Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware. Show all posts
VPN
CISA Cyber Security FBI Ransomware VPN

FBI Urges Immediate Action as Play Ransomware Attacks Surge

 


The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released a critical warning about the sharp rise in Play ransomware attacks. The agencies report that this cyber threat has affected hundreds of organizations across the Americas and Europe, including vital service providers and businesses.

The updated alert comes after the FBI identified over 900 confirmed victims in May alone, which is three times more than previously reported. Cybersecurity experts are urging organizations to act quickly to strengthen their defenses and stay informed about how these cybercriminals operate.


How the Play Ransomware Works

Play ransomware attackers use various advanced methods to break into systems. They often start by targeting services that are accessible from outside, like Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs). Once they gain access, they move within the network, stealing login details and aiming to control the system entirely.

The FBI notes that the attackers do not immediately demand payment in their ransom notes. Instead, they leave email addresses that victims must contact. These emails usually come from unique addresses linked to German domains. In some cases, the criminals also make threatening phone calls to pressure victims into paying.


Connections to Other Threat Groups

Investigations suggest that the Play ransomware may be connected to several known hacking groups. Some security researchers believe there could be links to Balloonfly, a cybercrime group involved in earlier ransomware attacks. There have also been reports connecting Play to serious security incidents involving Windows systems and Microsoft Exchange servers.

In the past, attackers have taken advantage of security flaws in popular software, including Microsoft’s Windows and Fortinet’s FortiOS. Most of these security gaps have already been fixed through updates, but systems that remain unpatched are still at risk.


Key Steps to Protect Your Organization

The FBI strongly recommends that all organizations take immediate steps to reduce their risk of falling victim to these attacks. Here are the essential safety measures:

1. Create backup copies of important data and store them in secure, separate locations.

2. Use strong, unique passwords that are at least 15 characters long. Do not reuse passwords or rely on password hints.

3. Enable multi-factor authentication to add extra security to all accounts.

4. Limit the use of admin accounts and require special permissions to install new software.

5. Keep all systems and software up to date by applying security patches and updates promptly.

6. Separate networks to limit how far a ransomware attack can spread.

7. Turn off unused system ports and disable clickable links in all incoming emails.

8. Restrict the use of command-line tools that attackers commonly use to spread ransomware.

Staying alert and following these steps can help prevent your organization from becoming the next target. Cybersecurity is an ongoing effort, and keeping up with the latest updates is key to staying protected.

Read more »
Salesforce
Data Data Breach Hackers Ransomware Salesforce

Cybercriminals Exploit Fake Salesforce Tool to Steal Company Data and Demand Payments

 



A group of hackers has been carrying out attacks against businesses by misusing a tool that looks like it belongs to Salesforce, according to information shared by Google’s threat researchers. These attacks have been going on for several months and have mainly focused on stealing private company information and later pressuring the victims for money.


How the Attack Happens

The hackers have been contacting employees by phone while pretending to work for their company’s technical support team. Through these phone calls, the attackers convince employees to share important login details.

After collecting this information, the hackers guide the employees to a specific page used to set up apps connected to Salesforce. Once there, the attackers use an illegal, altered version of a Salesforce data tool to quietly break into the company’s system and take sensitive data.

In many situations, the hackers don’t just stop at Salesforce. They continue to explore other parts of the company’s cloud accounts and sometimes reach deeper into the company’s private networks.


Salesforce’s Advice to Users

Earlier this year, Salesforce warned people about these kinds of scams. The company has made it clear that there is no known fault or security hole in the Salesforce platform itself. The problem is that the attackers are successfully tricking people by pretending to be trusted contacts.

Salesforce has recommended that users improve their account protection by turning on extra security steps like multi-factor authentication, carefully controlling who has permission to access sensitive areas, and limiting which locations can log into the system.


Unclear Why Salesforce is the Target

It is still unknown why the attackers are focusing on Salesforce tools or how they became skilled in using them. Google’s research team has not seen other hacker groups using this specific method so far.

Interestingly, the attackers do not all seem to have the same level of experience. Some are very skilled at using the fake Salesforce tool, while others seem less prepared. Experts believe that these skills likely come from past activities or learning from earlier attacks.


Hackers Delay Their Demands

In many cases, the hackers wait for several months after breaking into a company before asking for money. Some attackers claim they are working with outside groups, but researchers are still studying these possible connections.


A Rising Social Engineering Threat

This type of phone-based trick is becoming more common as hackers rely on social engineering — which means they focus on manipulating people rather than directly breaking into systems. Google’s researchers noted that while there are some similarities between these hackers and known criminal groups, this particular group appears to be separate.

Read more »
Ransomware
Critical Infrastructure data security malware Play PlayCrypt Playgroup Ransomware

FBI Alert: Play Ransomware Attacks 900 Organizations

FBI Alert: Play Ransomware Attacks 900 Victims

In a recent joint cybersecurity advisory released with its Australian partners, the FBI announced that the Play ransomware group has attacked over 900 organizations since May 2025. “As of May 2025, FBI was aware of approximately 900 affected entities allegedly exploited by the ransomware actors,” the FBI said

Triple growth in three years

The number has tripled; in 2023, the figure was 300. This highlights the group’s rapid growth of attacking capabilities and compromise of new flaws.

Since 2022, the Playgroup, aka Playcrypt, has launched attacks across Europe, North America, and South America. The victims are diverse, ranging from MNCs to public sector agencies to areas of critical infrastructure. 

The Play ransomware differs due to its strategic use of manual-coded malware for each compromise. The constant configuration of attacks and retooling increases the group’s efficiency by helping it avoid getting caught. 

In a few cases, the group has strengthened attack tactics by contacting victims directly and asking for ransom for not leaking their data. 

Members of the infamous cybercrime syndicate have also compromised various newly found flaws (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) in remote monitoring and management software, deploying them as entry points for deeper penetration to compromise systems. In one incident, threat actors backdoored systems and used Sliver beacons, building the foundation for future ransomware attacks. 

Play follows a unique approach

Differing from other gangs, Play uses direct email communication instead of the Dark Web negotiation. 

Play extracts sensitive data and uses it for extortion, and also uses a proprietary tool to escape shadow copy protections in data thefts. Some high-profile targets include the City of Oakland, Dallas County, and Krispy Kreme. 

How to stay safe?

A sound understanding of ransomware groups and good cyber hygiene is a must to prevent ransomware attacks, specialized tools, however, can boost your defenses. 

The joint advisory recommends security teams to keep their systems updates to prevent exploit of unpatched vulnerabilities. They are also advised to use two-factor authentication (2FA) throughout all services. Organizations should keep offline data backups and make and test a recovery drill as part of their security practices. 


Read more »
TrickBot
Conti Cyber Crime Dark Web FBI ID Leak Internet Ransomware TrickBot

Mysterious Entity ExposedGang Exposes Cyber Criminals


An anonymous leaker is exposing the identities of the world’s most wanted cybercriminals. 

Recently, a mysterious leaker exposed leaders behind Trickbot and Conti ransomware, hacking groups that are known for some of the biggest extortions in recent times. 

