Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomwares. Show all posts
Ransomwares
Advanced Social Engineering Cyber Attacks cybercriminal group data security FBI FBI cybersecurity advisory Law Firms Luna Moth phishing techniques ransomware attacks Ransomwares

FBI Warns of Silent Ransom Group Using Phishing and Vishing to Target U.S. Law Firms

 

The FBI has issued a warning about a sophisticated cybercriminal group known as the Silent Ransom Group (SRG), also referred to by aliases like Luna Moth, Chatty Spider, and UNC3753. This group has been actively targeting U.S.-based law firms and related organizations through advanced phishing techniques and social engineering scams. The group, which has been operational since 2022, is known for using deceptive communication methods to gain unauthorized access to corporate systems and extract sensitive legal data for ransom demands. In the past, SRG’s activities spanned across industries such as healthcare and insurance. 

However, since the spring of 2023, its focus has shifted to legal entities, likely because of the highly confidential nature of the data managed by law firms. The group commonly uses a method called callback phishing, also known as reverse vishing. In this approach, victims receive emails that appear to originate from reputable companies and warn them of small charges for fake subscriptions. The emails prompt users to call a phone number to cancel the subscription. During these calls, victims are instructed to download remote access software under the guise of resolving the issue. Once the software is installed, SRG gains control of the victim’s device, searches for valuable data, and uses it to demand ransom.  

In March 2025, SRG has adapted their strategy to include voice phishing or vishing. In this new approach, the attackers call employees directly, posing as internal IT staff. These fraudulent callers attempt to convince their targets to join remote access sessions, often under the pretext of performing necessary overnight maintenance. Once inside the system, the attackers move swiftly to locate and exfiltrate data using tools like WinSCP or a disguised version of Rclone. Notably, SRG does not prioritize escalating privileges, instead focusing on immediate data theft. The FBI noted that these voice phishing methods have already resulted in multiple successful breaches. 

SRG reportedly continues to apply pressure during ransom negotiations by making follow-up calls to victim organizations. While the group does maintain a public site for releasing stolen data, its use of this platform is inconsistent, and it does not always follow through on threats to leak information. A significant concern surrounding these attacks is the difficulty in detection. SRG uses legitimate system management and remote access tools, which are often overlooked by traditional antivirus software. The FBI advises organizations to remain vigilant, particularly if there are unexplained downloads of programs such as AnyDesk, Zoho Assist, or Splashtop, or if staff receive unexpected calls from alleged IT personnel. 

In response, the FBI urges companies to bolster cybersecurity training, establish clear protocols for authenticating internal IT requests, and enforce two-factor authentication across all employee accounts. Victims of SRG attacks are encouraged to share any information that might assist in ongoing investigations, including ransom communications, caller details, and cryptocurrency wallet data.
Read more »
ScatteredSpider
Co-op customer data compromise Cyber Attacks cyber intrusion data security DragonForce DragonForce Ransomware Group Malware. Scattered Spider Marks & Spencer ransomware attacks Ransomwares ScatteredSpider

Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption

 

Weeks after a significant cyberattack disrupted operations at major British retailers, companies like Marks & Spencer (M&S) and Co-op are still struggling to restore full functionality. Despite public reassurances, the scope of the attack is proving more serious than initially acknowledged. M&S CEO Stuart Machin recently confirmed that personal customer data had been accessed, prompting the company to require password resets for online accounts. Online orders on the M&S website remain suspended weeks after the breach, and no clear timeline has been offered for full recovery. 

The attack first became public on April 25 when M&S halted its online operations due to a cyber intrusion. Within days, Co-op revealed it had also been targeted in an attempted hack, which disrupted several services. Harrods, another luxury retailer, was also reportedly affected during this wave of cyberattacks. While M&S is still unable to process online sales, Co-op has only just resumed stocking its shelves, and both companies remain silent about when operations might return to normal. Government officials have weighed in on the seriousness of the incident. 

