Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label ransomware. Show all posts

New Prinz Eugen Ransomware Targets Recently Modified Files First, Researchers Find

 



Security researchers have revealed a ransomware operation known as Prinz Eugen that employs an unusual file-encryption strategy designed to increase pressure on victims. According to an investigation by ThreatDown, Malwarebytes' enterprise security division, the malware gives priority to files that have been modified most recently, focusing its efforts on data that organizations are most likely to rely on for day-to-day operations.

Researchers describe the actors behind Prinz Eugen as highly interactive intruders who rely on direct involvement throughout the attack process rather than fully automated deployment methods. Instead of depending on large-scale ransomware affiliate networks, the group appears to conduct attacks manually, using legitimate administration tools and built-in system utilities to move through victim environments and maintain access.

Evidence collected during incident response investigations suggests that attackers may initially gain entry through compromised Remote Desktop Protocol (RDP) credentials. After securing access, operators manually retrieve and launch the ransomware payload, identified as servertool.exe. In one investigated intrusion, researchers observed the use of the RemotePC remote management platform, alongside the creation of a backdoor administrator account that allowed the attackers to retain access to the compromised environment.

ThreatDown noted that Prinz Eugen does not currently appear to operate under the ransomware-as-a-service model that has become common across the cybercriminal ecosystem. Researchers found no indication that the group's operators are actively recruiting affiliates or distributing their malware to external partners. Instead, available evidence points to a more centralized operation in which attacks are carried out directly by the threat actors themselves.

Although the group's data-leak platform presently displays only three victims, researchers believe the actual number of affected organizations is higher. Information gathered during investigations indicates that multiple organizations have experienced incidents linked to the ransomware. Depending on the attack, victims may face file encryption, data theft, or a combination of both. Security researchers have identified at least five organizations impacted by the operation, including an incident involving Standard Bank, where attackers reportedly demanded a ransom payment of one Bitcoin. The demand was ultimately rejected.

One of the most distinctive characteristics of Prinz Eugen is its approach to selecting files for encryption. Analysis of the malware revealed that it processes files according to modification time, encrypting the most recently changed data before moving to older content. When several files share the same timestamp, the malware follows alphabetical order to determine which file is processed next.

Researchers believe this strategy is intended to maximize operational disruption. Files that have been edited recently are often associated with ongoing business activities, active projects, financial records, or other information that employees depend on regularly. By rendering this data inaccessible first, attackers can create immediate pressure on organizations to engage with extortion demands.

Technical analysis further showed that the ransomware scans directories recursively without imposing depth restrictions. Unlike some ransomware families that avoid certain locations or system folders, the examined Prinz Eugen sample applies very few limitations. The malware attempts to encrypt virtually every accessible file it encounters, excluding only files that already carry the .prinzeugen extension, which is added to data after encryption has been completed.

The encryption mechanism itself incorporates multiple modern cryptographic components. Researchers found that the ransomware uses the ChaCha20-Poly1305 algorithm together with a 32-byte master key. Each targeted file receives its own randomly generated initialization vector, while key generation and derivation processes rely on Argon2id, SHA-256, and HKDF-SHA256. Data is encrypted in 1 MB segments, and SHA-256 hashing is used to verify file integrity throughout the process.

Investigators also identified a safeguard built into the malware's deletion routine. When operators use the – delete option, the ransomware removes original files only after confirming that the encrypted version can be successfully decrypted. This verification step reduces the likelihood of accidental data destruction that could undermine the attackers' leverage over victims.

Beyond encrypting files, Prinz Eugen incorporates measures intended to frustrate forensic investigations. Researchers observed that the malware overwrites encryption keys with zero values once they are no longer needed, triggers garbage collection routines to remove remaining traces from memory, and then attempts to delete itself from disk. These actions are designed to make post-incident analysis and key recovery efforts more difficult.

Another noteworthy aspect of the ransomware is the absence of conventional extortion artifacts. The analyzed sample contains no functionality for dropping a ransom note onto infected systems, nor does it alter the victim's desktop wallpaper to display payment instructions. While such techniques have historically been common among ransomware groups, ThreatDown researchers noted that some organized operations are increasingly shifting away from visible on-system communications.

