CyberSecurity news
FlagThis - #ransomware
|
@kirbyidau.com
//
MKA Accountants, a Victorian accounting firm, has confirmed it fell victim to a ransomware attack by the Qilin group. The incident, which occurred in May 2025, resulted in the publication of sensitive company documents on Qilin's leak site. The stolen data included internal correspondence, financial statements, and insurance information, highlighting the severity of the breach and the potential impact on the firm's operations and client relationships. This attack underscores the growing threat posed by ransomware groups to organizations of all sizes, regardless of their industry.
The Qilin ransomware group has been rapidly gaining prominence in the cybercrime landscape. As established players like RansomHub and LockBit face internal turmoil and operational setbacks, Qilin has emerged as a technically advanced and full-service cybercrime platform. Recent reports indicate that Qilin is actively recruiting affiliates, possibly absorbing talent from defunct groups, and bolstering its capabilities to conduct sophisticated ransomware attacks. This rise in prominence positions Qilin as a major player in the evolving ransomware-as-a-service (RaaS) ecosystem, posing a significant threat to businesses worldwide. To further pressure victims into paying ransoms, Qilin now offers a "Call Lawyer" feature within its affiliate panel. This addition aims to provide affiliates with legal counsel during ransom negotiations, potentially intimidating victims and increasing the likelihood of payment. Furthermore, Qilin provides other services to help affiliates maximize their success. This includes spam services, PB-scale data storage, a team of in-house journalists, and even the ability to conduct distributed denial-of-service (DDoS) attacks, positioning Qilin as a comprehensive cybercrime operation and increasing it's market share. Recommended read:
References :
Graham Cluley@Blog RSS Feed
//
The Qilin ransomware group is introducing a new tactic to pressure victims into paying larger ransoms. They are now offering a "Call Lawyer" button within their affiliate panel, providing legal counsel to cybercriminals attempting to extort money. This feature aims to give affiliates an edge in ransom negotiations by providing them with on-call legal support. Qilin believes that the presence of a lawyer in communication with victims will increase the likelihood of a successful ransom payment due to the potential legal ramifications and associated costs for the victim company.
Qilin's legal assistance service offers several advantages for its affiliates, including legal assessments of stolen data, classification of legal violations, and evaluation of potential damages. It also provides guidance on how to inflict maximum economic damage on a victim company if they refuse to pay the ransom. This addition is part of Qilin's effort to position itself as a full-service cybercrime platform, offering extensive support options and robust solutions for highly targeted ransomware attacks. This development indicates a shift in the cybercrime landscape, with ransomware groups like Qilin attempting to mimic legitimate business tactics to increase their success rates. Qilin has become a prominent player in the ransomware-as-a-service (RaaS) market, attracting affiliates from other groups and leading in the number of victims targeted in recent months. The group's mature ecosystem, advanced evasion features, and comprehensive operational features position it as a significant threat in the cybercrime world. Recommended read:
References :
Veronika Telychko@SOC Prime Blog
//
Mocha Manakin, a threat actor named by Red Canary, is employing a sophisticated "paste-and-run" technique to compromise systems. This method involves tricking users into executing malicious scripts via PowerShell, leading to the deployment of a custom NodeJS backdoor known as NodeInitRAT. Red Canary's report highlights that this backdoor could potentially lead to ransomware attacks. SocPrime has also released information regarding the detection of Mocha Manakin attacks, emphasizing the backdoor's capabilities.
Red Canary notes the adversary leverages ClickFix technique to deliver NodeJS-based backdoor named NodeInitRAT. Hunting for suspicious events related to PowerShell spawning node.exe can be an effective detection method. Security analysts can monitor process creation events where powershell.exe is the parent process and node.exe is the child process to identify potentially malicious activity associated with the NodeInitRAT backdoor. Soc Prime offers Sigma rules to detect Mocha Manakin paste-and-run attacks spreading the NodeInitRAT backdoor. It's crucial to detect this threat as early as possible, as researchers note overlaps with Interlock ransomware. These rules can aid in identifying suspicious behavior and mitigating the risk of further compromise, including data exfiltration and ransomware deployment. Recommended read:
References :
@www.healthcareitnews.com
//
References:
www.comparitech.com
,
The healthcare sector has been rocked by a recent ransomware attack on Episource, a medical coding, risk adjustment services, and software company. The breach, which occurred in February 2025, resulted in the compromise of sensitive patient health information. According to reports, unauthorized access to Episource's computer systems allowed cybercriminals to view and copy data belonging to the company's healthcare provider and health plan customers. The exposed information includes personal contact information, health insurance plan data, medical diagnoses, test results, and images, raising serious concerns about patient privacy and security.
