Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label ransomware attacks. Show all posts
Ransomwares
cryptocurrency Cyber Attacks CyberCriminal cybercriminal group data security Ransom Demands ransomware attacks Ransomware Groups Ransomwares

Romanian Arrested in Diskstation Ransomware Operation Targeting Synology NAS Devices

 

A 44-year-old Romanian national has been arrested as part of a coordinated international law enforcement effort to take down the cybercriminal group behind the Diskstation ransomware campaign. This group is known for targeting Synology Network-Attached Storage (NAS) devices, which are widely used by businesses and organizations for centralized file storage, data backups, and hosting. These attacks have primarily affected entities operating in enterprise environments, where NAS systems are critical to daily operations. 

The Diskstation ransomware group has operated under several aliases, including DiskStation Security, Quick Security, 7even Security, Umbrella Security, and LegendaryDisk Security. Since its emergence in 2021, the group has engaged in multiple ransomware campaigns, encrypting data on NAS devices and demanding cryptocurrency payments in exchange for decryption keys. 

Victims have included international organizations involved in civil rights advocacy, film production, and event management. These attacks left many victims unable to continue operations unless they agreed to pay substantial ransoms. Authorities in Italy launched an investigation after numerous companies in the Lombardy region reported ransomware attacks that rendered their data inaccessible. 

The attackers demanded payments in cryptocurrency, prompting investigators to analyze the affected systems and blockchain transactions. This digital trail eventually led police across borders, uncovering connections in both France and Romania. The operation, dubbed “Elicius,” was coordinated by Europol and culminated in a series of raids in Bucharest in June 2024. During these raids, several individuals believed to be involved in the Diskstation campaign were identified. One suspect was caught in the act of committing a cybercrime. 

The 44-year-old man who was arrested is now in custody and faces charges including unauthorized access to computer systems and extortion. While the Diskstation name is often associated with Synology’s NAS products, this specific campaign received little attention from mainstream cybersecurity outlets. 

However, it caused significant disruption to organizations worldwide. The ransomware gang reportedly demanded payments ranging from $10,000 to several hundred thousand dollars, depending on the organization’s size and data sensitivity. Law enforcement agencies continue to investigate the broader network behind the Diskstation operation. 

The case underscores the growing threat of ransomware campaigns targeting critical infrastructure and storage solutions. As attackers evolve their methods and target widely used systems like Synology NAS, cybersecurity vigilance remains crucial for all organizations, regardless of size or industry.
Read more »
Ransomwares
Advanced Social Engineering Cyber Attacks Cyber SecurityTrojan Attacks Cyber Threat Intelligence Industries Interlock Interlock ransomware ransomware attacks Ransomwares

Interlock RAT Evolves in New KongTuke Web-Inject Attacks Targeting U.S. Industries

 

A recently enhanced version of the Interlock remote access Trojan (RAT) is being deployed in an ongoing web-inject campaign linked to the ransomware group behind it. Known for its double-extortion tactics, Interlock has now shifted its technical approach with a more covert RAT variant written in PHP. According to a new report by The DFIR Report, this marks a significant advancement in the group’s capabilities and strategy.  

Interlock first emerged in late 2024, attacking high-profile targets such as Texas Tech University’s Health Sciences Centers. Earlier this year, cybersecurity firm Quorum Cyber detailed two versions of the group’s malware, named NodeSnake, focused on maintaining persistence and exfiltrating data. The newest version introduces additional stealth features, most notably a transition from JavaScript to PHP, allowing the malware to blend more easily with normal web traffic and avoid detection. 

This enhanced RAT is tied to a broader web-inject threat campaign dubbed “KongTuke,” where victims are tricked into running malicious scripts after visiting compromised websites. Visitors encounter what appears to be a legitimate CAPTCHA but are actually prompted to paste dangerous PowerShell commands into their systems. This action initiates the Interlock RAT, giving attackers access to the machine. 

