CyberSecurity news
FlagThis - #Ransomware
|
Lawrence Abrams@BleepingComputer
//
Ingram Micro, a global IT distributor, has confirmed it was hit by a SafePay ransomware attack, causing a significant outage affecting its websites and internal systems. The attack, which began on July 3, 2025, has disrupted order processing and shipments, impacting customers, vendor partners, and others who rely on the company's services. Ingram Micro, one of the world's largest technology distributors with approximately 24,000 employees and $48 billion in revenue in 2024, is working diligently to restore affected systems.
The company's initial response involved proactively taking certain systems offline and implementing other mitigation measures to secure the environment. Leading cybersecurity experts were engaged to assist with the investigation, and law enforcement was notified. Ingram Micro said that internal alerts, investigation protocols, and communications with key clients and stakeholders were immediately initiated, a statement was released to explain the suspected vulnerabilities exploited by the ransomware. Sources indicate that the SafePay ransomware group gained access through Ingram Micro's GlobalProtect VPN platform. The attack has impacted various systems, including the company's AI-powered Xvantage distribution platform and the Impulse license provisioning platform, leading to shipment backlogs and licensing interruptions across platforms such as Microsoft 365 and Dropbox. While it remains unclear if data was encrypted, the ransomware note claimed to have stolen various types of information. As a result, Ingram Micro's customers may experience delays as the company focuses on restoring its systems. Recommended read:
References :
@www.bleepingcomputer.com
//
The Hunters International ransomware operation has announced its shutdown, stating they will release free decryption keys to their past victims. The group made the announcement on its dark web leak site, removing all previous victim data. In a statement, Hunters International acknowledged the impact their actions have had on organizations, stating the decision to close down was not made lightly. Victims are instructed to visit the ransomware gang's website to obtain the decryption keys and recovery guidance, though some sources indicate victims need to log in to a portal mentioned in the ransom note using existing credentials to obtain the decryption software.
The move to shut down has been met with skepticism from the threat intel community. Several ransomware gangs in the past have released their victims’ decryption keys, then shut down, each of them for different reasons. Some shut down only to return under a new name, perhaps in an attempt to confuse researchers and law enforcement agencies and sometimes toescape sanctions. There is speculation that Hunters International may be rebranding and transitioning to new infrastructure to avoid increased scrutiny from law enforcement. It emerged in late 2023 and was flagged by security researchers and ransomware experts as apotential rebrand of Hive, which had its infrastructure seized earlier that year. Reports indicate that Hunters International launched a separate platform named "World Leaks" in January, advising its affiliates to switch to this new operation. At the time, the group claimed that encryption-based ransomware was no longer profitable and they would be shifting to a hack-and-extort model. However, some sources have found World Leaks victims who also had ransomware deployed on their networks. Hunters International has been linked to almost 300 attacks worldwide including India's Tata Technologies and the US Marshals Service and has earned millions in cryptocurrency. Recommended read:
References :
@x.com
//
References:
thecyberexpress.com
, cyble.com
Reports indicate a surge in sophisticated ransomware attacks throughout 2025, with groups like Qilin leading the charge. Qilin has solidified its position as a top ransomware group, demonstrating significant success in recruiting affiliates and providing advanced tools. Cybercriminal forums play a crucial role in simplifying ransomware crime development, allowing new threat actors to launch attacks without extensive technical skills. This rise in activity makes it easier than ever for malicious actors to execute ransomware operations through Ransomware-as-a-Service (RaaS) models, employing readily available tools and malware.
Qilin ransomware group topped June 2025 with a staggering 86 victims, surpassing rivals and indicating a shifting threat landscape. One notable victim was newspaper giant Lee Enterprises, where a Qilin attack exposed nearly 40,000 Social Security numbers. This attack not only disrupted publishing operations nationwide but also incurred significant financial damage, with recovery costs reaching $2 million alongside substantial revenue losses. The impact extends beyond financial losses, causing significant operational disruptions and underscoring the widespread threat to businesses of all sizes. The consequences of these attacks are far-reaching. Major organizations have been hit by ransomware and data breaches, emphasizing the urgent need for robust cyber resilience and incident response plans. Cyber incidents have led to unauthorized access to internal systems, disruptions in operations, and the compromise of millions of customer and employee accounts. Experts emphasize that preparedness against cybercrime and building cyber resilience is a critical priority, urging businesses to invest in comprehensive Cyber Incident Response Plans and regular cyber tabletop exercises to simulate real-world attack scenarios and stress-test response capabilities. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
McLaren Health Care, a nonprofit healthcare organization based in Grand Blanc, Michigan, is notifying over 743,000 individuals of a significant data breach. The breach, stemming from a ransomware attack that occurred in July 2024, involved unauthorized access to the healthcare provider's systems. The incident was discovered on August 5, 2024, after McLaren detected suspicious activity on its and Karmanos Cancer Institute’s computer systems.