Sharp Community Medical Group and Sharp Healthcare, Episource clients, have confirmed that patient data was compromised in the attack. While the incident did not involve unauthorized access to electronic health records or patient portals, the exposed data includes health insurance information and health data, such as medical record numbers, doctors, diagnoses, medications, test results, images, care, and treatments. Episource began notifying affected customers about which individuals and specific data may have been involved starting on April 23, 2025. Sharp Healthcare has also started sending out patient breach notifications. This incident highlights the increasing vulnerability of healthcare organizations to ransomware attacks. Microsoft reports that 389 healthcare companies have been hit by ransomware this year alone, resulting in network shutdowns, offline systems, rescheduled appointments, and delays in critical procedures. The financial impact is significant, with healthcare organizations losing up to $900,000 per day on downtime. Experts emphasize the importance of strengthening cybersecurity measures, including employee training and awareness programs, to protect sensitive patient data and mitigate the risk of future attacks. Episource is working to strengthen its computer systems and has notified law enforcement. Recommended read:
References :
Rescana@Rescana
//
A new and dangerous version of the Anubis ransomware has emerged, now equipped with a data wiping module that significantly increases the stakes for victims. The Anubis Ransomware-as-a-Service (RaaS) has been active since December 2024 and now presents a dual-threat by not only encrypting files, but also permanently deleting them. This means that even if victims pay the ransom, data recovery is impossible because of the '/WIPEMODE' parameter which renders file contents to 0 KB, despite preserving the file names and extensions.
The ransomware is being deployed via phishing emails with malicious attachments or deceptive links which bypass endpoint defenses. Once inside a network, it uses lateral movement techniques, such as privilege escalation, to gain deeper access. The primary targets are organizations within the healthcare, hospitality, and construction sectors, impacting entities across Australia, Canada, Peru, and the United States. This dual-threat capability represents an evolution from traditional ransomware, exerting even more pressure on victims to comply with ransom demands. Cybersecurity experts are urging organizations to implement robust backup and recovery procedures to mitigate the impact of Anubis attacks. Trend Micro researchers and others describe Anubis as a "rare dual-threat" that encrypts and permanently erases files. Anubis also operates a flexible affiliate program with negotiable revenue splits, offering additional monetization paths like data extortion and access sales. The discovery of this destructive behavior highlights the increasing sophistication of ransomware operations and the importance of proactive cybersecurity measures. Recommended read:
References :
@www.healthcarefinancenews.com
//
References:
cyble.com
, cybersecurityventures.com
,
Ransomware groups are continually evolving their tactics, posing an increasing threat to organizations worldwide. Recent reports highlight the exploitation of vulnerabilities in software and the use of sophisticated techniques, such as abusing legitimate employee monitoring software, to breach systems. A Symantec report revealed the discovery of Fog Ransomware, showcasing the attackers' innovative use of tools, including a legitimate security solution (Syteca) capable of recording on-screen activity and monitoring keystrokes, which they deployed using PsExec and SMBExec.
The Cybersecurity and Infrastructure Security Agency (CISA) issued Advisory AA25‑163A, warning of ransomware actors exploiting CVE-2024-57727 in unpatched SimpleHelp Remote Monitoring and Management (RMM) software, specifically versions 5.5.7 and earlier. This vulnerability allowed attackers to compromise a utility billing software provider and initiate double-extortion attacks. The attacks targeting unpatched SimpleHelp deployments have been observed since January 2025, indicating a sustained and targeted effort to exploit this vulnerability. In addition to software vulnerabilities, data breaches are also occurring through direct hacks. Zoomcar, an Indian car-sharing company, recently acknowledged a data breach affecting 8.4 million users, where hackers accessed customer names, phone numbers, car registration numbers, personal addresses, and emails. While sensitive information like passwords and financial details were reportedly not exposed, the breach raises concerns about the security of personal data stored by such platforms. Furthermore, the DragonForce group has started posting new victims to their darknet site, publicly extorting two new organizations, highlighting the continued use of double extortion tactics by ransomware groups. Recommended read:
References :
Anna Ribeiro@Industrial Cyber
//
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding ransomware actors exploiting unpatched instances of SimpleHelp Remote Monitoring and Management (RMM) software. These attacks target customers of utility billing software providers, leveraging a vulnerability to gain unauthorized access. According to a report by The Register, the exploitation involves CVE-2024-57727, a high-severity path traversal vulnerability affecting SimpleHelp versions 5.5.7 and earlier. The attacks, ongoing since January 2025, have led to service disruptions and double extortion incidents, where sensitive data is stolen and systems are encrypted.