Instead, attackers may conduct negotiations through external channels such as email correspondence, direct phone contact, or dedicated dark-web portals. By moving communications outside the compromised environment, threat actors leave behind fewer artifacts that investigators can collect and reduce opportunities for automated security tools to identify the extortion phase of an attack.

To assist defenders, ThreatDown has published a collection of indicators of compromise associated with Prinz Eugen activity. These indicators can help security teams, incident responders, and researchers identify potential infections, investigate suspicious activity, and strengthen defenses against future attacks involving the ransomware. 

Ransomware Revenues Climb as Criminal Networks Expand and Adapt like unwanted vines

 




Ransomware operators continue to generate substantial profits, with new research from Rapid7 indicating that several cybercrime groups are recording revenue growth that outpaces many publicly traded businesses.

According to the cybersecurity firm's analysis, ransomware groups collectively received an estimated $529.2 million during the first quarter of 2026. That figure represents a 39% increase compared with the same period a year earlier. Rapid7 noted that none of the companies within the FTSE 350 index reported year-over-year revenue growth exceeding 30% during that quarter, placing ransomware operators among the fastest-growing entities examined in the study.

Several well-established ransomware operations appear to be benefiting from this trend. Rapid7 estimates that the Qilin ransomware group generated approximately $193 million between July 2025 and March 2026. During the same period, the Gentleman group is estimated to have collected roughly $52 million in ransom payments.

Rapid7 researchers argue that modern ransomware operations bear little resemblance to the stereotype of small groups of hackers working independently. Instead, many function through interconnected networks of specialists who focus on specific stages of an attack. Some actors gain access to victim networks, others develop malware, while separate teams handle extortion demands and payment negotiations.

A major factor behind this growth is the emergence of Initial Access Brokers, or IABs. These actors specialize in obtaining access to corporate networks and then selling that access to other criminals. As a result, launching a ransomware attack no longer requires extensive technical expertise. Access to compromised systems, attack tools, and even managed cybercrime services can now be purchased through underground marketplaces.

Researchers say this division of labor has created a more structured criminal economy. Different groups contribute individual services, allowing ransomware campaigns to operate through networks that resemble commercial supply chains rather than isolated criminal crews.

The study also highlights the resilience of these operations. Infrastructure used by ransomware groups, including servers, data leak platforms, and victim negotiation portals, can often be restored quickly after disruptions. Law enforcement agencies, meanwhile, frequently require lengthy investigations and international coordination before conducting enforcement actions. This difference in speed allows many criminal networks to continue operating even when portions of their infrastructure are removed.

Rapid7 CTO EMEA Thom Langford said ransomware groups have demonstrated an ability to continue generating revenue despite disruptions because their operations are designed to function even when individual components are taken offline. In many cases, the removal of a single server or criminal group does not significantly affect the broader ecosystem supporting ransomware activity.

The findings come amid continued financial losses linked to cybercrime. According to the FBI's Internet Crime Complaint Center, organizations and individuals reported more than $16 billion in cybercrime losses during 2024, reflecting the growing economic impact of digital fraud, extortion, and network intrusions.

To reduce ransomware risk, Rapid7 recommends that organizations continuously review their exposed systems and identify weaknesses that could provide attackers with an entry point. Particular attention should be given to misconfigured services, overlooked assets, and internet-facing systems, which are frequently targeted by Initial Access Brokers seeking access to corporate environments.

The company also advises security teams to make greater use of threat intelligence to understand how attackers operate, including the infrastructure, tools, and access methods commonly used during intrusions. Researchers further recommend strengthening identity security through tighter access controls, least-privilege policies, and monitoring for signs that employee credentials have been stolen, resold, or abused.

According to Rapid7, disrupting ransomware attacks before attackers establish access remains one of the most effective defensive strategies. By identifying weaknesses early and restricting opportunities for credential theft, organizations may be able to prevent ransomware incidents before they progress to the extortion stage.

