CyberSecurity news

FlagThis - #ransomware

Mandvi@Cyber Security News //
The Interlock ransomware group is actively deploying a new, sophisticated remote access trojan (RAT) known as NodeSnake in attacks targeting corporate networks. Security researchers have observed this campaign, revealing that Interlock is leveraging NodeSnake as a key component of its attack toolkit to maintain persistent access and enhance its post-exploitation capabilities. NodeSnake, written in Golang, allows the attackers to bypass common detection mechanisms and exfiltrate sensitive data, ensuring continued access even if ransomware binaries are detected and removed.

Two UK-based universities and local government entities have recently fallen victim to NodeSnake within the past few months. Analysis by cybersecurity firm Quorum Cyber has uncovered two new variants of the RAT, strongly attributing them to the Interlock ransomware group. The timing and shared code elements between the incidents suggest a coordinated campaign by the same threat actor, signalling a shift in targets for the Interlock ransomware group which is believed to be behind these attacks.

NodeSnake is a type of Remote Access Trojan (RAT). RATs are dangerous because they allow attackers to take control of infected computers from afar. This means attackers can access files, watch what users are doing, change computer settings, and even steal or delete important information remotely while the RATs stay hidden in the system and even introduce other harmful programs. Furthermore, the two NodeSnake variants are from the same family, with the newer one showing significant improvements. This RAT expands the group’s capabilities for reconnaissance, lateral movement, and data exfiltration, facilitating ransomware deployment.

Recommended read:
References :
  • Cyber Security News: Interlock Ransomware Deploys NodeSnake RAT to Maintain Access in Corporate Networks Security researchers have observed a sophisticated cyber campaign in which the Interlock ransomware group is leveraging the NodeSnake remote access trojan (RAT) as part of its attack toolkit against corporate networks.
  • gbhackers.com: Interlock Ransomware Uses NodeSnake RAT for Persistent Access to Corporate Networks In a two UK-based universities have fallen victim to a sophisticated Remote Access Trojan (RAT) dubbed NodeSnake within the past two months.
  • hackread.com: Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks Quorum Cyber identifies two new NodeSnake RAT variants, strongly attributed to Interlock ransomware, impacting UK higher education and local government.
  • BleepingComputer: Interlock ransomware gang deploys new NodeSnake RAT on universities
  • ciso2ciso.com: Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks – Source:hackread.com Source: hackread.com – Author: Deeba Ahmed.
  • cyberpress.org: Interlock Ransomware Deploys NodeSnake RAT to Maintain Access in Corporate Networks Security researchers have observed a sophisticated cyber campaign in which the Interlock ransomware group is leveraging the NodeSnake remote access trojan (RAT) as part of its attack toolkit against corporate networks.

@securityonline.info //
Cybercriminals are increasingly leveraging the popularity of Artificial Intelligence (AI) to distribute malware, targeting Windows users with fake installers disguised as legitimate AI tools. These malicious campaigns involve ransomware such as CyberLock and Lucky_Gh0$t, as well as a destructive malware called Numero. The attackers create convincing fake websites, often with domain names closely resembling those of actual AI vendors, to trick users into downloading and executing the poisoned software. These threats are primarily distributed through online channels, including SEO poisoning to manipulate search engine rankings and the use of social media and messaging platforms like Telegram.

CyberLock ransomware, for instance, has been observed masquerading as a lead monetization AI platform called NovaLeadsAI, complete with a deceptive website offering "free access" for the first year. Once downloaded, the ‘NovaLeadsAI.exe’ file deploys the ransomware, encrypting various file types and demanding a hefty ransom payment. Another threat, Numero, impacts victims by manipulating the graphical user interface components of their Windows operating system, rendering the machines unusable. Fake AI installers for tools like ChatGPT and InVideo AI are also being used to deliver ransomware and information stealers, often targeting businesses in sales, technology, and marketing sectors.

Cisco Talos researchers emphasize the need for users to be cautious about the sources of AI tools they download and install, particularly from untrusted sources. Businesses, especially those in sales, technology, and marketing, are prime targets, highlighting the need for robust endpoint protection and user awareness training. These measures can help mitigate the risks associated with AI-related scams and protect sensitive data and financial assets from falling into the hands of cybercriminals. The attacks underscore the importance of vigilance and verifying the legitimacy of software before installation.