Following the discovery, McLaren Health Care launched an investigation with the assistance of third-party forensic specialists to secure their network and determine the nature and scope of the activity. The investigation revealed that unauthorized access to the network occurred between July 17, 2024, and August 3, 2024. A comprehensive forensic review of the potentially impacted files concluded on May 5, 2025, confirming that personal and protected health information was compromised. The INC ransomware gang was identified as the cause of the breach. The compromised information may include names, Social Security numbers, driver’s license numbers, medical information, and health insurance details. McLaren Health Care is providing impacted individuals with 12 months of free credit monitoring services and guidance on protecting themselves against fraud and identity theft. Written communications outlining the nature of the breach and the steps being taken were sent directly to the affected individuals. As of June 20, 2025, written notification has been issued to those affected by this data breach. Recommended read:
References :
@kirbyidau.com
//
MKA Accountants, a Victorian accounting firm, has confirmed it fell victim to a ransomware attack by the Qilin group. The incident, which occurred in May 2025, resulted in the publication of sensitive company documents on Qilin's leak site. The stolen data included internal correspondence, financial statements, and insurance information, highlighting the severity of the breach and the potential impact on the firm's operations and client relationships. This attack underscores the growing threat posed by ransomware groups to organizations of all sizes, regardless of their industry.
The Qilin ransomware group has been rapidly gaining prominence in the cybercrime landscape. As established players like RansomHub and LockBit face internal turmoil and operational setbacks, Qilin has emerged as a technically advanced and full-service cybercrime platform. Recent reports indicate that Qilin is actively recruiting affiliates, possibly absorbing talent from defunct groups, and bolstering its capabilities to conduct sophisticated ransomware attacks. This rise in prominence positions Qilin as a major player in the evolving ransomware-as-a-service (RaaS) ecosystem, posing a significant threat to businesses worldwide. To further pressure victims into paying ransoms, Qilin now offers a "Call Lawyer" feature within its affiliate panel. This addition aims to provide affiliates with legal counsel during ransom negotiations, potentially intimidating victims and increasing the likelihood of payment. Furthermore, Qilin provides other services to help affiliates maximize their success. This includes spam services, PB-scale data storage, a team of in-house journalists, and even the ability to conduct distributed denial-of-service (DDoS) attacks, positioning Qilin as a comprehensive cybercrime operation and increasing it's market share. Recommended read:
References :
Graham Cluley@Blog RSS Feed
//
The Qilin ransomware group is introducing a new tactic to pressure victims into paying larger ransoms. They are now offering a "Call Lawyer" button within their affiliate panel, providing legal counsel to cybercriminals attempting to extort money. This feature aims to give affiliates an edge in ransom negotiations by providing them with on-call legal support. Qilin believes that the presence of a lawyer in communication with victims will increase the likelihood of a successful ransom payment due to the potential legal ramifications and associated costs for the victim company.
Qilin's legal assistance service offers several advantages for its affiliates, including legal assessments of stolen data, classification of legal violations, and evaluation of potential damages. It also provides guidance on how to inflict maximum economic damage on a victim company if they refuse to pay the ransom. This addition is part of Qilin's effort to position itself as a full-service cybercrime platform, offering extensive support options and robust solutions for highly targeted ransomware attacks. This development indicates a shift in the cybercrime landscape, with ransomware groups like Qilin attempting to mimic legitimate business tactics to increase their success rates. Qilin has become a prominent player in the ransomware-as-a-service (RaaS) market, attracting affiliates from other groups and leading in the number of victims targeted in recent months. The group's mature ecosystem, advanced evasion features, and comprehensive operational features position it as a significant threat in the cybercrime world. Recommended read:
References :
Veronika Telychko@SOC Prime Blog
//
Mocha Manakin, a threat actor named by Red Canary, is employing a sophisticated "paste-and-run" technique to compromise systems. This method involves tricking users into executing malicious scripts via PowerShell, leading to the deployment of a custom NodeJS backdoor known as NodeInitRAT. Red Canary's report highlights that this backdoor could potentially lead to ransomware attacks. SocPrime has also released information regarding the detection of Mocha Manakin attacks, emphasizing the backdoor's capabilities.
