CyberSecurity news

FlagThis - #raas

@zdnet.com //
Federal cybersecurity agencies, including the FBI and CISA, have issued an urgent advisory regarding the escalating threat of Medusa ransomware. Since its emergence in 2021, Medusa has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. The group's activities have accelerated in recent months, prompting immediate action recommendations for organizations. Medusa operates as a Ransomware-as-a-Service (RaaS) model, now recruiting affiliates from criminal forums to launch attacks, encrypt data, and extort victims worldwide.

Medusa actors leverage common ransomware tactics, including phishing campaigns and exploiting unpatched software vulnerabilities. They employ a double extortion strategy by encrypting victim data and threatening to publicly release it if the ransom is not paid. To mitigate the risk, CISA and the FBI recommend organizations update systems regularly to close known vulnerabilities, implement network segmentation to restrict lateral movement, and enable multi-factor authentication for all services. They also urge organizations to report incidents promptly to aid in tracking and combating the growing threat.

Recommended read:
References:
  • bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
  • www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
  • securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
  • DataBreaches.Net: #StopRansomware: Medusa Ransomware
  • Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
  • securityaffairs.com: SecurityAffairs article: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
  • www.cybersecuritydive.com: Medusa ransomware slams critical infrastructure organizations
  • www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
  • www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
  • : FBI and CISA Warn of Medusa Ransomware Impacting Critical Infrastructure
  • The DefendOps Diaries: Explore the impact of Medusa ransomware on critical infrastructure and learn strategies to enhance cybersecurity defenses.
  • www.scworld.com: Medusa ransomware, a ransomware-as-a-service group, has increased attacks targeting critical infrastructure, potentially preparing for geopolitical conflicts. Recent attacks indicate a 150% increase in this activity.
  • Tenable Blog: Tenable article: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
  • SOC Prime Blog: SOC Prime blog: Medusa Ransomware Attacks Covered in AA25-071A Detection
  • be4sec: Medusa Ransomware is Targeting Critical Infrastructure
  • be4sec: This advisory summarizes the key activities of prominent ransomware groups in January 2025, highlighting a significant increase in Medusa attacks.
  • aboutdfir.com: Medusa ransomware group has been actively targeting critical infrastructure organizations, employing a double extortion tactic.
  • www.techradar.com: US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
  • cyble.com: The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a well-timed advisory on the Medusa ransomware group last week, as Cyble has detected an acceleration in the group’s activities in recent months.
  • Email Security - Blog: Medusa Ransomware: Multi-Industry Threat on the Rise
  • techxplore.com: Cybersecurity officials warn against potentially costly Medusa ransomware attacks
  • Security | TechRepublic: Medusa Ransomware Strikes 300+ Targets: FBI & CISA Urge Immediate Action to #StopRansomware
  • eSecurity Planet: Medusa Ransomware Warning: CISA and FBI Issue Urgent Advisory
  • Blue Team Con: CISA and the FBI warn about Medusa ransomware, urging organizations to update security, enable MFA, and report incidents to mitigate the growing threat.
  • thecyberexpress.com: Medusa Ransomware Surge: 60 Victims in 3 Months—Are You Next?
  • www.zdnet.com: How to guard against a vicious Medusa ransomware attack - before it's too late
  • www.cysecurity.news: The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware.
  • Sam Bent: Cybercriminal Group Medusa Targets Critical Infrastructure Sectors. A sophisticated cybercriminal group known as Medusa has been targeting many critical infrastructure sectors in the United States.
  • The Hacker News: Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
  • www.cybersecuritydive.com: Medusa ransomware using malicious driver as EDR killer

Mandvi@Cyber Security News //
A new Ransomware-as-a-Service (RaaS) program, VanHelsingRaaS, has rapidly emerged as a significant threat in the cybercrime world. Launched on March 7, 2025, the program has quickly gained traction, infecting three victims within its first two weeks of operation. The service offers affiliates a control panel and a cross-platform locker, VanHelsing, which is capable of targeting a wide variety of systems, including Windows, Linux, BSD, ARM, and ESXi. This broad platform support allows affiliates to target diverse environments, increasing the potential impact of attacks.

