers, although the identities of these companies have not yet been disclosed. There has been a report from vendors that they have withheld disclosure until appropriate security patches are developed and deployed in order to mitigate customer risk. A report by Binarly revealed that the vulnerabilities that have been identified by the company affect several of its legacy Intel-based motherboards, including the H110, Z170, Z270, Z370, Z390, and Z590 models.

It appears that newer models of Gigabyte's platforms are not affected by these vulnerabilities, however, new BIOS updates are currently being rolled out for supported devices. It is important to note that end-of-life devices will not receive automatic firmware updates, which leaves the users of those systems with a responsibility to initiate remediation efforts. For tailored assistance, Gigabyte recommends contacting their regional Field Application Engineers for further information. 

 A CERT Coordination Center (CERT/CC) advisory issued last week strongly reminded users that they should visit the Gigabyte support portal to verify whether updated firmware is available and to apply patches without delay in order to avoid security issues --especially if they use hardware that is not supported by Gigabyte. According to CERT/CC, these aren't theoretical vulnerabilities. Instead, they represent a credible and active threat that can be exploited in stealthy, long-term system compromises. Hence, it is imperative that users and organizations act immediately to protect themselves.

American Megatrends Inc (AMI) addressed these issues in the past following private disclosures, however CERT/CC emphasized that the flaws remain in certain OEM implementations, such as those manufactured by Gigabyte, despite these previous disclosures. The above situation highlights a critical weakness in the firmware supply chain—a gap that requires more rigorous downstream verification of AMI's fixes by hardware vendors so that they will be properly integrated and tested. 

In addition to that, Binarly cautioned that System Management Mode (SMM) remains a very attractive attack vector for advanced threat actors because it has elevated privileges and is isolated from the operating system, making it a particularly popular attack vector. The use of this layer allows malicious software to operate covertly beneath the Operating System. As a result, it is incredibly difficult for traditional security tools to detect and remove malware from the system. Security experts shared these concerns as well. 

A firmware-level vulnerability described by Gunter Ollmann, CTO of Cobalt cybersecurity firm, is considered a nightmare scenario for enterprise security professionals. A compromise that takes place below the operating system but is not visible under the surface is the ultimate “ghost in the machine”—a compromise that occurs beneath the operating system and is not visible in conventional ways. 

The security flaws that have been detected indicate persistent, hard-to-detect control over the system, which highlights the importance of companies extending security testing throughout the entire technology stack,” Ollmann said. In his opinion, penetration testing programs should include firmware-level targets as well as ensure red team operators have the abilities to assess hardware-level security threats. A number of developments have occurred as a result of this, and organizations are advised to apply BIOS updates immediately upon release, as well as to phase out unsupported legacy hardware as soon as possible. 

In order to implement a solid hardware security strategy, people should begin by conducting regular firmware audits, working closely with hardware vendors, and conducting deeper security assessments at the firmware level. This situation is particularly concerning since some of the impacted Gigabyte platforms have been marked as end-of-life (EOL) and are no longer eligible for security updates, which means they are always vulnerable to exploitation, leaving them permanently vulnerable. A number of such devices are expected to remain vulnerable indefinitely, resulting in long-term security blind spots for both individuals and enterprise environments still using outdated technology, according to Binarly CEO Alex Matrosov. 

Despite the severity of firmware-level threats, cyber security experts continue to emphasize the importance of these kinds of vulnerabilities, and Gunter Ollmann, the Chief Technology Officer at Cobalt, described these types of vulnerabilities as "a nightmare scenario" for defense teams. "This is the ultimate 'ghost in the machine'—a compromise which takes place below the operating system and exploits a layer of the system that is inherently trusted, and thus is largely invisible to traditional security tools," Ollmann explained in an interview with Help Net Security. 

The evolution of attacker tactics has led to the necessity of more comprehensive testing across the entire technology stack as a result. The scope of security assessments needs to be increased to include firmware-level vulnerabilities, as well as having red teams equipped with the expertise necessary to analyze threats lurking at hardware interfaces in particular. 

A further complexity of the issue is the coordination of the firmware supply chain, which contributes to its complexity. Despite the fact that American Megatrends Inc. (AMI) has privately addressed these vulnerabilities and shared information about the remediation with downstream partners under nondisclosure agreements, it is becoming increasingly apparent that some OEM vendors have not yet completely implemented or validated their own firmware releases to address these vulnerabilities. 

There is a systemic challenge in ensuring a consistent security environment across a wide range of hardware ecosystems, which is highlighted by this gap, and this highlights a need for greater collaboration and transparency among firmware developers, OEMs, and security researchers to ensure this is the case. As a conclusion, the fact that firmware security remains a crucial element of system protection, but it is often overlooked but still of major importance. 

In the context of the continuing innovation of attackers below the operating system-where detection is minimal and trust is implicit-organizations are faced with the need to adopt a holistic, proactive security posture to deal with these threats. Firmware should not be treated as a static component of an infrastructure, but instead as a living entity that requires continuous inspection, patching, and risk assessments from stakeholders. 

Firmware validation should be formalized and incorporated into enterprise vulnerability management workflows, OEM partners should be made more transparent and responsive, and security programs should be developed cross-functionally that cover the entire hardware-software stack in order to effectively manage vulnerabilities. 

Furthermore, the importance of investing in specialized skill sets cannot be overstated—securing teams must be able to assess low-level threats, perform firmware penetration tests, and audit supply chain practices rigorously, so they are equipped with the necessary skills. With today’s rapidly evolving threat landscape, neglecting firmware is no longer a tolerable blind spot; it is becoming a strategic liability for companies.

Read more »
Subscribe to: Posts (Atom)