Red Canary notes the adversary leverages ClickFix technique to deliver NodeJS-based backdoor named NodeInitRAT. Hunting for suspicious events related to PowerShell spawning node.exe can be an effective detection method. Security analysts can monitor process creation events where powershell.exe is the parent process and node.exe is the child process to identify potentially malicious activity associated with the NodeInitRAT backdoor. Soc Prime offers Sigma rules to detect Mocha Manakin paste-and-run attacks spreading the NodeInitRAT backdoor. It's crucial to detect this threat as early as possible, as researchers note overlaps with Interlock ransomware. These rules can aid in identifying suspicious behavior and mitigating the risk of further compromise, including data exfiltration and ransomware deployment. Recommended read:
References :
AFox@www.healthcareitnews.com
//
References:
www.comparitech.com
,
,
The healthcare sector has been rocked by a recent ransomware attack on Episource, a medical coding, risk adjustment services, and software company. The breach, which occurred in February 2025, resulted in the compromise of sensitive patient health information. According to reports, unauthorized access to Episource's computer systems allowed cybercriminals to view and copy data belonging to the company's healthcare provider and health plan customers. The exposed information includes personal contact information, health insurance plan data, medical diagnoses, test results, and images, raising serious concerns about patient privacy and security.
Sharp Community Medical Group and Sharp Healthcare, Episource clients, have confirmed that patient data was compromised in the attack. While the incident did not involve unauthorized access to electronic health records or patient portals, the exposed data includes health insurance information and health data, such as medical record numbers, doctors, diagnoses, medications, test results, images, care, and treatments. Episource began notifying affected customers about which individuals and specific data may have been involved starting on April 23, 2025. Sharp Healthcare has also started sending out patient breach notifications. This incident highlights the increasing vulnerability of healthcare organizations to ransomware attacks. Microsoft reports that 389 healthcare companies have been hit by ransomware this year alone, resulting in network shutdowns, offline systems, rescheduled appointments, and delays in critical procedures. The financial impact is significant, with healthcare organizations losing up to $900,000 per day on downtime. Experts emphasize the importance of strengthening cybersecurity measures, including employee training and awareness programs, to protect sensitive patient data and mitigate the risk of future attacks. Episource is working to strengthen its computer systems and has notified law enforcement. Recommended read:
References :
Rescana@Rescana
//
A new and dangerous version of the Anubis ransomware has emerged, now equipped with a data wiping module that significantly increases the stakes for victims. The Anubis Ransomware-as-a-Service (RaaS) has been active since December 2024 and now presents a dual-threat by not only encrypting files, but also permanently deleting them. This means that even if victims pay the ransom, data recovery is impossible because of the '/WIPEMODE' parameter which renders file contents to 0 KB, despite preserving the file names and extensions.
The ransomware is being deployed via phishing emails with malicious attachments or deceptive links which bypass endpoint defenses. Once inside a network, it uses lateral movement techniques, such as privilege escalation, to gain deeper access. The primary targets are organizations within the healthcare, hospitality, and construction sectors, impacting entities across Australia, Canada, Peru, and the United States. This dual-threat capability represents an evolution from traditional ransomware, exerting even more pressure on victims to comply with ransom demands. Cybersecurity experts are urging organizations to implement robust backup and recovery procedures to mitigate the impact of Anubis attacks. Trend Micro researchers and others describe Anubis as a "rare dual-threat" that encrypts and permanently erases files. Anubis also operates a flexible affiliate program with negotiable revenue splits, offering additional monetization paths like data extortion and access sales. The discovery of this destructive behavior highlights the increasing sophistication of ransomware operations and the importance of proactive cybersecurity measures. Recommended read:
References :
@www.healthcarefinancenews.com
//
References:
cyble.com
, cybersecurityventures.com
,
Ransomware groups are continually evolving their tactics, posing an increasing threat to organizations worldwide. Recent reports highlight the exploitation of vulnerabilities in software and the use of sophisticated techniques, such as abusing legitimate employee monitoring software, to breach systems. A Symantec report revealed the discovery of Fog Ransomware, showcasing the attackers' innovative use of tools, including a legitimate security solution (Syteca) capable of recording on-screen activity and monitoring keystrokes, which they deployed using PsExec and SMBExec.