AI-Assisted Malware Lab Found Testing Ways to Evade Security Tools, Sophos Reports

 



Researchers at cybersecurity firm Sophos have uncovered a malware development framework that uses artificial intelligence tools to speed up the creation and testing of ransomware-related software designed to avoid detection by security products.

The investigation began after Sophos analysts discovered suspicious files on a customer system. What initially appeared to be a collection of penetration-testing tools soon revealed signs of criminal activity, including references to ransom notes and organizations listed on ransomware leak sites.

According to Sophos, the framework combines traditional attack tools with AI-assisted development workflows. Researchers found evidence that the operators used coding assistants such as Cursor and Claude Opus during different stages of development, including writing code, reviewing results, refining payloads, and researching techniques that could help malware evade security controls.

One of the framework's primary goals was to bypass Endpoint Detection and Response (EDR) platforms. These security products are designed to identify malicious activity on computers and servers, often detecting attacks that traditional antivirus software might miss.

The toolkit contained several components intended to reduce the chances of detection. Among them were customized Cobalt Strike profiles that made malicious network traffic resemble ordinary web browsing activity, communication channels that routed commands through Telegram, and malware development scripts capable of injecting malicious code into legitimate Windows applications while allowing those programs to continue functioning normally.

Researchers also identified the use of a Cloudflare Worker that acted as an intermediary between infected systems and attacker-controlled infrastructure. This setup can make it more difficult for defenders to identify the true location of command-and-control servers.

A particularly notable feature of the framework was an automated Active Directory discovery system. Active Directory is widely used in enterprise networks to manage users, computers, permissions, and other resources. Because it contains valuable information about an organization's internal structure, attackers frequently attempt to map Active Directory environments after gaining access to a network.

Sophos found that the discovery process relied on a series of AI-assisted agents that gathered information, assessed results, selected follow-up actions, and continued the investigation of the network. Rather than requiring a human operator to manually perform every step, parts of the reconnaissance process could be carried out through predefined automated workflows.

The framework itself appeared to operate through multiple specialized AI agents assigned to different tasks. Sophos reported that one agent coordinated the overall development process while others focused on testing, documentation, operational security improvements, virtual machine deployment, proxy testing, and malware evaluation.

Researchers also discovered that some agents had been tasked with examining publicly available security research. The system collected information from technical reports and research publications, extracted details about detection-evasion methods, mapped those techniques to the MITRE ATT&CK framework, recreated testing environments, and documented the results.

At the center of the operation was a Python-based payload generation tool. This component produced malware written primarily in Rust and Go while combining encryption, execution techniques, and anti-analysis measures intended to make detection more difficult. Sophos observed nearly 80 generated modules being tested against more than 70 separate evasion methods.

The malware was evaluated in laboratory environments against security products from Sophos, CrowdStrike, and Microsoft. Researchers noted that repeated testing and revision cycles appeared to improve the success rate of many payloads. However, they also observed inconsistencies between some reported results and actual testing outcomes, leaving questions about the accuracy of certain internal performance claims.

Despite the extensive use of artificial intelligence during development, Sophos found no indication that AI was embedded within deployed malware or operating independently on victim systems. The technology was primarily used to accelerate the research, testing, and refinement process while human operators remained responsible for directing the activity.

The findings provide another example of how threat actors are incorporating AI into existing workflows. Rather than introducing entirely new attack methods, these tools appear to be helping attackers shorten the time needed to transform publicly available security research into functioning malware capable of challenging modern security defenses.

Virus, Malware, or Spyware? Here’s What They Really Mean

 




Many people casually refer to every cyber threat as a “virus,” but cybersecurity professionals use a much broader classification system. A security program that only defended against traditional computer viruses would offer very limited protection today because viruses represent just one form of malicious software. Modern antivirus platforms are designed to detect and block many different categories of malware, including ransomware, spyware, trojans, credential stealers, rootkits, and bot-driven attacks.

Traditional computer viruses have also become less common than they once were. Most modern cybercriminal groups are financially motivated and prefer attacks that generate revenue rather than simple disruption or digital vandalism. Spyware operators profit from stolen personal information, banking trojans attempt to drain financial accounts directly, and ransomware gangs demand cryptocurrency payments from victims in exchange for restoring encrypted files. Because current security tools already defend against a wide range of malicious software, most users do not usually need to distinguish one malware family from another during day-to-day use.