Cabinet Office Minister Pat McFadden called the attack a “wake-up call” for British businesses, highlighting the urgent need for enhanced cybersecurity protocols. Financial losses have been steep. M&S is reportedly losing £3.5 million per day while its website remains offline, and its stock has dropped by an estimated half a billion pounds in market value. Co-op also disclosed that customer data had been compromised, and they experienced issues with card payments at the height of the disruption. 

Investigations suggest the cybercriminal group known as Scattered Spider is responsible. Known for targeting large enterprises, the group is believed to have used a ransomware strain called DragonForce to paralyze systems. According to cybersecurity experts, the attackers may have exploited unpatched vulnerabilities and misconfigured systems to gain entry. Reports indicate they employed SIM-swapping tactics to hijack phone numbers and impersonate employees, fooling IT help desks into granting system access. Once inside, the hackers are believed to have compromised Microsoft Active Directory—a central hub that connects internal networks—potentially gaining access to crucial files and passwords. 

Though it’s unlikely they decrypted these password files directly, the level of access would have allowed them to severely disrupt internal systems. Experts say this level of infiltration can cripple multiple areas of a business, making recovery extremely challenging without a full rebuild of core IT infrastructure. One reason for the prolonged disruption may be that both M&S and Co-op chose not to pay the ransom, in line with UK government advice. While this decision aligns with best practices to avoid funding cybercrime, it also means recovery will take significantly longer. 

Despite the chaos, M&S has emphasized that no payment information or account passwords were compromised. The company is urging customers to reset their passwords for peace of mind and has provided guidelines on staying safe online. Co-op has resumed deliveries to most of its stores but acknowledged that some shelves may still lack regular stock. Empty shelves and apology signs have appeared across affected stores, as customers share their frustrations online. 

This incident underscores the growing threat posed by sophisticated cybercriminals and the urgent need for companies to prioritize cybersecurity. From exploiting human error to using advanced ransomware tools, the tactics are evolving, and so must the defenses.
Read more »
Sensitive data
Cloud Security Cyber Attacks Data Theft Employee Training enterprise cybersecurity fake ads Malicious Ads ransomware attacks Ransomwares Sensitive data

Employee Monitoring Tool Kickidler Targeted in Ransomware Attacks

 

Cybersecurity researchers have discovered that cybercriminals are misusing a legitimate employee monitoring tool called Kickidler to execute targeted ransomware attacks. Originally developed to help businesses track productivity and ensure compliance, Kickidler offers features like real-time screen monitoring, keystroke logging, and activity tracking—functionalities that have now become attractive tools for threat actors. Security firms Varonis and Synacktiv have reported observing these attacks actively taking place. 

The attack campaign begins with malicious advertisements placed on the Google Ads network. These ads are cleverly designed to trick users searching for a legitimate utility called RVTools—a free Windows application used to connect to VMware vCenter or ESXi environments. Victims are lured into downloading a trojanized version of RVTools, which secretly installs a backdoor named SMOKEDHAM. Once SMOKEDHAM gains access to the system, attackers use it to deploy Kickidler, with a focus on targeting enterprise administrators. 

By infiltrating admin machines, the attackers can monitor keystrokes and capture sensitive data, such as credentials for off-site backups or cloud platforms. This method allows them to bypass more secure authentication systems that are often separated from Windows domains, a common defense strategy in many organizations. According to the researchers, the ransomware groups Qilin and Hunters International have been leveraging this approach to expand their reach within enterprise networks. 

These groups appear to be focusing on cloud backup systems and VMware ESXi infrastructure. Hunters International, in particular, was observed using VMware PowerCLI and WinSCP Automation tools to enable SSH access, deploy ransomware, and execute it on ESXi servers. Their payloads encrypted VMDK virtual hard disks, disrupting operations and access to virtual environments. 

One of the most concerning aspects of this campaign is how stealthily it operates. By capturing data directly from administrators’ screens and inputs, the attackers avoid using higher-risk tactics like memory dumps or privilege escalation, which are more likely to be flagged by security systems. The misuse of Kickidler demonstrates a growing trend of cybercriminals weaponizing legitimate enterprise tools to bypass traditional defenses and maintain stealth within targeted networks. 

These attacks highlight the need for increased vigilance around software downloads, especially from third-party sources, and reinforce the importance of strong endpoint protection, regular software audits, and employee awareness training. 