Recently, The Register contacted an anonymous individual known by the alias GangExposed, who is on a personal mission to “fight against an organized society of criminals known worldwide”. GangExposed takes pleasure in thinking he can rid society of at least some of the cybercriminals. "I simply enjoy solving the most complex cases,” he said. 

Stern doxxed

One of the criminals doxxed is Stern, the mastermind of Conti ransomware operations and TrickBot. GangExposed claims Stern is Vitaly Nikolaevich, CySecurity reported about this case recently.

After the doxxing of Stern, GangExposed went after another important criminal, AKA professor, who is a 39-year-old Russian called Vladimir Viktorovich Kvitko. He is living in Dubai. Apart from exposing important individuals, GangExposed also leaked videos, ransom negotiations, and chat logs. 

About GangExposed

The leaker said it was not an “IT guy,” it just observed patterns that other people missed. 

"My toolkit includes classical intelligence analysis, logic, factual research, OSINT methodology, stylometry (I am a linguist and philologist), human psychology, and the ability to piece together puzzles that others don't even notice," the leaker said. 

"I am a cosmopolitan with many homes but no permanent base — I move between countries as needed. My privacy standards are often stricter than most of my investigations' subjects."

Leaked bought info to expose IDs

To expose the IDs of infamous threat actors, GangExposed used information received via “semi-closed databases, darknet services,” and through purchases. It has “access to the leaked FSB border control database.” GangExposed claims it purchased the database from the dark web for $250,000. 

GangExposed could have gotten at least $10 million in bounty from the FBI if it wanted to, but it has decided not to demand money.  This suggests the leakers may be resentful of former members looking for revenge, while some experts think taking the bounty would make them criminal as well. 

CySecurity had earlier reported on this incident, you can read the full story about the international crackdown on cybercrime gangs here

Read more »
Vulnerability
Breach Cyber Security Data DragonForce MSP Ransomware Retail SimpleHelp Sophos Vulnerability

DragonForce Targets MSPs Using SimpleHelp Exploit, Expands Ransomware Reach

 


The DragonForce ransomware group has breached a managed service provider (MSP) and leveraged its SimpleHelp remote monitoring and management (RMM) tool to exfiltrate data and launch ransomware attacks on downstream clients.

Cybersecurity firm Sophos, which was brought in to assess the situation, believes that attackers exploited a set of older vulnerabilities in SimpleHelp—specifically CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726—to gain unauthorized access.

SimpleHelp is widely adopted by MSPs to deliver remote support and manage software deployment across client networks. According to Sophos, DragonForce initially used the compromised tool to perform system reconnaissance—gathering details such as device configurations, user accounts, and network connections from the MSP's customers.

The attackers then moved to extract sensitive data and execute encryption routines. While Sophos’ endpoint protection successfully blocked the deployment on one customer's network, others were not as fortunate. Multiple systems were encrypted, and data was stolen to support double-extortion tactics.

In response, Sophos has released indicators of compromise (IOCs) to help other organizations defend against similar intrusions.

MSPs have consistently been attractive targets for ransomware groups due to the potential for broad, multi-company impact from a single entry point. Some threat actors have even tailored their tools and exploits around platforms commonly used by MSPs, including SimpleHelp, ConnectWise ScreenConnect, and Kaseya. This trend has previously led to large-scale incidents, such as the REvil ransomware attack on Kaseya that affected over 1,000 businesses.

DragonForce's Expanding Threat Profile

The DragonForce group is gaining prominence following a string of attacks on major UK retailers. Their tactics reportedly resemble those of Scattered Spider, a well-known cybercrime group.

As first reported by BleepingComputer, DragonForce ransomware was used in an attack on Marks & Spencer. Shortly after, the same group targeted another UK retailer, Co-op, where a substantial volume of customer data was compromised.

BleepingComputer had earlier noted that DragonForce is positioning itself as a leader in the ransomware-as-a-service (RaaS) space, offering a white-label version of its encryptor for affiliates.

With a rapidly expanding victim list and a business model that appeals to affiliates, DragonForce is cementing its status as a rising and formidable presence in the global ransomware ecosystem.
Read more »
Ransomware
Data Breach Files links Nova Scotia Ransomware

Ransomware Attack Exposes Private Data of Over 280,000 Nova Scotia Power Customers

 


A major cybersecurity incident has affected Nova Scotia Power, the province’s electricity provider. The company recently confirmed it was hit by a ransomware attack that led to a massive data leak, although electricity services were not disrupted.

The cyberattack was first detected in late March 2025, but the company didn’t reveal full details until much later. After noticing unusual activity on April 25, Nova Scotia Power quickly activated emergency measures. They called in cybersecurity professionals and informed local authorities.

By May, investigations confirmed that customer information had been accessed by unauthorized hackers. The stolen records include names, birth dates, email addresses, phone numbers, home and service addresses, electricity usage history, payment records, and details of past service requests. Some individuals were affected more severely, as sensitive documents like Social Insurance Numbers, driver's license numbers, and bank account information were also accessed—particularly for those using automatic payments.

Despite the attack, Nova Scotia Power chose not to give in to the ransom demands. In a public statement, they explained that their decision was based on advice from cybersecurity experts and legal authorities. Unfortunately, since the ransom wasn’t paid, the attackers responded by leaking the stolen data online.

To help affected customers, the company has partnered with TransUnion, a credit monitoring agency. Those impacted are being offered a free two-year subscription to a credit monitoring program called myTrueIdentity. Letters with instructions on how to sign up and tips to stay protected are being sent out.

Nova Scotia Power has advised customers to be cautious. People are warned not to respond to suspicious emails, texts, or phone calls pretending to be from the company. If contacted unexpectedly, it’s safer to double-check the message before sharing personal information. Avoid clicking on strange links or downloading unknown files.

While customer privacy has been compromised, the company confirmed that its electricity system remains secure. The power supply across the province has not been affected in any way. All power generation, delivery, and transmission systems continue to operate as usual.

Emera Inc., the parent company of Nova Scotia Power, stated that the cyberattack has not had a serious effect on its financial results. The company continues to report earnings and operate its business normally.

This incident is one of the largest data breaches in recent Canadian history. The company is still investigating what happened and is working with professionals to strengthen its digital systems and prevent future attacks. With so many people impacted, it raises growing concerns about how easily private data can be exposed in today’s digital world.

Read more »
Ransomware
Black Basta Cyber Attacks GoodSync Microsoft Ransomware

Hackers Tricking Employees with Fake IT Calls and Email Floods in New Ransomware Scam

 


A growing number of cyberattacks are being carried out by a group linked to the 3AM ransomware. These attackers are using a combination of spam emails and fake phone calls pretending to be a company’s tech support team. Their goal is to fool employees into giving them access to internal systems.

This method, which has been seen in past cyber incidents involving other groups like Black Basta and FIN7, is becoming more widespread due to how effective it is. Cybersecurity company Sophos has confirmed at least 55 attacks using this approach between November 2024 and January 2025. These incidents appear to come from two different hacker groups following similar tactics.

In one recent case during early 2025, the attackers targeted a company using a slightly different method than before. Instead of pretending to be tech support over Microsoft Teams, they called an employee using a fake caller ID that showed the company’s actual IT department number. The call took place while the employee’s inbox was being flooded with dozens of spam emails in just minutes — a technique known as email bombing.