Recommended read:
References :
  • Cisco Talos Blog: Cisco Talos has uncovered new threats, including ransomware like CyberLock and Lucky_Gh0$t, and a destructive malware called Numero, all disguised as legitimate AI tool installers to target victims.
  • The Register - Software: Take care when downloading AI freebies, researcher tells The Register Criminals are using installers for fake AI software to distribute ransomware and other destructive malware.…
  • cyberinsider.com: New Malware “Numero†Masquerading as AI Tool Wrecks Windows Systems
  • Malwarebytes: Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware
  • The Hacker News: Cybercriminals target AI Users with Malware-Loaded Installers Posing as Popular Tools
  • hackread.com: Fake ChatGPT and InVideo AI Downloads Deliver Ransomware
  • securityonline.info: Warning: Fake AI Tools Spread CyberLock Ransomware and Numero Destructive Malware

@WhatIs //
A cyberattack struck Covenant Health on Monday, May 26, 2025, disrupting operations at St. Joseph Hospitals in Bangor, Maine, and Nashua, New Hampshire, as well as St. Mary’s Health System and Community Clinics in Lewiston, Maine. The healthcare provider, a Catholic-based nonprofit serving New England and parts of Pennsylvania, was forced to shut down all data systems across its hospitals, clinics, and provider practices as a protective measure against the "cyber incident initiated by an outside group." This action has impacted access to electronic records, appointment scheduling, and internal communications, leading to connectivity issues throughout the organization.

The cyberattack has led to significant operational disruptions at the affected facilities. In both Bangor and Nashua, ambulance services have been diverted, and diagnostic scans have been redirected to other locations. Patients have reported difficulties in refilling prescriptions, and outpatient lab services at St. Joseph Hospital in Nashua are now only available on the main hospital campus with a physical order in hand. Staff are working under modified procedures to maintain patient care amidst the system outages. The hospitals have posted notices on their websites acknowledging the disruptions and assuring the public that teams are working to restore full services as quickly as possible.

Covenant Health spokesperson Karen Sullivan confirmed that cybersecurity experts have been engaged to investigate the breach and assist in restoring system functionality. While a timeline for full restoration has not been provided, the organization emphasizes that patient care remains a priority. Cybersecurity analysts are warning that medical institutions are increasingly vulnerable to cyberattacks due to the high value of patient data on illicit markets, stressing the urgent need for enhanced digital defenses across the healthcare sector. The incident is currently under investigation, and updates will be provided as more information becomes available.

Recommended read:
References :
  • DataBreaches.Net: Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations
  • The Dysruption Hub: Cyberattack Disrupts Operations at St. Joseph Hospitals in Maine and New Hampshire
  • WhatIs: Covenant Health cyberattack disrupts New England hospitals

@www.bleepingcomputer.com //
DragonForce ransomware group has been actively exploiting vulnerabilities in SimpleHelp, a remote monitoring and management (RMM) software, to target managed service providers (MSPs) and their customers. This attack serves as a stark reminder of the supply chain risks inherent in relying on third-party software, particularly RMM tools which, if compromised, can grant attackers widespread access to numerous client systems. Sophos researchers uncovered that the DragonForce operator chained three specific SimpleHelp flaws, identified as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, to breach an MSP. This breach resulted in data theft and the subsequent deployment of ransomware across the MSP's customer endpoints, causing significant disruption and potential financial losses.

The vulnerabilities exploited by DragonForce allowed the attackers to perform several malicious actions. CVE-2024-57727 enabled unauthorized remote attackers to download arbitrary files, including server configuration files containing sensitive secrets and hashed user passwords. CVE-2024-57728 permitted admin users to upload arbitrary files, leading to potential arbitrary code execution on the host. Furthermore, CVE-2024-57726 allowed low-privilege technicians to create API keys with excessive permissions, potentially enabling them to escalate privileges to the server administrator role. All of these vulnerabilities were present in SimpleHelp's remote support software version 5.5.7 and earlier, highlighting the critical importance of promptly applying security patches.

The DragonForce attack on the MSP via SimpleHelp illustrates a growing trend of cybercriminals targeting RMM and other remote tools to facilitate software supply chain attacks. By compromising a single MSP, attackers can gain access to a large number of downstream customers, amplifying the impact of their attacks. Security experts warn that MSPs must prioritize the security of their RMM software, including implementing robust patch management processes and closely monitoring for suspicious activity. This incident underscores the need for a proactive and vigilant approach to cybersecurity to mitigate the risk of ransomware and other threats exploiting channel vulnerabilities.