As cyberattacks grow more sophisticated, defenders must adapt by tightening controls, decoupling critical system access from everyday credentials, and monitoring for unusual activity—even from tools considered safe.
Read more »
Ransomwares
agentic AI AI Agent AI technology AI threats AI tools Cyber Security Cybersecurity Threats IABs Malicious Code Ransomwares

Agentic AI and Ransomware: How Autonomous Agents Are Reshaping Cybersecurity Threats

 

A new generation of artificial intelligence—known as agentic AI—is emerging, and it promises to fundamentally change how technology is used. Unlike generative AI, which mainly responds to prompts, agentic AI operates independently, solving complex problems and making decisions without direct human input. While this leap in autonomy brings major benefits for businesses, it also introduces serious risks, especially in the realm of cybersecurity. Security experts warn that agentic AI could significantly enhance the capabilities of ransomware groups. 

These autonomous agents can analyze, plan, and execute tasks on their own, making them ideal tools for attackers seeking to automate and scale their operations. As agentic AI evolves, it is poised to alter the cyber threat landscape, potentially enabling more efficient and harder-to-detect ransomware attacks. In contrast to the early concerns raised in 2022 with the launch of tools like ChatGPT, which mainly helped attackers draft phishing emails or debug malicious code, agentic AI can operate in real time and adapt to complex environments. This allows cybercriminals to offload traditionally manual processes like lateral movement, system enumeration, and target prioritization. 

Currently, ransomware operators often rely on Initial Access Brokers (IABs) to breach networks, then spend time manually navigating internal systems to deploy malware. This process is labor-intensive and prone to error, often leading to incomplete or failed attacks. Agentic AI, however, removes many of these limitations. It can independently identify valuable targets, choose the most effective attack vectors, and adjust to obstacles—all without human direction. These agents may also dramatically reduce the time required to carry out a successful ransomware campaign, compressing what once took weeks into mere minutes. 

In practice, agentic AI can discover weak points in a network, bypass defenses, deploy malware, and erase evidence of the intrusion—all in a single automated workflow. However, just as agentic AI poses a new challenge for cybersecurity, it also offers potential defensive benefits. Security teams could deploy autonomous AI agents to monitor networks, detect anomalies, or even create decoy systems that mislead attackers. 

While agentic AI is not yet widely deployed by threat actors, its rapid development signals an urgent need for organizations to prepare. To stay ahead, companies should begin exploring how agentic AI can be integrated into their defense strategies. Being proactive now could mean the difference between falling behind or successfully countering the next wave of ransomware threats.
Read more »
SentinelOne
Babuk Babuk Ransomware critical vulnerabilities Cyber Security cybercriminals EDR Ransomware attack Ransomwares SentinelOne

SentinelOne EDR Exploit Allows Babuk Ransomware Deployment Through Installer Abuse

 

A newly discovered exploit has revealed a critical vulnerability in SentinelOne’s endpoint detection and response (EDR) system, allowing cybercriminals to bypass its tamper protection and deploy the Babuk ransomware. The method, identified as a “Bring Your Own Installer” technique, was uncovered by John Ailes and Tim Mashni from Aon’s Stroz Friedberg Incident Response team during a real-world ransomware case investigation. 


The core issue lies in how the SentinelOne agent handles updates. When an agent is upgraded, the existing version is momentarily stopped to make way for the new one. Threat actors have figured out how to exploit this transition window by launching a legitimate SentinelOne installer and then terminating it mid-process. This action disables the EDR protection temporarily, leaving the system vulnerable long enough to install ransomware or execute malicious operations without being detected.  

Unlike traditional bypasses that rely on third-party drivers or hacking tools, this method takes advantage of SentinelOne’s own software. Once the process is interrupted, the system loses its protection, allowing the attackers to act with impunity. Ailes stressed that the bypass can be triggered using both older and newer agent versions, putting even up-to-date deployments at risk if specific configuration settings are not enabled. During their investigation, the team observed how the targeted device disappeared from the SentinelOne management console shortly after the exploit was executed, signaling that the endpoint had become unmonitored. 