During the call, the attacker claimed the employee's device had security issues and asked them to open Microsoft’s Quick Assist tool. This is a real remote help feature that allows another person to take control of the screen. Trusting the caller, the employee followed instructions and unknowingly handed over access to the attacker.

Once inside, the hacker downloaded a dangerous file disguised as a support tool. Inside the file were harmful components including a backdoor, a virtual machine emulator (QEMU), and an old Windows system image. These tools allowed the attacker to hide their presence and avoid detection by using virtual machines to move through the network.

The hacker then used tools like PowerShell and WMIC to explore the system, created a new admin account, installed a remote support tool called XEOXRemote, and gained control of a domain-level account. Although Sophos security software stopped the ransomware from spreading and blocked attempts to shut down protections, the hacker managed to steal 868 GB of company data. This data was sent to cloud storage using a syncing tool called GoodSync.

The full attack lasted around nine days. The majority of the data theft happened in the first three days before the attackers were cut off from further access.

To protect against such attacks, Sophos suggests reviewing admin accounts for weaknesses, using security tools that can spot unusual uses of trusted programs, and setting strict rules for running scripts. Most importantly, companies should train employees to recognize signs of fake support calls and suspicious emails, as these scams depend on fooling people — not just machines.

The 3AM ransomware group is relatively new, first spotted in late 2023, but appears to have links with well-known cybercrime networks like Conti and Royal.


Read more »
Trojan
cryptocurrency Cyberattack Hacking malware printing Ransomware remoteaccess Security Software Trojan

Malware Discovered in Procolored Printer Software, Users Advised to Update Immediately

 

For at least six months, the official software bundled with Procolored printers reportedly included malicious code, including a remote access trojan (RAT) and a cryptocurrency-stealing malware.

Procolored, a Shenzhen-based manufacturer known for its affordable Direct-to-Film (DTF), UV DTF, UV, and Direct-to-Garment (DTG) printers, has built a strong reputation in the digital printing market. Since its founding in 2018, the company has expanded to over 31 countries and developed a considerable footprint in the United States.

The issue was first identified by Cameron Coward, a tech YouTuber behind the channel Serial Hobbyism. He was installing the driver and companion software for a $7,000 Procolored UV printer when his security tool flagged a threat: the Floxif USB worm.

After further investigation, cybersecurity firm G Data confirmed that malware was being distributed through Procolored’s official software packages—potentially impacting customers for over half a year.

Initially dismissed by Procolored as a “false positive,” Coward found that every time he attempted to download or unzip the printer software, his system immediately quarantined the files.

“If I try to download the files from their website or unzip the files on the USB drive they gave me, my computer immediately quarantines them,” said the YouTuber.

Coward turned to Reddit for support in analyzing the malware before publishing a critical review. G Data researcher Karsten Hahn responded and discovered that six printer models—F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro—came with software downloads hosted on Mega that were infected with malware.

Mega.nz is the file-sharing platform Procolored uses to distribute printer software via its official website.

Hahn found 39 infected files, including:

  • XRedRAT: A RAT with capabilities such as keylogging, taking screenshots, accessing the remote shell, and file manipulation. Its hardcoded command-and-control (C2) URLs were consistent with previously analyzed samples.
  • SnipVex: A newly identified clipper malware that infects .EXE files and hijacks Bitcoin addresses copied to the clipboard. This malware is believed to have compromised the developer’s machine or software build environment.

According to G Data, the SnipVex malware was used to steal around 9.308 BTC (worth nearly $1 million at current exchange rates).

Company Response and Security Measures

Though Procolored initially denied any wrongdoing, the compromised software was removed from its website on May 8, and the company launched an internal probe.

In communication with G Data, Procolored explained that the infected files had been uploaded via a USB drive possibly infected with the Floxif worm.

“As a precaution, all software has been temporarily removed from the Procolored official website,” explained Procolored to G Data.

“We are conducting a comprehensive malware scan of every file. Only after passing stringent virus and security checks will the software be re-uploaded.”

G Data later confirmed that the newly uploaded software packages are clean and safe to install.

Customers who previously downloaded Procolored software are urged to update to the new versions and perform a system scan to remove remnants of XRedRAT and SnipVex. Given the nature of SnipVex's binary tampering, experts recommend a thorough system cleaning.

In a comment to BleepingComputer, Procolored emphasized that all of its software has now been verified and is secure:

“Procolored confirms that its software is completely safe, clean, and has no connection whatsoever to any cryptocurrency-related incidents. All software packages have been thoroughly scanned and verified by third-party tools including VirusTotal and G Data, with no threats detected. Users can purchase and use Procolored products with complete confidence, as there is no risk of Bitcoin or other cryptocurrency theft linked to their software.”

“To further reassure customers, Procolored has provided third-party certifications and conducted strict technical checks to prove its software is secure.”

“In particular, the hash values of the key ‘PrintExp.exe’ file were verified and confirmed to match the official values published on Procolored’s website, proving the file is authentic, untampered, and free of any viruses or malware.”

“The company remains fully committed to customer care — no matter the issue, whether software or hardware, Procolored promises to resolve it to customer satisfaction, supported by their dedicated after-sales team and U.S.-based service resources.”


Read more »
Skitnet
Cyber Defender Cyber Surge Cyberattacks Cybersecurity CyberThreat EDR malware PowerShell malware RAMP Ransomware Security Audits Skitnet

Surge in Skitnet Usage Highlights Evolving Ransomware Tactics

 


Today’s cyber threat landscape is rapidly evolving, making it increasingly difficult for adversaries to tell the difference between traditional malware families, as adversaries combine their capabilities to maximise their impact. Skitnet, an advanced multistage post-exploitation toolkit, is one of the best examples of this convergence, as it emerged as an evolution of the legacy Skimer malware, a sophisticated multi-stage post-exploitation toolkit. 

Skitnet, which was once used as a tool for skimming card information from ATMs, has been repurposed as one of the strongest weapons in the arsenal of advanced ransomware groups, notably Black Basta. In the last few months, it has appeared again as part of a larger tactical shift aimed at focusing on stealth, persistent access, data exfiltration, and support for double extortion ransomware campaigns that move away from singular objectives like financial theft. 

Since April 2024, Skitnet, which is also known as Bossnet in some underground circles, has been actively traded on darknet forums like RAMP, with a noticeable uptake noticed among cybercriminals by early 2025. This version has an enterprise-scale modular architecture, unlike its predecessor, which allows it to operate at an enterprise scale. 

There is no need to worry about fileless execution, DNS-based communication for command-and-control (C2), system persistence, or seamless integration with legitimate remote management tools like PowerShell or AnyDesk to use it. Through this flexibility, attackers can continue to remain covert inside targeted environments for extended periods of time without being noticed. 

In addition to being a threat to enterprises, Skitnet has also been deployed through sophisticated phishing campaigns that attempt to duplicate trusted enterprise platforms such as Microsoft Teams, thus allowing threat actors to use social engineering as a primary vector for gaining access to networks and systems. 

Moreover, this evolution demonstrates the growing commoditization of post-exploitation toolkits on underground markets, which offers a leading indicator of how ransomware groups are utilising increasingly advanced malware to refine their tactics and enhance the overall efficiency of their operations. 