Once activated, the malware gathers extensive data on the infected system. Using PowerShell, it collects system information, running processes, mounted drives, network connections, and checks its own privilege level. This enables attackers to evaluate the environment quickly and plan further intrusion tactics. It then connects back to command-and-control infrastructure, leveraging services like Cloudflare Tunneling for stealthy communication. Remote desktop protocol (RDP) is used for lateral movement and persistent access. 

Researchers say the targeting in this campaign appears opportunistic, not industry-specific. Victims across various sectors in the U.S. have been identified, with the attackers casting a wide net and focusing efforts where systems and data seem valuable or more vulnerable.  

Defensive recommendations from experts include improving phishing awareness, restricting the use of the Windows Run dialog box, enforcing least privilege access, and requiring multifactor authentication. Blocking unnecessary use of RDP is also essential. 

The growing sophistication of the Interlock RAT and its integration into mass web-inject campaigns reflects an evolving cyber threat landscape where stealth, automation, and social engineering play a central role.
Read more »
Ransomwares
corporate cyber attacks Cyber Security Cyber Security Tool Cyberattack Cyberthreart Data protection data security Enterprise security Ingram Micro Password Security ransomware attacks Ransomwares

Why Major Companies Are Still Falling to Basic Cybersecurity Failures

 

In recent weeks, three major companies—Ingram Micro, United Natural Foods Inc. (UNFI), and McDonald’s—faced disruptive cybersecurity incidents. Despite operating in vastly different sectors—technology distribution, food logistics, and fast food retail—all three breaches stemmed from poor security fundamentals, not advanced cyber threats. 

Ingram Micro, a global distributor of IT and cybersecurity products, was hit by a ransomware attack in early July 2025. The company’s order systems and communication channels were temporarily shut down. Though systems were restored within days, the incident highlights a deeper issue: Ingram had access to top-tier security tools, yet failed to use them effectively. This wasn’t a tech failure—it was a lapse in execution and internal discipline. 

Just two weeks earlier, UNFI, the main distributor for Whole Foods, suffered a similar ransomware attack. The disruption caused significant delays in food supply chains, exposing the fragility of critical infrastructure. In industries that rely on real-time operations, cyber incidents are not just IT issues—they’re direct threats to business continuity. 

Meanwhile, McDonald’s experienced a different type of breach. Researchers discovered that its AI-powered hiring tool, McHire, could be accessed using a default admin login and a weak password—“123456.” This exposed sensitive applicant data, potentially impacting millions. The breach wasn’t due to a sophisticated hacker but to oversight and poor configuration. All three cases demonstrate a common truth: major companies are still vulnerable to basic errors. 

Threat actors like SafePay and Pay2Key are capitalizing on these gaps. SafePay infiltrates networks through stolen VPN credentials, while Pay2Key, allegedly backed by Iran, is now offering incentives for targeting U.S. firms. These groups don’t need advanced tools when companies are leaving the door open. Although Ingram Micro responded quickly—resetting credentials, enforcing MFA, and working with external experts—the damage had already been done. 

Preventive action, such as stricter access control, routine security audits, and proper use of existing tools, could have stopped the breach before it started. These incidents aren’t isolated—they’re indicative of a larger issue: a culture that prioritizes speed and convenience over governance and accountability. 

Security frameworks like NIST or CMMC offer roadmaps for better protection, but they must be followed in practice, not just on paper. The lesson is clear: when organizations fail to take care of cybersecurity basics, they put systems, customers, and their own reputations at risk. Prevention starts with leadership, not technology.
Read more »
threat report
Business Security Cyber Security HoneyWell ransomware attacks threat report

Ransomware Attacks Continue to Rise in an Alarming Trend

 

The frequency and intensity of cyberthreats seem to be increasing despite businesses' ongoing efforts to thwart malicious actors. Honeywell, a global technology and manufacturing firm that also provides cybersecurity solutions, reported a 46% rise in ransomware extortion attacks between October 1, 2024, and March 31, 2025, as compared to the previous six-month period. 

Win32.Worm.Ramnit, a Trojan that typically targets the banking sector to steal account details, was found in 37% of files blocked by Honeywell's SMX product. That represented a 3,000% rise from the second quarter of 2024, when Honeywell last reported on it. 

