Ransomware Blog 2024


DATE | NAME | Info | CATEG. | WEB

22.12.24 | Threat Assessment: Howling Scorpius (Akira Ransomware) | Emerging in early 2023, the Howling Scorpius ransomware group is the entity behind the Akira ransomware-as-a-service (RaaS), which has consistently ranked in recent months among the top five most active ransomware groups. Its double extortion strategy significantly amplifies the threat it poses. Unit 42 researchers have been monitoring the Howling Scorpius ransomware group over the past year. | Ransom blog | Palo Alto
22.12.24 | Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware | Unit 42 researchers have observed an increase in BlackSuit ransomware activity beginning in March 2024 that suggests a ramp-up of operations. This threat emerged as a rebrand of Royal ransomware, which occurred in May 2023. Unit 42 tracks the group behind this threat as Ignoble Scorpius. Since the rebrand, Unit 42 has observed at least 93 victims globally, a quarter of which were in the construction and manufacturing industries. | Ransom blog | Palo Alto
22.12.24 | Lynx Ransomware: A Rebranding of INC Ransomware | In July 2024, researchers from Palo Alto Networks discovered a successor to INC ransomware named Lynx. Since its emergence, the group behind this ransomware has actively targeted organizations in various sectors such as retail, real estate, architecture, and financial and environmental services in the U.S. and UK. | Ransom blog | Palo Alto
22.12.24 | Russian Ransomware Known As "Assignment" Leaves Victims Helpless | The SonicWall Capture Labs threat research team has been tracking a recently released Russian ransomware known as "Assignment". The malware is written in Go and contains a large amount of debugging information that was left in by the author. As expected, the malware encrypts files and demands payment for file retrieval. The cost of decryption is 0.222 bitcoin, roughly $21,500 at the time of writing this alert. However, there is no way to contact the operator to obtain a decryptor. | Ransom blog | SonicWall
22.12.24 | Inside Akira Ransomware's Rust Experiment | Check Point Research analyzed the construction and control flow of the Rust version of Akira ransomware that circulated in early 2024, which has specific features uniquely targeting ESXi servers. Our analysis demonstrates how Rust idioms, boilerplate code, and compiler strategies come together to account for the complicated assembly. | Ransom blog | Check Point
21.12.24 | THREAT ANALYSIS: Beast Ransomware | In this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform. | Ransom blog | Cybereason
21.12.24 | Phobos: Stealthy Ransomware That Operated Under the Radar - Until Now | On November 18th, the US Justice Department unsealed criminal charges against a Russian national for allegedly administering the sale, distribution, and operation of Phobos ransomware. Phobos is considered an evolution of Dharma ransomware (aka CrySIS). Code similarities and ransom notes suggest that the creators are either the same or closely connected. | Ransom blog | Trellix

2.11.24 | New Iranian-based Ransomware Group Charges $2000 for File Retrieval | The SonicWall Capture Labs threat research team has encountered a recently released ransomware from an Iranian team of hackers. The group has named themselves hackersadism. The group does not appear to be targeting large corporations at this time, as they only charge $2000 in BNB (Binance Coin cryptocurrency) for file restoration. The price for file retrieval is also negotiable. During our analysis, we were able to converse directly with the malware operator and negotiate payment. | Ransom blog | SonicWall


2.11.24 | Jumpy Pisces Engages in Play Ransomware | Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People's Army, as a key player in a recent ransomware incident. Our investigation indicates a likely shift in the group's tactics. We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group (Fiddling Scorpius). | Ransom blog | Palo Alto


2.11.24 | Embargo ransomware: Rock'n'Rust | Novice ransomware group Embargo is testing and deploying a new Rust-based toolkit. | Ransom blog | Eset
28.9.24 | 2024 SonicWall Threat Brief: Healthcare's Escalating Cybersecurity Challenge | SonicWall's 2024 Healthcare Threat Brief reveals at least 14 million U.S. patients affected by malware breaches, as outdated systems leave healthcare providers vulnerable to evolving ransomware threats, underscoring the need for MSPs/MSSPs. | Ransom blog | SonicWall
21.9.24 | How RansomHub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections | The group behind the RansomHub ransomware, tracked by Trend Micro as Water Bakunawa, employs various anti-EDR techniques to play a high-stakes game of hide and seek with security solutions. | Ransom blog | Trend Micro
14.9.24 | Key Group Russian Ransomware Gang Uses Extensive Multi-purpose Telegram Channel | The SonicWall Capture Labs threat research team has recently been tracking ransomware known as Key Group. Key Group is a Russian-based malware threat group that was formed in early 2023. | Ransom blog | SonicWall
14.9.24 | CosmicBeetle joins the ranks of RansomHub affiliates – Week in security with Tony Anscombe | ESET research also finds that CosmicBeetle attempts to exploit the notoriety of the LockBit ransomware gang to advance its own ends. | Ransom blog | Eset
14.9.24 | CosmicBeetle steps up: Probation period at RansomHub | CosmicBeetle, after improving its own ransomware, tries its luck as a RansomHub affiliate. | Ransom blog | Eset
31.8.24 | BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks | In recent investigations, Talos Incident Response has observed the BlackByte ransomware group using techniques that depart from their established tradecraft. | Ransom blog | Cisco Blog
24.8.24 | How Trend Micro Managed Detection and Response Pressed Pause on a Play Ransomware Attack | Using the Trend Micro Vision One platform, our MDR team was able to quickly identify and contain a Play ransomware intrusion attempt. | Ransom blog | Trend Micro
24.8.24 | How regulatory standards and cyber insurance inform each other | Should the payment of a ransomware demand be illegal? Should it be regulated in some way? These questions are some examples of the legal minefield that cybersecurity teams must deal with. | Ransom blog | Eset
10.8.24 | Ransomware Review: First Half of 2024 | Unit 42 monitors ransomware and extortion leak sites closely to keep tabs on threat activity. We reviewed compromise announcements from 53 dedicated leak sites in the first half of 2024 and found 1,762 new posts. This averages to approximately 294 posts a month and almost 68 posts a week. Of the 53 ransomware groups whose leak sites we monitored, six of the groups accounted for more than half of the compromises observed. | Ransom blog | Palo Alto

27.7.24 | Play Ransomware Group's New Linux Variant Targets ESXi, Shows Ties With Prolific Puma | Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments. | Ransom blog | Trend Micro
27.7.24 | Volcano Demon Group Targets Idealease Inc. Using LukaLocker Ransomware | The SonicWall Capture Labs threat research team has recently been tracking new ransomware known as LukaLocker. | Ransom blog | SonicWall
27.7.24 | From RA Group to RA World: Evolution of a Ransomware Group | The ransomware group RA Group, now known as RA World, has shown a noticeable uptick in activity since March 2024. About 37% of all posts on their dark web leak site have appeared since March, suggesting this is an emerging group to watch. This article describes the tactics, techniques and procedures (TTPs) used by RA World. | Ransom blog | Palo Alto


20.7.24 | Should ransomware payments be banned? – Week in security with Tony Anscombe | Blanket bans on ransomware payments are a much-debated topic in cybersecurity and policy circles. What are the implications of outlawing the payments, and would the ban be effective? | Ransom blog | Eset
13.7.24 | HardBit Ransomware version 4.0 | In this Threat Analysis report, Cybereason Security Services investigates HardBit Ransomware version 4.0, a new version observed in the wild. | Ransom blog | Cybereason

13.7.24 | Cactus Ransomware: New strain in the market | Cactus is another variant in the ransomware family. It exploits a VPN vulnerability (CVE-2023-38035) to enter an organization's internal network and deploys various payloads for persistence (Scheduled Task/Job), C2 connection via RMM tools (AnyDesk.exe), and encryption. | Ransom blog | Trellix
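The Cactus summary names two post-exploitation behaviours a defender can hunt for on Windows hosts: persistence through a scheduled task, and command-and-control through an RMM tool such as AnyDesk. The script below is an added example written for this page, not code from the Trellix post: it correlates the two over a handful of constructed Security-log events and flags hosts where a task creation is followed shortly by an RMM launch. Event IDs 4698 (scheduled task created) and 4688 (process created) are the standard Windows IDs; the one-hour window, the RMM watch-list and the sample events themselves are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): (ISO timestamp, host, Windows
# Security event ID, detail). 4698 = "A scheduled task was created",
# 4688 = "A new process has been created"; detail is the task definition or the
# process command line.
SAMPLE_EVENTS = [
    ("2024-07-01T09:58:02", "ws-17", 4688, r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("2024-07-01T10:02:11", "ws-17", 4698, r"TaskName=\Microsoft\Windows\UpdateCheck Action=C:\ProgramData\upd\run.bat"),
    ("2024-07-01T10:04:40", "ws-17", 4688, r"C:\ProgramData\upd\AnyDesk.exe --service"),
    ("2024-07-01T11:30:00", "ws-22", 4698, r"TaskName=\Backup\Nightly Action=C:\Program Files\Backup\bk.exe"),
    ("2024-07-02T15:12:09", "ws-22", 4688, r"C:\Program Files\AnyDesk\AnyDesk.exe"),
    ("2024-07-02T15:13:30", "ws-31", 4688, r"C:\Program Files\AnyDesk\AnyDesk.exe"),
]

# Assumed watch-list of RMM executables; the Cactus summary names only
# AnyDesk.exe, so extend this with whatever your estate does not sanction.
RMM_BINARIES = {"anydesk.exe"}

# Assumed correlation window: a task created shortly before an RMM launch on the
# same host is treated as one persistence-then-C2 sequence.
WINDOW = timedelta(hours=1)

# First path component ending in .exe, so paths with spaces ("Program Files")
# still yield the image name rather than a truncated token.
EXE_RE = re.compile(r"([^\\\s]+\.exe)", re.IGNORECASE)


def is_task_creation(event_id):
    return event_id == 4698


def is_rmm_launch(event_id, detail):
    """True for a process-creation event whose image name is on the RMM watch-list."""
    if event_id != 4688:
        return False
    m = EXE_RE.search(detail)
    return bool(m) and m.group(1).lower() in RMM_BINARIES


def correlate(events, window=WINDOW):
    """Return {host: [(task_time, rmm_time, task_detail, rmm_detail), ...]} for hosts
    where a scheduled-task creation is followed within `window` by an RMM launch."""
    by_host = defaultdict(list)
    for ts, host, eid, detail in sorted(events):
        by_host[host].append((datetime.fromisoformat(ts), eid, detail))
    hits = {}
    for host, evs in by_host.items():
        tasks = [e for e in evs if is_task_creation(e[1])]
        rmms = [e for e in evs if is_rmm_launch(e[1], e[2])]
        for t_time, _, t_detail in tasks:
            for r_time, _, r_detail in rmms:
                if timedelta(0) <= r_time - t_time <= window:
                    hits.setdefault(host, []).append((t_time, r_time, t_detail, r_detail))
    return hits


def rmm_only_hosts(events):
    """Hosts that launched an RMM tool with no task creation inside the window:
    a weaker signal, worth a lower-severity alert rather than silence."""
    hosts_with_rmm = {h for _, h, eid, d in events if is_rmm_launch(eid, d)}
    return sorted(hosts_with_rmm - set(correlate(events)))


if __name__ == "__main__":
    for host, seq in correlate(SAMPLE_EVENTS).items():
        for t_time, r_time, t_detail, r_detail in seq:
            print(f"[HIGH] {host}: task created {t_time:%H:%M:%S} -> RMM launched {r_time:%H:%M:%S}")
            print(f"       {t_detail}\n       {r_detail}")
    print("[LOW] RMM launch without recent task creation:", rmm_only_hosts(SAMPLE_EVENTS))
```

On the sample data only ws-17 produces the high-severity sequence; ws-22 ran AnyDesk a day after its (legitimate-looking) backup task and ws-31 ran it with no task at all, so both fall into the weaker bucket. In production the same two-stage shape works against Sysmon events 1 and the TaskScheduler operational log, and the watch-list should be driven by an allow-list of sanctioned RMM tools rather than a deny-list of known ones.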

13.7.24 | Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs | Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers. | Ransom blog | Cisco Blog
29.6.24 | Attackers in Profile: menuPass and ALPHV/BlackCat | To test the effectiveness of managed services like our Trend Micro managed detection and response offering, MITRE Engenuity combined the tools, techniques, and practices of two globally notorious bad actors: menuPass and ALPHV/BlackCat. | Ransom blog | Trend Micro
15.6.24 | TargetCompany's Linux Variant Targets ESXi Environments | In this blog entry, our researchers provide an analysis of TargetCompany ransomware's Linux variant and how it targets VMware ESXi environments using new methods for payload delivery and execution. | Ransom blog | Trend Micro
8.6.24 | INC Ransomware Behind Linux Threat | This week, the SonicWall Capture Labs Research team analyzed a sample of Linux ransomware. The group behind this ransomware, called INC Ransomware, has been active since it was first reported a year ago. | Ransom blog | SonicWall
25.5.24 | Mandatory reporting for ransomware attacks? – Week in security with Tony Anscombe | As the UK mulls new rules for ransomware disclosure, what would be the wider implications of such a move, how would cyber-insurance come into play, and how might cybercriminals respond? | Ransom blog | Eset
4.5.24 | Pay up, or else? – Week in security with Tony Anscombe | Organizations that fall victim to a ransomware attack are often caught between a rock and a hard place, grappling with the dilemma of whether to pay up or not. | Ransom blog | Eset
23.3.24 | The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions | Talos explores the recent law enforcement takedown of LockBit, a prolific ransomware group that claimed to resume operations 7 days later. | Ransom blog | Cisco Blog
17.3.24 | Healthcare still a prime target for cybercrime gangs – Week in security with Tony Anscombe | Healthcare organizations remain firmly in attackers' crosshairs, representing 20 percent of all victims of ransomware attacks among critical infrastructure entities in | Ransom blog | Eset
9.3.24 | GhostSec's joint ransomware operation and evolution of their arsenal | Cisco Talos observed a surge in the malicious activities of the hacking group GhostSec over the past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware. | Ransom blog | Cisco Blog
10.2.24 | Ransomware Retrospective 2024: Unit 42 Leak Site Analysis | The ransomware landscape experienced significant transformations and challenges in 2023. The year saw a 49% increase in victims reported by ransomware leak sites, with a total of 3,998 posts from various ransomware groups. | Ransom blog | Palo Alto
10.2.24 | Ransomware payments hit a record high in 2023 – Week in security with Tony Anscombe | Called a "watershed year for ransomware", 2023 marked a reversal from the decline in ransomware payments observed in the previous year. | Ransom blog | Eset
4.2.24 | Significant increase in ransomware activity found in Talos IR engagements, while education remains one of the most-targeted sectors | Talos IR observed operations involving Play, Cactus, BlackSuit and NoEscape ransomware for the first time this quarter. | Ransom blog | Cisco Blog

14.1.24 | Medusa Ransomware Turning Your Files into Stone | Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. | Ransom blog | Palo Alto
14.1.24 | New decryptor for Babuk Tortilla ransomware variant released | Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor. | Ransom blog | Cisco Blog