Recommended read:
References :
  • Sophos News: Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network
  • bsky.app: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
  • securityaffairs.com: Sophos researchers reported that a DragonForce ransomware operator exploited three chained vulnerabilities in SimpleHelp software to attack a managed service provider. SimpleHelp is a remote support and access software designed for IT professionals and support teams. It provides a streamlined way for IT teams to manage and monitor remote systems, making it a valuable tool for MSPs. However, the vulnerabilities exploited by DragonForce highlight the importance of keeping RMM software patched and up to date, as these tools can become attack vectors for ransomware and other threats.
  • www.bleepingcomputer.com: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
  • BleepingComputer: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
  • BleepingComputer: DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
  • The Register - Security: Updated DragonForce ransomware infected a managed service provider, and its customers, after attackers exploited security flaws in remote monitoring and management tool SimpleHelp.…
  • www.helpnetsecurity.com: Attackers hit MSP, use its RMM software to deliver ransomware to clients
  • Help Net Security: Attackers hit MSP, use its RMM software to deliver ransomware to clients
  • www.techradar.com: DragonForce ransomware hacks SimpleHelp RMM tool to attack MSPs
  • ciso2ciso.com: DragonForce double-whammy: First hit an MSP, then use RMM software to push ransomware – Source: go.theregister.com
  • Anonymous ???????? :af:: The ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data
  • MicroScope: Sophos warns MSPs over DragonForce threat
  • Daily CyberSecurity: Details of RMM tool abused to spread DragonForce.
  • MSSP feed for Latest: The bad actors exploited flaws in SimpleHelp's software to compromise the MSP and attack clients.
  • thehackernews.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints
  • Tech Monitor: DragonForce exploits SimpleHelp in MSP breach
  • www.bleepingcomputer.com: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
  • ciso2ciso.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints – Source:thehackernews.com
  • Security Risk Advisors: Sophos Investigates DragonForce Ransomware Attack Exploiting SimpleHelp RMM Vulnerabilities Against MSP
  • www.sentinelone.com: Robbinhood operator pleads guilty, PumaBot hits IoT via SSH brute-force attacks, and DragonForce expands RMM exploits via an affiliate model.
  • ciso2ciso.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints – Source:thehackernews.com
  • news.sophos.com: Sophos Investigates DragonForce Ransomware Attack Exploiting SimpleHelp RMM Vulnerabilities Against MSP

@therecord.media //
MathWorks, the company behind the popular MATLAB software used by over five million people worldwide, has confirmed a ransomware attack that began on May 18, 2025. The attack disrupted online applications and internal systems, impacting licensing and access for users globally. The company has notified federal law enforcement and is working with cybersecurity experts to restore affected systems.

Commercial customers and STEM students have been significantly impacted by the prolonged outage. An IT manager at an engineering firm reported difficulties acquiring new licenses, hindering ongoing projects. Students also faced challenges, particularly with assessment tools like MATLAB Grader and Cody, which were only recently partially restored. Some frustrated users admitted to pirating the software due to the lack of access to the services they had paid for.

MathWorks has been issuing updates on its status page, initially citing technical issues before confirming the ransomware attack on May 26. While many systems are being brought back online, full recovery is still underway. The company has not yet disclosed details about the ransomware group responsible, whether a ransom was paid, or if data was exfiltrated.

Recommended read:
References :
  • The Dysruption Hub: MathWorks confirms ransomware attack disrupted MATLAB services starting May 18, impacting licensing and access for users worldwide.
  • The Register - Software: Commercial customers, STEM students all feeling the pain after mega outage of engineering data-analysis tool Software biz MathWorks is cleaning up a ransomware attack more than a week after it took down MATLAB, its flagship product used by more than five million people worldwide.
  • therecord.media: MathWorks — developer of MATLAB — has updated customers after initially reporting outages on May 18, confirming a ransomware attack that took down online applications and internal systems used by staff.
  • The Record: MathWorks — developer of MATLAB — has updated customers after initially reporting outages on May 18, confirming a ransomware attack that took down online applications and internal systems used by staff.
  • securebulletin.com: When the world’s engineers, scientists, and students logged in to MATLAB on May 18, 2025, many were met with silence—a digital void where powerful tools once lived.
  • bsky.app: MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage.
  • www.bleepingcomputer.com: MathWorks Blames Ransomware Attack for Ongoing Outages - BleepingComputer
  • BleepingComputer: MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage.
  • Doug Levin: Doug Levin: MathWorks experienced a ransomware attack.
  • Secure Bulletin: Ransomware attack in MathWorks outage that paralyzed MATLAB
  • DataBreaches.Net: MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Blog: Confirmed: MathWorks outage due to ransomware attack
  • Catalin Cimpanu: MATLAB maker hit by ransomware

@cyble.com //
Nova Scotia Power has officially confirmed it fell victim to a sophisticated ransomware attack, impacting approximately 280,000 customers. The breach, which began several weeks ago, involved unauthorized access to internal systems and the subsequent theft of sensitive data. The cyber incident targeted Nova Scotia Power’s digital infrastructure, encrypting critical systems and exfiltrating customer data. The power utility has confirmed it was hit by ransomware but hasn't paid the ransom, nearly a month after first disclosing the cyberattack.

Nova Scotia Power engaged third-party cybersecurity firms to isolate affected networks, mitigate further damage, and conduct forensic analyses. Investigations suggest the attackers employed advanced techniques to bypass existing safeguards, though specific details about the ransomware variant or entry vectors remain undisclosed. The company emphasized it did not comply with ransom demands, a decision it attributes to adherence to sanctions laws and coordination with law enforcement agencies.

The threat actor publicly released portions of the stolen data, compelling Nova Scotia Power to initiate a large-scale notification campaign. Impacted customers received physical mail detailing the breach’s scope and remediation steps. The compromised information reportedly includes names, addresses, account numbers, and potentially payment histories. To address identity theft risks, Nova Scotia Power partnered with TransUnion to offer affected individuals a two-year subscription to the myTrueIdentity® credit monitoring service at no cost, including real-time credit alerts and dark web surveillance.