The VanHelsingRaaS program requires a $5,000 deposit for new affiliates, while reputable affiliates can join for free. Affiliates earn 80% of the ransom payments, while the core operators receive the remaining 20%. A key restriction is the prohibition of targeting systems in the Commonwealth of Independent States (CIS). Check Point Research has identified two VanHelsing ransomware variants targeting Windows systems, but the RaaS advertisement indicates wider capabilities. This suggests the ransomware is designed to be adaptable and versatile, posing a significant threat to organizations across various industries and operating systems.

Recommended read:
References:
  • gbhackers.com: VanHelsing Ransomware Targets Windows Systems with New Evasion Tactics and File Extension
  • Check Point Research: VanHelsing, new RaaS in Town
  • Christoffer S.: (checkpoint.com) VanHelsingRaaS: Analysis of a New and Rapidly Expanding Ransomware-as-a-Service Program
  • Check Point Blog: The Rise of VanHelsing RaaS: A New Player in the Ransomware Landscape
  • Blog: New ‘VanHelsing’ Raas hunts your data, not vampires
  • The Hacker News: VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics
  • : VanHelsingRaaS, a new ransomware-as-a-service program, infected three victims within two weeks of release, demanding ransoms of $500,000
  • Talkback Resources: VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics [mal]
  • The DefendOps Diaries: VanHelsing Ransomware: A Multi-Platform Threat with Sophisticated Tactics
  • Security Risk Advisors: VanHelsing Ransomware hits Windows, Linux, and ESXi with stealthy encryption and demands up to $500K.
  • Broadcom Software Blogs: VanHelsing RaaS is a burgeoning ransomware-as-a-service (RaaS) platform that launched on March 7, 2025.
  • Cyber Security News: VanHelsingRaaS, a newly launched ransomware-as-a-service (RaaS) program, has quickly gained traction in the cybercrime landscape.
  • www.bleepingcomputer.com: New VanHelsing ransomware targets Windows, ARM, ESXi systems
  • securityonline.info: VanHelsingRaaS: A New Player in the Ransomware Game
  • CyberInsider: New VanHelsing ransomware demands $500,000 ransom payments
  • Information Security Buzz: VanHelsingRaaS Strikes: Sinking Its Fangs into Windows, Linux, and More
  • securityonline.info: CYFIRMA’s Research and Advisory Team has uncovered a new ransomware strain, “VanHelsing”.
  • The Register - Security: VanHelsing ransomware emerges to put a stake through your Windows heart
  • www.csoonline.com: New VanHelsing ransomware claims three victims within a month

Aman Mishra@gbhackers.com //
ESET researchers have uncovered connections between RansomHub affiliates and other ransomware groups, including Medusa, BianLian, and Play. This link is established through the shared use of EDRKillShifter, a custom tool designed to disable endpoint detection and response (EDR) software on compromised systems. EDRKillShifter utilizes a "Bring Your Own Vulnerable Driver" (BYOVD) tactic, leveraging a legitimate but vulnerable driver to terminate security solutions, ensuring the smooth execution of ransomware encryptors without detection.

This sharing of tools highlights an evolving trend in the ransomware landscape, where groups collaborate and repurpose tooling from rivals. ESET's analysis reveals that even closed ransomware-as-a-service (RaaS) operations like Play and BianLian, known for their consistent use of core tools, have members utilizing EDRKillShifter in their attacks. RansomHub, a relatively new player, quickly rose to prominence in the ransomware scene after emerging in February 2024, dominating the landscape by recruiting affiliates from disrupted groups such as LockBit and BlackCat. The tool, custom-developed by RansomHub, is offered to its affiliates as part of its RaaS program.

Recommended read:
References:
  • DataBreaches.Net: The RansomHub ransomware-as-a-service (RaaS) operation affiliates were linked to established gangs Medusa, BianLian, and Play, which share the use of RansomHub’s custom-developed EDRKillShifter.
  • The Hacker News: Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks
  • hackread.com: Cybercriminals exploit AbyssWorker driver to disable EDR systems, deploying MEDUSA ransomware with revoked certificates for stealthy attacks.
  • gbhackers.com: New Research Links RansomHub’s EDRKillShifter to Established Ransomware Gangs
  • Cyber Security News: New Research Reveals RansomHub’s EDRKillShifter Connected to Major Ransomware Gangs
  • www.cybersecuritydive.com: Custom tool developed by RansomHub, dubbed “EDRKillShifter,” is used by several other rival ransomware gangs.