The attack was effective across multiple versions of the software, indicating that the exploit isn’t tied to a particular release. To mitigate this risk, SentinelOne recommends activating a feature called “Online Authorization” (also referred to as Local Upgrade Authorization). This setting ensures that any attempt to upgrade, downgrade, or uninstall the agent must first be approved via the SentinelOne management console. 

Although this option exists, it is not enabled by default for existing customers, largely to maintain compatibility with deployment tools like Microsoft’s System Center Configuration Manager. Since the vulnerability was disclosed, SentinelOne has taken steps to notify customers and is now enabling the protective setting by default for new installations. 

The company also confirmed sharing the findings with other major EDR providers, recognizing that similar techniques could potentially impact their platforms as well. While the current exploit does not affect SentinelOne when configured correctly, the case serves as a stark reminder of the importance of security hardening, particularly in the tools meant to defend against sophisticated threats.
Read more »
Ransomwares
Cyber Attacks data security Data Theft Hacker attack Pharmaceutical Firms Ransom Demand Ransomware attack Ransomwares

Pune-Based Biopharma Company Hit by Ransomware Attack, Hackers Demand $80,000

 

A multinational biopharmaceutical company based in Pune has fallen victim to a sophisticated ransomware attack, with cybercriminals encrypting vital data and demanding $80,000 (over Rs 68 lakh) for its release. The attackers have also threatened to leak the stolen proprietary data on the dark web if the ransom is not paid, according to local police authorities. 

The incident came to light when a senior executive from the company’s Pune office lodged a complaint at the Cyber Crime Police Station of Pimpri Chinchwad on Monday evening. The attack was first identified on Sunday afternoon, prompting immediate concern due to the sensitivity of the data involved. According to initial investigations by cybercrime officials, the breach is believed to have occurred through a compromised endpoint device—most likely via a phishing email containing a malicious link. 

Once the attackers gained access to the internal network, they deployed ransomware to the company’s main server and extended it to more than a dozen connected servers. Sensitive data, including proprietary pharmaceutical formulations, manufacturing protocols, and confidential business documents, was then encrypted and locked. 

“A preliminary probe suggests that vulnerabilities in the company’s cybersecurity setup allowed the attackers to infiltrate its systems,” an officer from the Cyber Police Station said. “Unfortunately, a significant portion of the critical data was not backed up offline, leaving the organization exposed to potential data loss if the ransom is not paid.” The hackers have made it clear that if their ransom demand of $80,000 is not met, the stolen data will be sold on the dark web. 

So far, the company has not paid the ransom, and authorities are currently analyzing IP logs and other digital evidence to trace the origin of the attack. Cybercrime investigators have urged all businesses to strengthen their cybersecurity measures, including regularly backing up data offline, updating firewall configurations, and educating employees about phishing threats. “This incident is a wake-up call for organizations to prioritize robust digital security,” the officer added.  

Deputy Commissioner of Police (Crime) Sandeep Doiphode emphasized the growing need for enterprises to invest in both technology and skilled cybersecurity personnel. “This case underlines the urgent necessity for companies to stay ahead of evolving threats through both infrastructure and human resource development,” he said. Police also noted that ransomware attacks typically use phishing emails and exploit weak security protocols. Payments are often demanded in cryptocurrency, making the attackers harder to trace. 

The investigation remains ongoing.
Read more »
Rhysida ransomware gang
Data Breach Data Leak Extortion Ransomware attack Ransomware group Ransomwares Rhysida Rhysida Ransomware Rhysida ransomware gang

Rhysida Ransomware Group Leaks 1.3M Files Stolen from Oregon DEQ After Failed Extortion Attempt

 

A major ransomware breach has rocked the Oregon Department of Environmental Quality (DEQ), with over 1.3 million files—amounting to 2.4 terabytes—dumped online by the cybercriminal group Rhysida. The stolen data, now circulating on the dark web, reportedly includes confidential information linked to DEQ employees. Whether personal data of Oregon residents outside the agency was compromised remains unconfirmed. DEQ first disclosed system disruptions on April 9, attributing them to a suspected cyberattack. 