Recommended read:
References :
  • thecyberexpress.com: Nova Scotia Power has confirmed it was the victim of a ransomware attack, weeks after initially alerting customers to a cybersecurity breach.
  • Tech Monitor: Nova Scotia Power confirms data breach, customer information compromised
  • cyberpress.org: Nova Scotia Power Confirms Cyberattack Affecting 280K Customers
  • securityaffairs.com: Nova Scotia Power confirms it was hit by a ransomware attack but hasn’t paid the ransom, nearly a month after first disclosing the cyberattack.
  • Cyber Security News: Nova Scotia Power, a key utility provider, faced a significant ransomware attack, which led to the leak of customer data and exposed sensitive information.

Pierluigi Paganini@Security Affairs //
The FBI has issued a warning to U.S. law firms regarding an escalating cyber threat posed by the Silent Ransom Group (SRG), also known as Luna Moth or Chatty Spider. This group, active since 2022, has refined its tactics to target law firms specifically since early 2023, likely due to the valuable and confidential client data they possess. The group aims to gain unauthorized access to systems and devices in order to steal sensitive information and extort victims with threats of public data leaks.

SRG's methods include IT-themed social engineering calls and callback phishing emails. In these attacks, they impersonate IT personnel to deceive employees into granting remote access to systems. They may direct the employee to a malicious website or send a link via email that installs remote access software. Once inside, the attackers discreetly extract sensitive files using tools like WinSCP or disguised versions of Rclone. This campaign is particularly dangerous because it leaves minimal digital traces and can bypass traditional security measures.

To defend against these attacks, the FBI urges law firms to enhance staff training to recognize and avoid social engineering tactics. Implementing multi-factor authentication is crucial, as is proactive monitoring for unauthorized access attempts. The agency also advises that victims share any ransom evidence with law enforcement to aid in investigations. Furthermore, CISOs are encouraged to fortify help desk and employee defenses, enhance intrusion detection and tracking capabilities, and recognize that paying ransoms is not a viable strategy.

Recommended read:
References :
  • DataBreaches.Net: DataBreaches.net issues a Private Industry Notification about the Silent Ransom Group targeting law firms.
  • securityaffairs.com: SecurityAffairs reports on Silent Ransom Group targeting law firms, the FBI warns.
  • The DefendOps Diaries: The DefendOps Diaries explores the Silent Ransom Group's new era of cyber extortion.
  • bsky.app: The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks.
  • BleepingComputer: FBI warns of Luna Moth extortion attacks targeting law firms
  • ciso2ciso.com: Silent Ransom Group targeting law firms, the FBI warns – Source: securityaffairs.com
  • hackread.com: FBI Warns of Silent Ransom Group Targeting Law Firms via Scam Calls
  • databreaches.net: Private Industry Notification: Silent Ransom Group Targeting Law Firms
  • Security Affairs: The FBI warns that the Silent Ransom Group, active since 2022 and also known as Luna Moth, has targeted U.S. law firms using phishing and social engineering. Linked to BazarCall campaigns, the group previously […]
  • ciso2ciso.com: FBI Warns of Silent Ransom Group Targeting Law Firms via Scam Calls – Source:hackread.com
  • malware.news: Private Industry Notification: Silent Ransom Group Targeting Law Firms
  • ciso2ciso.com: FBI warns law firms: Silent Ransom Group uses phishing emails and fake IT calls to steal data, demanding ransom to prevent public leaks.
  • gbhackers.com: FBI Issues on Silent Ransom Group Using Fake IT Support Calls to Target Victims
  • malware.news: FBI Issues on Silent Ransom Group Using Fake IT Support Calls to Target Victims
  • The Hacker News: The campaign leverages "information technology (IT) themed social engineering calls, and callback phishing emails, to gain remote access to systems or devices and steal sensitive data to extort the victims
  • gbhackers.com: The Federal Bureau of Investigation (FBI) has issued a critical alert regarding the escalating activities of the cyber threat actor known as Silent Ransom Group (SRG), also identified under aliases such as Luna Moth, Chatty Spider, and UNC3753.
  • Tech Monitor: The FBI alerts law firms to rising threat of Silent Ransom Group’s extortion tactics
  • thecyberexpress.com: FBI Warns about Silent Ransom Group Targeting Law Firms
  • eSecurity Planet: The FBI warns law firms of a stealth phishing scam where hackers call victims, pose as IT staff, and use remote access tools to steal sensitive data.
  • www.scworld.com: US law firms facing Luna Moth ransomware threat
  • cyble.com: FBI Warns Silent Ransom Group Targeting U.S. Law Firms Using Social Engineering and Callback Phishing
  • www.esecurityplanet.com: FBI Warns Law Firms: Hackers Are Calling Offices in Stealth Phishing Scam
  • cyble.com: FBI Warns Silent Ransom Group Targeting U.S. Law Firms Using Social Engineering and Callback Phishing
  • www.techradar.com: FBI warns legal firms of Luna Moth extortion attacks where hackers will call their office

Dhara Shrivastava@cysecurity.news //
Marks & Spencer (M&S) and Co-op, major UK retailers, have been hit by a Scattered Spider cyberattack involving DragonForce ransomware. The attack has caused weeks-long disruptions, impacting online transactions and the availability of food, fashion, and home goods. M&S warns that the disruption to online transactions could last until July. The cybercrime gang Scattered Spider is also believed to be behind attacks on other UK retailers, including Harrods.

