RANSOMWARE

DATE  NAME  INFO  CATEGORY  SUBCATEGORY
28.5.25 StarFire Ransomware Demands $3,000 in Bitcoin A group or individual calling themselves "StarFire" has recently emerged in the threat landscape, targeting individual machines with ransomware. ALERTS RANSOM
25.5.25 DragonForce targets rivals in a play for dominance Not content with attacking retailers, this aggressive group is fighting a turf war with other ransomware operators. Ransom blog Sophos
25.5.25 US indicts leader of Qakbot botnet linked to ransomware attacks The U.S. government has indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks. Ransom BleepingComputer
24.5.25 3AM ransomware uses spoofed IT calls, email bombing to breach networks A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems. Ransom BleepingComputer
24.5.25 Kettering Health hit by system-wide outage after ransomware attack Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage. Ransom BleepingComputer
24.5.25 VanHelsing ransomware builder leaked on hacking forum The VanHelsing ransomware-as-a-service operation published the source code for its affiliate panel, data leak blog, and Windows encryptor builder after an old developer tried to sell it on the RAMP cybercrime forum. Ransom BleepingComputer
23.5.25 Fake KeePass password manager leads to ESXi ransomware attack Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately deploy ransomware on the breached network. Ransom BleepingComputer
23.5.25 300 Servers and €3.5M Seized as Europol Strikes Ransomware Networks Worldwide As part of the latest "season" of Operation Endgame, a coalition of law enforcement agencies has taken down about 300 servers worldwide, neutralized 650 domains, Ransom The Hacker News
20.5.25 Ransomware Gangs Use Skitnet Malware for Stealthy Data Theft and Remote Access Several ransomware actors are using a malware called Skitnet as part of their post-exploitation efforts to steal sensitive data and establish remote control over Ransom The Hacker News
18.5.25 Ransomware gangs increasingly use Skitnet post-exploitation malware Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. Ransom BleepingComputer
18.5.25 Ransomware gangs join ongoing SAP NetWeaver attacks Ransomware gangs have joined ongoing SAP NetWeaver attacks, exploiting a maximum-severity vulnerability that allows threat actors to gain remote code execution on vulnerable servers. Ransom BleepingComputer
17.5.25 Ransomware Roundup – VanHelsing The VanHelsing ransomware was first identified in March 2025 and uses TOR sites for ransom negotiations and data leaks. Ransom blog Fortinet
17.5.25 LCRYX Ransomware Utilizes Weak Encryption, Demands $500 Bitcoin Payment The SonicWall Capture Labs threat research team has recently been tracking LCRYX ransomware. LCRYX is a VBScript-based ransomware strain that first emerged in November 2024 and reappeared in February 2025 with enhanced capabilities. It specifically targets Windows systems, employing a combination of Caesar cipher and XOR encryption to lock files before demanding a $500 ransom in Bitcoin for decryption. While it made its resurgence in February, it is still being seen in the wild today. Ransom blog SonicWall
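The LCRYX entry above calls its file locking "weak encryption" because a Caesar shift combined with a XOR is a fixed byte permutation with a tiny key space, and a single known file header is enough to recover the key. The block below is an added illustration of that known-plaintext recovery, not SonicWall's analysis and not LCRYX's actual routine: the shift-then-XOR toy cipher, the key values and the PNG-like sample file are assumptions constructed here.

```python
"""Known-plaintext recovery against a Caesar-shift + single-byte-XOR cipher.

Added illustration (not LCRYX's real routine): every byte is shifted by a
constant (mod 256) and then XORed with a constant key byte. The key
values and the PNG-like sample file are constructed here.
"""

PNG_MAGIC = bytes.fromhex("89504e470d0a1a0a")  # first 8 bytes of any PNG


def weak_encrypt(data: bytes, shift: int, xor_key: int) -> bytes:
    """Toy cipher: c = ((p + shift) mod 256) XOR xor_key, byte by byte."""
    return bytes(((b + shift) & 0xFF) ^ xor_key for b in data)


def weak_decrypt(data: bytes, shift: int, xor_key: int) -> bytes:
    """Inverse: p = ((c XOR xor_key) - shift) mod 256."""
    return bytes(((b ^ xor_key) - shift) & 0xFF for b in data)


def recover_keys(ciphertext: bytes, known_prefix: bytes) -> list:
    """Return every (shift, xor_key) pair consistent with the known prefix.

    For a given shift, the first known byte pins the XOR key
    (k = c0 XOR ((p0 + s) mod 256)), so only 256 shifts need testing.
    (s, k) and (s + 128, k XOR 0x80) are the same byte permutation, so at
    least two equivalent pairs always come back; the caller must verify a
    candidate against file structure, not only against the magic.
    """
    head = ciphertext[: len(known_prefix)]
    candidates = []
    for s in range(256):
        k = head[0] ^ ((known_prefix[0] + s) & 0xFF)
        if weak_decrypt(head, s, k) == known_prefix:
            candidates.append((s, k))
    return candidates


def looks_like_png(data: bytes) -> bool:
    """Structural check past the magic: a PNG's first chunk is IHDR with a 13-byte body."""
    return (
        data[:8] == PNG_MAGIC
        and int.from_bytes(data[8:12], "big") == 13
        and data[12:16] == b"IHDR"
    )


def demo() -> dict:
    # Constructed victim file: PNG magic + IHDR length/type + 13-byte body + CRC.
    plaintext = (
        PNG_MAGIC + (13).to_bytes(4, "big") + b"IHDR" + bytes(range(13)) + b"\xaa\xbb\xcc\xdd"
    )
    shift, xor_key = 0x2B, 0x5C  # assumed secrets embedded in the encryptor
    locked = weak_encrypt(plaintext, shift, xor_key)
    candidates = recover_keys(locked, PNG_MAGIC)
    verified = [c for c in candidates if looks_like_png(weak_decrypt(locked, *c))]
    return {
        "candidates": candidates,
        "verified": verified,
        "recovered": any(weak_decrypt(locked, *c) == plaintext for c in verified),
    }


if __name__ == "__main__":
    result = demo()
    print("key pairs matching the PNG magic:", result["candidates"])
    print("pairs passing the IHDR check:", result["verified"])
    print("plaintext recovered:", result["recovered"])
```

The same approach works for any file type with a fixed signature (ZIP, PDF, DOCX, JPEG); the point for incident response is that a victim of a scheme like this should try header-based recovery before considering payment. Real ransomware families that use a per-file or per-victim key derived from a proper cipher are not vulnerable to this.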
16.5.25 Kickidler employee monitoring software abused in ransomware attacks Ransomware operations are using legitimate Kickidler employee monitoring software for reconnaissance, tracking their victims' activity, and harvesting credentials after breaching their networks. Ransom BleepingComputer
15.5.25 BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan At least two different cybercrime groups, BianLian and RansomExx, are said to have exploited a recently disclosed security flaw in SAP NetWeaver tracked as CVE-2025- Ransom The Hacker News
11.5.25 LockBit ransomware gang hacked, victim negotiations exposed The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump. Ransom BleepingComputer
11.5.25 PowerSchool hacker now extorting individual school districts PowerSchool is warning that the hacker behind its December cyberattack is now individually extorting schools, threatening to release the previously stolen student and teacher data if a ransom is not paid. Ransom BleepingComputer
10.5.25 Ransomware Attacks April 2025: Qilin Emerges from Chaos Global ransomware attacks in April 2025 declined to 450 from 564 in March – the lowest level since November... Ransom blog Cyble
10.5.25 Tracking Ransomware: April 2025 EXECUTIVE SUMMARY April 2025 witnessed a decline in ransomware incidents, with 470 reported victims worldwide. Qilin remained the dominant group, while newer actors like Ransom blog Cyfirma
10.5.25 Gunra Ransomware – A Brief Analysis Executive Summary At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and Ransom blog Cyfirma
10.5.25 Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal During our monitoring of Agenda ransomware activities, we uncovered campaigns that made use of the SmokeLoader malware and a new loader we've named NETXLOADER. Ransom blog Trend Micro
9.5.25 Mamona Ransomware Mamona Ransomware is a newly discovered threat in the commodity ransomware landscape that operates entirely offline, with no external communication or data exfiltration. The malware uses custom encryption routines to encrypt user files, renaming them with the .HAes extension. ALERTS RANSOM
9.5.25 Bert Ransomware In April, a new ransomware actor known as "Bert" was observed operating in the wild and allegedly claimed several organizations as victims, including those in the Healthcare, Technology, and Event Services sectors across the US and Turkey. ALERTS RANSOM
8.5.25 Qilin Leads April 2025 Ransomware Spike with 45 Breaches Using NETXLOADER Malware Threat actors with ties to the Qilin ransomware family have leveraged malware known as SmokeLoader along with a previously undocumented .NET compiled Ransom The Hacker News
8.5.25 New "Bring Your Own Installer" EDR bypass used in ransomware attack Ransom BleepingComputer
7.5.25 Bring Your Own Installer: Bypassing SentinelOne Through Agent Version Change Interruption Bring Your Own Installer is a technique which can be used by threat actors to bypass EDR protection on a host through timed termination of the agent update process when inadequately configured. Ransom Aon.com
7.5.25 Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization Threat actors with links to the Play ransomware family exploited a recently patched security flaw in Microsoft Windows as a zero-day as part of an attack targeting an Ransom The Hacker News
4.5.25 Co-op confirms data theft after DragonForce ransomware claims attack The Co-op cyberattack is far worse than initially reported, with the company now confirming that data was stolen for a significant number of current and past customers. Ransom BleepingComputer
4.5.25 US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks A 36-year-old Yemeni national, who is believed to be the developer and primary operator of 'Black Kingdom' ransomware, has been indicted by the United States for conducting 1,500 attacks on Microsoft Exchange servers. Ransom BleepingComputer
3.5.25 Ukrainian extradited to US for Nefilim ransomware attacks A Ukrainian national has been extradited from Spain to the United States to face charges over allegedly conducting Nefilim ransomware attacks against companies. Ransom BleepingComputer

30.4.25 Marks & Spencer breach linked to Scattered Spider ransomware attack Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by threat actors known as "Scattered Spider", BleepingComputer has learned from multiple sources. Ransom BleepingComputer
30.4.25 Hitachi Vantara takes servers offline after Akira ransomware attack Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack. Ransom BleepingComputer
30.4.25 RansomHub Went Dark April 1; Affiliates Fled to Qilin, DragonForce Claimed Control Cybersecurity researchers have revealed that RansomHub's online infrastructure has "inexplicably" gone offline as of April 1, 2025, prompting concerns among Ransom The Hacker News
29.4.25 ELENOR-corp - a new Mimic ransomware variant ELENOR-corp is a new ransomware variant from the Mimic malware family, just recently identified in the wild and reported to be targeting the healthcare sector. The attackers have also been leveraging a persistent Clipper malware as well as a Python-based infostealer during the activities preceding the ransomware payload deployment. ALERTS RANSOM
27.4.25 DragonForce expands ransomware model with white-label branding scheme The ransomware scene is re-organizing, with one gang known as DragonForce working to gather other operations under a cartel-like structure. Ransom BleepingComputer
26.4.25 ToyMaker Uses LAGTOY to Sell Access to CACTUS Ransomware Gangs for Double Extortion Cybersecurity researchers have detailed the activities of an initial access broker (IAB) dubbed ToyMaker that has been observed handing over access to double Ransom The Hacker News
26.4.25 Frederick Health data breach impacts nearly 1 million patients A ransomware attack in January at Frederick Health Medical Group, a major healthcare provider in Maryland, has led to a data breach affecting nearly one million patients. Ransom BleepingComputer
26.4.25 Interlock ransomware claims DaVita attack, leaks stolen data The Interlock ransomware gang has claimed the cyberattack on kidney dialysis firm DaVita and leaked data allegedly stolen from the organization. Ransom BleepingComputer

25.4.25 FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE This blog details our investigation of malware samples that conceal within them a FOG ransomware payload. Ransom blog Trend Micro
25.4.25 Extortion and Ransomware Trends January-March 2025 Unit 42 regularly monitors the cyberthreat landscape, including trends in extortion and ransomware. Ransomware actors continue to evolve to increase the effectiveness of their attacks and the likelihood that organizations will pay what is demanded. In our 2025 Unit 42 Global Incident Response Report, we found that 86% of incidents involved business disruption, spanning operational downtime, reputational damage or both. Ransom blog Palo Alto
24.4.25 PE32 Ransomware PE32 ransomware is a newly discovered malware strain that leverages Telegram for C2 operations. It employs a dual-extortion model, charging separate fees for file decryption and data non-disclosure. Despite its messy and simplistic code, which uses basic Windows libraries, it poses a significant threat to systems with weak security hygiene. ALERTS RANSOM
24.4.25 ToyMaker IAB paves way for Cactus ransomware Initial Access Brokers are oftentimes the first step in a successful campaign for a threat actor. The access brokers work their way into an environment, collect relevant data, and then sell that information to a threat actor for further compromise. ALERTS RANSOM
22.4.25 Ransomware group Interlock enhances tactics with ClickFix and Infostealers Reports indicate that the ransomware group Interlock has advanced its attack methods by incorporating ClickFix social engineering techniques alongside infostealers. ALERTS
22.4.25 Gunra Ransomware Another ransomware actor operating under the name Gunra has recently surfaced, allegedly claiming several victims in the healthcare, electronics, and beverage manufacturing sectors, as listed on their onion website. In recent activity, the ransomware they deploy appends a .encrt extension to encrypted files and drops a ransom note named r3adm3.txt in multiple directories. ALERTS
21.4.25 Interlock ransomware Interlock is a ransomware intrusion set first observed in September 2024 that conducts Big Game Hunting and double extortion campaigns. Ransom
20.4.25 Kidney dialysis firm DaVita hit by weekend ransomware attack Kidney dialysis firm DaVita disclosed Monday it suffered a weekend ransomware attack that encrypted parts of its network and impacted some of its operations. Ransom BleepingComputer

21.4.25 Interlock ransomware gang pushes fake IT tools in ClickFix attacks The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices. Ransom BleepingComputer
21.4.25 Ahold Delhaize confirms data theft after INC ransomware claims attack Food retail giant Ahold Delhaize confirms that data was stolen from its U.S. business systems during a November 2024 cyberattack. Ransom BleepingComputer
19.4.25 Hacktivists Target Critical Infrastructure, Move Into Ransomware Hacktivists are increasingly adopting more sophisticated - and destructive - attack types. Ransom blog
19.4.25 DOGE "Big Balls" Ransomware and the False Connection to Edward Coristine Cyble investigates the DOGE BIG BALLS Ransomware, analyzing its operation and the false ties made to... Ransom blog
19.4.25 CrazyHunter Campaign Targets Taiwanese Critical Sectors This blog entry details research on emerging ransomware group CrazyHunter, which has launched a sophisticated campaign aimed at Taiwan's essential services. Ransom blog
19.4.25 Nova RaaS: The Ransomware That ‘Spares’ Schools and Nonprofits—For Now A new ransomware group calling themselves Nova RaaS, or ransomware-as-a-service, has been active for the past month distributing RaLord ransomware. On their blog, they claim to have no affiliations with other cybercriminal groups—and, in a surprising twist, say they’ve pledged not to target schools or nonprofit organizations. Ransom blog
19.4.25 Year in Review: The biggest trends in ransomware This week, our Year in Review spotlight is on ransomware—where low-profile tactics led to high-impact consequences. Download our 2 page ransomware summary, or watch our 55 second video. Ransom blog
18.4.25 DragonForce Ransomware's Campaign Intensifies in 2025 In 2024, DragonForce ransomware actors were highly active, claiming around 93 victims on their leak website, with likely more that were not disclosed. We're still in early 2025, and the group has already "allegedly" claimed over 40 organizations as potential victims across multiple countries and sectors. ALERTS
18.4.25 DOGE BIG BALLS Ransomware A new ransomware campaign has been reported exploiting the name of a prominent figure within the Department of Government Efficiency (DOGE) to trick victims. The attack delivers a modified variant of Fog ransomware dubbed "DOGE BIG BALLS Ransomware." ALERTS
15.4.25 PelDox Ransomware Unlike typical ransomware, PelDox does not inform victims about the encryption of their files or demand payment for decryption. After encrypting the files and appending the ".lczx" extension, the ransomware displays a full-screen message. ALERTS
13.4.25 Ransomware attack cost IKEA operator in Eastern Europe $23 million Fourlis Group, the operator of IKEA stores in Greece, Cyprus, Romania, and Bulgaria, has disclosed that the ransomware attack it suffered just before Black Friday on November 27, 2024, caused losses estimated at €20 million ($22.8M). Ransom
13.4.25 Sensata Technologies hit by ransomware attack impacting operations Sensata Technologies (known as Sensata) suffered a ransomware attack last weekend that encrypted parts of the company network and disrupted operations. Ransom
12.4.25 NanoCrypt Ransomware NanoCrypt is another "run-of-the-mill" ransomware variant discovered in the wild. The malware encrypts user data and appends .ncrypt to the name of locked files. The ransom note dropped in the form of a text file called README.txt indicates that this malware has been created "for fun" and is not intended for any harmful activity. ALERTS
12.4.25 Chaos Ransomware Variant Targets IT Staff via Fake Security Tool Chaos ransomware variants continue to emerge, mostly used by actors targeting individual machines through drive-by-download social engineering. These attacks typically demand a smaller ransom compared to double-extortion ransomware actors who target larger organizations through more complex attack chains. ALERTS
12.4.25 Ransomware Attack Levels Remain High as Major Change Looms March saw a potential leadership shift in ransomware attacks, sustained high attack volumes, and the rise of new threat groups. Ransom blog
12.4.25 TRACKING RANSOMWARE – MARCH 2025 In March 2025, ransomware attacks targeted critical industries such as Manufacturing, IT, and Healthcare. Notable groups like Black Basta and Moonstone Sleet evolved new strategies, such as automating brute-force VPN attacks and deploying ransomware-as-a-service models. Ransom blog
10.4.25 Everest ransomware's dark web leak site defaced, now offline The dark web leak site of the Everest ransomware gang has apparently been hacked over the weekend by an unknown attacker and is now offline. Ransom
6.4.25 Port of Seattle says ransomware breach impacts 90,000 people Port of Seattle, the U.S. government agency overseeing Seattle's seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack. Ransom
6.4.25 Hunters International shifts from ransomware to pure data extortion The Hunters International Ransomware-as-a-Service (RaaS) operation is shutting down and rebranding with plans to switch to data theft and extortion-only attacks. Ransom
6.4.25 Texas State Bar warns of data breach after INC ransomware claims attack The State Bar of Texas is warning it suffered a data breach after the INC ransomware gang claimed to have breached the organization and began leaking samples of stolen data. Ransom
5.4.25 Hexamethy Ransomware Displays Scary Lock Screen During File Encryption The SonicWall Capture Labs threat research team has recently observed new ransomware named HEXAMETHYLCYCLOTRISILOXANE, or Hexamethy in short. This malware produces a scary cinematic display during the encryption process and flashes text stating, “No more files for you,” and “Your files are in hostage by the HEXAMETHYLCYCLOTRISILOXANE Ransomware." Ransom blog
4.4.25 Lockbit 4.0 ransomware Lockbit 4.0 is the most recent iteration of the infamous ransomware attributed to the threat actor called Syrphid. The ransomware is operated based on a Ransomware-as-a-Service (RaaS) model with various affiliates carrying out the attacks and often employing different tactics, techniques, and procedures (TTPs). ALERTS
4.4.25 CrazyHunter - a new Prince ransomware variant CrazyHunter is a new Go-based ransomware variant based on the open-source Prince encryptor malware family. The malware encrypts user data and drops a ransom note in the form of a text file called "Decryption Instructions.txt". This note is written in the same format as the one observed in older Prince ransomware deployments. ALERTS

30.3.25 Retail giant Sam’s Club investigates Clop ransomware breach claims Sam's Club, an American warehouse supermarket chain owned by U.S. retail giant Walmart, is investigating claims of a Clop ransomware breach. Ransom
30.3.25 UK fines software provider £3.07 million for 2022 ransomware breach The UK Information Commissioner's Office (ICO) has fined Advanced Computer Software Group Ltd £3.07 million over a 2022 ransomware attack that exposed the sensitive personal data of 79,404 people, including National Health Service (NHS) patients. Ransom
29.3.25 VanHelsing, new RaaS in Town In recent weeks, a new and rapidly expanding ransomware-as-a-service (RaaS) program called VanHelsingRaaS has been making waves in the cybercrime world. Launched on March 7, 2025, this service has already demonstrated its rapid growth and deadly potential, having infected three victims within just two weeks of its introduction. Ransom blog
29.3.25 RansomHub affiliates linked to rival RaaS gangs ESET researchers also examine the growing threat posed by tools that ransomware affiliates deploy in an attempt to disrupt EDR security solutions. Ransom blog
29.3.25 Shifting the sands of RansomHub’s EDRKillShifter ESET researchers discover new ties between affiliates of RansomHub and of rival gangs Medusa, BianLian, and Play. Ransom blog
29.3.25 The Curious Case of PlayBoy Locker Cybereason issues Threat Analysis reports to investigate emerging threats and provide practical recommendations for protecting against them. Ransom blog
29.3.25 BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called Ransom
29.3.25 RedCurl cyberspies create ransomware to encrypt Hyper-V servers A threat actor named 'RedCurl,' known for stealthy corporate espionage operations since 2018, is now using a ransomware encryptor designed to target Hyper-V virtual machines. Ransom
28.3.25 New VanHelsing ransomware targets Windows, ARM, ESXi systems A new multi-platform ransomware-as-a-service (RaaS) operation named VanHelsing has emerged, targeting Windows, Linux, BSD, ARM, and ESXi systems. Ransom
28.3.25 Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa, BianLian, and Play. The connection Ransom
28.3.25 RALord Ransomware RALord is a new Rust-based ransomware variant identified in the wild. The malware encrypts user data and appends the ".RALord" extension to the names of the locked files. ALERTS

27.3.25 PlayBoy Locker Ransomware PlayBoy Locker is a ransomware variant discovered last September and initially distributed in the form of a Ransomware-as-a-Service (RaaS) offering. The ransomware platform offered multi-OS support including Windows, NAS and ESXi operating systems. ALERTS
26.3.25 Dragon RaaS Group: Ransomware targeting the US and European countries Dragon RaaS, a ransomware group that emerged in July 2024, primarily targets organizations in the US, Israel, UK, France and Germany. The group leverages web application vulnerabilities, brute-force attacks and stolen credentials as its main attack vectors, using two ransomware variants: a Windows-focused encryptor, likely a modified version of StormCry, and a PHP webshell which provides both backdoor functionality and persistent ransomware capabilities. ALERTS
25.3.25 SANS Institute Warns of Novel Cloud-Native Ransomware Attacks The latest Palo Alto Networks Unit 42 Cloud Threat Report found that sensitive data is found in 66% of cloud storage buckets. This data is vulnerable to Ransom
24.3.25 VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics A ransomware-as-a-service (RaaS) operation called VanHelsing has already claimed three victims since it launched on March 7, 2025. "The RaaS model allows Ransom
24.3.25 VSCode Marketplace Removes Two Extensions Deploying Early-Stage Ransomware Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VSCode) Marketplace that are designed to deploy ransomware that's Ransom
23.3.25 VSCode extensions found downloading early-stage ransomware Two malicious VSCode Marketplace extensions were found deploying in-development ransomware from a remote server, exposing critical gaps in Microsoft's review process. Ransom
23.3.25 RansomHub ransomware uses new Betruger ‘multi-function’ backdoor Security researchers have linked a new backdoor dubbed Betruger, deployed in several recent ransomware attacks, to an affiliate of the RansomHub operation. Ransom
22.3.25 Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations Trend Research encounters new versions of the Albabat ransomware, which appears to target Windows, Linux, and macOS devices. We also reveal the group’s use of GitHub to streamline their ransomware operation. Ransom blog
22.3.25 WormLocker Ransomware Resurfaces: Infection Cycle, Encryption Tactics, and Prevention WormLocker was first spotted in late 2020. Since its discovery, it has been observed spreading through phishing emails and exploiting vulnerabilities. The SonicWall Capture Labs threat research team has received what appears to be a more recent sample of this ransomware. Given the dynamic nature of ransomware threats, this might signify its potential resurgence. Ransom blog
22.3.25 Analysis of Black Basta Ransomware Chat Leaks Trellix obtained access to Black Basta's chat leaks at the end of February 2025 and immediately began analyzing the chat logs. Given that Black Basta is a rebrand of Conti RaaS, our approach mirrored that which we took in Conti Leaks: Examining the Panama Papers of Ransomware. Ransom blog
22.3.25 New variants of the Albabat ransomware implement multi-OS capabilities A new strain of the Albabat ransomware has been reported to offer multi-OS support, according to the latest report from Trend Micro. The new Albabat variant is still under active development and adds Linux and macOS to the list of targeted platforms. ALERTS
22.3.25 VanHelsing Ransomware VanHelsing is a new ransomware variant recently identified in the wild. The malware encrypts user data and appends the .vanhelsing or .vanlocker extension to the locked files. VanHelsing drops the ransom note in the form of a text file called “README.txt” and is also able to modify the desktop wallpaper. ALERTS

21.3.25 Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a Ransom
20.3.25 Leaked Black Basta Chats Suggest Russian Officials Aided Leader's Escape from Armenia The recently leaked trove of internal chat logs among members of the Black Basta ransomware operation has revealed possible connections between the e-crime Ransom
20.3.25 NailaoLocker Ransomware NailaoLocker is a ransomware variant distributed last year in campaigns targeting various European healthcare organizations. The attackers responsible have been leveraging the previously disclosed Check Point Security Gateway vulnerability CVE-2024-24919 in the initial attack stages. ALERTS
19.3.25 Protection Highlight: Thwarting Ransomware with Carbon Black Endpoint Standard Today's ransomware is innovating at a rapid pace. Going beyond simple file encryption, ransomware increasingly leverages unknown variants and fileless techniques. ALERTS
16.3.25 New Akira ransomware decryptor cracks encryption keys using GPUs Security researcher Yohanes Nugroho has released a decryptor for the Linux variant of Akira ransomware, which utilizes GPU power to retrieve the decryption key and unlock files for free. Ransom
16.3.25 Ransomware gang creates tool to automate VPN brute-force attacks The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs. Ransom
16.3.25 Suspected LockBit ransomware dev extradited to United States A dual Russian-Israeli national, suspected of being a key developer for the LockBit ransomware operation, has been extradited to the United States to face charges. Ransom
16.3.25 New SuperBlack ransomware exploits Fortinet auth bypass flaws A new ransomware operator named 'Mora_001' is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack. Ransom
16.3.25 CISA: Medusa ransomware hit over 300 critical infrastructure orgs CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States as of last month. Ransom
15.3.25 SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks. Ransom blog

14.3.25 Live Ransomware Demo: See How Hackers Breach Networks and Demand a Ransom Cyber threats evolve daily. In this live webinar, learn exactly how ransomware attacks unfold—from the initial breach to the moment hackers demand payment. RANSOM RANSOM
14.3.25 SuperBlack - a new Lockbit ransomware variant SuperBlack is a new ransomware variant based on the leaked Lockbit builder. According to recent reports, a newly observed distribution of this malware has been attributed to the threat actor dubbed Mora_001 (a possible Lockbit affiliate). ALERTS
14.3.25 LithiumWare Ransomware LithiumWare is a new ransomware strain observed in the wild. The malware encrypts user data and appends random four-character extensions to the locked files. ALERTS
14.3.25 Hellcat: Ransomware-as-a-Service group Since its identification in late 2024, the Hellcat Ransomware Group has emerged as a prominent Ransomware-as-a-Service (RaaS) threat claiming attacks on critical national infrastructure and government organizations. ALERTS
13.3.25 Malicious operations attributed to the EncryptHub threat actor EncryptHub is a new threat actor engaging in malicious operations distributing ransomware and infostealers (StealC, Rhadamanthys) to unsuspecting victims. ALERTS
10.3.25 Boramae Ransomware Boramae is a new ransomware discovered just recently in the threat landscape and a suspected variant of the Beast aka BlackLockbit malware family. The malware encrypts user files and appends ".boramae" to them. ALERTS
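Several ALERTS entries on this page (Mamona, Gunra, PelDox, NanoCrypt, RALord, VanHelsing, Boramae) give the one indicator a responder can check without a sample: the extension appended to encrypted files and, where stated, the ransom-note file name. The block below is an added triage example, not code from any of the vendors cited; the indicator table is transcribed from those entries, the sample directory tree is constructed here, and the family attribution it prints is only a lead for analysis, since extensions are trivially reused between families.

```python
"""Offline file-system sweep for the ransomware file-name indicators in the
ALERTS entries above (Mamona, Gunra, PelDox, NanoCrypt, RALord, VanHelsing,
Boramae). Added triage example; the indicator table is transcribed from
those entries and the directory tree below is constructed sample input.
"""
import os
import tempfile
from collections import defaultdict

# family -> (extensions appended to encrypted files, ransom-note file names)
INDICATORS = {
    "Mamona": ({".HAes"}, set()),
    "Gunra": ({".encrt"}, {"r3adm3.txt"}),
    "PelDox": ({".lczx"}, set()),
    "NanoCrypt": ({".ncrypt"}, {"README.txt"}),
    "RALord": ({".RALord"}, set()),
    "VanHelsing": ({".vanhelsing", ".vanlocker"}, {"README.txt"}),
    "Boramae": ({".boramae"}, set()),
}
# Note names that also occur on clean systems: reported only next to a
# matching extension hit, never on their own.
GENERIC_NOTES = {"readme.txt"}


def _indexes():
    ext_index, note_index = {}, defaultdict(set)
    for family, (exts, notes) in INDICATORS.items():
        for ext in exts:
            ext_index[ext.lower()] = family
        for note in notes:
            note_index[note.lower()].add(family)
    return ext_index, note_index


def sweep(root: str) -> dict:
    """Return {family: {"files": [...], "notes": [...]}} for indicators under root.

    Matching is case-insensitive because NTFS is. Double extensions such as
    "report.pdf.encrt" resolve to the final ".encrt".
    """
    ext_index, note_index = _indexes()
    hits = defaultdict(lambda: {"files": [], "notes": []})
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    # Pass 1: appended extensions are the unambiguous signal.
    for path in paths:
        family = ext_index.get(os.path.splitext(path)[1].lower())
        if family:
            hits[family]["files"].append(path)
    # Pass 2: ransom notes, gated for generic names.
    for path in paths:
        name = os.path.basename(path).lower()
        for family in note_index.get(name, ()):
            if name in GENERIC_NOTES and not hits[family]["files"]:
                continue
            hits[family]["notes"].append(path)
    return {f: h for f, h in hits.items() if h["files"] or h["notes"]}


def build_sample_tree(root: str) -> None:
    """Constructed sample: a Gunra-style victim share, one Mamona-style file,
    a benign project README.txt and clean source files."""
    layout = {
        "docs/budget.xlsx.encrt": b"\x00" * 16,
        "docs/r3adm3.txt": b"constructed ransom note",
        "pics/holiday.jpg.encrt": b"\x00" * 16,
        "pics/r3adm3.txt": b"constructed ransom note",
        "share/backup.tar.HAes": b"\x00" * 16,
        "src/README.txt": b"project readme, not a ransom note",
        "src/main.c": b"int main(void) { return 0; }\n",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for family, hit in demo().items():
        print(f"{family}: {len(hit['files'])} encrypted file(s), {len(hit['notes'])} note(s)")
```

Run `sweep()` against a mounted image or a file share listing rather than the live host where possible; a hit on the extension alone is enough to start containment, while the note name mainly helps scope which directories the encryptor reached.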

10.3.25 Ebyte Ransomware Desert Dexter is a recently reported malicious operation targeting users based in the Middle East and North Africa. The responsible threat actors are distributing malicious binaries hosted on legitimate file-sharing portals or via seemingly harmless Telegram channels. ALERTS

9.3.25 Microsoft: North Korean hackers join Qilin ransomware gang Microsoft says a North Korean hacking group tracked as Moonstone Sleet has deployed Qilin ransomware payloads in a limited number of attacks. RANSOM RANSOM
9.3.25 Ransomware gang encrypted network from a webcam to bypass EDR The Akira ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim's network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor in Windows. RANSOM RANSOM
9.3.25 US seizes domain of Garantex crypto exchange used by ransomware gangs The U.S. Secret Service has seized the domain of the sanctioned Russian cryptocurrency exchange Garantex in collaboration with the Department of Justice's Criminal Division, the FBI, and Europol. RANSOM RANSOM
8.3.25 Toronto Zoo shares update on last year's ransomware attack The Toronto Zoo, the largest zoo in Canada, has provided more information about the data stolen during a ransomware attack in January 2024. RANSOM RANSOM
8.3.25 Fake BianLian ransom notes mailed to US CEOs in postal mail scam Scammers are impersonating the BianLian ransomware gang in fake ransom notes sent to US companies via snail mail through the United States Postal Service. RANSOM RANSOM
8.3.25 Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware New research has uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups utilizing the same social engineering attacks and the BackConnect proxy malware for post-exploitation access to corporate networks. RANSOM RANSOM
8.3.25 Hunters International ransomware claims attack on Tata Technologies The Hunters International ransomware gang has claimed responsibility for a January cyberattack on Tata Technologies, stating they stole 1.4TB of data from the company. RANSOM RANSOM
8.3.25 Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows. RANSOM RANSOM
7.3.25 Medusa ransomware activity on the rise Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024. ALERTS ALERTS

7.3.25 EncryptHub Deploys Ransomware and Stealer via Trojanized Apps, PPI Services, and Phishing The financially motivated threat actor known as EncryptHub has been observed orchestrating sophisticated phishing campaigns to deploy information stealers RANSOM RANSOM
7.3.25 Medusa Ransomware Hits 40+ Victims in 2025, Demands $100K–$15M Ransom The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated attacks RANSOM RANSOM
5.3.25 Researchers Link CACTUS Ransomware Tactics to Former Black Basta Affiliates Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining RANSOM RANSOM
5.3.25 Danger & Loches - recent Globeimposter ransomware variants seen in the wild Danger and Loches are the two most recently identified variants of the Globeimposter ransomware family. The malware encrypts user data and appends the .danger or .loches extension, respectively, to the locked files. ALERTS ALERTS

1.3.25 Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows. RANSOM RANSOM
1.3.25 Qilin ransomware claims attack at Lee Enterprises, leaks stolen data The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company. RANSOM RANSOM
1.3.25 Southern Water says Black Basta ransomware attack cost £4.5M in expenses United Kingdom water supplier Southern Water has disclosed that it incurred costs of £4.5 million ($5.7M) due to a cyberattack it suffered in February 2024. RANSOM RANSOM
1.3.25 This month in security with Tony Anscombe – February 2025 edition Ransomware payments trending down, the cyber-resilience gap facing SMBs, and APT groups embracing generative AI – it's a wrap on another month filled with impactful security news Ransom blog Ransom blog
1.3.25 LCRYX Ransomware LCRYX is a VBScript-based ransomware discovered in the wild last year. The malware encrypts user data, appends ‘.lcryx’ to the locked files and demands ransom payment in the Bitcoin cryptocurrency. ALERTS ALERTS
26.2.25 Leaked Black Basta Ransomware Chat Logs Reveal Inner Workings and Internal Conflicts More than a year's worth of internal chat logs from a ransomware gang known as Black Basta have been published online in a leak that provides unprecedented RANSOM RANSOM
22.2.25 China-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware A previously unknown threat activity cluster targeted European organizations, particularly those in the healthcare sector, to deploy PlugX and its successor, RANSOM RANSOM
22.2.25 Phorpiex - Downloader Delivering Ransomware In this Threat Analysis report, Cybereason investigates the Phorpiex botnet that delivers LockBit Black Ransomware (aka LockBit 3.0). Ransom blog Ransom blog

22.2.25 State-aligned actors are increasingly deploying ransomware – and that’s bad news for everyone The blurring of lines between cybercrime and state-sponsored attacks underscores the increasingly fluid and multifaceted nature of today’s cyberthreats Ransom blog Ransom blog

16.1.25 Inside a 90-Minute Attack: Breaking Ground with All-New AI Defeating Black Basta Tactics Have you ever had your lunch interrupted by a sudden barrage of security alerts? That’s exactly what happened to one of our clients when a frantic call from their Security Operations Center revealed a flood of suspicious emails. The culprit? A brand-new cyberattack mimicking the notorious Black Basta group’s latest technique—and it hit with lightning speed. RANSOM RANSOM

11.1.25 FunkSec – Alleged Top Ransomware Group Powered by AI The FunkSec ransomware group emerged in late 2024 and published over 85 victims in December, surpassing every other ransomware group that month. Ransom blog Ransom blog

3.1.25 French govt contractor Atos denies Space Bears ransomware attack claims French tech giant Atos, which secures communications for the country's military and secret services, has denied claims made by the Space Bears ransomware gang that they compromised one of its databases. RANSOM RANSOM

3.1.25 Ransomware gang leaks data stolen in Rhode Island's RIBridges Breach The Brain Cipher ransomware gang has begun to leak documents stolen in an attack on Rhode Island's "RIBridges" social services platform. RANSOM RANSOM