The agency, responsible for regulating pollution, waste, air quality, and smog checks for vehicle registrations, had to suspend several core services as a result. An investigation into the breach is underway, but DEQ has not officially confirmed the volume or content of the compromised data. However, Rhysida’s own dark web site claimed responsibility, stating that it attempted to contact DEQ but was ignored. The group then released the data publicly, writing: “They think their data hasn’t been stolen. They’re sorely mistaken.” Before the leak, the group had placed a $2.5 million price tag—30 Bitcoins—on the files, offering them at auction to the highest bidder. 

By April 24, some of the stolen content had reportedly been sold, while the remaining files were made freely available for download. The breach has had serious operational consequences. For nearly a week following the attack, DEQ employees were locked out of their internal systems and email. Emails sent between April 9 and 11 were lost entirely. Vehicle emissions testing—a requirement for registrations in parts of Oregon—was halted across all non-DEQ testing locations, though some services resumed at DEQ-owned facilities on April 14. In a statement issued April 19, DEQ confirmed that employees were gradually regaining access to their work devices, moving from phones back to laptops. 

Despite the cyber disruption, spokesperson Lauren Wirtis said DEQ’s mission-critical services via its online platform DEQ Online remained operational and unaffected. Rhysida, an increasingly active ransomware gang, has previously attacked global organizations including the British Library, Chilean Army, and the Port of Seattle. Their tactics typically include data theft, extortion, and high-pressure ransom demands. 

Oregon’s Enterprise Information Services is leading the forensic investigation, alongside efforts to strengthen state cybersecurity systems. As of April 26, DEQ clarified that no ransom negotiations had occurred, and the timeline for completing the investigation remains uncertain.
Read more »
Ransomwares
Cyber Attacks cybercrime group cybercriminals data security Data Theft DOGE Dogecoin Elon Musk Ransom Demand Ransomware attack Ransomwares

Cybercriminals Behind DOGE Big Balls Ransomware Demand $1 Trillion, Troll Elon Musk

 

A cybercrime group notorious for its outrageous tactics has resurfaced with a ransomware attack demanding an unbelievable $1 trillion from its victims. The group, responsible for the DOGE Big Balls ransomware campaign, has updated its ransom demands with bizarre references to Elon Musk and the Dogecoin meme culture, blending humor with a highly dangerous threat.  

According to a report by Trend Micro researchers Nathaniel Morales and Sarah Pearl Camiling, the attackers are leveraging a modified form of the FOG ransomware to carry out these intrusions. The malware exploits a long-known Windows vulnerability (CVE-2015-2291) through a multi-step PowerShell script that allows deep access into infected systems. Delivered via deceptive shortcut files inside ZIP folders, the malware initiates a chain reaction to execute its payload. Though the ransom note may appear comical—mocking Musk’s past corporate directives and making false claims about stealing “trilatitude and trilongitude” coordinates—the security community warns against taking this threat lightly. 

The ransomware performs environment checks to avoid detection, analyzing machine specs, RAM, and registry entries to detect if it’s being run in a sandbox. If any signs of monitoring are detected, the malware will exit silently. The FBI, in its April 2025 Internet Crime Report, highlighted ransomware—particularly FOG variants—as a dominant threat, impacting critical infrastructure and organizations across the U.S. The report revealed over 100 known FOG ransomware infections between January and March 2025, making it the most reported strain of the year thus far. Beyond encryption, the malware also exfiltrates sensitive data and pressures victims to communicate via the Tor network for instructions. 

The attackers claim stolen files and urge victims not to involve law enforcement, adding a “don’t snitch now” line in their taunting ransom message. Despite its absurd tone, security leaders emphasize the seriousness of the attack. Dr. Ilia Kolochenko, CEO of ImmuniWeb, cautions that many victims discreetly pay ransoms to groups known for not leaking data—urging companies to seek legal and cybersecurity advice before making decisions. 

Although the group hides behind memes and internet jokes, their ability to cause significant operational and financial disruption is very real. Their humor might distract, but the threat demands urgent attention.
Read more »
Subscribe to: Posts (Atom)