The financial impact on M&S is expected to be significant. The company anticipates the cyberattack will cut $400 million from its profits and reported losing over £40 million in weekly sales since the attack began over the Easter bank holiday weekend. As a precaution, M&S took down some of its systems, resulting in short-term disruptions. This decision was made to protect its systems, customers, and partners from further compromise.

In response to the attack, M&S plans to accelerate its technology improvement plan, shortening the timeframe from two years to six months. This reflects the urgent need to bolster its cybersecurity defenses and prevent future disruptions. The company previously outlined plans in 2023 to improve its technology stack, including investments in infrastructure, network connectivity, store technology, and supply-chain systems. M&S acknowledged that personal data of customers had been stolen, including names, dates of birth, telephone numbers, home and email addresses, and online order histories. However, the retailer insisted that the data theft did not include usable card, payment, or login information.

Recommended read:
References :
  • www.cysecurity.news: Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption
  • www.cybersecuritydive.com: M&S warns April cyberattack will cut $400 million from profits
  • Tech Monitor: Marks & Spencer faces £300m impact on profit from cyberattack
  • techxplore.com: Marks & Spencer cyberattack: How can retailers regain customers' trust after a hack?

@securebulletin.com //
A new wave of cyberattacks is leveraging sophisticated social engineering techniques combined with technical exploits to breach corporate networks. Security firms are reporting a rise in attacks linked to the 3AM ransomware operation. These attacks begin with an overwhelming flood of emails, known as email bombing, directed at specific employees. This is followed by spoofed phone calls where the attackers impersonate the organization's IT support team, attempting to trick the employee into granting remote access to their computer. The attackers’ use of real phone calls marks a notable escalation in social engineering sophistication.

Once the attackers have gained the trust of the employee, they will try to convince them to run Microsoft Quick Assist, a legitimate remote access tool. This grants the attackers remote access to the victim's machine under the guise of fixing a problem. This initial access is then used to deploy a malicious payload, which may include virtual machines or other tools designed to evade detection by security software. After gaining control of the system they install malicious software, create new user accounts, and gain admin privileges.

Sophos has documented multiple ransomware actors leveraging an attack pattern first reported by Microsoft using “email bombing” to overload a targeted organization’s employee with unwanted emails, and then making a voice or video call over Microsoft Teams posing as a tech support team member to deceive that employee into allowing remote access to their computer. BleepingComputer reports that highly targeted intrusions involving email bombing and fake IT support calls have been launched by threat actors linked to the 3AM ransomware operation during the first quarter of this year. This allows the attackers to perform reconnaissance, create local admin accounts, and install remote management tools for persistence and lateral movement within the network, often resulting in significant data exfiltration.

Recommended read:
References :
  • bsky.app: Bsky post about 3AM ransomware posing as a call from IT support to compromise networks.
  • securebulletin.com: Secure Bulletin post covering 3AM Ransomware attacks
  • www.bleepingcomputer.com: BleepingComputer post about 3AM ransomware uses spoofed IT calls
  • www.tripwire.com: Tripwire State of Security blog post on 3AM ransomware attack posing as a call from IT support.
  • www.scworld.com: BleepingComputer reports that highly targeted intrusions involving email bombing and fake IT support calls have been launched by threat actors linked to the 3AM ransomware operation during the first quarter of this year.
  • BleepingComputer: A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems.
  • The DefendOps Diaries: Explore the sophisticated tactics of 3AM ransomware, including social engineering and advanced encryption, to protect your network.
  • Graham Cluley: 3AM ransomware attack poses as a call from IT support to compromise networks

@www.bleepingcomputer.com //
The US government has indicted Rustam Rafailevich Gallyamov, a 48-year-old Russian national from Moscow, as the leader of the Qakbot botnet malware conspiracy. Gallyamov, also known as "Cortes" and other aliases, is accused of leading a group of cybercriminals responsible for developing and deploying the Qakbot malware since 2008. This indictment is part of an ongoing multinational effort involving the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada to combat cybercrime. The Justice Department has also filed a civil forfeiture complaint against Gallyamov, seeking to seize over $24 million in cryptocurrency allegedly obtained through his criminal activities.