CISA's advisory follows reports of the DragonForce ransomware group breaching a managed service provider (MSP) and using its SimpleHelp RMM platform to infiltrate downstream customers. Sophos attributes the breach to a string of known SimpleHelp vulnerabilities, including CVE-2024-57726 through CVE-2024-57728. Once inside, DragonForce actors conducted network reconnaissance, leading to ransomware deployment and data exfiltration. The Register reported that SimpleHelp patched the flaw in January, but many organizations have not applied the update, leaving them vulnerable to exploitation. CISA urges organizations using SimpleHelp RMM to immediately patch their systems, conduct thorough threat hunting, and monitor network traffic for any unusual activity. This is crucial to mitigate the risk of compromise and prevent further disruptions. ConnectWise has also issued warnings, advising users of ScreenConnect and Automate to update to the latest build and validate agent updates to avoid disruptions. The attacks highlight the broader trend of ransomware actors targeting the supply chain, emphasizing the importance of proactive security measures and timely patching. Recommended read:
References :
Threat Hunter@Broadcom Software Blogs
//
The Fog ransomware gang is employing increasingly sophisticated tactics, including the use of legitimate employee monitoring software in their attacks. A recent Symantec report reveals that Fog leveraged Syteca, a security solution designed for on-screen activity recording and keystroke monitoring, alongside open-source pen-testing tools. This unusual approach was observed during a May 2025 attack on a financial institution in Asia, marking a significant shift in the gang's methods. The threat actors even utilized PsExec and SMBExec to execute the Syteca client on remote systems, highlighting their advanced understanding of system administration tools.
Researchers noted that the use of legitimate software like Syteca makes detection more challenging. However, specific event types, such as process creation events with "syteca" as the process file product name, can be used for threat hunting. The attackers also deployed several open-source pentesting tools, including GC2, Adaptix, and Stowaway, which are not commonly used during ransomware attacks. This combination of legitimate and malicious tools allows the attackers to blend in with normal network activity, making their actions harder to detect. This incident indicates a multi-stage attack where the threat actors were present on the target's network for approximately two weeks before deploying the ransomware. What is also unusual is that after the initial ransomware deployment, the attackers established a service to maintain persistence on the network. This behavior contrasts with typical ransomware attacks, where malicious activity ceases after data exfiltration and ransomware deployment. The shift suggests a desire to maintain long-term access to the compromised network. The initial infection vector is unknown, but two of the infected machines were Exchange Servers. Recommended read:
References :
Tyler McGraw@Rapid7 Cybersecurity Blog
//
References:
Rapid7 Cybersecurity Blog
, BlackFog
The BlackSuit ransomware group is continuing its campaign of social engineering attacks, a tactic that cybersecurity experts believe they adopted from the Black Basta ransomware group. This shift in tactics comes after Rapid7 observed a significant decrease in social engineering attacks attributed to Black Basta since late December 2024, possibly indicating a change in Black Basta's operations due to internal conflicts or other factors. BlackSuit's persistence in employing social engineering highlights the ongoing threat landscape where ransomware groups readily adapt and evolve their methods to maximize their success in breaching target networks.
The social engineering tactics employed by BlackSuit echo those previously used by Black Basta, including email bombing and Microsoft Teams phishing. According to a report from ReliaQuest in June 2025, attackers have recently begun incorporating Python scripts alongside these techniques, utilizing cURL requests to retrieve and deploy malicious payloads. This demonstrates an increasing sophistication in their approach, aimed at establishing persistent access to targeted systems and evading traditional security measures. These attacks often masquerade as legitimate communications, such as help desk personnel, to trick unsuspecting users into divulging sensitive information or executing malicious code. ReliaQuest's findings reveal that a substantial portion of Teams phishing attacks originated from onmicrosoft[.]com domains or breached domains, making it difficult to distinguish malicious traffic from legitimate network activity. The affected sectors include finance, insurance, and construction. This transition towards more sophisticated and stealthy methods poses a significant challenge to organizations, as they must enhance their detection capabilities to identify and mitigate these evolving threats effectively. Recommended read:
References :
@cyberpress.org
//
Marks & Spencer (M&S), the prominent retail giant, was recently hit by a significant ransomware attack over the Easter period. The cyberattack, orchestrated by the DragonForce hacker group, disrupted crucial business functions, including online ordering and staff clocking systems. The attackers employed "double extortion" tactics, indicating that they stole sensitive data before encrypting the company's servers. This aggressive move puts M&S at risk of both data loss and public exposure.