In its investigation report, Honeywell stated that "it can likely be assumed it has been repurposed to extract control system credentials" due to the Trojan's saturation presence in the ecosystems of its industrial clients. "Existing adversaries continue to disrupt operations across critical sectors, even in the absence of new ransomware variants specifically designed for industrial control systems." 

1,929 ransomware incidents were made public throughout the reporting period. Eight verticals accounted for the vast majority (71%) of the cases, with the industries most affected being manufacturing, construction, healthcare, and technology. 

Given that ransomware attacks are normally "more opportunistic, typically creating a normal distribution of attacks across different industries," Honeywell noted that this was a really unusual pattern. The report claims that supply chain disruptions, manual failovers, and forced production outages caused by ransomware have been experienced by manufacturing plants, water treatment facilities, and energy providers. 

In response to the elevated threats, during the reporting period, some organisations "doubled down on best practices that would be considered baseline," according to Honeywell. Such procedures include, for example, immutable data backups and regular vulnerability assessments. According to Honeywell, as of October 2024, victimised organisations had paid out more than $1 billion in ransomware. 

Another new cybersecurity report, from the Information Security Media Group, focused on artificial intelligence, which it described as the "defining force" of cybersecurity-related disruption. 

As businesses use AI to automate threat detection and scale response capabilities, "adversaries are using the same technologies to enhance phishing, generate polymorphic malware, and conduct identity fraud with unprecedented precision," according to the ISMG research. ISMG added that the combination of AI and quantum computing "further signals a critical shift requiring crypto-agility and forward planning.”
Read more »
Ransomwares
Advanced Social Engineering Cyber Attacks cybercriminal group data security FBI FBI cybersecurity advisory Law Firms Luna Moth phishing techniques ransomware attacks Ransomwares

FBI Warns of Silent Ransom Group Using Phishing and Vishing to Target U.S. Law Firms

 

The FBI has issued a warning about a sophisticated cybercriminal group known as the Silent Ransom Group (SRG), also referred to by aliases like Luna Moth, Chatty Spider, and UNC3753. This group has been actively targeting U.S.-based law firms and related organizations through advanced phishing techniques and social engineering scams. The group, which has been operational since 2022, is known for using deceptive communication methods to gain unauthorized access to corporate systems and extract sensitive legal data for ransom demands. In the past, SRG’s activities spanned across industries such as healthcare and insurance. 

However, since the spring of 2023, its focus has shifted to legal entities, likely because of the highly confidential nature of the data managed by law firms. The group commonly uses a method called callback phishing, also known as reverse vishing. In this approach, victims receive emails that appear to originate from reputable companies and warn them of small charges for fake subscriptions. The emails prompt users to call a phone number to cancel the subscription. During these calls, victims are instructed to download remote access software under the guise of resolving the issue. Once the software is installed, SRG gains control of the victim’s device, searches for valuable data, and uses it to demand ransom.  

In March 2025, SRG has adapted their strategy to include voice phishing or vishing. In this new approach, the attackers call employees directly, posing as internal IT staff. These fraudulent callers attempt to convince their targets to join remote access sessions, often under the pretext of performing necessary overnight maintenance. Once inside the system, the attackers move swiftly to locate and exfiltrate data using tools like WinSCP or a disguised version of Rclone. Notably, SRG does not prioritize escalating privileges, instead focusing on immediate data theft. The FBI noted that these voice phishing methods have already resulted in multiple successful breaches. 

SRG reportedly continues to apply pressure during ransom negotiations by making follow-up calls to victim organizations. While the group does maintain a public site for releasing stolen data, its use of this platform is inconsistent, and it does not always follow through on threats to leak information. A significant concern surrounding these attacks is the difficulty in detection. SRG uses legitimate system management and remote access tools, which are often overlooked by traditional antivirus software. The FBI advises organizations to remain vigilant, particularly if there are unexplained downloads of programs such as AnyDesk, Zoho Assist, or Splashtop, or if staff receive unexpected calls from alleged IT personnel. 