According to court documents, Gallyamov used the Qakbot malware to infect over 700,000 computers globally, establishing a vast network or "botnet" of compromised machines. Starting in 2019, this botnet was leveraged to facilitate ransomware attacks against innocent victims worldwide, causing significant financial losses. The FBI and its international partners crippled Gallyamov's bot network in 2023, but he allegedly continued to deploy alternative methods to make his malware available to criminal cyber gangs. The Qakbot malware, also known as Qbot and Pinkslipbot, evolved over time from a banking trojan into a tool used for malware dropping and keystroke logging.

Officials emphasize the commitment to holding cybercriminals accountable and disrupting their activities. "Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. U.S. Attorney Bill Essayli for the Central District of California added, "The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals." The case demonstrates the FBI’s commitment to relentlessly pursuing individuals who target Americans and demand ransom, even when they reside overseas.

Recommended read:
References :
  • bsky.app: Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme
  • DataBreaches.Net: Russian national and leader of Qakbot malware conspiracy indicted in long-running global ransomware scheme
  • www.bleepingcomputer.com: The U.S. government has indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks.
  • The DefendOps Diaries: The Indictment of Rustam Rafailevich Gallyamov: A Turning Point in Cybercrime Battle
  • thecyberexpress.com: The U.S. Justice Department has unsealed an indictment against Rustam Rafailevich Gallyamov, a Russian national accused of running a cybercrime group responsible for one of the most notorious malware threats in recent years:.
  • BleepingComputer: US indicts leader of Qakbot botnet linked to ransomware attacks
  • The Register - Security: Feds finger Russian 'behind Qakbot malware' that hit 700K computers Agents thought they shut this all down in 2023, but the duck quacked again Uncle Sam on Thursday unsealed criminal charges and a civil forfeiture case against a Russian national accused of leading the cybercrime ring behind Qakbot, the notorious malware that infected hundreds of thousands of computers worldwide and helped fuel ransomware attacks costing victims tens of millions of dollars.
  • Tech Monitor: The U.S. Justice Department has indicted Rustam Rafailevich Gallyamov, the alleged leader of the Qakbot botnet malware operation.
  • www.justice.gov: Justice Department Announces Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme
  • Security Affairs: Leader of Qakbot cybercrime network indicted in U.S. crackdown
  • BleepingComputer: The U.S. government has indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks.
  • securityaffairs.com: Leader of Qakbot cybercrime network indicted in U.S. crackdown
  • Daily CyberSecurity: Europol and Eurojust have dismantled the digital backbone of several major malware strains used in ransomware operations.
  • www.helpnetsecurity.com: DanaBot botnet disrupted, QakBot leader indicted
  • ComputerWeekly.com: US makes fresh indictments over DanaBot, Qakbot malwares

@ketteringhealth.org //
Kettering Health, a healthcare network operating 14 medical centers and over 120 outpatient facilities in western Ohio, has been hit by a ransomware attack causing a system-wide technology outage. The cyberattack, which occurred on Tuesday, May 20, 2025, has forced the cancellation of elective inpatient and outpatient procedures and has disrupted access to critical patient care systems, including phone lines, the call center, and the MyChart patient portal. Emergency services remain operational, but emergency crews are being diverted to other facilities due to the disruption. Kettering Health has confirmed they are responding to the cybersecurity incident involving unauthorized access to its network and has taken steps to contain and mitigate the breach, while actively investigating the situation.

The ransomware attack is suspected to involve the Interlock ransomware gang, which emerged last fall and has targeted various sectors, including tech, manufacturing firms, and government organizations. A ransom note, viewed by CNN, claimed the attackers had secured Kettering Health's most vital files and threatened to leak stolen data unless the health network began negotiating an extortion fee. In response to the disruption, Kettering Health has canceled elective procedures and is rescheduling them for a later date. Additionally, the organization is cautioning patients about scam calls from individuals posing as Kettering Health team members requesting credit card payments and has halted normal billing calls as a precaution.

The incident highlights the increasing cybersecurity challenges facing healthcare systems. According to cybersecurity experts, healthcare networks often operate with outdated technology and lack comprehensive cybersecurity training for staff, making them vulnerable to attacks. There is a call to action to invest in healthcare cybersecurity, with recommendations for the government and its partners to address understaffed healthcare cyber programs by tweaking federal healthcare funding programs to cover critical cybersecurity expenditures, augmenting healthcare cybersecurity workforces and incentivizing cyber maturity.

