Ransomware Blog 2025-2026

| Date | Title | Summary | Category | Source |
|---|---|---|---|---|
| 20.12.25 | I am not a robot: ClickFix used to deploy StealC and Qilin | The fake human verification process led to infostealer and ransomware infections | Ransom blog | SOPHOS |
| 20.12.25 | From Linear to Complex: An Upgrade in RansomHouse Encryption | RansomHouse is a ransomware-as-a-service (RaaS) operation run by a group that we track as Jolly Scorpius. Recent samples of the associated binaries used in RansomHouse operations reveal a significant upgrade in encryption. This article explores the upgrade of RansomHouse encryption and the potential impact for defenders. | Ransom blog | Palo Alto |
| 13.12.25 | GOLD SALEM tradecraft for deploying Warlock ransomware | Analysis of the tradecraft evolution across 6 months and 11 incidents | Ransom blog | SOPHOS |
| 13.12.25 | Inside Shanya, a packer-as-a-service fueling modern attacks | The ransomware scene gains another would-be EDR killer | Ransom blog | SOPHOS |
| 13.12.25 | | In November 2025, global cyber activity continued its upward trend, with organizations experiencing an average ... | Ransom blog | CHECKPOINT |
| 13.12.25 | 01flip: Multi-Platform Ransomware Written in Rust | In June 2025, we observed a new ransomware family named 01flip targeting a limited set of victims in the Asia-Pacific region. 01flip ransomware is fully written in the Rust programming language and supports multi-platform architectures by leveraging the cross-compilation feature of Rust. | Ransom blog | |
| 13.12.25 | New BYOVD loader behind DeadLock ransomware attack | Cisco Talos has uncovered a new DeadLock ransomware campaign using a previously unknown BYOVD loader to exploit a Baidu Antivirus driver vulnerability, letting threat actors disable EDR defenses and escalate attacks. | Ransom blog | CISCO TALOS |
| 6.12.25 | Ransomware and Supply Chain Attacks Neared Records in November | Ransomware and supply chain attacks hit their second-highest levels ever in November, and the attack types are overlapping in concerning ways. | Ransom blog | |
| 6.12.25 | | EXECUTIVE SUMMARY November 2025 witnessed a dynamic reshaping of the ransomware landscape, characterized by shifts in group activity and the evolution of attack | Ransom blog | |
| 22.11.25 | Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses | In this blog entry, Trend™ Research explores how ransomware actors are shifting their focus to cloud-based assets, including the tactics used to compromise business-critical data in AWS environments. | Ransom blog | Trend Micro |
| 22.11.25 | Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to 42 Days of Compromise | Unit 42 recently assisted a global data storage and infrastructure company that experienced a destructive ransomware attack. This attack was orchestrated by Howling Scorpius, the distributors of Akira ransomware. What began with a single click on what appeared to be a routine website CAPTCHA evolved into a 42-day (yes, we see the irony, too!) compromise that exposed critical gaps. | Ransom blog | Palo Alto |
| 22.11.25 | License to Encrypt: “The Gentlemen” Make Their Move | Cybereason Threat Intelligence Team recently conducted an analysis of "The Gentlemen" ransomware group, which emerged around July 2025 as a ransomware threat actor group with relatively advanced methodologies. | Ransom blog | Cybereason |
| 15.11.25 | | Global Overview In October 2025, the global volume of cyber attacks continued its upward trajectory. ... | Ransom blog | CHECKPOINT |
| 15.11.25 | The State of Ransomware – Q3 2025 | Record fragmentation and decentralization: The number of active extortion groups in Q3 2025 rose to a record of 85 groups, the highest number observed to date. The top 10 groups accounted only for 56% of all published victims, down from 71% in Q1. | Ransom blog | CHECKPOINT |
| 15.11.25 | Unleashing the Kraken ransomware group | In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel. | Ransom blog | CISCO TALOS |
| 8.11.25 | TRACKING RANSOMWARE : OCTOBER 2025 | EXECUTIVE SUMMARY In October 2025, ransomware activity surged globally, marking a significant resurgence after a period of mid-year stability. Victim counts climbed to 738, | Ransom blog | Cyfirma |
| 1.11.25 | When Money Moves, Hackers Follow: Europe’s Financial Sector Under Siege | Europe’s BFSI sector faces growing deepfake and ransomware threats. CISOs focus on intelligence, resilience, and rapid response to stay ahead. | Ransom blog | Cyble |
| 1.11.25 | Uncovering Qilin attack methods exposed through multiple cases | Cisco Talos investigated the Qilin ransomware group, uncovering its frequent attacks on the manufacturing sector, use of legitimate tools for credential theft and data exfiltration, and sophisticated methods for lateral movement, evasion, and persistence. | Ransom blog | CISCO TALOS |
| 25.10.25 | Ransomware Reality: Business Confidence Is High, Preparedness Is Low | The CrowdStrike State of Ransomware Survey finds a substantial gap between perceived ransomware readiness and actual preparedness, with 76% of respondents struggling to match the speed of AI-powered attacks. | Ransom blog | CROWDSTRIKE |
| 25.10.25 | Warlock Ransomware: Old Actor, New Tricks? | The China-based actor behind the Warlock ransomware may not be a new player and has links to malicious activity dating as far back as 2019. | Ransom blog | SECURITY.COM |
| 25.10.25 | LockBit Returns — and It Already Has Victims | Key Takeaways LockBit is back. After being disrupted in early 2024, the ransomware group has ... | Ransom blog | CHECKPOINT |
| 25.10.25 | Newcomers Fuel Ransomware Explosion in 2025 as Old Groups Fade | Ransomware attacks surged 50% in 2025, with groups like Qilin and newcomers exploiting vulnerabilities, targeting the U.S., South Korea, and other global regions. | Ransom blog | Cyble |
| 25.10.25 | Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques | Trend™ Research identified a sophisticated Agenda ransomware attack that deployed a Linux variant on Windows systems. This cross-platform execution can make detection challenging for enterprises. | Ransom blog | Trend Micro |
| 25.10.25 | LockBit 5.0: Understanding the Latest Developments in Ransomware Threats | LockBit ransomware is one of the most active and notorious ransomware-as-a-service (RaaS) operations, first appearing in 2019 and having evolved through versions that we have analyzed and written about here and here. Last year, it was reported that law enforcement seized LockBit’s infrastructure and arrested affiliates, but several copycats and spinoffs still surfaced. | Ransom blog | SonicWall |
| 25.10.25 | Ransomware attacks and how victims respond | This edition highlights the detailed studies that have been recently published on how ransomware attacks affect victims, from PTSD to burnout, and discusses ways to help deal with the fallout of victimization. | Ransom blog | CISCO TALOS |
| 25.10.25 | Cybersecurity Awareness Month 2025: Building resilience against ransomware | Ransomware rages on and no organization is too small to be targeted by cyber-extortionists. How can your business protect itself against the threat? | Ransom blog | Eset |
| 18.10.25 | Europe and UK Face Relentless Ransomware Onslaught in Q3 2025, Qilin Leads the Charge | Europe recorded 288 ransomware attacks in Q3 2025, with Qilin maintaining dominance at 65 victims and SafePay rapidly ascending to second place. | Ransom blog | Cyble |
| 18.10.25 | Anatomy of an Attack: The "BlackSuit Blitz" at a Global Equipment | Unit 42 recently assisted a prominent manufacturer who experienced a severe ransomware attack orchestrated by Ignoble Scorpius, the group that distributes BlackSuit ransomware. | Ransom blog | Palo Alto |
| 11.10.25 | The Evolution of Chaos Ransomware: Faster, Smarter, and More Dangerous | FortiGuard Labs details Chaos-C++, a ransomware variant using destructive encryption and clipboard hijacking to amplify damage and theft. | Ransom blog | FORTINET |
| 11.10.25 | TRACKING RANSOMWARE : SEPTEMBER 2025 | EXECUTIVE SUMMARY In September 2025, ransomware activity remained elevated, with 504 global victims, heavily impacting consumer services, professional services, and manufacturing | Ransom blog | Cyfirma |
| 11.10.25 | The Golden Scale: Bling Libra and the Evolving Extortion Economy | In recent months, threat actors claiming to be part of a new conglomerate dubbed Scattered Lapsus$ Hunters (aka SP1D3R HUNTERS, SLSH) have asserted responsibility for laying siege to customer Salesforce tenants as part of a coordinated effort to steal data and hold it for ransom. | Ransom blog | Palo Alto |
| 11.10.25 | Velociraptor leveraged in ransomware attacks | Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool. | Ransom blog | CISCO TALOS |
| 4.10.25 | YUREI RANSOMWARE : THE DIGITAL GHOST | EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and | Ransom blog | Cyfirma |
| 4.10.25 | HybridPetya Ransomware Shows Why Firmware Security Can't Be an Afterthought | Like many in our field, I thought we’d seen the last of Petya-style attacks after the chaos of 2017. As it turns out, that was wishful thinking. | Ransom blog | Eclypsium |
| 27.9.25 | GOLD SALEM’s Warlock operation joins busy ransomware landscape | The emerging group demonstrates competent tradecraft using a familiar ransomware playbook and hints of ingenuity | Ransom blog | SOPHOS |
| 27.9.25 | Australia Ransomware Landscape 2025: Rich Targets Attract Ransomware Groups | Australia’s high per-capita GDP has led to an outsized number of ransomware attacks. Here are the numbers – and 10 major attacks that hit the ANZ region. | Ransom blog | Cyble |
| 27.9.25 | New LockBit 5.0 Targets Windows, Linux, ESXi | Trend™ Research analyzed source binaries from the latest activity from notorious LockBit ransomware with their 5.0 version that exhibits advanced obfuscation, anti-analysis techniques, and seamless cross-platform capabilities for Windows, Linux, and ESXi systems. | Ransom blog | Trend Micro |
| 20.9.25 | Ransomware Landscape August 2025: Qilin Dominates as Sinobi Emerges | Qilin led in ransomware attacks in all global regions in August, but the rapid rise of Sinobi and The Gentlemen also merits attention by security teams. | Ransom blog | Cyble |
| 20.9.25 | Small businesses, big targets: Protecting your business against ransomware | Long known to be a sweet spot for cybercriminals, small businesses are more likely to be victimized by ransomware than large enterprises | Ransom blog | Eset |
| 13.9.25 | TRACKING RANSOMWARE : August 2025 | EXECUTIVE SUMMARY In Aug 2025, ransomware activity remained elevated with 522 global victims, a slight decline from July but still far above 2023–2024 levels. Professional services, consumer services, and manufacturing… | Ransom blog | Cyfirma |
| 13.9.25 | Yurei & The Ghost of Open Source Ransomware | First observed on September 5, Yurei is a newly emerged ransomware group that targeted a Sri Lankan food manufacturing company as its first leaked victim. The group follows a double-extortion model: they encrypt the victim’s files and exfiltrate sensitive data, and then demand a ransom payment to decrypt and refrain from publishing the stolen information. | Ransom blog | Checkpoint |
| 13.9.25 | Stopping ransomware before it starts: Lessons from Cisco Talos Incident Response | Explore lessons learned from over two years of Talos IR pre-ransomware engagements, highlighting the key security measures, indicators and recommendations that have proven effective in stopping ransomware attacks before they begin. | Ransom blog | CISCO TALOS |
| 30.8.25 | A Tale of Two Ransomware-as-a-Service Threat Groups | Learn about INC and Lynx, two highly successful RaaS groups that share similar tactics and procedures, including a potential connection through shared code. | Ransom blog | TRUSTWAVE |
| 30.8.25 | Australia and New Zealand Threat Landscape in H1 2025 is Worrying, but has a Silver-Lining | The ransomware threats “Down Under” doubled in the first six months of the year as compared to the last year. | Ransom blog | Cyble |
| 23.8.25 | Ransomware Landscape July 2025: Qilin Stays on Top as New Threats Emerge | Qilin was the top ransomware group for the third time in four months – but INC and other rivals aren’t standing still. | Ransom blog | Cyble |
| 23.8.25 | Who are the Top Ransomware Threat Actors of H1 2025 | Ransomware surged in H1 2025. Meet CL0P, Akira, and Qilin — the top threat actors behind over 1,000 global attacks reshaping the cybercrime landscape. | Ransom blog | Cyble |
| 23.8.25 | New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises | We uncovered a campaign that makes use of Charon, a new ransomware family, and advanced APT-style techniques to target organizations with customized ransom demands. | Ransom blog | Trend Micro |
| 23.8.25 | Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware | Warlock ransomware exploits unpatched Microsoft SharePoint vulnerabilities to gain access, escalate privileges, steal credentials, move laterally, and deploy ransomware with data exfiltration across enterprise environments. | Ransom blog | Trend Micro |
| 23.8.25 | Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks | Crypto24 is a ransomware group that stealthily blends legitimate tools with custom malware, using advanced evasion techniques to bypass security and EDR technologies. | Ransom blog | Trend Micro |
| 23.8.25 | Ransomware incidents in Japan during the first half of 2025 | Ransomware attackers continue to primarily target small and medium-sized manufacturing businesses in Japan. | Ransom blog | CISCO TALOS |
| 23.8.25 | Dark Web Roast - July 2025 Edition | From ransomware gangs having public meltdowns over affiliate drama to AI-powered malware that needs to phone home for basic instructions, this month's underground activities showcased the perfect blend of criminal ambition and spectacular incompetence that keeps cybersecurity professionals both entertained and employed. | Ransom blog | Trellix |
| 17.8.25 | | From critical infrastructure to classrooms, no sector is being spared. In July 2025, cyber attacks ... | Ransom blog | Checkpoint |
| 17.8.25 | TRACKING RANSOMWARE : JULY 2025 | EXECUTIVE SUMMARY In July 2025, ransomware activity remained high, with major impacts on consumer services, professional services, and manufacturing. Qilin led in volume, | Ransom blog | Cyfirma |
| 16.8.25 | The State of Ransomware – Q2 2025 | Several prominent RaaS groups, including RansomHub, Babuk-Bjorka, FunkSec, BianLian, 8Base, Cactus, Hunters International, and LockBit, stopped publishing new victims. Though the reasons for their disappearances vary, the net effect is a fragmented ransomware ecosystem no longer dominated by one or two major players. | Ransom blog | Checkpoint |
| 16.8.25 | Before ToolShell: Exploring Storm-2603’s Previous Ransomware Operations | Check Point Research (CPR) conducted a focused analysis of Storm-2603, a threat actor associated with recent ToolShell exploitations, together with other Chinese APT groups. | Ransom blog | Checkpoint |
| 16.8.25 | ESET Threat Report H1 2025: ClickFix, infostealer disruptions, and ransomware deathmatch | | Ransom blog | Eset |
| 16.8.25 | BlackSuit: A Hybrid Approach with Data Exfiltration and Encryption | In this Threat Analysis Report, Cybereason investigates a recently observed BlackSuit ransomware attack and the tools and techniques the threat actors used. | Ransom blog | Cybereason |
| 16.8.25 | Gang Wars: Breaking Trust Among Cyber Criminals | Over the past few years, the Ransomware-as-a-Service (RaaS) model rose to dominance, structured like criminal empires, complete with brands, affiliate programs, and professional operations. What once looked like organized crime now more closely resembles a paranoid, fractured ecosystem where loyalty is temporary and betrayal is expected. Today, we’re watching the RaaS model unravel. | Ransom blog | Trellix |
| 26.7.25 | Unmasking the new Chaos RaaS group attacks | Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks. | Ransom blog | CISCO TALOS |
| 19.7.25 | NailaoLocker Ransomware’s “Cheese” | FortiGuard Labs analyzes NailaoLocker ransomware, a unique variant using SM2 encryption and a built-in decryption function. Learn how it works, why it matters, and how Fortinet protects against it. | Ransom blog | FORTINET |
| 19.7.25 | How FortiSandbox 5.0 Detects Dark 101 Ransomware Despite Evasion Techniques | Discover how FortiSandbox 5.0 detects Dark 101 ransomware, even with sandbox evasion tactics. Learn how advanced behavioral analysis blocks file encryption, system tampering, and ransom note deployment. | Ransom blog | FORTINET |
| 19.7.25 | Ransomware Delivered Through GitHub: A PowerShell-Powered Attack | Recently, the SonicWall Capture Labs threat research team identified a PowerShell-based ransomware variant that is abusing GitHub for its distribution. The malware authors are misusing raw.githubusercontent[.]com, a GitHub domain used to host raw content of unprocessed file versions. | Ransom blog | SonicWall |
| 19.7.25 | Talos IR ransomware engagements and the significance of timeliness in incident response | The decision between immediate action and delayed response made the difference between ransomware prevention and complete encryption in these two real-world Talos IR engagements. | Ransom blog | CISCO TALOS |
| 16.7.25 | GLOBAL GROUP: Emerging Ransomware-as-a-Service, Supporting AI Driven Negotiation and Mobile Control Panel for Their Affiliates | On June 2, 2025, EclecticIQ analysts observed the emergence of GLOBAL GROUP, a new Ransomware-as-a-Service (RaaS) brand promoted on the Ramp4u forum by the threat actor known as “$$$”. | Ransom blog | EclecticIQ |
| 12.7.25 | TRACKING RANSOMWARE : JUNE 2025 | EXECUTIVE SUMMARY In June 2025, ransomware attacks targeted critical industries such as professional services, healthcare, and information technology, exploiting their | Ransom blog | Cyfirma |
| 11.7.25 | BERT Ransomware Group Targets Asia and Europe on Multiple Platforms | BERT is a newly emerged ransomware group that pairs simple code with effective execution—carrying out attacks across Europe and Asia. In this entry, we examine the group’s tactics, how their variants have evolved, and the tools they use to get past defenses and speed up encryption across platforms. | Ransom blog | Trend Micro |
| 5.7.25 | Top Ransomware Groups June 2025: Qilin Reclaims Top Spot | A look at the top ransomware groups, incidents and developments in June 2025. | Ransom blog | Cyble |
| 5.7.25 | Pay2Key: First Ransomware Utilizing I2P Network Instead of Tor | Pay2Key first emerged in late 2020 and primarily targeted Israeli businesses. It gained attention for its alleged links to Iranian threat actors. Today’s sample, however, is an obvious pivot to a ransomware-as-a-service model, welcoming even the most novice users. What sets it apart is its use of I2P, an anonymous network similar to Tor. | Ransom blog | SonicWall |
| 26.6.25 | Dire Wolf Strikes: New Ransomware Group Targeting Global Sectors | Dire Wolf is a newly emerged ransomware group first observed in May 2025 and Trustwave SpiderLabs recently uncovered a Dire Wolf ransomware sample that revealed for the first time key details about how the ransomware operates. | Ransom blog | SPIDERLABS BLOG |
| 21.6.25 | Medusa RaaS Group Continues Company Focused Triple Extortion Attacks | The SonicWall Capture Labs threat research team continues to track the developments of Medusa ransomware. Medusa is a Russian-speaking Ransomware-as-a-Service (RaaS) operation that has been active since mid-2021. | Ransom blog | SonicWall |
| 21.6.25 | Ransomware Gangs Collapse as Qilin Seizes Control | In this Threat Alert, Cybereason explores the rise of Qilin amidst a turbulent realignment of the ransomware landscape. | Ransom blog | Cybereason |
| 14.6.25 | TRACKING RANSOMWARE : MAY 2025 | EXECUTIVE SUMMARY In May 2025, ransomware attacks targeted critical industries such as Professional Goods & Services, Consumer Goods, and Manufacturing, with a total of | Ransom blog | Cyfirma |
| 14.6.25 | Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper | Anubis is an emerging ransomware-as-a-service (RaaS) group that adds a destructive edge to the typical double-extortion model with its file-wiping feature. We explore its origins and examine the tactics behind its dual-threat approach. | Ransom blog | Trend Micro |
| 14.6.25 | Inside LockBit's Admin Panel Leak | The LockBit admin panel was hacked by an anonymous actor who replaced their Tor website with the text ‘Don’t do crime CRIME IS BAD xoxo from Prague’ and shared a SQL dump of their admin panel database in an archived file ‘paneldb_dump.zip’. | Ransom blog | Trellix |
| 13.6.25 | Fog Ransomware: Unusual Toolset Used in Recent Attack | Legitimate employee monitoring software and various pentesting tools deployed. | Ransom blog | SYMANTEC BLOG |
| 13.6.25 | Gone But Not Forgotten: Black Basta’s Enduring Legacy | The ransomware operator “Black Basta” has experienced a sharp decline following the public leak of its internal chat logs, but its legacy lives on. | Ransom blog | RELIAQUEST |
| 7.6.25 | Ransomware Landscape May 2025: SafePay, DevMan Emerge as Major Threats | Top Ransomware Groups of May 2025: SafePay and DevMan Rise | Ransom blog | Cyble |
| 1.6.25 | FBI Warns Silent Ransom Group Targeting U.S. Law Firms Using Social Engineering and Callback Phishing | The U.S. Federal Bureau of Investigation (FBI) has issued a fresh alert warning law firms and cybersecurity professionals about ongoing cyber threat activity linked to the Silent Ransom Group (SRG)—also known as Luna Moth, Chatty Spider, or UNC3753. | Ransom blog | Cyble |
| 1.6.25 | Lyrix Ransomware | EXECUTIVE SUMMARY CYFIRMA’s research team discovered Lyrix Ransomware while monitoring underground forums as part of our Threat Discovery Process. Developed in Python and | Ransom blog | Cyfirma |
| 1.6.25 | NightSpire Ransomware Encrypts Cloud-Stored OneDrive Files | This week, the SonicWall Capture Labs threat research team analyzed a ransomware variant known as NightSpire. While its behavior is typical of most ransomware—encrypting user files and providing recovery instructions via a text file—what makes NightSpire especially concerning is its rapid growth. | Ransom blog | SonicWall |
| 25.5.25 | | Not content with attacking retailers, this aggressive group is fighting a turf war with other ransomware operators | Ransom blog | Sophos |
| 24.5.25 | Ransomware Roundup – VanHelsing | The VanHelsing ransomware was first identified in March 2025 and uses Tor sites for ransom negotiations and data leaks. | Ransom blog | FORTINET |
| 24.5.25 | Xoxo to Prague | In this week’s newsletter, Thor inspects the LockBit leak, finding $10,000 “security tips,” ransom negotiations gone wrong and a rare glimpse into the human side of cybercrime. | Ransom blog | CISCO TALOS |
| 17.5.25 | LCRYX Ransomware Utilizes Weak Encryption, Demands $500 Bitcoin Payment | The SonicWall Capture Labs threat research team has recently been tracking LCRYX ransomware. LCRYX is a VBScript-based ransomware strain that first emerged in November 2024 and reappeared in February 2025 with enhanced capabilities. It specifically targets Windows systems, employing a combination of Caesar cipher and XOR encryption to lock files before demanding a $500 ransom in Bitcoin for decryption. While it made its resurgence in February, it is still being seen in the wild today. | Ransom blog | SonicWall |
| 10.5.25 | Ransomware Attacks April 2025: Qilin Emerges from Chaos | Global ransomware attacks in April 2025 declined to 450 from 564 in March – the lowest level since November... | Ransom blog | Cyble |
| 10.5.25 | Tracking Ransomware : April 2025 | EXECUTIVE SUMMARY April 2025 witnessed a decline in ransomware incidents, with 470 reported victims worldwide. Qilin remained the dominant group, while newer actors like | Ransom blog | Cyfirma |
| 10.5.25 | Gunra Ransomware – A Brief Analysis | Executive Summary At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and | Ransom blog | Cyfirma |
| 10.5.25 | Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal | During our monitoring of Agenda ransomware activities, we uncovered campaigns that made use of the SmokeLoader malware and a new loader we've named NETXLOADER. | Ransom blog | Trend Micro |
| 25.4.25 | FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE | This blog details our investigation of malware samples that conceal within them a FOG ransomware payload. | Ransom blog | Trend Micro |
| 25.4.25 | Extortion and Ransomware Trends January-March 2025 | Unit 42 regularly monitors the cyberthreat landscape, including trends in extortion and ransomware. Ransomware actors continue to evolve to increase the effectiveness of their attacks and the likelihood that organizations will pay what is demanded. In our 2025 Unit 42 Global Incident Response Report, we found that 86% of incidents involved business disruption, spanning operational downtime, reputational damage or both. | Ransom blog | Palo Alto |
| 19.4.25 | Hacktivists Target Critical Infrastructure, Move Into Ransomware | Hacktivists are increasingly adopting more sophisticated - and destructive - attack types. | Ransom blog | Cyble |
| 19.4.25 | DOGE "Big Balls" Ransomware and the False Connection to Edward Coristine | Cyble investigates the DOGE BIG BALLS Ransomware, analyzing its operation and the false ties made to... | Ransom blog | Cyble |
| 19.4.25 | CrazyHunter Campaign Targets Taiwanese Critical Sectors | This blog entry details research on emerging ransomware group CrazyHunter, which has launched a sophisticated campaign aimed at Taiwan's essential services. | Ransom blog | Trend Micro |
| 19.4.25 | Nova RaaS: The Ransomware That ‘Spares’ Schools and Nonprofits—For Now | A new ransomware group calling themselves Nova RaaS, or ransomware-as-a-service, has been active for the past month distributing RaLord ransomware. On their blog, they claim to have no affiliations with other cybercriminal groups—and, in a surprising twist, say they’ve pledged not to target schools or nonprofit organizations. | Ransom blog | SonicWall |
| 19.4.25 | Year in Review: The biggest trends in ransomware | This week, our Year in Review spotlight is on ransomware—where low-profile tactics led to high-impact consequences. Download our 2 page ransomware summary, or watch our 55 second video. | Ransom blog | Palo Alto |
| 12.4.25 | Ransomware Attack Levels Remain High as Major Change Looms | March saw a potential leadership shift in ransomware attacks, sustained high attack volumes, and the rise of new threat groups. | Ransom blog | Cyble |
| 12.4.25 | TRACKING RANSOMWARE – MARCH 2025 | In March 2025, ransomware attacks targeted critical industries such as Manufacturing, IT, and Healthcare. Notable groups like Black Basta and Moonstone Sleet evolved new strategies, such as automating brute-force VPN attacks and deploying ransomware-as-a-service models. | Ransom blog | Cyfirma |
| 5.4.25 | Hexamethy Ransomware Displays Scary Lock Screen During File Encryption | The Sonicwall Capture Labs threat research team has recently observed new ransomware named HEXAMETHYLCYCLOTRISILOXANE, or Hexamethy in short. This malware produces a scary cinematic display during the encryption process and flashes text stating, “No more files for you,” and “Your files are in hostage by the HEXAMETHYLCYCLOTRISILOXANE Ransomware." | Ransom blog | SonicWall |
| 29.3.25 | VanHelsing, new RaaS in Town | In recent weeks, a new and rapidly expanding ransomware-as-a-service (RaaS) program called VanHelsingRaaS has been making waves in the cybercrime world. Launched on March 7, 2025, this service has already demonstrated its rapid growth and deadly potential, having infected three victims within just two weeks of its introduction. | Ransom blog | Checkpoint |
| 29.3.25 | RansomHub affiliates linked to rival RaaS gangs | ESET researchers also examine the growing threat posed by tools that ransomware affiliates deploy in an attempt to disrupt EDR security solutions | Ransom blog | Eset |
| 29.3.25 | Shifting the sands of RansomHub’s EDRKillShifter | | Ransom blog | |
| 29.3.25 | The Curious Case of PlayBoy Locker | Cybereason issues Threat Analysis reports to investigate emerging threats and provide practical recommendations for protecting against them. | Ransom blog | Cybereason |
| 22.3.25 | Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations | Trend Research encounters new versions of the Albabat ransomware, which appears to target Windows, Linux, and macOS devices. We also reveal the group’s use of GitHub to streamline their ransomware operation. | Ransom blog | Trend Micro |
| 22.3.25 | WormLocker Ransomware Resurfaces: Infection Cycle, Encryption Tactics, and Prevention | WormLocker was first spotted in late 2020. Since its discovery, it has been observed spreading through phishing emails and exploiting vulnerabilities. The SonicWall Capture Labs threat research team has received what appears to be a more recent sample of this ransomware. Given the dynamic nature of ransomware threats, this might signify its potential resurgence. | Ransom blog | SonicWall |
| 22.3.25 | Analysis of Black Basta Ransomware Chat Leaks | Trellix obtained access to Black Basta's chat leaks at the end of February 2025 and immediately began analyzing the chat logs. Given that Black Basta is a rebrand of Conti RaaS, our approach mirrored that which we took in Conti Leaks: Examining the Panama Papers of Ransomware. | Ransom blog | Trellix |
| 15.3.25 | SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware | Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks. | Ransom blog | Trend Micro |
| 1.3.25 | This month in security with Tony Anscombe – February 2025 edition | Ransomware payments trending down, the cyber-resilience gap facing SMBs, and APT groups embracing generative AI – it's a wrap on another month filled with impactful security news | Ransom blog | |
| 22.2.25 | | In this Threat Analysis report, Cybereason investigates the Phorpiex botnet that delivers LockBit Black Ransomware (aka LockBit 3.0). | Ransom blog | Cybereason |
| 22.2.25 | State-aligned actors are increasingly deploying ransomware – and that’s bad news for everyone | | Ransom blog | |
| 11.1.25 | FunkSec – Alleged Top Ransomware Group Powered by AI | The FunkSec ransomware group emerged in late 2024 and published over 85 victims in December, surpassing every other ransomware group that month. | Ransom blog | |
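
The LCRYX entry above (SonicWall) notes that the strain locks files with a combination of a Caesar cipher and XOR. As an added example that is not from that write-up or any SonicWall code, the Python below models such a scheme (a per-byte shift followed by a repeating-key XOR, with an assumed 4-byte key) and shows why it is weak: a fixed file header such as the 16-byte PNG prefix is enough known plaintext to recover the key and write a decryptor without paying. The shift, key length, key bytes and sample file are constructed for the demonstration; LCRYX's real parameters and file layout are not on the page and are not assumed here.

```python
# Added example (not from the LCRYX write-up or SonicWall): a toy "Caesar shift then
# repeating-key XOR" file cipher and a known-plaintext key recovery against it.
# Shift, key length, key bytes and the sample file are constructed for illustration.

def toy_encrypt(data: bytes, shift: int, xor_key: bytes) -> bytes:
    """Each byte: add `shift` mod 256 (Caesar), then XOR with the repeating key."""
    return bytes(((b + shift) & 0xFF) ^ xor_key[i % len(xor_key)]
                 for i, b in enumerate(data))


def toy_decrypt(data: bytes, shift: int, xor_key: bytes) -> bytes:
    """Inverse of toy_encrypt: undo the XOR, then subtract the shift mod 256."""
    return bytes(((c ^ xor_key[i % len(xor_key)]) - shift) & 0xFF
                 for i, c in enumerate(data))


def recover_candidates(ciphertext: bytes, known_plaintext: bytes, key_len: int):
    """Known-plaintext attack. For each of the 256 possible shifts, derive the XOR key
    from the first key_len bytes, then keep only (shift, key) pairs that also decrypt
    the rest of the known prefix. The prefix must be longer than the key for the
    extra bytes to filter out wrong shifts."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    found = []
    for shift in range(256):
        key = bytes(ciphertext[i] ^ ((known_plaintext[i] + shift) & 0xFF)
                    for i in range(key_len))
        if toy_decrypt(ciphertext[:len(known_plaintext)], shift, key) == known_plaintext:
            found.append((shift, key))
    return found


def recover_plaintexts(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> set:
    """Decrypt the whole file with every surviving candidate and return the distinct
    results. (shift, key) and (shift + 128, key with bit 7 flipped) are the same
    byte permutation, so candidates arrive in equivalent pairs that decrypt alike."""
    return {toy_decrypt(ciphertext, s, k)
            for s, k in recover_candidates(ciphertext, known_plaintext, key_len)}


# Constructed sample: every valid PNG starts with these 16 bytes (signature, then the
# IHDR chunk length and type), which is known plaintext a defender gets for free.
PNG_PREFIX = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
SAMPLE_FILE = PNG_PREFIX + bytes(range(13)) + b"constructed image body bytes"

# Attacker-side parameters, assumed for the demo and unknown to the defender.
SHIFT = 37
XOR_KEY = b"\x5a\xc3\x19\x7e"
ENCRYPTED = toy_encrypt(SAMPLE_FILE, SHIFT, XOR_KEY)

if __name__ == "__main__":
    cands = recover_candidates(ENCRYPTED, PNG_PREFIX, len(XOR_KEY))
    print("candidates consistent with the PNG header:", cands)
    for pt in recover_plaintexts(ENCRYPTED, PNG_PREFIX, len(XOR_KEY)):
        print("recovered original file:", pt == SAMPLE_FILE)
```

The practitioner's takeaway is that a scheme with no per-file randomness and a key shorter than a common file header is broken by its own victims' data: one recovery against a PNG, PDF or ZIP header gives the key, and if the key is reused across files (as a fixed-key script would), the same pair decrypts every file on the host.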