In response, the FBI urges companies to bolster cybersecurity training, establish clear protocols for authenticating internal IT requests, and enforce two-factor authentication across all employee accounts. Victims of SRG attacks are encouraged to share any information that might assist in ongoing investigations, including ransom communications, caller details, and cryptocurrency wallet data.
Read more »
ScatteredSpider
Co-op customer data compromise Cyber Attacks cyber intrusion data security DragonForce DragonForce Ransomware Group Malware. Scattered Spider Marks & Spencer ransomware attacks Ransomwares ScatteredSpider

Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption

 

Weeks after a significant cyberattack disrupted operations at major British retailers, companies like Marks & Spencer (M&S) and Co-op are still struggling to restore full functionality. Despite public reassurances, the scope of the attack is proving more serious than initially acknowledged. M&S CEO Stuart Machin recently confirmed that personal customer data had been accessed, prompting the company to require password resets for online accounts. Online orders on the M&S website remain suspended weeks after the breach, and no clear timeline has been offered for full recovery. 

The attack first became public on April 25 when M&S halted its online operations due to a cyber intrusion. Within days, Co-op revealed it had also been targeted in an attempted hack, which disrupted several services. Harrods, another luxury retailer, was also reportedly affected during this wave of cyberattacks. While M&S is still unable to process online sales, Co-op has only just resumed stocking its shelves, and both companies remain silent about when operations might return to normal. Government officials have weighed in on the seriousness of the incident. 

Cabinet Office Minister Pat McFadden called the attack a “wake-up call” for British businesses, highlighting the urgent need for enhanced cybersecurity protocols. Financial losses have been steep. M&S is reportedly losing £3.5 million per day while its website remains offline, and its stock has dropped by an estimated half a billion pounds in market value. Co-op also disclosed that customer data had been compromised, and they experienced issues with card payments at the height of the disruption. 

Investigations suggest the cybercriminal group known as Scattered Spider is responsible. Known for targeting large enterprises, the group is believed to have used a ransomware strain called DragonForce to paralyze systems. According to cybersecurity experts, the attackers may have exploited unpatched vulnerabilities and misconfigured systems to gain entry. Reports indicate they employed SIM-swapping tactics to hijack phone numbers and impersonate employees, fooling IT help desks into granting system access. Once inside, the hackers are believed to have compromised Microsoft Active Directory—a central hub that connects internal networks—potentially gaining access to crucial files and passwords. 

Though it’s unlikely they decrypted these password files directly, the level of access would have allowed them to severely disrupt internal systems. Experts say this level of infiltration can cripple multiple areas of a business, making recovery extremely challenging without a full rebuild of core IT infrastructure. One reason for the prolonged disruption may be that both M&S and Co-op chose not to pay the ransom, in line with UK government advice. While this decision aligns with best practices to avoid funding cybercrime, it also means recovery will take significantly longer. 

Despite the chaos, M&S has emphasized that no payment information or account passwords were compromised. The company is urging customers to reset their passwords for peace of mind and has provided guidelines on staying safe online. Co-op has resumed deliveries to most of its stores but acknowledged that some shelves may still lack regular stock. Empty shelves and apology signs have appeared across affected stores, as customers share their frustrations online. 

This incident underscores the growing threat posed by sophisticated cybercriminals and the urgent need for companies to prioritize cybersecurity. From exploiting human error to using advanced ransomware tools, the tactics are evolving, and so must the defenses.
Read more »
Sensitive data
Cloud Security Cyber Attacks Data Theft Employee Training enterprise cybersecurity fake ads Malicious Ads ransomware attacks Ransomwares Sensitive data

Employee Monitoring Tool Kickidler Targeted in Ransomware Attacks

 

Cybersecurity researchers have discovered that cybercriminals are misusing a legitimate employee monitoring tool called Kickidler to execute targeted ransomware attacks. Originally developed to help businesses track productivity and ensure compliance, Kickidler offers features like real-time screen monitoring, keystroke logging, and activity tracking—functionalities that have now become attractive tools for threat actors. Security firms Varonis and Synacktiv have reported observing these attacks actively taking place. 