According to recent threat intelligence findings, multiple ransomware groups are now actively integrating Skitnet into their post-exploitation toolkits in order to facilitate data theft, maintain persistent remote access to compromised enterprise systems, and reinforce control over compromised enterprise systems as well as facilitate after-exploitation data theft. Skitnet began circulating in underground forums like RAMP as early as April 2024, but its popularity skyrocketed by early 2025, when several prominent ransomware actors began leveraging its use in active campaigns to target consumers.

Several experts believe that Skitnet will end up being a major ransomware threat to the public shortly. The ransomware group Black Basta, for instance, was seen using Skitnet as part of phishing campaigns mimicking Microsoft Teams communications in April of 2025, an increasingly common technique that exploits the trust of employees towards workplace collaboration tools. 

The Skitnet campaign targets enterprise environments, where its stealth capabilities and modular design make it possible for the attacker to deep infiltrate and stay active for a long time. PRODAFT is tracking Skitnet as LARVA-306, the threat actor designated by the organisation. Skitnet, also known in underground circles by Bossnet, is a multi-stage malware platform designed to be versatile and evasive in nature. 

A unique feature of this malware is its use of Rust and Nim, two emerging programming languages in the malware development community, to craft payloads that are highly resistant to detection. By initiating a reverse shell via the DNS, the malware bypasses traditional security monitoring and allows attackers to remain in communication with the command-and-control infrastructure and maintain covert communications. 

Further increasing Skitnet's threat potential are its robust persistence mechanisms, the ability to integrate with legitimate remote access tools, and the ability to exfiltrate data built into its software. The .NET loader binary can also be retrieved and executed by the server, which serves as a mechanism to deliver additional payloads to the machine, thus increasing its operational flexibility. 

As described on dark web forums, Skitnet is a “compact package” comprised of a server component as well as a malware payload that is easy to deploy. As a result of Skitnet's technical sophistication and ease of deployment, it continues to be a popular choice among cybercriminals looking for scalable, stealthy, and effective post-exploitation tools. 

There is a modular architecture built into Skitnet, with a PowerShell-based dropper that decodes and executes the core loader in a centralised manner. Using HTTP POST requests with AES-encrypted payloads, the loader retrieves task-specific plugins from hardcoded command-and-control servers that are hardcoded. One of its components is skitnel.dll, which makes it possible to execute in memory while maintaining the persistence of the system through built-in mechanisms.

Researchers have stated that Skitnet's plugin ecosystem includes modules that are dedicated to the harvesting of credentials, escalation of privileges, and lateral movement of ransomware, which allow threat actors to tailor their attacks to meet the strategic objectives and targets of their attacks. It is clear from the infection chain that Skitnet is a technical advancement in the post-exploitation process, beginning with the execution of a Rust-based loader on compromised hosts. 

With this loader, a Nim binary that is encrypted with ChaCha20 is decrypted and then loaded directly into memory, allowing the binary to be executed stealthily, without the need for traditional detection mechanisms. The Nim-based payload establishes a reverse shell through a DNS-based DNS request, utilising randomised DNS queries to initiate covert communications with the command-and-control (C2) infrastructure as soon as it is activated. 

To carry out its core functions, the malware then launches three different threads to manage its core functions: one thread takes care of periodic heartbeat signals, another thread monitors and extracts shell output, and yet another thread monitors and decrypts responses received over DNS, and the third thread listens for incoming instructions. Based on the attacker's preferences set within the Skitnet C2 control panel, command execution and C2 communication are dynamically managed, using either HTTP or DNS protocols. 

Through the web-based interface, operators can view infected endpoints in real-time, view their IP address, their location, and their system status, as well as remotely execute command-line commands with precision, in real time. As a result of Skitnet's level of control, it has become a very important tool in modern ransomware campaigns as a highly adaptable and covert post-exploitation tool. 

As opposed to custom-built malware created just for specific campaigns, Skitnet is openly traded on underground forums, offering a powerful post-exploitation solution to cyber criminals of all sorts. The stealth characteristics of this product, as well as minimal detection rates and ease of deployment, make it an attractive choice for threat actors looking to maximise performance and maintain operational covertness. With this ready accessibility, the technical barrier to executing sophisticated attacks is dramatically reduced. 

Real-World Deployments by Ransomware Groups


There is no doubt in my mind that Skitnet is not just a theoretical concept. Security researchers have determined that it has been used in actual operations conducted by ransomware groups such as Black Basta and Cactus, as well as in other real-life situations. 

As part of their phishing campaigns, actors have impersonated Microsoft Teams to gain access to enterprise environments. In these attacks, Skitnet has successfully been deployed, highlighting its growing importance among ransomware threats. 

Defensive Measures Against Skitnet 


Skitnet poses a significant risk to organisations. Organisations need to adopt a proactive and layered security approach to mitigate these risks. Key recommendations are as follows: 

DNS Traffic Monitoring: Identify and block unusual or covert DNS queries that might be indicative of an activity like command and control. 

Endpoint Detection and Response (EDR) Use advanced EDR tools to detect and investigate suspicious behaviour associated with Rust and Nim-based payloads. Often, old antivirus solutions are unable to detect these threats. 

PowerShell Execution Restrictions: PowerShell should be limited to only be used in situations that prevent unauthorised script execution and minimise the risk of a fileless malware attack. 

Regular Security Audits Continually assess and manage vulnerabilities to prevent malware like Skitnet from entering the network and exploiting them, as well as administer patches as needed. 

The Growing Threat of Commodity Malware 


In the context of ransomware operations, Skitnet represents the evolution of commodity malware into a strategic weapon. As its presence in cybercrime continues to grow, organisations are required to stay informed, agile, and ready to fight back. To defend against this rapidly evolving threat, it is crucial to develop resilience through threat intelligence, technical controls, and user awareness. 

Often times, elite ransomware groups invest in creating custom post-exploitation toolsets, but they take a considerable amount of time, energy, and resources to develop them—factors that can restrict operational agility. Skitnet, on the other hand, is a cost-effective, prepackaged alternative that is not only easy to deploy but also difficult to attribute, as it is actively distributed among a wide range of threat actors. 

A broad distribution of incidents further blurs attribution lines, making it more difficult to identify threat actors and respond to incidents. The cybersecurity firm Prodaft has published on GitHub associated Indicators of Compromise (IoCs) related to incident response. As a result of Skitnet's plug-and-play architecture and high-impact capabilities, it is particularly appealing to groups that wish to achieve strategic goals with minimal operational overhead in terms of performance and operational efficiency. 

According to Prodaft in its analysis, Skitnet is particularly attractive for groups that are trying to maximise impact with the lowest overhead. However, in spite of the development of antivirus evasion techniques for custom-made malware, the affordability, modularity, and stealth features of Skitnet continue to drive its adoption in the marketplace. 

Despite the fact that it is a high-functioning off-the-shelf tool, its popularity in the ransomware ecosystem illustrates a growing trend that often outweighs bespoke development when attempting to achieve disruptive outcomes. As ransomware tactics continue to evolve at an explosive rate, the advent and widespread adoption of versatile toolkits like Skitnet are a stark reminder of how threat actors have been continually refining their methods in order to outpace traditional security measures. 