At the same time, understanding these terms still matters. News reports about cyberattacks, data breaches, espionage campaigns, and ransomware incidents often contain technical language that can confuse readers unfamiliar with cybersecurity terminology. Knowing how different forms of malware behave makes it easier to understand how attacks spread, what damage they cause, and why security researchers classify them differently.

A traditional virus spreads when a user unknowingly launches an infected application or boots a compromised storage device such as a USB drive. Viruses generally try to remain unnoticed because their ability to spread depends on avoiding detection long enough to infect additional files, programs, or devices. In many cases, the malicious payload activates only after a specific date, time, or triggering condition. Earlier generations of viruses often focused on deleting files, corrupting systems, or displaying disruptive messages for attention. Modern variants are more likely to steal information quietly or help conduct distributed denial-of-service attacks that overwhelm online services with massive volumes of internet traffic.

Worms share some similarities with viruses but spread differently because they do not necessarily require users to open infected files. Instead, worms automatically replicate themselves across connected systems and networks. One of the earliest examples, the Morris worm of 1988, was originally intended as an experiment to measure the size of the developing internet. However, its aggressive self-replication consumed enormous amounts of bandwidth and disrupted numerous systems despite not being intentionally designed to cause widespread destruction.

Trojan malware takes its name from the ancient Greek story of the Trojan Horse because it disguises malicious code inside software that appears safe or useful. A trojan may present itself as a game, utility, browser tool, mobile application, or software installer while secretly performing harmful actions in the background. These threats often spread when users unknowingly download, share, or install infected files. Banking trojans are particularly dangerous because they can manipulate online financial transactions or steal login credentials directly. Other trojans harvest personal information that can later be sold through underground cybercrime marketplaces.

Some malware categories are defined less by how they spread and more by what they are designed to do. Spyware, for example, focuses on monitoring victims and collecting sensitive information without consent. These programs may capture passwords, browsing histories, financial information, or login credentials. More invasive forms of spyware can activate webcams or microphones to observe victims directly. A related category known as stalkerware is frequently installed on smartphones to monitor calls, messages, locations, and online activity. Because surveillance-focused malware has become increasingly common, many modern security products now include dedicated spyware protection features.

Adware primarily generates unwanted advertisements on infected devices. In some cases, these advertisements are targeted using data gathered through spyware-related tracking techniques. Aggressive adware infections can become so intrusive that they interfere with normal computer use by flooding browsers, redirecting searches, or constantly displaying pop-up windows.

Rootkits are designed to hide malicious activity from operating systems and security software. They manipulate how the system reports files, processes, or registry information so infected components remain invisible during scans. When security software requests a list of files or registry entries, the rootkit can alter the response before it is displayed, effectively concealing the malware’s presence from the user and from defensive tools.

Bot malware usually operates silently in the background and may not visibly damage a computer at first. Instead, infected devices become part of remotely controlled botnets managed by attackers sometimes referred to as bot herders. Once connected to the botnet, systems can receive commands to send spam emails, participate in coordinated cyberattacks, or overwhelm websites with malicious traffic. This arrangement also helps attackers hide their own infrastructure behind thousands of compromised machines.

Cryptojacking malware secretly hijacks a device’s processing power to mine cryptocurrencies such as Bitcoin. Although these infections may not directly destroy data, they can severely slow systems, increase electricity usage, drain battery life, and contribute to overheating problems because of constant processor strain.

The malware ecosystem also includes droppers, which are small programs designed specifically to install additional malicious software onto infected systems. Droppers often operate quietly to avoid attracting attention while continuously delivering new malware payloads. Some receive instructions remotely from attackers regarding which malicious programs should be installed. Cybercriminal operators running these distribution systems may even receive payment from other malware developers for spreading their software.

Ransomware remains one of the most financially damaging forms of cybercrime. In most attacks, the malware encrypts documents, databases, or entire systems and demands payment in exchange for a decryption key. Security software is generally expected to detect ransomware alongside other malware categories, but many cybersecurity professionals still recommend additional dedicated ransomware defenses because the consequences of missing a single attack can be devastating. Hospitals, schools, businesses, and government organizations around the world have all experienced major operational disruptions linked to ransomware campaigns.