Recommended read:
References :
  • industrialcyber.co: Ransomware suspected in Kettering Health cyberattack disrupting patient services, canceling elective procedures
  • BleepingComputer: Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage.
  • www.bleepingcomputer.com: Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage. [...]
  • DataBreaches.Net: Elective inpatient and outpatient procedures were canceled.
  • thecyberexpress.com: Kettering Health Hit by Cyberattack: Network Outage and Scam Calls Reported
  • The DefendOps Diaries: Strengthening Cybersecurity in Healthcare: Lessons from the Kettering Health Ransomware Attack
  • BleepingComputer: Kettering Health hit by system-wide outage after ransomware attack
  • The Dysruption Hub: Reports Ransomware Attack Cripples Kettering Health Systems Across Ohio
  • www.healthcareitnews.com: Kettering Health faces a ransomware attack and confirms a scam targeting its patients
  • www.scworld.com: Apparent ransomware attack leads to systemwide outage for Kettering Health
  • Industrial Cyber: Reports Ransomware suspected in Kettering Health cyberattack disrupting patient services, canceling elective procedures
  • www.itpro.com: The incident at Kettering Health disrupted procedures for patients
  • www.cybersecuritydive.com: Ohio’s Kettering Health hit by cyberattack

Dhara Shrivastava@cysecurity.news //
British retailer giant Marks & Spencer (M&S) is facing a major financial impact following a recent cyberattack, with potential profit losses estimated at £300 million, equivalent to $402 million. The attack has caused widespread operational and sales disruptions, particularly affecting the company's online retail systems. According to a recent filing with the London Stock Exchange, M&S anticipates these disruptions to continue until at least July, impacting its fiscal year 2025/26 profits.

The cyberattack has significantly impacted M&S’s online sales channels, forcing the company to temporarily halt online shopping in its Fashion, Home & Beauty divisions. This downtime has led to substantial revenue loss, despite the resilience of its physical stores. The company has also faced increased logistics and waste management costs as it reverted to manual processes. CEO Stuart Machin acknowledged the challenging situation but expressed confidence in the company's recovery, emphasizing a focus on restoring systems and accelerating technical transformation.

M&S is actively implementing strategies to mitigate the financial repercussions, including cost management, insurance claims, and strategic trading actions. The retailer is reportedly preparing to claim up to £100 million from its cyber insurance policy to offset some of the losses. The company views this crisis as an opportunity to expedite its technical transformation, although specific details of this transformation have not yet been disclosed. The costs related to the attack itself and technical recovery are expected to be communicated at a later date as an adjustment item.

Recommended read:
References :
  • The Register - Security: Marks & Spencer warns of a £300M dent in profits from cyberattack
  • The DefendOps Diaries: Marks & Spencer Faces Major Financial Impact from Cyberattack
  • BleepingComputer: Marks & Spencer faces $402 million profit hit after cyberattack
  • ComputerWeekly.com: M&S cyber attack disruption likely to last until July
  • BleepingComputer: British retailer giant Marks & Spencer (M&S) is bracing for a potential profit hit of up to £300 million £300 million ($402 million) following a recent cyberattack that led to widespread operational and sales disruptions.
  • techxplore.com: Marks & Spencer cyberattack: How can retailers regain customers' trust after a hack?
  • www.cybersecuritydive.com: M&S warns April cyberattack will cut $400 million from profits
  • The Hacker News: Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022.
  • DataBreaches.Net: Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • techxplore.com: Cyberattack costs UK retailer Marks & Spencer £300 mn
  • www.cysecurity.news: Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption
  • Tech Monitor: Marks & Spencer faces £300m impact on profit from cyberattack
  • www.bleepingcomputer.com: Marks & Spencer faces $402 million profit hit after cyberattack
  • socprime.com: A joint advisory from cybersecurity and intelligence agencies across North America, Europe, and Australia confirms a two-year-long cyberespionage campaign by russian GRU Unit 26165 (APT28, Forest Blizzard, Fancy Bear).
  • www.esecurityplanet.com: Russian military hackers are targeting Western firms aiding Ukraine, using cyberespionage to infiltrate logistics networks and spy on arms shipments.

Ashish Khaitan@The Cyber Express //
Peter Green Chilled, a key food distributor supplying major UK supermarkets including Tesco, Aldi, and Sainsbury's, has fallen victim to a ransomware attack. The cyberattack, which took hold around May 14th, has disrupted the delivery of fresh meat products, putting pallets of food at risk of going to waste. While the specific ransomware group responsible has not been publicly identified, the company has reported the incident to the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) and is implementing "workarounds" to continue deliveries. One of their customers has expressed concern that thousands of products are at risk.

The ransomware attack has forced Peter Green Chilled to halt operations, as confirmed by their Managing Director, Tom Binks. The company has stated it will issue "regular updates" to clients while the attack continues. It appears to be an incident involving encryption and not just data exfiltration. The phone number listed for Peter Green Chilled on its website appears to be blocking inbound calls, and its general enquiries email address is not accepting incoming messages from senders outside the organization.

The incident highlights the increasing threat of cyberattacks targeting the retail sector and supply chains. Wilfred Emmanuel-Jones, founder of The Black Farmer, told the BBC that his company has thousands of packets of meat sitting in limbo due to the attack. Similar cyber-related issues are currently affecting Co-op and M&S. Cyberattacks, particularly ransomware attacks, have become a significant threat to retail businesses worldwide and can lead to product shortages and significant disruption.