An exclusive report reveals that the CEO of M&S received an offensive extortion email detailing the timeline and nature of the attack. The email, reportedly filled with abusive language, claimed that DragonForce had "mercilessly raped" the company and encrypted its servers. In response to the attack, M&S took drastic measures by switching off the VPN used by staff for remote work, which successfully contained the spread of the ransomware, but further disrupted business operations. The financial impact of this cyber incident has been substantial, with reports indicating losses of approximately £40 million per week in sales. DragonForce, the ransomware group behind the attack, has reportedly compromised over 120 victims in the past year, establishing itself as a major player in the cybercrime landscape. The group has evolved from a Ransomware-as-a-Service (RaaS) model to a fully-fledged ransomware cartel, targeting organizations across various sectors, including manufacturing, healthcare, and retail. While the origins of DragonForce are speculative, technical indicators suggest a Russian alignment, including the use of Russian-linked infrastructure and recruitment efforts through Russian-speaking cybercrime forums. M&S has pointed to "human error" as the cause of the breach, with scrutiny falling on an employee of Tata Consultancy Services (TCS), which provides IT services to the retailer, although M&S has officially disputed claims that it didn't have proper plans to handle a ransomware incident. Recommended read:
References :
Sam Silverstein@cybersecuritydive.com
//
United Natural Foods (UNFI), a major grocery distributor serving over 30,000 stores across North America including Whole Foods Market, is grappling with disruptions to customer orders following a recent cyberattack. The company, which acts as the "primary distributor" for Whole Foods, detected unauthorized activity on its IT systems on June 5th. In response, UNFI initiated its incident response plan, proactively taking certain systems offline to contain the breach. The incident has already caused temporary disruptions to business operations, and the company anticipates these disruptions will continue as they work to restore their systems.
UNFI has engaged third-party cybersecurity professionals and notified law enforcement as part of its efforts to assess, mitigate, and remediate the incident. The company is implementing workarounds to continue servicing customers where possible. Kristen Jimenez, a UNFI spokesperson, declined to comment on the nature of the cyberattack or whether any ransom demands have been made. UNFI is one of the largest grocery distributors in North America, supplying fresh produce, goods, and food products to a vast network of retailers, including major chains like Amazon, Target, and Walmart. In their most recent financial report they declared $8.2 billion in net sales. This cyberattack on UNFI highlights the increasing vulnerability of the food supply chain to malicious actors. The incident follows a series of recent cyberattacks affecting the wider retail and grocery sector. UNFI did not say when it expects to recover its systems but assured customers, suppliers and associates that it was working to minimize disruption as much as possible. The company's agreement to be the primary distributor for Whole Foods, has been extended to May 2032. Recommended read:
References :
Matt Burgess,@WIRED
//
References:
arstechnica.com
, WIRED
German law enforcement has identified the alleged leader of the Trickbot and Conti cybercriminal groups, known online as "Stern," as Vitaly Nikolaevich Kovalev, a 36-year-old Russian national. The Bundeskriminalamt (BKA), Germany’s federal police agency, and local prosecutors made the announcement, alleging Kovalev is the "ringleader" of a "criminal organization." An Interpol red notice has been issued for Kovalev, who is believed to be in Russia, potentially shielding him from extradition. For years, Stern’s true identity remained a mystery despite law enforcement disruptions and leaks of internal chat messages from both Trickbot and Conti.
The Trickbot group, comprised of approximately 100 cybercriminals, has unleashed a relentless hacking spree on the world for years, attacking thousands of victims, including businesses, schools, and hospitals, orchestrating attacks under the direction of Stern. The group is believed to have stolen hundreds of millions of dollars over roughly six years. A mysterious leaker known as GangExposed initially outed Stern’s identity as Kovalev before the German police confirmed the information. Alexander Leslie, a threat intelligence analyst at Recorded Future, stated that Stern’s naming is a significant event that bridges gaps in our understanding of Trickbot, one of the most notorious transnational cybercriminal groups to ever exist. Leslie added that as Trickbot's ‘big boss’ and one of the most noteworthy figures in the Russian cybercriminal underground, Stern remained an elusive character, and his real name was taboo for years. It has long been speculated that global law enforcement may have strategically withheld Stern’s identity as part of ongoing investigations. Recommended read:
References :
Rescana@Rescana
//
Recent ransomware attacks have underscored the persistent and evolving threat landscape facing organizations globally. Notably, Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP), were targeted in separate cyber incidents. The Everest ransomware gang claimed responsibility for breaching Coca-Cola's systems, asserting access to sensitive internal documents and the personal information of nearly a thousand employees. Concurrently, the Gehenna hacking group claimed to have breached CCEP's Salesforce dashboard, potentially compromising over 23 million records. These incidents highlight the vulnerabilities inherent in interconnected digital ecosystems, emphasizing the need for robust cybersecurity measures and vigilant monitoring of network activities.