A holistic and proactive cybersecurity posture is vital for organisations to adopt to protect themselves from cyber threats and evade detection, one that extends far beyond basic perimeter defences and incorporates advanced threat detection, continuous monitoring, and rapid incident response capabilities. To detect subtle indicators of compromise that commodity malware like Skitnet exploits to maintain persistence and evade detection, organisations should prioritise integrating behavioural analytics and threat intelligence. 

It is also vital to foster an awareness of cybersecurity risks among employees, particularly when it comes to the risks associated with phishing and social engineering, to close the gap in human intelligence that is often the first attack vector employed by cybercriminals. Organisations must be able to protect themselves from sophisticated post-exploitation tools through multilayered defence strategies combining technology, processes, and people, enabling them to not only detect and mitigate the current threats but also adapt to emerging cyber risks in an ever-changing digital environment with rapidity.
Read more »
Vulnerabilities and Exploits
China CISA IP Address Ransomware SAP Bug Vulnerabilities and Exploits

Ransomware Hackers Target SAP Servers Through Critical Flaw

 


A newly discovered security hole in SAP’s NetWeaver platform is now being misused by cybercriminals, including ransomware gangs. This flaw allows attackers to run harmful commands on vulnerable systems from a distance—without even needing to log in.

SAP issued urgent software updates on April 24 after learning about the flaw, found in NetWeaver’s Visual Composer tool. The weakness, labeled CVE-2025-31324, makes it possible for attackers to upload files containing malware. Once inside, they can take full control of the affected system.

ReliaQuest, a cybersecurity firm that tracked this issue, now says that two known ransomware groups, RansomEXX and BianLian have joined in. Although they haven’t yet successfully launched any ransomware in these cases, their involvement shows that multiple criminal groups are watching this flaw closely.

Investigators linked BianLian to at least one incident using an IP address tied to their past operations. In another case, RansomEXX attackers used a backdoor tool called PipeMagic and also took advantage of a previously known bug in Microsoft’s Windows system (CVE-2025-29824).

Even though their first effort didn’t succeed, the attackers made another attempt using a powerful hacking framework called Brute Ratel. They delivered it using a built-in Microsoft function called MSBuild, which helped them run the attack in a sneaky way.

More recently, security teams from Forescout and EclecticIQ connected this activity to hackers linked to China. These groups, tracked under various names, were also found to be exploiting the same SAP vulnerability. In fact, they managed to secretly install backdoors on at least 581 SAP systems, including some tied to national infrastructure in the US, UK, and Saudi Arabia. Their plans may also include targeting nearly 2,000 more systems soon.

Experts believe these hidden access points could help foreign state-sponsored hackers gather intelligence, interfere with operations, or even achieve military or economic goals. Since SAP systems are often connected to important internal networks, the damage could spread quickly within affected organizations.

SAP has also fixed another weakness (CVE-2025-42999), which had been silently misused since March. To stay safe, system administrators are advised to apply the patches immediately. If they can’t update right away, disabling the Visual Composer tool can help. They should also restrict access to certain features and monitor their systems closely for anything unusual.

The US government’s cyber agency CISA has officially listed this flaw as a known risk. Federal departments were told to patch their systems by May 20 to avoid falling victim.

Read more »
Ransomware
Computer CPU Cyber Security Operating system Ransomware

Ransomware May Soon Target the Brain of Your Computer — Here's What You Need to Know

 



Cyberattacks are evolving fast, and one of the biggest threats on the horizon is ransomware that doesn't just take over your files but could directly attack your computer’s processor.

Usually, ransomware blocks access to your files or system until you pay money to get control back. But in the future, attackers might go deeper and mess with your computer’s central processing unit (CPU) — the part that controls everything your computer does.

This new kind of attack could change how your CPU works by tampering with a hidden set of instructions inside the chip, called microcode. These instructions are installed by companies like Intel and AMD and can only be updated by them. They help your CPU run smoothly and securely. If criminals figure out how to replace this microcode with harmful code, they could take over your computer entirely.

Although this might sound like science fiction, it's starting to become more real. Researchers recently found a way to insert custom code into an AMD processor by using a flaw. They managed to change how the CPU handles random numbers — a small change, but proof that deeper control is possible.

A cybersecurity expert from Rapid7 has even created a working example of this type of attack. While it's not being shared publicly, it shows that this type of threat may not be far off. Once such ideas are out in the open, it's only a matter of time before bad actors attempt to use them.

Some tools already exist that allow hackers to sneak malicious programs into the firmware — the part of your computer that runs before the operating system loads. These tools are sold online and used by cybercriminals to secretly gain access to computers.

Right now, there are no known real-world attacks that target the CPU in this way, and it may still be years before it becomes a serious problem. However, it’s smart to be prepared.


Here’s how you can reduce your risk:

1. Keep your BIOS and firmware updated regularly, since companies release updates to fix problems.

2. Use reliable antivirus software to catch other types of ransomware early.

3. Don’t open unknown emails or click suspicious links.

4. Only install programs from websites you trust.


While this type of ransomware isn't common today, the fact that it's possible means we should stay alert. Updating your system and being cautious online are simple steps that can go a long way in keeping your device safe.

Read more »
Trojan
AItools CapCut Cybersecurity Darkweb Infostealer malware Noodlophile phishing Ransomware RAT Spyware Telegrambot Trojan

New AI Video Tool Scam Delivers Noodlophile Malware to Steal Your Data

 

Cybercriminals are using fake AI-powered video generation tools to spread a newly discovered malware strain called ‘Noodlophile’, disguised as downloadable media content.

Fraudulent websites with names like "Dream Machine" are being promoted in high-visibility Facebook groups, pretending to be advanced AI tools that can generate videos from user-uploaded files. However, these platforms are actually fronts for distributing information-stealing malware.

While cybercriminals leveraging AI for malware distribution isn't new, Morphisec researchers have uncovered a fresh campaign that introduces this new infostealer. “Noodlophile” is currently being sold on dark web forums, frequently bundled with services like "Get Cookie + Pass," indicating it's part of a malware-as-a-service operation linked to Vietnamese-speaking threat actors.

Once a victim uploads their file to the fake site, they receive a ZIP archive that supposedly contains the generated video. Instead, the archive includes a misleading executable named "Video Dream MachineAI.mp4.exe" and a hidden folder housing essential files for subsequent malware stages. On systems with file extensions hidden, the file could appear to be a harmless video.

"The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth," explains Morphisec.

This executable is actually a modified version of CapCut, a legitimate video editing software (version 445.0), and the naming and certificate are used to deceive both users and antivirus software.

Once run, the file executes a sequence of commands that launch a batch script (Document.docx/install.bat). This script then uses the Windows tool 'certutil.exe' to decode and extract a base64-encoded, password-protected RAR file that mimics a PDF. It also adds a registry key to maintain persistence on the system.

The batch script then runs srchost.exe, which executes an obfuscated Python script (randomuser2025.txt) from a hardcoded remote server. This leads to the in-memory execution of the Noodlophile stealer.

If Avast antivirus is found on the system, the malware uses PE hollowing to inject its code into RegAsm.exe. If not, it resorts to shellcode injection.