Not every program claiming to improve cybersecurity protection is legitimate. Fake antivirus products, commonly called scareware, are designed to frighten users with fabricated infection warnings and pressure them into paying for unnecessary or malicious software. At best, these programs provide no meaningful protection. At worst, they introduce additional security risks or steal financial information entered during payment. Many scareware campaigns rely on alarming pop-ups and fake scan results to manipulate victims psychologically.

Identifying fake security products has become increasingly difficult because many now imitate legitimate software convincingly. Cybersecurity experts generally recommend checking trusted reviews and downloading security tools only from reputable vendors or established sources. Fraudulent review websites also exist, making careful verification especially important before installing security software.

Modern malware rarely fits neatly into a single category. One malicious program may spread like a virus, steal information like spyware, and hide itself using rootkit techniques simultaneously. Likewise, modern security solutions rely on multiple defensive layers rather than antivirus scanning alone. Comprehensive security suites may include firewalls that block network-based attacks, spam filters that intercept malicious email attachments, phishing protection systems, and virtual private networks that help secure internet traffic. Some VPN services, however, restrict advanced features behind additional subscription payments.

The term “malware” ultimately serves as a broad label covering every type of software intentionally created to harm systems, steal information, spy on users, disrupt operations, or provide unauthorized access. Industry organizations such as Anti-Malware Testing Standards Organization often prefer the term “anti-malware” because it reflects the wider range of threats modern security tools must address. However, most consumers remain more familiar with the word “antivirus,” which continues to dominate the industry despite the changing nature of cyber threats.

Understanding these distinctions does not require becoming a cybersecurity specialist, but it does help people recognize how varied modern digital threats have become. From ransomware and spyware to botnets and credential-stealing trojans, malicious software now exists in many different forms, each designed for a specific purpose within the broader cybercrime economy.

Ivanti Patches New EPMM Vulnerability Linked to Active Zero-Day Exploitation

 



Software provider Ivanti has released security updates for a newly identified vulnerability in its Endpoint Manager Mobile (EPMM) platform after confirming that the flaw has already been used in limited zero-day attacks.

The vulnerability, tracked as CVE-2026-6973, has been classified as high severity. According to Ivanti, the issue is caused by improper input validation, which refers to a weakness in how an application processes and checks incoming data before handling a request. If exploited successfully, the flaw could allow a remote attacker with administrator-level access to run arbitrary code on vulnerable systems.

Ivanti stated that the vulnerability affects EPMM version 12.8.0.0 and earlier releases. To reduce exposure, the company has issued patched versions including EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1. The company is also advising customers to review accounts with administrative privileges and rotate credentials where necessary, particularly in environments where earlier compromise activity may have occurred.

In its advisory, Ivanti said the exploitation activity observed so far appears to be limited in scope and requires valid administrator authentication in order to succeed. The company added that it has not identified active exploitation involving the additional vulnerabilities disclosed alongside CVE-2026-6973.

Ivanti also clarified that the issue impacts only the on-premises version of Endpoint Manager Mobile. The company said the flaw does not affect Ivanti Neurons for MDM, which is its cloud-based endpoint management platform. Other products, including Ivanti EPM and Ivanti Sentry, were also listed as unaffected.

Data published by internet monitoring organization Shadowserver Foundation currently shows more than 850 internet-accessible IP addresses associated with Ivanti EPMM deployments. Most of the exposed systems appear to be located in Europe, followed by North America. However, there is still no public visibility into how many of those servers have already installed the latest patches.

Alongside the actively exploited flaw, Ivanti disclosed fixes for four additional high-severity vulnerabilities identified as CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821. According to the company, these flaws could potentially be used to obtain administrator access, impersonate registered Sentry hosts to receive valid certificate authority-signed client certificates, invoke unauthorized methods, or gain access to restricted information stored within affected environments.

The company stated that it currently has no evidence showing these four vulnerabilities have been exploited in real-world attacks. Ivanti also noted that CVE-2026-7821 affects only organizations using Apple Device Enrollment configurations.