The Cybersecurity and Infrastructure Security Agency (CISA) issued Advisory AA25‑163A, warning of ransomware actors exploiting CVE-2024-57727 in unpatched SimpleHelp Remote Monitoring and Management (RMM) software, specifically versions 5.5.7 and earlier. This vulnerability allowed attackers to compromise a utility billing software provider and initiate double-extortion attacks. The attacks targeting unpatched SimpleHelp deployments have been observed since January 2025, indicating a sustained and targeted effort to exploit this vulnerability. In addition to software vulnerabilities, data breaches are also occurring through direct hacks. Zoomcar, an Indian car-sharing company, recently acknowledged a data breach affecting 8.4 million users, where hackers accessed customer names, phone numbers, car registration numbers, personal addresses, and emails. While sensitive information like passwords and financial details were reportedly not exposed, the breach raises concerns about the security of personal data stored by such platforms. Furthermore, the DragonForce group has started posting new victims to their darknet site, publicly extorting two new organizations, highlighting the continued use of double extortion tactics by ransomware groups. Recommended read:
References :
Anna Ribeiro@Industrial Cyber
//
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding ransomware actors exploiting unpatched instances of SimpleHelp Remote Monitoring and Management (RMM) software. These attacks target customers of utility billing software providers, leveraging a vulnerability to gain unauthorized access. According to a report by The Register, the exploitation involves CVE-2024-57727, a high-severity path traversal vulnerability affecting SimpleHelp versions 5.5.7 and earlier. The attacks, ongoing since January 2025, have led to service disruptions and double extortion incidents, where sensitive data is stolen and systems are encrypted.
CISA's advisory follows reports of the DragonForce ransomware group breaching a managed service provider (MSP) and using its SimpleHelp RMM platform to infiltrate downstream customers. Sophos attributes the breach to a string of known SimpleHelp vulnerabilities, including CVE-2024-57726 through CVE-2024-57728. Once inside, DragonForce actors conducted network reconnaissance, leading to ransomware deployment and data exfiltration. The Register reported that SimpleHelp patched the flaw in January, but many organizations have not applied the update, leaving them vulnerable to exploitation. CISA urges organizations using SimpleHelp RMM to immediately patch their systems, conduct thorough threat hunting, and monitor network traffic for any unusual activity. This is crucial to mitigate the risk of compromise and prevent further disruptions. ConnectWise has also issued warnings, advising users of ScreenConnect and Automate to update to the latest build and validate agent updates to avoid disruptions. The attacks highlight the broader trend of ransomware actors targeting the supply chain, emphasizing the importance of proactive security measures and timely patching. Recommended read:
References :
Threat Hunter@Broadcom Software Blogs
//
The Fog ransomware gang is employing increasingly sophisticated tactics, including the use of legitimate employee monitoring software in their attacks. A recent Symantec report reveals that Fog leveraged Syteca, a security solution designed for on-screen activity recording and keystroke monitoring, alongside open-source pen-testing tools. This unusual approach was observed during a May 2025 attack on a financial institution in Asia, marking a significant shift in the gang's methods. The threat actors even utilized PsExec and SMBExec to execute the Syteca client on remote systems, highlighting their advanced understanding of system administration tools.
Researchers noted that the use of legitimate software like Syteca makes detection more challenging. However, specific event types, such as process creation events with "syteca" as the process file product name, can be used for threat hunting. The attackers also deployed several open-source pentesting tools, including GC2, Adaptix, and Stowaway, which are not commonly used during ransomware attacks. This combination of legitimate and malicious tools allows the attackers to blend in with normal network activity, making their actions harder to detect. This incident indicates a multi-stage attack where the threat actors were present on the target's network for approximately two weeks before deploying the ransomware. What is also unusual is that after the initial ransomware deployment, the attackers established a service to maintain persistence on the network. This behavior contrasts with typical ransomware attacks, where malicious activity ceases after data exfiltration and ransomware deployment. The shift suggests a desire to maintain long-term access to the compromised network. The initial infection vector is unknown, but two of the infected machines were Exchange Servers. Recommended read:
References :
Tyler McGraw@Rapid7 Cybersecurity Blog
//
References:
Rapid7 Cybersecurity Blog
, BlackFog
The BlackSuit ransomware group is continuing its campaign of social engineering attacks, a tactic that cybersecurity experts believe they adopted from the Black Basta ransomware group. This shift in tactics comes after Rapid7 observed a significant decrease in social engineering attacks attributed to Black Basta since late December 2024, possibly indicating a change in Black Basta's operations due to internal conflicts or other factors. BlackSuit's persistence in employing social engineering highlights the ongoing threat landscape where ransomware groups readily adapt and evolve their methods to maximize their success in breaching target networks.