"Noodlophile Stealer represents a new addition to the malware ecosystem. Previously undocumented in public malware trackers or reports, this stealer combines browser credential theft, wallet exfiltration, and optional remote access deployment," explains the Morphisec researchers.

The malware targets data like browser credentials, session cookies, tokens, and cryptocurrency wallets. Stolen information is sent through a Telegram bot, acting as a stealthy command and control (C2) channel. In some cases, Noodlophile is also packaged with XWorm, a remote access trojan (RAT), enabling more aggressive data theft.

How to Stay Safe:
  • Avoid downloading files from unverified websites.
  • Double-check file extensions—don’t trust names alone.
  • Always run downloads through a reliable, up-to-date antivirus tool before executing.


Read more »
URL
Antivirus System Cyberciminals CyberCrime Cybersecurity CyberThreat Cyberthreats Digital Threat File Download malware Malware Trojan Ransomware Software URL

How to Check If a Downloaded File Is Safe to Use

 


It is no longer a secret that downloading software is becoming an integral part of everyday computing in today’s digitally based environment. It is used to enhance productivity, explore new tools, and stay connected to an ever-increasing online world, all of which are aided by downloads of software. While instant downloads have many advantages, if they are not approached with due diligence, they can also pose significant risks. 

A variety of harmful software, including malware, spyware, and adware, can be easily embedded into seemingly harmless files, potentially compromising personal information or system functionality. Given this, users need to take a cautious and informed approach before they execute any downloaded file. 

By following a few simple steps to verify a file’s safety, for example, scanning it for antivirus, and signing it with a digital signature, users can greatly reduce their vulnerability to cybersecurity risks. 

As digital threats continue to evolve, awareness and prevention remain the best defences for a constantly evolving cyber environment. While downloading files from the internet is now part of current daily lives, it is not without its risks. Cybercriminals often take advantage of this habit by disguising malicious software, like viruses, trojans, ransomware, and a wide variety of other forms of malware, as legitimate software. 

The threats are often disguised as harmless files, making it easy for the uninitiated to become victims of data loss or security breaches. This is why it is imperative to use caution when downloading any content, regardless of the source, regardless of whether the source seems trustworthy. The risk of infection can be significantly reduced by practising due diligence by scanning files using antivirus software, checking for digital signatures, and avoiding unknown or suspicious links when it comes to downloading files. 

With the ever-evolving digital threat landscape, users must take precautions about file safety, not just as a recommendation, but as a necessity. Users across the globe are increasingly concerned about the risk of downloading malicious software unintentionally from the internet. It is possible to install malicious programs on a computer system just by clicking a single careless button. 

A malicious program could compromise the integrity of the system, take sensitive data, or render a computer inoperable. As a result of SonicWall's Cyber Threat Report 2021, there were more than 5.6 billion malware attacks recorded in 2020 alone, a staggering figure that indicates how persistent this threat has become. 

A malware infection is usually caused by deceptive email attachments, compromised websites, and software downloads that appear legitimate but are laced with hidden dangers, resulting in the infection of a device. As a result, many users unknowingly expose themselves to such risks when they install a file or application that they believe is safe and secure. As a result, it highlights the importance of being vigilant and informed when it comes to navigating the digital world. Anyone who wants to protect their digital environment must understand how malware spreads, adopt proactive safety habits, and become aware of the dangers lurking within downloadable files.

For organisations to strengthen their cybersecurity protocols, it is imperative to have a thorough understanding of the hidden threats lurking within downloadable files. A fairly common infection vector is malicious email attachments that are sent as part of an email. There is a common practice among cybercriminals of using deceptive emails to distribute infected files disguised as regular documents, such as invoices, reports, or internal memos, that contain infected files. It has been shown that these attachments can unleash email-based viruses which will infiltrate entire company networks and spread quickly, leading to widespread disruption. There is also a threat vector that resides within seemingly harmless documents from Microsoft Office. 

Word or Excel documents, for example, may contain malicious macros—automated scripts embedded within them. When an unsuspecting recipient enables macros, these scripts silently execute, causing the system to be compromised with malware. These types of attacks are especially dangerous because they appear to be standard business communication when they are, in fact, very dangerous. 

Compressed files such as .zip and .rar also pose a significant threat. Often, threat actors hide harmful executable files within these archives, making it more difficult for them to be detected. Once those files are extracted and executed, they can instantly infect a device, granting unauthorized access, or causing further damage to the network infrastructure. 

Given that these threats are becoming increasingly sophisticated and subtlebusinesses must develop proactive strategies that can prevent them from becoming infected in the first place. An organization might be able to prevent malicious software from entering its organisation by implementing comprehensive employee training programs, strict file filtering policies, advanced threat detection tools, and regular updates to software. 

The prevention of malicious software begins with awareness and continues through rigorous cybersecurity practices and disciplined digital hygiene. There is a potential security risk associated with every file that user download from the internet, whether it is a file attached to an email, a multimedia file, or something that appears harmless like a screen saver. It is possible for familiar sources to unknowingly transmit compromised files, which is why vigilance is essential in every digital interaction. 

Here are a few critical practices that need to be followed to protect both personal devices and organisational networks. To greatly reduce the possibility of infection with harmful software, it is imperative to exercise digital caution and apply sound judgment by avoiding downloads from unknown or suspicious sources. Users are significantly less likely to become infected with dangerous software. When users initiate a download, they should use a reputable website that has a secure (HTTPS) connection and has a well-known domain name. 

Users can prevent fraud by checking the URL bar of the site to ensure its legitimacy. Moreover, fraudulent emails continue to be a very common vehicle for distributing malware. Links and attachments within unsolicited or unexpected messages should never be opened without verifying that the source is genuine. If users encounter suspicious pop-ups or warnings while browsing, they would be wise to close them by clicking the close (X) button in the browser rather than engaging with them. 

A second method of protecting against malware is to save files on people's devices before opening them, which will allow their antivirus software to scan them and alert them to any potential threats that may exist. In addition to verifying the file extension, reading user reviews and comments can provide valuable insights, as previous users may have already reported security issues or hidden dangers.

Media files, for example, should never be delivered in executable (.exe) format, because this indicates malicious intent. Although these practices are simple in nature, they nonetheless serve as a powerful means of avoiding the growing threat of a complex and constantly evolving digital environment. 

Importance of Robust Antivirus and Antimalware Software 


Luigi Oppido, a computer expert, emphasised the importance of installing reputable antispyware, antivirus and antispyware programs such as Norton, AVG, Malwarebytes, or Avast. These programs provide an important line of defence by actively scanning files as soon as they are downloaded, which provides a vital line of defence by identifying and blocking malicious software before it reaches users' computers. Antivirus applications are often integrated into operating systems, which should be enabled and monitored for any security alerts to make sure they do not get infected. 

Download from Trusted Sources 


It is important to note that files obtained exclusively from official websites of established companies, like Microsoft, are much less likely to have any malware attached to them. In contrast, downloading files from less well known or unreliable websites poses a higher threat. In addition to enhancing security, using official digital distribution platforms such as Microsoft Store or Apple App Store adds another layer of protection since these platforms thoroughly vet software before listing it. 

