Rhysida Ransomware Gang Claims Attack on Cleveland County Sheriff’s Office

The ransomware gang Rhysida has claimed responsibility for a cyberattack targeting the Cleveland County Sheriff’s Office in Oklahoma. The sheriff’s office publicly confirmed the incident on November 20, stating that parts of its internal systems were affected. However, key details of the breach remain limited as the investigation continues. 

Rhysida claims that sensitive information was extracted during the intrusion and that a ransom of nine bitcoin—about $787,000 at the time of the claim—has been demanded. To support its claim, the group released what it described as sample records taken from the sheriff’s office. The leaked material reportedly includes Social Security cards, criminal background checks, booking documents, court filings, mugshots, and medical information. 

Authorities have not yet confirmed whether the stolen data is authentic or how many individuals may be affected. It also remains unclear how the attackers gained access, whether systems remain compromised, or if the sheriff’s office intends to negotiate with the group. 

In a brief public statement, the agency reported that a “cybersecurity incident” had disrupted its network and that a full investigation was underway. The sheriff’s office emphasized that emergency response and daily law enforcement functions were continuing without interruption. A Facebook post associated with the announcement—later removed—reiterated that 911 services, patrol response, and public safety operations remained operational. County IT teams are still assessing the full extent of the attack. 

Rhysida is a relatively recent but increasingly active ransomware operation, first identified in May 2023. The group operates under a ransomware-as-a-service model, allowing affiliates to deploy its malware in exchange for a share of ransom proceeds. Rhysida’s typical method involves data theft followed by encryption, with the group demanding payment both to delete stolen files and to provide decryption keys. The group has now claimed responsibility for at least 246 ransomware attacks, nearly 100 of which have been confirmed by affected organizations. 

Government agencies continue to be frequent targets. In recent years, Rhysida has claimed attacks on the Maryland Department of Transportation and the Oregon Department of Environmental Quality, although both organizations reported refusing ransom demands. Broader data suggests the trend is escalating, with researchers documenting at least 72 confirmed ransomware attacks on U.S. government entities so far in 2025, affecting nearly 450,000 records. 

The average ransom demand across these incidents is estimated at $1.18 million. The Cleveland County Sheriff’s Office serves approximately 280,000 residents in Oklahoma and has around 200 employees. As the investigation remains active, officials say additional updates will be shared as more information becomes available.

Security Researchers Establish Connections Between 3AM Ransomware and Conti, Royal Cybercriminal Groups

Security researchers examining the operations of the recently surfaced 3AM ransomware group have unveiled strong connections with notorious entities like the Conti syndicate and the Royal ransomware gang.

The 3AM ransomware, also known as ThreeAM, has adopted a novel extortion strategy: publicly revealing data leaks to victims' social media followers and utilizing bots to respond to influential accounts on X (formerly Twitter), directing them to the compromised data.

Initially observed by Symantec's Threat Hunter Team in mid-September, 3AM gained attention after threat actors shifted from deploying LockBit malware. According to French cybersecurity firm Intrinsec, ThreeAM is likely affiliated with the Royal ransomware group, now rebranded as Blacksuit, consisting of former members of Team 2 within the Conti syndicate.

As Intrinsec's investigation progressed, the researchers found substantial overlap in communication channels, infrastructure, and tactics between 3AM and the Conti syndicate. Notably, an IP address listed by Symantec as a network indicator of compromise led researchers to a PowerShell script on VirusTotal for dropping Cobalt Strike.

Further investigation uncovered a SOCKS4 proxy on TCP port 8000, a TLS certificate associated with an RDP service, and HTML content from 3AM's data leak site indexed by the Shodan platform. The servers involved were traced back to the Lithuanian hosting company, Cherry Servers, known for hosting malware despite having a low fraud risk.

Intrinsec's findings aligned with a report from Bridewell, connecting the IP subnet to the ALPHV/BlackCat ransomware operation. This group, allied with but not part of the Conti syndicate, was identified as having ties to IcedID malware used in Conti attacks.

In addition to technical details, Intrinsec uncovered 3AM's experiment with a new extortion technique. The gang set up a Twitter account in August, using it to reply to tweets from victims and high-profile accounts, linking to the data leak site on the Tor network. Intrinsec suspected the use of a Twitter bot for a name-and-shame campaign, noting an unusually high volume of automated replies.

Despite 3AM's perceived lack of sophistication compared to Royal, the researchers cautioned against underestimating its potential for deploying numerous attacks. The article concludes with a broader context on the Conti syndicate, its dissolution, and the emergence of affiliated groups like Royal ransomware.