The attack campaign begins with malicious advertisements placed on the Google Ads network. These ads are cleverly designed to trick users searching for a legitimate utility called RVTools—a free Windows application used to connect to VMware vCenter or ESXi environments. Victims are lured into downloading a trojanized version of RVTools, which secretly installs a backdoor named SMOKEDHAM. Once SMOKEDHAM gains access to the system, attackers use it to deploy Kickidler, with a focus on targeting enterprise administrators. 

By infiltrating admin machines, the attackers can monitor keystrokes and capture sensitive data, such as credentials for off-site backups or cloud platforms. This method allows them to bypass more secure authentication systems that are often separated from Windows domains, a common defense strategy in many organizations. According to the researchers, the ransomware groups Qilin and Hunters International have been leveraging this approach to expand their reach within enterprise networks. 

These groups appear to be focusing on cloud backup systems and VMware ESXi infrastructure. Hunters International, in particular, was observed using VMware PowerCLI and WinSCP Automation tools to enable SSH access, deploy ransomware, and execute it on ESXi servers. Their payloads encrypted VMDK virtual hard disks, disrupting operations and access to virtual environments. 

One of the most concerning aspects of this campaign is how stealthily it operates. By capturing data directly from administrators’ screens and inputs, the attackers avoid using higher-risk tactics like memory dumps or privilege escalation, which are more likely to be flagged by security systems. The misuse of Kickidler demonstrates a growing trend of cybercriminals weaponizing legitimate enterprise tools to bypass traditional defenses and maintain stealth within targeted networks. 

These attacks highlight the need for increased vigilance around software downloads, especially from third-party sources, and reinforce the importance of strong endpoint protection, regular software audits, and employee awareness training. 

As cyberattacks grow more sophisticated, defenders must adapt by tightening controls, decoupling critical system access from everyday credentials, and monitoring for unusual activity—even from tools considered safe.
Read more »
Ransomwares
CVE CVEs Cyber Attacks Malware Attack Malwares Microsoft ransomware attacks Ransomware group Ransomwares

Windows CLFS Zero-Day CVE-2025-29824 Exploited by Ransomware Group Storm-2460

 

A newly disclosed Windows zero-day vulnerability, tracked as CVE-2025-29824, is being actively exploited in cyberattacks to deliver ransomware, Microsoft has warned. This flaw affects the Windows Common Log File System (CLFS) driver and enables local privilege escalation—a method often used by attackers after gaining initial access. 

Microsoft’s Threat Intelligence and Security Response teams revealed that the bug is classified as a “use-after-free” vulnerability with a severity score of 7.8. While attackers need to compromise a system before they can exploit this flaw, it remains highly valuable in ransomware operations. Cybercriminals often rely on these types of vulnerabilities to turn a limited foothold into full administrative control across networks. 

The cybercrime group currently leveraging this zero-day is known as Storm-2460. Microsoft reports that the group is using the exploit to deploy a custom backdoor named PipeMagic, which in turn facilitates the installation of RansomEXX ransomware—a variant not commonly observed but still capable of serious disruption. So far, Storm-2460 has targeted organizations in industries such as IT, finance, and retail, with victims located in countries including the United States, Spain, Saudi Arabia, and Venezuela. 

Microsoft emphasized that the number of known cases remains small, but the sophistication of the exploit is concerning. This attack is notable for being part of a “post-compromise” campaign, meaning the attacker already has a presence within the system before using the flaw. These types of exploits are frequently used to escalate privileges and move laterally within a network, eventually leading to broader ransomware deployment. Microsoft issued a security advisory for CVE-2025-29824 on April 8 and urged organizations to install updates immediately. Failure to do so could leave critical systems vulnerable to privilege escalation and full network compromise. 

To mitigate risk, Microsoft advises businesses to prioritize patch management, restrict unnecessary administrative privileges, and closely monitor for unusual behavior across endpoints. Cybersecurity teams are also encouraged to review logs for any indicators of compromise related to PipeMagic or RansomEXX. As ransomware tactics continue to evolve, the exploitation of vulnerabilities like CVE-2025-29824 reinforces the need for proactive defense strategies and rapid incident response protocols.
Read more »
Subscribe to: Posts (Atom)