Verify Website Authenticity


As a result of cybercriminals creating spoofed websites using subtle variations in the domain names, users can often be deceived by spoofed sites (e.g., “microsoft.co” rather than “microsoft.com”). As a guide, users should look for signs of a trustworthy site, including a professional site design, a lack of excessive pop-ups or spam links, and the presence of SSL/TLS certificates, which can be recognised by the “https” and padlock icon on the browser. 

Awareness of Download Context 


A significant portion of the risk associated with downloading a file is determined by the source of the download. Files from dubious places, like torrent sites or adult content platforms, are often highly dangerous, and often contain malware or viruses. Files that resemble official software or originate from reputable companies are generally less dangerous.

Recognise Browser and System Warnings

It is important for users to heed warnings sent by modern browsers and antivirus programs when they are interested in downloading suspicious websites or potentially dangerous files. They must acknowledge these warnings and avoid proceeding with questionable downloads.

Check User Feedback and File Reputation


Reviews and comments left by users, whether on the hosting website or independent forums such as Reddit and Quora, can offer insights into the safety of a download. A positive reaction from multiple users will typically indicate a lower risk of malware infection. 

File Size Considerations


Several clues can be provided by the file size of a file. Usually, the size of a file is an indication of its legitimacy. An unusually small file may contain incomplete data or disguised malware. An unexpectedly large file may carry unwanted or harmful extras along with its intended purpose. 

Caution with Executable and Archive Files


It is common for malware to manifest itself in executable files (e.g., “.exe,” “.bat,” “.msi,” “.scr”) that were sourced from unknown locations. Hackers often use double extensions such as “.gif.exe” in order to trick consumers into executing harmful software. People using devices like laptops, computers, or mobiles must verify the source and digital signature of the executable file before opening it, since it grants an individual extensive control over the system. 

Digital Signatures and Licensing


Whenever users are running software on Windows, digital signatures and license warnings serve as indicators of authenticity. There is no guarantee that every executable is safe, no guarantee that every executable is intended to do harm. However, these factors can guide risk assessments before the installation of software is performed. 

The temptation to bypass security alerts, such as those that appear after a Windows update or warn that i file is potentially dangerous, arises whenever software is installed, and in the rush to do so, security warnings can be easily dismissed or disabled. However, these alerts serve a crucial function in protecting systems against potential threats. 

With Windows SmartScreen and other similar security mechanisms, users get more than just traditional antivirus software; they look at file reputations and behavioural patterns, which can often allow them to detect malware that conventional signature-based scanners may miss. As a precautionary measure, rather than switching off these protections, it is prudent to use such alerts as an opportunity to assess the file's safety using well-established verification methods rather than turning them off.

A major point to remember is that legitimate software rarely triggers multiple security warnings; encountering several warnings should be considered a clear red flag, indicating that the file may pose serious risks. To prevent infections and ensure the integrity of computer systems, one must maintain constant vigilance and respect these security layers.
Read more »
Ransomware
Data Breach Personal Information PowerSchool breach Ransomware

Hackers Resurface with PowerSchool Data, Target Schools Again with New Threats

 


Hackers behind the 2024 cyberattack on PowerSchool have returned, this time going after individual schools. They're now threatening to leak private data unless schools pay them ransom.

PowerSchool is a major digital platform used in the education sector. It provides services to over 17,000 schools in more than 90 countries, helping around 50 million students. In December 2024, the platform suffered a major data breach where hackers managed to steal large amounts of sensitive information. Reports confirmed that the attackers accessed personal data of about 62 million students and 9 million staff members across more than 6,500 school districts in the US and Canada.

At that time, PowerSchool made the controversial decision to pay the attackers in hopes that the stolen data would be deleted. According to the company, it was not a decision taken lightly. They believed that paying the ransom was the best way to keep the private information from being made public. They were told by the hackers—and shown evidence — that the stolen data would be destroyed. However, it now appears that those promises were not kept.

Recently, schools have reported receiving direct messages from cybercriminals, warning them that the stolen data could be released if more ransom is not paid. These threats are based on the same data from the December breach, suggesting that the attackers never deleted it in the first place.

The stolen information includes highly personal details such as names, Social Security Numbers, home addresses, and even health-related information. This kind of data can be used to commit fraud or identity theft, which puts both students and staff at serious risk.

To reduce the chances of identity misuse, PowerSchool is offering two years of free credit and identity monitoring services to those affected. They also expressed regret for the situation and said they are working closely with law enforcement to handle the latest round of threats and prevent further damage.

This situation stresses upon the danger of trusting cybercriminals, even after a ransom is paid. It also shows how long the effects of a data breach can last, especially when sensitive personal information is involved.

Read more »
ScatteredSpider
Cyberattack Cybersecurity Data Breach DragonForce Extortion Hacking Ransomware Retail ScatteredSpider

Marks & Spencer Cyberattack Fallout May Last Months Amid Growing Threat from Scattered Spider

 

Marks & Spencer is facing prolonged disruption after falling victim to a large-scale cyberattack. Experts warn that restoring normal operations could take months, highlighting a growing trend of sophisticated breaches targeting major retailers. This incident follows a wave of cyber intrusions, including those at Co-op and Harrods, allegedly orchestrated by the same hacking collective — Scattered Spider.

Described by ITPro as “the name on every security practitioner's mind right now,” Scattered Spider has gained notoriety for its aggressive tactics and global reach.

“Scattered Spider is one of the most dangerous and active hacking groups we are monitoring,” said Graeme Stewart of Check Point to Sky News.

Believed to be composed mainly of young, English-speaking individuals based in the UK and US, the group has reportedly executed over 100 cyberattacks since emerging in 2022. These attacks span sectors like telecommunications, finance, retail, and gaming.

One of their most prominent exploits occurred in 2023, when they severely disrupted two leading casino operators. Caesars Entertainment reportedly paid about $15 million to recover access, while MGM Resorts suffered estimated damages of around $100 million due to compromised customer data.

What makes Scattered Spider particularly elusive is its decentralized structure and independence from state backing. “They operate more like an organised criminal network, decentralised and adaptive,” Stewart added. Even after multiple arrests in the US and Europe, the group continues to rebound swiftly. “This is not a loose group of opportunistic hackers,” he emphasized.

Rather than relying solely on software flaws, Scattered Spider frequently exploits human error. The M&S and Co-op attacks, for example, were the result of “social engineering,” where attackers manipulated employees into revealing credentials.

Their tactics include mimicking corporate emails, sim swapping (cloning a phone number to hijack accounts), and building convincing fake login portals. “This is akin to ‘breaking down the front door’ of networks,” Paul Cashmore, CEO of Solace Cyber, told The Times. Once inside, Scattered Spider typically partners with ransomware gangs to carry out the final blow.

In these recent cases, the group appears to have collaborated with DragonForce, a ransomware cartel. Initially known as a pro-Palestinian hacktivist group based in Malaysia, DragonForce now operates a “ransomware-as-a-service” model. According to Bleeping Computer, they allow affiliates to use their tools and infrastructure in exchange for 20-30% of ransom payments.

The core motivation is financial gain. DragonForce reportedly reached out to the BBC claiming the Co-op breach was more severe than disclosed, hinting at an extortion attempt.

Organizations like the Co-op, which house personal data of millions, are prime targets. Once a system is locked, hackers demand large ransoms in return for decryption tools and promises to delete stolen data. “If a ransom is not paid, the ransomware operation typically publishes the stolen data on their dark web data leak site,” Bleeping Computer explained.