The latest disclosure follows earlier security incidents involving Ivanti EPMM earlier this year. In January, the company disclosed two separate code-injection vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, which were also exploited as zero-days against what Ivanti described at the time as a very limited number of customers.

Ivanti now says customers who followed its earlier recommendation to rotate credentials after the January incidents are likely to face a significantly lower risk of exploitation from CVE-2026-6973. The guidance reflects a growing concern within the cybersecurity industry that attackers often attempt to reuse stolen administrative credentials across multiple intrusion campaigns.

The issue also drew attention from the U.S. Cybersecurity and Infrastructure Security Agency earlier this year. In April, the agency instructed federal civilian agencies to secure vulnerable systems against attacks involving CVE-2026-1340 within four days after adding the flaw to its Known Exploited Vulnerabilities catalog.

Ivanti products have repeatedly appeared in incident response investigations over the last several years, particularly because endpoint and device management platforms typically operate with elevated privileges across enterprise networks. Security agencies and researchers have warned that these systems remain attractive targets for threat actors seeking broad administrative control over organizational infrastructure.

According to data previously published by CISA, 33 Ivanti vulnerabilities have been publicly identified as exploited in the wild, including 12 that were also linked to ransomware-related activity.

Ivanti says it currently serves more than 40,000 customers worldwide through a partner network consisting of over 7,000 organizations.

Ubuntu Services Remain Disrupted After DDoS Attack Targets Canonical Infrastructure

 



Several Ubuntu users reported problems installing updates and downloading packages after parts of Canonical’s infrastructure were disrupted during a Distributed Denial of Service (DDoS) attack. Canonical, the company behind the Ubuntu Linux distribution, confirmed that its online systems had been targeted.

In a statement released during the outage, Canonical said its web infrastructure was facing what it described as a sustained cross-border cyberattack and that teams were working to restore affected services. The company added that further updates would be shared through official channels once more information became available.

Discussions across Ubuntu community forums suggested that multiple services were affected during the incident, including Ubuntu’s security API and several Canonical-operated websites. Users also stated that software installations and system updates were temporarily unavailable or failing to complete properly.

Responsibility for the attack was later claimed by a group calling itself “The Islamic Cyber Resistance in Iraq 313 Team.” In Telegram posts attributed to the group, the attackers allegedly said they used a DDoS-for-hire platform known as “Beamed” to carry out the operation.

Beamed is described as a “booter” or “stresser” service, which are platforms that allow customers to pay for DDoS attacks. These services are often advertised as tools for testing website traffic capacity, although security researchers have repeatedly linked them to disruptive cyber operations. According to claims associated with the platform, Beamed is capable of generating attacks reaching 3.5 terabits per second, enough traffic to overwhelm major online infrastructure.

A DDoS attack works by flooding a server or network with enormous volumes of internet traffic from large numbers of connected devices at the same time. Once systems become overloaded, legitimate users may no longer be able to access websites, applications, or online services. Unlike ransomware campaigns or data breaches, the primary goal of most DDoS attacks is to interrupt availability rather than steal information directly.

To create these attack networks, threat actors typically compromise internet-connected devices using malware. Weak passwords, exposed systems, outdated software, and poorly secured smart devices are commonly targeted. Once infected, the devices become part of a botnet that can be remotely controlled through centralized management panels.

Access to these botnets is frequently sold through underground marketplaces and subscription-based services. Depending on the size and duration of the attack, prices can range from as little as $10 for lower-powered services to hundreds of dollars per month for larger and more persistent attacks.

The disruption drew attention within the open-source community because Ubuntu infrastructure is widely used across enterprise servers, development environments, cloud systems, and research institutions worldwide. Problems affecting package repositories or security update services can delay software deployments and patch management for organizations that rely on Ubuntu systems daily.

The incident also reflects how accessible DDoS-for-hire services have become over the past few years. Platforms offering attack infrastructure continue to reduce the technical barrier required to launch disruptive cyberattacks, allowing even low-skilled actors to rent large-scale attack capabilities for relatively small amounts of money.