@www.reliaquest.com //
ReliaQuest researchers are warning that the BlackLock ransomware group is poised to become the most prolific ransomware-as-a-service (RaaS) operation in 2025. BlackLock, also known as El Dorado, first emerged in early 2024 and quickly ascended the ranks of ransomware groups. By the fourth quarter of 2024, it was already the seventh most prolific group based on data leaks, experiencing a massive 1,425% increase in activity compared to the previous quarter.

BlackLock's success is attributed to its active presence and strong reputation within the RAMP forum, a Russian-language platform for ransomware activities. The group is also known for its aggressive recruitment of traffers, initial access brokers, and affiliates. They employ double extortion tactics, encrypting data and exfiltrating sensitive information, then threatening to publish it if a ransom is not paid. Their custom-built ransomware targets Windows, VMware ESXi, and Linux environments.

Recommended read:
References:
  • AAKL: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock. More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
  • Christoffer S.: ReliaQuest Inside the World’s Fastest Rising Ransomware Operator - BlackLock Somewhat of a deep dive into a relatively new RaaS (BlackLock), a very active group both on RAMP and with adding new victims to their leaksite.
  • www.helpnetsecurity.com: BlackLock ransomware onslaught: What to expect and how to fight it
  • www.reliaquest.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock
  • Help Net Security: In-depth analysis of the BlackLock ransomware group and their operational methods.
  • www.infosecurity-magazine.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock. More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
  • cyberpress.org: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems
  • gbhackers.com: BlackLock Ransomware Targets Windows, VMware ESXi, & Linux Environments
  • Cyber Security News: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems

@securityonline.info //
Two Ransomware-as-a-Service (RaaS) operations, HellCat and Morpheus, are exhibiting striking similarities in their attack methods, according to a recent analysis by SentinelOne. Both groups have been found to be using nearly identical payloads to encrypt victims’ data, utilizing the Windows Cryptographic Application Programming Interface (CAPI). Furthermore, both direct victims to access .onion portals via the Tor browser and provide credentials to receive ransom instructions. This overlap in tools and techniques suggests a potential collaboration between HellCat and Morpheus or, perhaps, a shared origin.

The shared code base indicates that affiliates across both groups are compiling payloads that contain almost identical code. Despite differences in victim-specific details, the core functionality of the ransomware is the same: it encrypts file contents, leaving extensions and metadata intact, and delivers a ransom note instructing victims to connect via a Tor browser. While no direct link has been found between the HellCat and Morpheus operators, the identical code suggests the possibility of a common builder application used by affiliates. With ransom demands as high as 32 Bitcoin, approximately $3 million, it is vital that businesses and organizations have a strong threat detection system to mitigate these growing threats.

Recommended read:
References:
  • cyberpress.org: The cybersecurity landscape has witnessed a surge in ransomware activity over the past six months, driven by new actors and the resurgence of established groups. Notably, the emergence of ransomware families like FunkSec, Nitrogen, and Termite has been accompanied by the reappearance of Cl0p and the rollout of LockBit 4.0. Simultaneously, Ransomware-as-a-Service (RaaS) offerings such […]
  • securityonline.info: Over the past six months, ransomware activity has surged, with new operations like HellCat and Morpheus making their
  • www.scworld.com: HellCat, Morpheus RaaS operations leverage similar payloads
  • www.sentinelone.com: SentinelOne's Jim Walter analyses payloads from both HellCat and Morpheus ransomware operations and shows how affiliates across both operations are compiling payloads that contain almost identical code.
  • Virus Bulletin: SentinelOne's Jim Walter analyses payloads from both HellCat and Morpheus ransomware operations and shows how affiliates across both operations are compiling payloads that contain almost identical code.
  • Cyber Security News: HellCat and Morpheus Ransomware Using Identical Payloads for Infection
  • securityonline.info: HellCat and Morpheus: Ransomware Affiliates Using Identical Payloads to Escalate Attacks
  • securityonline.info: From Victim Profiles to Data Leaks: Inside the Lynx Ransomware-as-a-Service Ecosystem