Whether or not to pay remains a complex dilemma. “Paying may provide a quick way to restore operations, protect customer data and limit immediate financial and reputational damage,” noted The Times. However, it also risks emboldening cybercriminals and marking companies as future targets.
Read more »
Russian Hackers
Cobb County Cyberattacks CyberCrime Cyberhackers Cybersecurity CyberThreat Data Breach Ransomware Russian Hackers

Cobb County Suffers Alleged Data Breach by Russian Hackers

 


The recent cyber attacks against local governments have been concerning, with Cobb County in Georgia being targeted in March 2025 by a sophisticated ransomware attack. In an attempt to gain an edge over their competitors, the cybercriminals known as Qilin have claimed responsibility for a breach that resulted in the theft of approximately 150 gigabytes of sensitive data, totalling more than 400,000 files, and the unauthorised access to them. 

An autopsy photograph, Social Security number, driver's license photo, and confidential internal government documents are among the materials that have been compromised. Public sector cybersecurity has been under increased scrutiny since this incident occurred, as officials attempt to assess the extent of the damage and prevent further exposures. 

Cobb County School District has been informed that there has been an intrusion into the network and is currently collaborating with multiple cybersecurity partners to investigate the incident. This intrusion is considered a serious incident and is currently under active investigation. It has been reported that both the Georgia Emergency Management Agency and the Department of Homeland Security have been notified about the breach. 

Throughout the investigation, the school system has advised all employees not to use desktop computers, and certain network processes are expected to be temporarily disrupted for the next few days as a precautionary measure, however, school operations are still expected to proceed as scheduled, despite these technical challenges. 

It is anticipated that Advanced Placement (AP) testing will begin on Monday, May 5, and that the state Milestones Testing will be administered as scheduled on Tuesday. As of right now, there has been no indication that any personal informatio,- including information concerning students and employees, has been compromised, since the school remains operational and has not been affected by the breach. In addition, there is no indication that any personal information has been compromised. 

The school system, however, is currently conducting a comprehensive investigation to assess the full scope and impact of the unauthorised access. At approximately 7:00 p.m. on Friday, the school system first discovered abnormal network activity. In line with established cybersecurity protocols, the IT department and its external security partners responded rapidly to the intrusion by shutting down affected systems, containing it, and identifying its source as soon as possible. 

While the district's internal network remains restricted in the interim for forensic review to continue, and to ensure the security of critical systems is maintained, access is restricted to the district's internal network. As a result of the investigation, the school district has assured parents, staff, and community members that the district maintains close communication with federal, state, and local authorities. As more details come in, the district will provide regular updates to parents, staff, and the community. 

A ransomware attack on Cobb County is still being investigated, with officials still trying to figure out the extent of the breach and identify individuals who might have been affected by the attack. Even though it is still unclear what type of data has been compromised, preliminary reports indicate that three county employees have been confirmed to have been compromised. 

To combat this situation, the county has agreed to offer impacted residents access to credit monitoring services as well as identity theft protection services as a precautionary measure. Several online systems, including court records, jail databases, and Wi-Fi services, were closed down as a result of the cyberattack that was first discovered on March 21, prompting county officials to act immediately. It appears that these systems have gradually been restored over the last few days, and that full functionality is reported to have been restored as of March 27. 

County officials have been cautious in disclosing specific details regarding the nature of the compromise throughout this period. They had until recently not confirmed whether ransom demands had been involved in the incident. It has been announced that Cobb County Communications Director Ross Cavitt addressed concerns about the server outages during a press conference held during the outages by stating that once all servers have been securely reconnected, residents will not experience any disruptions in accessing data or services. 

As for whether the incident has been labelled as a ransomware attack, he refused to provide any further information on it. The Marietta Daily Journal has not been able to conduct an interview with county officials, which includes chairwoman Lisa Cupid and other members of staff, citing the sensitivity of the ongoing investigation as the reason for not doing so. During a recent email message that was released by the Cobb County Communications Department, it was made clear that it would be premature to comment publicly on this matter while the investigation is still underway.

In the meantime, Commissioner Keli Gambrill expressed confidence in the county's response, pointing out that staff members are performing well under challenging circumstances, despite the situation. Cybersecurity expert Allan Hudson confirmed in the aftermath of the ransomware attack that 16 files that were stolen from the data had already been published online by the attackers as a result of the ransomware attack in an apparent attempt to demonstrate how serious the breach was. 

There were at least three autopsy photographs that were exposed, along with sensitive personal identification documents such as driver's licenses and social security cards that were also revealed. Several additional records released by the county seem to be about private citizens, incarcerated individuals, as well as government employees, which raises serious security and privacy concerns for many individuals. 

Authorities at Cobb County reported to the public in April that ten individuals had been formally informed that their data had been compromised as a result of the breach. Hudson, however, emphasised that the extent of the breach is likely to be much wider than that, warning that anyone who has had an interaction with Cobb County government services in the past several years is at risk of experiencing a breach. He recommended that residents take immediate precautions to reduce their risk of identity theft by freezing their credit, updating their passwords, and enabling two-factor authentication across all of their online accounts. Several county officials reiterated their position against negotiating with cybercriminals in an official statement. 

Even though there may be difficult choices to make, the county refuses to support or enable criminal enterprises, even if faced with difficult choices. While this may not be comforting to those affected, standing firm sends the clear message that bad actors won't benefit from this crime at any cost." Despite the growing concern that the ransomware group known as Qilin may continue to release sensitive information, this firm position comes at the same time that there are increasing concerns about this group's continued release of sensitive information. 

Hudson described the group as highly aggressive and warned that more information could leak soon. Cobb County continues to encourage residents to monitor financial accounts and report any suspicious activity by staying vigilant. The county is assisting those impacted by the cyberattack, including credit monitoring and identity theft protection services, as part of the county's ongoing mitigation efforts. In light of the ongoing investigation into the ransomware attack on Cobb County, the incident has served as a stark reminder of the growing threats that public institutions face as a result of cyberattacks. 

Among the many implications of the breach, not only did it expose vulnerabilities in government systems, but it also made it clear that the implications for citizens whose personal data may be compromised could be far-reaching. As a significant amount of sensitive information has already been released, it is evident that there is an urgent need for heightened digital security at every level of local government. 

The authorities are working closely with cybersecurity experts and federal agencies to contain the situation and prevent further compromise. Despite the initial steps taken by officials to offer identity protection and credit monitoring services, it will likely be the effectiveness and swiftness with which mitigation efforts are initiated that will determine the long-term impact of this breach. Cobb County residents who have used Cobb County services in the past should be encouraged to take proactive measures to protect their personal information by doing so. 

It is important to ensure that users' financial accounts are monitored, that multifactor authentication is enabled, and that their credit profile is frozen where needed. Especially when such cyberattacks are perpetrated by persistent and organised groups such as Qilin, it highlights how important awareness and resilience are at the community level. As a result of this incident, the world, as well as government entities, industrial entities, and individuals, will be called upon to re-evaluate their approach to digital security, especially in a world where we are increasingly interconnected.
Read more »
Subscribe to: Posts (Atom)