The social engineering tactics employed by BlackSuit echo those previously used by Black Basta, including email bombing and Microsoft Teams phishing. According to a report from ReliaQuest in June 2025, attackers have recently begun incorporating Python scripts alongside these techniques, utilizing cURL requests to retrieve and deploy malicious payloads. This demonstrates an increasing sophistication in their approach, aimed at establishing persistent access to targeted systems and evading traditional security measures. These attacks often masquerade as legitimate communications, such as help desk personnel, to trick unsuspecting users into divulging sensitive information or executing malicious code. ReliaQuest's findings reveal that a substantial portion of Teams phishing attacks originated from onmicrosoft[.]com domains or breached domains, making it difficult to distinguish malicious traffic from legitimate network activity. The affected sectors include finance, insurance, and construction. This transition towards more sophisticated and stealthy methods poses a significant challenge to organizations, as they must enhance their detection capabilities to identify and mitigate these evolving threats effectively. Recommended read:
References :
@cyberpress.org
//
Marks & Spencer (M&S), the prominent retail giant, was recently hit by a significant ransomware attack over the Easter period. The cyberattack, orchestrated by the DragonForce hacker group, disrupted crucial business functions, including online ordering and staff clocking systems. The attackers employed "double extortion" tactics, indicating that they stole sensitive data before encrypting the company's servers. This aggressive move puts M&S at risk of both data loss and public exposure.
An exclusive report reveals that the CEO of M&S received an offensive extortion email detailing the timeline and nature of the attack. The email, reportedly filled with abusive language, claimed that DragonForce had "mercilessly raped" the company and encrypted its servers. In response to the attack, M&S took drastic measures by switching off the VPN used by staff for remote work, which successfully contained the spread of the ransomware, but further disrupted business operations. The financial impact of this cyber incident has been substantial, with reports indicating losses of approximately £40 million per week in sales. DragonForce, the ransomware group behind the attack, has reportedly compromised over 120 victims in the past year, establishing itself as a major player in the cybercrime landscape. The group has evolved from a Ransomware-as-a-Service (RaaS) model to a fully-fledged ransomware cartel, targeting organizations across various sectors, including manufacturing, healthcare, and retail. While the origins of DragonForce are speculative, technical indicators suggest a Russian alignment, including the use of Russian-linked infrastructure and recruitment efforts through Russian-speaking cybercrime forums. M&S has pointed to "human error" as the cause of the breach, with scrutiny falling on an employee of Tata Consultancy Services (TCS), which provides IT services to the retailer, although M&S has officially disputed claims that it didn't have proper plans to handle a ransomware incident. Recommended read:
References :
Sam Silverstein@cybersecuritydive.com
//
United Natural Foods (UNFI), a major grocery distributor serving over 30,000 stores across North America including Whole Foods Market, is grappling with disruptions to customer orders following a recent cyberattack. The company, which acts as the "primary distributor" for Whole Foods, detected unauthorized activity on its IT systems on June 5th. In response, UNFI initiated its incident response plan, proactively taking certain systems offline to contain the breach. The incident has already caused temporary disruptions to business operations, and the company anticipates these disruptions will continue as they work to restore their systems.
UNFI has engaged third-party cybersecurity professionals and notified law enforcement as part of its efforts to assess, mitigate, and remediate the incident. The company is implementing workarounds to continue servicing customers where possible. Kristen Jimenez, a UNFI spokesperson, declined to comment on the nature of the cyberattack or whether any ransom demands have been made. UNFI is one of the largest grocery distributors in North America, supplying fresh produce, goods, and food products to a vast network of retailers, including major chains like Amazon, Target, and Walmart. In their most recent financial report they declared $8.2 billion in net sales. This cyberattack on UNFI highlights the increasing vulnerability of the food supply chain to malicious actors. The incident follows a series of recent cyberattacks affecting the wider retail and grocery sector. UNFI did not say when it expects to recover its systems but assured customers, suppliers and associates that it was working to minimize disruption as much as possible. The company's agreement to be the primary distributor for Whole Foods, has been extended to May 2032. Recommended read:
References :
|