Recommended read:
References :
  • DataBreaches.Net: Supplier to major UK supermarkets Aldi, Tesco & Sainsbury’s hit by cyber attack with ransom demand
  • The Register - Security: Ransomware attack on food distributor spells more pain for UK supermarkets
  • ComputerWeekly.com: Retail cyber attacks hit food distributor Peter Green Chilled
  • thecyberexpress.com: Peter Green Chilled Cyberattack Disrupts Supermarket Supply Chain Across the UK
  • www.cybersecurity-insiders.com: In a troubling development, a new victim of ransomware has emerged today, targeting a key food distributor that supplies refrigerated goods and groceries to major UK supermarket chains, including Tesco, Aldi, and Sainsbury’s.
  • www.cybersecurity-insiders.com: Ransomware attack on UK Food Distributor to supermarkets
  • www.itpro.com: Everything we know about the Peter Green Chilled cyber attack
  • Tech Monitor: Ransomware attack hits Peter Green Chilled, disrupting UK retail supply chain
  • bsky.app: Maybe you've never heard of Peter Green Chilled, but it supplies food to some of the UK's largest supermarkets.... and it's just been hit ransomware. Delivery of fresh meat products have been disrupted, and pallets of food are at risk of going to waste.

info@thehackernews.com (The@The Hacker News //
A new cybersecurity threat, dubbed Hazy Hawk, has emerged, exploiting misconfigured DNS records to hijack abandoned cloud resources. Since at least December 2023, the threat actor has been using DNS CNAME hijacking to seize control of abandoned cloud endpoints belonging to reputable organizations, including Amazon S3 buckets and Microsoft Azure endpoints. By registering new cloud resources with the same names as the abandoned ones, Hazy Hawk redirects traffic to malicious sites, incorporating these hijacked domains into large-scale scam delivery and traffic distribution systems (TDS). This allows them to distribute scams, fake applications, and malware to unsuspecting users, leveraging the trust associated with the original domains.

Infoblox researchers first detected Hazy Hawk's activities in February 2025, when the group successfully took control of subdomains belonging to the U.S. Centers for Disease Control (CDC). Further investigation revealed that global government agencies, major universities, and international corporations such as Deloitte and PricewaterhouseCoopers have also been targeted. Hazy Hawk scans for domains with CNAME records pointing to abandoned cloud endpoints, determining this through passive DNS data validation. They then register a new cloud resource with the same name, causing the original domain's subdomain to resolve to the attacker's controlled resource.

The attack chains often involve cloning legitimate websites to appear trustworthy, and URL obfuscation techniques are employed to hide malicious destinations. Hazy Hawk uses hijacked domains to host malicious URLs that redirect users to scams and malware. What makes Hazy Hawk's operations particularly concerning is the use of trusted domains to serve malicious content, enabling them to bypass detection and exploit the reputation of high-profile entities. Cybersecurity experts advise organizations to diligently monitor and manage their DNS records, ensuring that CNAME records pointing to abandoned cloud resources are removed to prevent unauthorized domain hijacking.

Recommended read:
References :
  • BleepingComputer: Threat actors have been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDSes).
  • BleepingComputer: Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains
  • The Hacker News: Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery
  • hackread.com: Infoblox reveals Hazy Hawk, a new threat exploiting abandoned cloud resources (S3, Azure) and DNS gaps since Dec…
  • The DefendOps Diaries: Explore Hazy Hawk's DNS hijacking tactics and learn how to protect your domains from this emerging cybersecurity threat.
  • bsky.app: A threat actor named 'Hazy Hawk' has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS).
  • www.bleepingcomputer.com: Hazy Hawk has been observed hijacking abandoned cloud resources.
  • Virus Bulletin: Researchers Jacques Portal & Renée Burton look into Hazy Hawk, a threat actor that hijacks abandoned cloud resources of high-profile organizations.
  • blogs.infoblox.com: Hazy Hawk is a threat actor that hijacks abandoned cloud resources of high-profile organizations.
  • www.scworld.com: Misconfigured DNS, neglected cloud assets harnessed in Hazy Hawk domain hijacking attacks
  • Infoblox Blog: Cloudy with a Chance of Hijacking Forgotten DNS Records Enable Scam Actor
  • DomainTools: Report on the threat actor's tactics and techniques, including targeting abandoned cloud resources.
  • Security Risk Advisors: Hazy Hawk Actor Hijacks Abandoned Cloud DNS Records of High-Profile Organizations for Scam Distribution
  • cyble.com: Cyble reports on Hazy Hawk campaign hijacks abandoned cloud DNS records from CDC, Berkeley, & 100+ major orgs to distribute scams.
  • BleepingComputer: Hazy Hawk exploits abandoned cloud resources from high-profile organizations to distribute scams and malware through traffic distribution systems (TDSes).
  • cyberscoop.com: Coordinated effort took down seven kinds of malware and targeted initial access brokers.
  • securityonline.info: A significant takedown neutralized ransomware delivery and initial access malware infrastructure.
  • BleepingComputer: International law enforcement took down hundreds of servers and domains.