The healthcare sector has been particularly vulnerable, with Interlock ransomware causing significant disruption at Kettering Health, a network of hospitals in Ohio. The attackers leaked almost a terabyte of data, including patient information, financial records, and employee details after claiming responsibility. This breach led to canceled medical procedures, and a temporary reliance on paper-based systems. Covenant Health also experienced a cyberattack that forced the shutdown of their systems across multiple hospitals. Similarly, Bailey’s catering services, associated with a restaurant group in Louisiana, has been listed as a victim by the Medusa ransomware group, with attackers demanding a $100,000 ransom. These events underscore the severe consequences of ransomware attacks on essential services and sensitive data. In response to the rising ransomware threat, some countries are implementing stricter regulations. Australia, for example, now requires businesses with an annual turnover exceeding AUS $3 million to report ransomware payments to the Australian Signals Directorate within 72 hours. This legislation aims to improve the tracking of ransomware incidents and inform cybersecurity strategies, even though paying ransoms is still technically legal. The law also includes a six-month grace period for organizations to adapt to the new reporting requirements. Additionally, recent law enforcement operations like Operation Endgame have demonstrated progress in disrupting the ransomware ecosystem by targeting malware testing services and initial access malware strains. Recommended read:
References :
Pauline Dornig@it-daily.net
//
The ransomware group Interlock has claimed responsibility for the recent cyberattack on Kettering Health, a US healthcare organization comprised of hospitals, clinics, and medical centers in Ohio. The attack, which initially disrupted the healthcare system on May 20th, forced the shutdown of all computer systems and has left Kettering Health struggling to fully recover over two weeks later. CNN first reported on Interlock’s involvement in the breach, but at the time, the group had not publicly taken credit, leading to speculation that ransom negotiations might be underway. However, Interlock has now come forward, potentially indicating that negotiations with Kettering Health have been unsuccessful.
Interlock announced its involvement by posting alleged stolen data on its dark web site, claiming to have exfiltrated over 940 gigabytes of data from Kettering Health’s internal network. A preliminary review of the posted files indicates that the stolen data includes sensitive private health information, such as patient names, patient numbers, and detailed clinical summaries. These summaries contain sensitive information including mental status assessments, medication lists, health concerns, and other specific details about patients' medical conditions. The stolen data also encompasses employee information and the contents of shared drives, raising concerns about further potential privacy breaches. The cyberattack has severely impacted Kettering Health's operations. Since the initial breach, numerous medical procedures have been canceled or postponed, forcing healthcare professionals to revert to paper-based documentation. This digital standstill has significantly affected clinical care for approximately 1.5 million patients annually. While Kettering Health has reported progress in restoring its systems, including bringing the electronic health record (EHR) system "Epic" back online with the help of around 200 employees, the full extent of the damage and the long-term consequences of the data breach are still unfolding. Recommended read:
References :
Pradeep Bairaboina@Tech Monitor
//
The Play ransomware group has been actively targeting organizations worldwide since June 2022, with the FBI reporting that approximately 900 entities have been compromised as of May 2025. These attacks span across North America, South America, and Europe, targeting a diverse range of businesses and critical infrastructure. The group employs a "double extortion" tactic, exfiltrating sensitive data before encrypting systems, putting additional pressure on victims to pay the ransom.
The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued updated advisories regarding the Play ransomware, highlighting new tactics, techniques, and procedures (TTPs) employed by the group. One notable tactic includes exploiting vulnerabilities in the SimpleHelp remote access tool. Specifically, multiple ransomware groups, including those affiliated with Play, have been actively targeting the CVE-2024-57727 path traversal vulnerability, which allows attackers to download arbitrary files from the SimpleHelp server. The advisories also note that Play operators regularly contact victims via phone, threatening to release stolen data if ransom demands are not met. To mitigate the threat posed by Play ransomware, authorities recommend several proactive security measures, including implementing multifactor authentication, maintaining offline data backups, and developing and testing a recovery plan. It is also critical to keep all operating systems, software, and firmware updated to patch known vulnerabilities. SimpleHelp has released security updates to address the exploited vulnerabilities and strongly urges customers to apply these fixes immediately. While Play ransomware has been linked to attacks on critical infrastructure, including nine attacks impacting healthcare, experts recommend constant vigilance and proactive security strategies across all sectors. Recommended read:
References :
|