@zdnet.com
//
Federal cybersecurity agencies, including the FBI and CISA, have issued an urgent advisory regarding the escalating threat of Medusa ransomware. Since its emergence in 2021, Medusa has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. The group's activities have accelerated in recent months, prompting immediate action recommendations for organizations. Medusa operates as a Ransomware-as-a-Service (RaaS) model, now recruiting affiliates from criminal forums to launch attacks, encrypt data, and extort victims worldwide.
Medusa actors leverage common ransomware tactics, including phishing campaigns and exploiting unpatched software vulnerabilities. They employ a double extortion strategy by encrypting victim data and threatening to publicly release it if the ransom is not paid. To mitigate the risk, CISA and the FBI recommend organizations update systems regularly to close known vulnerabilities, implement network segmentation to restrict lateral movement, and enable multi-factor authentication for all services. They also urge organizations to report incidents promptly to aid in tracking and combating the growing threat.
Recommended read:
References:
- bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
- www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
- securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
- DataBreaches.Net: #StopRansomware: Medusa Ransomware
- Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
- securityaffairs.com: SecurityAffairs article: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
- www.cybersecuritydive.com: Medusa ransomware slams critical infrastructure organizations
- www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
- www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
- : FBI and CISA Warn of Medusa Ransomware Impacting Critical Infrastructure
- The DefendOps Diaries: Explore the impact of Medusa ransomware on critical infrastructure and learn strategies to enhance cybersecurity defenses.
- www.scworld.com: Medusa ransomware, a ransomware-as-a-service group, has increased attacks targeting critical infrastructure, potentially preparing for geopolitical conflicts. Recent attacks indicate a 150% increase in this activity.
- Tenable Blog: Tenable article: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
- SOC Prime Blog: SOC Prime blog: Medusa Ransomware Attacks Covered in AA25-071A Detection
- be4sec: Medusa Ransomware is Targeting Critical Infrastructure
- be4sec: This advisory summarizes the key activities of prominent ransomware groups in January 2025, highlighting a significant increase in Medusa attacks.
- aboutdfir.com: Medusa ransomware group has been actively targeting critical infrastructure organizations, employing a double extortion tactic.
- www.techradar.com: US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
- cyble.com: The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a well-timed advisory on the Medusa ransomware group last week, as Cyble has detected an acceleration in the group’s activities in recent months.
- Email Security - Blog: Medusa Ransomware: Multi-Industry Threat on the Rise
- techxplore.com: Cybersecurity officials warn against potentially costly Medusa ransomware attacks
- Security | TechRepublic: Medusa Ransomware Strikes 300+ Targets: FBI & CISA Urge Immediate Action to #StopRansomware
- eSecurity Planet: Medusa Ransomware Warning: CISA and FBI Issue Urgent Advisory
- Blue Team Con: CISA and the FBI warn about Medusa ransomware, urging organizations to update security, enable MFA, and report incidents to mitigate the growing threat.
- thecyberexpress.com: Medusa Ransomware Surge: 60 Victims in 3 Months—Are You Next?
- www.zdnet.com: How to guard against a vicious Medusa ransomware attack - before it's too late
- www.cysecurity.news: The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware.
- Sam Bent: Cybercriminal Group Medusa Targets Critical Infrastructure Sectors A sophisticated cybercriminal group known as Medusa has been targeting many critical infrastructure sectors in the United States.
- The Hacker News: Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
- www.cybersecuritydive.com: Medusa ransomware using malicious driver as EDR killer
@cyberalerts.io
//
The FBI has issued a warning about the rising trend of cybercriminals using fake file converter tools to distribute malware. These tools, often advertised as free online document converters, are designed to trick users into downloading malicious software onto their computers. While these tools may perform the advertised file conversion, they also secretly install malware that can lead to identity theft, ransomware attacks, and the compromise of sensitive data.
The threat actors exploit various file converter or downloader tools, enticing users with promises of converting files from one format to another, such as .doc to .pdf, or combining multiple files. The malicious code, disguised as a file conversion utility, can scrape uploaded files for personal identifying information, including social security numbers, banking information, and cryptocurrency wallet addresses. The FBI advises users to be cautious of such tools and report any instances of this scam to protect their assets.
The FBI Denver Field Office is warning that they are increasingly seeing scams involving free online document converter tools and encourages victims to report any instances of this scam. Malwarebytes has identified some of these suspect file converters, which include Imageconvertors.com, convertitoremp3.it, convertisseurs-pdf.com and convertscloud.com. The agency emphasized the importance of educating individuals about these threats to prevent them from falling victim to these scams.
Recommended read:
References:
- Talkback Resources: FBI warns of malware-laden websites posing as free file converters, leading to ransomware attacks and data theft.
- gbhackers.com: Beware! Malware Hidden in Free Word-to-PDF Converters
- www.bitdefender.com: Free file converter malware scam "rampant" claims FBI
- Malwarebytes: Warning over free online file converters that actually install malware
- bsky.app: Free file converter malware scam "rampant" claims FBI.
- bsky.app: @bushidotoken.net has dug up some IOCs for the FBI's recent warning about online file format converters being used to distribute malware
- Help Net Security: FBI: Free file converter sites and tools deliver malware
- www.techradar.com: Free online file converters could infect your PC with malware, FBI warns
- Security | TechRepublic: Scam Alert: FBI ‘Increasingly Seeing’ Malware Distributed In Document Converters
- securityaffairs.com: The FBI warns of a significant increase in scams involving free online document converters to infect users with malware. The FBI warns that threat actors use malicious online document converters to steal users’ sensitive information and infect their systems with malware.
- The DefendOps Diaries: FBI warns against fake file converters spreading malware and stealing data. Learn how to protect yourself from these cyber threats.
- PCMag UK security: PSA: Be Careful Around Free File Converters, They Might Contain Malware
- www.bleepingcomputer.com: FBI warnings are true—fake file converters do push malware
- www.techradar.com: FBI warns some web-based file management services are not as well-intentioned as they seem.
- www.csoonline.com: Improvements Microsoft has made to Office document security that disable macros and other embedded malware by default has forced criminals to up their innovation game, a security expert said Monday.
- www.itpro.com: Fake file converter tools are on the rise – here’s what you need to know
- Cyber Security News: The FBI Denver Field Office has warned sternly about the rising threat of malicious online file converter tools. These seemingly harmless services, often advertised as free tools to convert or merge files, are being weaponized by cybercriminals to install malware on users’ computers. This malware can have devastating consequences, including ransomware attacks and identity theft. […]
Lorenzo Franceschi-Bicchierai@techcrunch.com
//
Rostislav Panev, a dual Russian-Israeli national suspected of being a key developer for the notorious LockBit ransomware operation, has been extradited to the United States. Panev was arrested in Israel in August 2024 following a U.S. provisional arrest request and has now made an initial appearance before a U.S. magistrate, where he was detained pending trial. U.S. authorities allege that Panev played a crucial role in developing the LockBit ransomware from its inception around 2019 through February 2024.
Panev is accused of developing code and maintaining infrastructure for LockBit. The U.S. Department of Justice (DoJ) stated that Panev and his co-conspirators grew LockBit into one of the most active and destructive ransomware groups globally. LockBit operators and affiliates have extracted at least $500 million in ransom payments from victims, causing billions of dollars in lost revenue and recovery costs. The complaint against Panev follows charges brought against other LockBit members, including its alleged primary creator, developer, and administrator, Dmitry Yuryevich Khoroshev, for whom the U.S. is offering a reward of up to $10 million.
Recommended read:
References:
- bsky.app: A dual Russian-Israeli national, suspected of being a key developer for the LockBit ransomware operation, has been extradited to the United States to face charges.
- techcrunch.com: The US Department of Justice announced that Rostislav Panev, who developed code and maintained infrastructure for LockBit, is now in U.S. custody.
- : US authorities have extradited Rostislav Panev on charges of being a developer of the notorious LockBit ransomware
- securityaffairs.com: LockBit ransomware developer Rostislav Panev was extradited from Israel to the U.S.
- BleepingComputer: Suspected LockBit ransomware dev extradited to United States
- The DefendOps Diaries: International Cooperation in Combating Cybercrime: The Extradition of Rostislav Panev
- thecyberexpress.com: Alleged LockBit Ransomware Developer Extradited to U.S. to Stand Trial
- DataBreaches.Net: Dual Russian And Israeli National Extradited To The United States For His Role In The LockBit Ransomware Conspiracy
- The Hacker News: Alleged Israeli LockBit Developer Rostislav Panev Extradited to U.S. for Cybercrime Charges
- The Record: Rostislav Panev, who was arrested in Israel in August 2024 on U.S. charges related to dozens of LockBit ransomware attacks, has been extradited and appeared in a New Jersey federal court, authorities said.
- securityonline.info: Major LockBit Ransomware Developer Extradited to U.S.
- hackread.com: LockBit Developer Rostislav Panev Extradited from Israel to the US
- Talkback Resources: Ransomware Developer Extradited, Admits Working for LockBit [mal]
- www.it-daily.net: LockBit ransomware developer extradited to the USA
- www.scworld.com: US extradites alleged LockBit developer
- www.itpro.com: Alleged LockBit developer extradited to the US
Bill Toulas@BleepingComputer
//
A new ransomware campaign is underway, leveraging critical vulnerabilities in Fortinet's FortiOS and FortiProxy systems. The SuperBlack ransomware, deployed by the cybercriminal group Mora_001, targets Fortinet firewalls by exploiting authentication bypass flaws, specifically CVE-2024-55591 and CVE-2025-24472. Once inside, attackers escalate privileges to super-admin, create new administrator accounts, and modify automation tasks so that their access persists even if the added accounts are removed.
The vulnerabilities, disclosed in January and February of 2025, allow attackers to gain unauthorized access and encrypt devices. After the initial compromise, attackers map the network and attempt lateral movement using stolen VPN credentials and newly added VPN accounts. They use the Windows Management Instrumentation command-line tool (WMIC), SSH, and TACACS+/RADIUS authentication, the latter two being protocols for managing and authenticating network access. Organizations are urged to patch their Fortinet systems to mitigate the risk of SuperBlack ransomware attacks.
Recommended read:
References:
- The DefendOps Diaries: SuperBlack Ransomware: Exploiting Fortinet Vulnerabilities
- BleepingComputer: New SuperBlack ransomware exploits Fortinet auth bypass flaws
- Industrial Cyber: Researchers from Forescout Technologies' Forescout Research – Vedere Labs identified a series of intrusions exploiting two Fortinet vulnerabilities
- The Register - Security: New kids on the ransomware block channel Lockbit to raid Fortinet firewalls
- www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
- Blog: Fortinet flaws targeted by new LockBit-like SuperBlack ransomware
- securityaffairs.com: SuperBlack Ransomware operators exploit Fortinet Firewall flaws in recent attacks
- www.csoonline.com: Researchers tracked the exploits back to late November/early December last year.
- techcrunch.com: Hackers are exploiting Fortinet firewall bugs to plant ransomware
- Security Risk Advisors: New SuperBlack ransomware exploits Fortinet vulnerabilities for network breaches
- Cyber Security News: CISA Warns: Fortinet FortiOS Vulnerability Actively Exploited
- gbhackers.com: CISA Issues Security Warning on Fortinet FortiOS Authentication Bypass Exploit
- securityonline.info: Cybersecurity Alert: CISA Adds Fortinet and GitHub Action Vulnerabilities to Exploited List
- cyble.com: CISA Alerts Users of CVE-2025-24472
- securityaffairs.com: U.S. CISA adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog
- www.it-daily.net: SuperBlack ransomware exploits Fortinet vulnerability
- : Fortinet Vulnerability Exploited in Ransomware Attack, CISA Warns The US Cybersecurity and Infrastructure Security Agency added flaws in Fortinet and a popular GitHub Action to its Known Exploited Vulnerabilities catalog
- chemical-facility-security-news.blogspot.com: CISA Adds FortiGuard Vulnerability to KEV Catalog – 3-18-25
Mandvi@Cyber Security News
//
A new Ransomware-as-a-Service (RaaS) program, VanHelsingRaaS, has rapidly emerged as a significant threat in the cybercrime world. Launched on March 7, 2025, the program has quickly gained traction, infecting three victims within its first two weeks of operation. The service offers affiliates a control panel and a cross-platform locker, VanHelsing, which is capable of targeting a wide variety of systems, including Windows, Linux, BSD, ARM, and ESXi. This broad platform support allows affiliates to target diverse environments, increasing the potential impact of attacks.
The VanHelsingRaaS program requires a $5,000 deposit for new affiliates, while reputable affiliates can join for free. Affiliates earn 80% of the ransom payments, while the core operators receive the remaining 20%. A key restriction is the prohibition of targeting systems in the Commonwealth of Independent States (CIS). Check Point Research has identified two VanHelsing ransomware variants targeting Windows systems, but the RaaS advertisement indicates wider capabilities. This suggests the ransomware is designed to be adaptable and versatile, posing a significant threat to organizations across various industries and operating systems.
Recommended read:
References:
- gbhackers.com: VanHelsing Ransomware Targets Windows Systems with New Evasion Tactics and File Extension
- Check Point Research: VanHelsing, new RaaS in Town
- Christoffer S.: (checkpoint.com) VanHelsingRaaS: Analysis of a New and Rapidly Expanding Ransomware-as-a-Service Program
- Check Point Blog: The Rise of VanHelsing RaaS: A New Player in the Ransomware Landscape
- Blog: New ‘VanHelsing’ Raas hunts your data, not vampires
- The Hacker News: VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics
- : VanHelsingRaaS, a new ransomware-as-a-service program, infected three victims within two weeks of release, demanding ransoms of $500,000
- Talkback Resources: VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics [mal]
- The DefendOps Diaries: VanHelsing Ransomware: A Multi-Platform Threat with Sophisticated Tactics
- Security Risk Advisors: VanHelsing Ransomware hits Windows, Linux, and ESXi with stealthy encryption and demands up to $500K.
- Broadcom Software Blogs: VanHelsing RaaS is a burgeoning ransomware-as-a-service (RaaS) platform that launched on March 7, 2025.
- Cyber Security News: VanHelsingRaaS, a newly launched ransomware-as-a-service (RaaS) program, has quickly gained traction in the cybercrime landscape.
- www.bleepingcomputer.com: New VanHelsing ransomware targets Windows, ARM, ESXi systems
- securityonline.info: VanHelsingRaaS: A New Player in the Ransomware Game
- CyberInsider: New VanHelsing ransomware demands $500,000 ransom payments
- Information Security Buzz: VanHelsingRaaS Strikes: Sinking Its Fangs into Windows, Linux, and More
- securityonline.info: CYFIRMA’s Research and Advisory Team has uncovered a new ransomware strain, “VanHelsing”.
- The Register - Security: VanHelsing ransomware emerges to put a stake through your Windows heart
- www.csoonline.com: New VanHelsing ransomware claims three victims within a month
Nathaniel Morales@feeds.trendmicro.com
//
The Albabat ransomware has evolved, now targeting Windows, Linux, and macOS systems, according to recent research. This marks a significant expansion in the group's capabilities, showcasing increased sophistication in exploiting multiple operating systems. Trend Micro researchers uncovered this evolution, noting the ransomware group leverages GitHub to streamline their operations, enhancing the efficiency and reach of their attacks.
Albabat ransomware version 2.0 gathers system and hardware information on Linux and macOS systems and uses a GitHub account to store and deliver configuration files. This allows attackers to manage operations centrally and update tools efficiently. The GitHub repository, though private, is accessible through an authentication token, demonstrating active development through its commit history.
Recent versions of Albabat ransomware retrieve configuration data through the GitHub REST API, using a User-Agent string of "Awesome App." The ransomware encrypts files with extensions including .exe, .dll, .mp3, and .pdf, while skipping folders such as Searches and AppData. It also terminates processes such as taskmgr.exe and regedit.exe to hinder analysis and detection. Infections and payments are tracked in a PostgreSQL database, and the stolen data is potentially sold.
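One defender-side check that follows from the behaviour described above is to look, in outbound proxy logs, for requests to the GitHub REST API carrying the "Awesome App" User-Agent. The following is an added example written for this digest, not code from Trend Micro or from the original article; the log format (timestamp, client, method, URL, status, quoted User-Agent) and the sample lines are constructed for the example and are not real traffic.

```python
import re
from typing import Dict, List, Optional

# Constructed proxy log lines (not real traffic). Layout assumed for this
# example: "<ISO timestamp> <client_ip> <method> <url> <status> "<user-agent>""
SAMPLE_PROXY_LOG = """\
2025-03-20T10:01:02Z 10.0.5.17 GET https://api.github.com/repos/example/cfg/contents/config.json 200 "Awesome App"
2025-03-20T10:01:05Z 10.0.5.17 GET https://api.github.com/repos/example/cfg/contents/config.json 200 "Awesome App"
2025-03-20T10:02:11Z 10.0.5.22 GET https://api.github.com/repos/octocat/hello/contents/README 200 "git/2.43.0"
2025-03-20T10:03:30Z 10.0.5.40 GET https://example.com/index.html 200 "Mozilla/5.0"
2025-03-20T10:04:00Z 10.0.5.31 GET https://api.github.com/user 200 "Awesome App"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Indicator taken from the article: config retrieval via the GitHub REST API
# with this User-Agent string.
SUSPICIOUS_UA = "Awesome App"
GITHUB_API_HOST = "api.github.com"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one proxy log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url: str) -> str:
    """Extract the host part of an absolute URL (no external dependencies)."""
    if "://" not in url:
        return ""
    return url.split("/")[2].split(":")[0].lower()


def find_config_pulls(log_text: str) -> List[Dict[str, str]]:
    """Return the log records that hit api.github.com with the suspicious UA."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if host_of(rec["url"]) == GITHUB_API_HOST and rec["ua"] == SUSPICIOUS_UA:
            hits.append(rec)
    return hits


def clients_by_hit_count(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate hits per internal client so responders know which hosts to triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    matches = find_config_pulls(SAMPLE_PROXY_LOG)
    for client, n in clients_by_hit_count(matches).items():
        print(f"{client}: {n} GitHub API request(s) with UA '{SUSPICIOUS_UA}'")
```

A User-Agent string is a weak indicator on its own (it is trivially changed between builds), so this check is best used to prioritise hosts for triage alongside the other behaviours named in the article, such as termination of taskmgr.exe and regedit.exe, rather than as a sole alerting rule. Legitimate GitHub API traffic (the git/2.43.0 line in the sample) must not be flagged, which is why both the host and the User-Agent are required to match.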
Recommended read:
References:
- Cyber Security News: The Albabat ransomware has expanded its operation by utilizing GitHub to streamline its operation.
- gbhackers.com: The Albabat ransomware group has been observed expanding its operations to target not only Windows but also Linux and macOS systems, marking a significant evolution in its capabilities. They are leveraging GitHub to streamline their ransomware operations.
- : Trend Micro observed a continuous development of Albabat ransomware, designed to expand attacks and streamline operations. The authors seem to be targeting Linux and macOS systems now.
- www.trendmicro.com: New versions of Albabat ransomware have been detected that target Windows, Linux, and macOS devices. The group is utilizing GitHub to streamline their operations.
- hackread.com: New Attacks Exploit Year-Old ServiceNow Flaws – Israel Hit Hardest
- Carly Page: Mastodon: Hackers are ramping up attempts to exploit a trio of year-old ServiceNow vulnerabilities to break into unpatched company instances
- techcrunch.com: TechCrunch: Hackers are ramping up attacks using year-old ServiceNow security bugs to break into unpatched systems
- www.scworld.com: Attacks involving ServiceNow vulnerabilities escalate
- bsky.app: Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations https://buff.ly/IWRowB3
- Talkback Resources: New Attacks Exploit Year-Old ServiceNow Flaws - Israel Hit Hardest [app] [exp]
- www.itpro.com: Old ServiceNow vulnerabilities could cause havoc for unpatched customers
- Rescana: ServiceNow Vulnerabilities: Critical Exploits Impacting Israel and Global Systems
- Cyber Security News: Albabat Ransomware Adds Linux and macOS to its Expanding List of Targets
- gbhackers.com: Albabat Ransomware Expands Reach to Target Linux and macOS Platforms
- www.cysecurity.news: Albabat Ransomware Evolves with Cross-Platform Capabilities and Enhanced Attack Efficiency
- ciso2ciso.com: New versions of the Albabat ransomware target Windows, Linux, and macOS, and retrieve configuration files from GitHub. The post appeared first on SecurityWeek.
Bill Toulas@BleepingComputer
//
The Black Basta ransomware operation has developed a new automated brute-forcing framework called 'BRUTED' to compromise edge networking devices such as firewalls and VPNs. This framework is designed to automate the process of gaining unauthorized access to sensitive networks, which can lead to ransomware deployment and data theft. Security experts warn that this new tool empowers attackers to more efficiently breach enterprise VPNs and firewalls, marking a worrying escalation in ransomware tactics.
EclecticIQ analysts, after analyzing the source code, confirmed the primary capability of the tool is the automated internet scanning and credential stuffing against edge network devices. This framework targets widely used firewalls and VPN solutions in corporate networks. This tool is able to exploit weak or reused credentials, gaining an initial foothold for lateral movement and ransomware deployment.
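The defensive counterpart to an automated credential-stuffing framework is a check on edge-device authentication logs for bursts of failures from one source, distinguishing many-users-one-source spraying from one-user-many-attempts brute force, and flagging when a success follows such a burst. The block below is an added example for this digest, not code from EclecticIQ or from the original article; the log layout (timestamp, source IP, username, FAIL/SUCCESS) and the sample lines are constructed for the example and do not correspond to any real device or incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed VPN authentication log (not from a real device). Assumed layout:
# "<ISO timestamp> <source_ip> <username> <FAIL|SUCCESS>"
SAMPLE_VPN_LOG = """\
2025-03-15T02:00:01Z 203.0.113.10 alice FAIL
2025-03-15T02:00:02Z 203.0.113.10 bob FAIL
2025-03-15T02:00:03Z 203.0.113.10 carol FAIL
2025-03-15T02:00:04Z 203.0.113.10 dave FAIL
2025-03-15T02:00:05Z 203.0.113.10 erin FAIL
2025-03-15T02:00:06Z 203.0.113.10 frank FAIL
2025-03-15T02:00:07Z 203.0.113.10 grace SUCCESS
2025-03-15T02:10:00Z 198.51.100.5 alice FAIL
2025-03-15T02:10:30Z 198.51.100.5 alice SUCCESS
2025-03-15T03:00:00Z 192.0.2.77 admin FAIL
2025-03-15T03:00:01Z 192.0.2.77 admin FAIL
2025-03-15T03:00:02Z 192.0.2.77 admin FAIL
2025-03-15T03:00:03Z 192.0.2.77 admin FAIL
2025-03-15T03:00:04Z 192.0.2.77 admin FAIL
2025-03-15T03:00:05Z 192.0.2.77 admin FAIL
"""

Event = Tuple[datetime, str, str, str]  # (time, source_ip, user, result)


def parse_vpn_log(log_text: str) -> List[Event]:
    """Parse the constructed log layout into sorted (time, ip, user, result) tuples."""
    events: List[Event] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], parts[3]))
    return sorted(events)


def detect_credential_attacks(
    log_text: str,
    window: timedelta = timedelta(minutes=5),
    threshold: int = 5,
) -> Dict[str, Dict[str, object]]:
    """Flag source IPs with >= threshold failures inside a sliding time window.

    The finding records whether the burst looks like password spraying
    (many distinct usernames) or brute force (one username), and whether
    a SUCCESS from the same source follows the burst.
    """
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in parse_vpn_log(log_text):
        by_ip[ev[1]].append(ev)

    findings: Dict[str, Dict[str, object]] = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Advance the window start until failures [start..end] fit in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {e[2] for e in fails[start : end + 1]}
                success_after = any(
                    e[3] == "SUCCESS" and e[0] >= fails[end][0] for e in evs
                )
                # Later, larger windows overwrite earlier ones for the same IP.
                findings[ip] = {
                    "kind": "password_spray" if len(users) > 1 else "brute_force",
                    "failures": count,
                    "distinct_users": len(users),
                    "success_after": success_after,
                }
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_attacks(SAMPLE_VPN_LOG).items():
        print(ip, f)
```

The thresholds are deliberately small so the constructed sample triggers; in production the window and failure count should be tuned against a baseline of normal failed logins, and a finding with success_after set to True is the one to treat as a probable compromised account rather than just noise. The same logic applies to firewall admin-login logs, which the article names as targets alongside VPNs.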
Recommended read:
References:
- KubikPixel: Ransomware gang creates tool to automate VPN brute-force attacks The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs.
- The DefendOps Diaries: Explore the BRUTED framework, a new tool by Black Basta, automating brute-force attacks on VPNs, posing a global threat to organizations.
- Davey Winder: Hackers now have the tools to automate brute force attacks of your VPNs and firewalls during ransomware campaigns.
- Talkback Resources: Inside BRUTED: Black Basta (RaaS) Members Used Automated Brute Forcing Framework to Target Edge Network Devices [net] [mal]
- BleepingComputer: Ransomware gang creates tool to automate VPN brute-force attacks
- bsky.app: The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs. https://www.bleepingcomputer.com/news/security/black-basta-ransomware-creates-automated-tool-to-brute-force-vpns/
- bsky.app: The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs.
- bsky.app: The BlackBasta ransomware gang developed and used its own custom tool to brute-force enterprise firewalls and VPN remote-access products.
- www.techradar.com: Infamous ransomware hackers reveal new tool to brute-force VPNs
- www.cybersecuritydive.com: Black Basta uses brute-forcing tool to attack edge devices
- www.scworld.com: Automated brute forcing tool leveraged in Black Basta ransomware intrusions
- www.cysecurity.news: Ransomware gang creates tool to automate VPN brute-force attacks The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs.
Carly Page@TechCrunch
//
The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, has announced a significant data breach affecting over 500,000 members. The breach, which occurred in July 2024, resulted in attackers stealing sensitive personal information. PSEA is now notifying the impacted individuals about the incident and the potential risks.
The stolen data includes highly sensitive information, such as government-issued identification documents, Social Security numbers, passport numbers, medical information, and financial data like card numbers with PINs and expiration dates. Member account numbers, PINs, passwords, and security codes were also accessed. PSEA took steps to ensure, to the best of its ability and knowledge, that the stolen data was deleted.
Recommended read:
References:
- bsky.app: The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach.
- BleepingComputer: The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach.
- techcrunch.com: US teachers’ union says hackers stole sensitive personal data on over 500,000 members
- www.bleepingcomputer.com: Pennsylvania education union data breach hit 500,000 people
- The Register - Security: Attackers swipe data of 500k+ people from Pennsylvania teachers union
- The DefendOps Diaries: Understanding the PSEA Data Breach: Lessons and Future Prevention
- : The Pennsylvania State Education Association (PSEA) has sent breach notifications to over 500,000 current and former members
- Zack Whittaker: Pennsylvania's biggest union for educators had a data breach, exposing over half a million members' personal information.
- securityaffairs.com: Pennsylvania State Education Association data breach impacts 500,000 individuals
- Carly Page: The Pennsylvania State Education Association says hackers stole the sensitive personal and financial information of more than half a million of its members. PSEA said it “took steps” to ensure the stolen data was deleted, suggesting it was the target of a ransomware or data extortion attack, and subsequently paid a ransom demand to the hackers responsible
- www.techradar.com: Data breach at Pennsylvania education union potentially exposes 500,000 victims
@itpro.com
//
Advanced Computer Software Group, an NHS software supplier, has been fined £3 million by the Information Commissioner's Office (ICO) for security failures that led to a disruptive ransomware attack in 2022. The ICO determined that Advanced Computer Software Group failed to implement appropriate security measures prior to the attack, which compromised the personal information of tens of thousands of NHS patients. The LockBit ransomware group was identified as the perpetrator, gaining access through a customer account lacking multi-factor authentication (MFA).
Personal information belonging to 79,404 people was taken in the attack, including instructions for carers on how to gain entry into the properties of 890 people who were receiving care at home. The stolen data included checklists for medics on how to get into vulnerable people's homes. The ICO cited gaps in applying MFA policies across the organization, a lack of vulnerability scanning, and inadequate patch management as the primary facilitators of the attack.
Recommended read:
References:
- bsky.app: NHS provider Advanced has been fined £3m by ICO for security failures that led to the hugely disruptive ransomware hack in 2022. One shocking new detail - not only was personal info of 79k people taken - it included instructions for carers on how to gain entry into 890 patient's homes.
- The Register - Security: Data stolen included checklist for medics on how to get into vulnerable people's homes The UK's data protection watchdog is dishing out a £3.07 million ($3.95 million) fine to Advanced Computer Software Group, whose subsidiary's security failings led to a ransomware attack affecting NHS care.
- techcrunch.com: NHS vendor Advanced will pay just over £3 million ($3.8 million) in fines for not implementing basic security measures before it suffered a ransomware attack in 2022, the U.K.’s data protection regulator has confirmed.
- www.itpro.com: The Information Commissioner's Office (ICO) said Advanced Computer Software Group failed to use appropriate security measures before the 2022 attack, which put the personal information of tens of thousands of NHS patients at risk.
- DataBreaches.Net: The UK’s data protection watchdog is dishing out a £3.07 million ($3.95 million) fine to Advanced Computer Software Group, whose subsidiary’s security failings led to a ransomware attack affecting NHS care. This is nearly half the fine the Information Commissioner’s Office provisionally floated...
- www.cybersecurity-insiders.com: NHS LockBit ransomware attack yields £3.07 million penalty on tech provider
- www.bleepingcomputer.com: UK fines software provider £3.07 million for 2022 ransomware breach
- The DefendOps Diaries: Understanding the 2022 NHS Ransomware Attack: Lessons and Future Preparedness
- Tech Monitor: UK ICO fines Advanced Computer Software £3m after NHS data breach
Pierluigi Paganini@securityaffairs.com
//
A new ransomware group named Arkana Security is claiming responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers. This nascent ransomware gang’s breach purportedly compromised over 403,000 WOW! user accounts, pilfering data including full names, usernames, salted passwords, email addresses, login histories, and security questions and answers.
The attackers boast of full backend control and have even created a music video montage to demonstrate their level of access. Additionally, they claim to have exfiltrated a separate CSV file with 2.2 million records, including names, addresses, phone numbers, and devices. While WOW! has yet to acknowledge Arkana Security's claims, threat researchers traced the attack's origins to an infostealer infection in September last year that enabled access to WOW!'s critical systems.
Recommended read:
References:
- Cyber Security News: The largest US internet provider, WideOpenWest (WOW!), is allegedly compromised by Arkana Security, a recently discovered ransomware group.
- securityaffairs.com: Arkana Security, a new ransomware group, claims to have breached the telecommunications provider WideOpenWest (WOW!), stealing customer data.
- www.scworld.com: WideOpenWest purportedly breached by nascent ransomware gang
- CyberInsider: Arkana ransomware group has claimed responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers.
- BleepingComputer: The new ransomware group Arkana Security claims to have hacked US telecom provider WOW!, stealing customer data.
- Information Security Buzz: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US. The malicious actors boasted they had full backend control and even put a music video montage together to illustrate exactly how much access they had.
- DataBreaches.Net: A cyber-crime ring calling itself Arkana has made a cringe music video to boast of an alleged theft of subscriber account data from Colorado-based cableco WideOpenWest (literally, WOW!)
- PCMag UK security: Hacking group Arkana Security gives WideOpenWest (WOW!) until 5 p.m. PST today to pay a ransom, or it will sell customer data to the highest bidder. WOW! says it's investigating.
Pierluigi Paganini@Security Affairs
//
The LockBit ransomware group, known for impacting numerous organizations globally, has faced a significant development with the extradition of Rostislav Panev to the United States. Panev, a dual Russian-Israeli national, is suspected of being a key developer for the LockBit ransomware operation. He was apprehended in Israel last August, where authorities discovered incriminating evidence on his laptop, including credentials for LockBit's internal control panel and source code for LockBit encryptors and the gang's StealBit data theft tool.
Panev is accused by the U.S. Department of Justice of developing LockBit's ransomware encryptors and StealBit, with activities spanning from June 2022 to February 2024. The LockBit ransomware group has been active since 2019, impacting over 2,500 victims across 120 countries. The extradition signifies a major step in holding individuals accountable for their roles in facilitating the widespread damage caused by LockBit ransomware.
Recommended read:
References:
- securityaffairs.com: The LockBit ransomware group has impacted over 2,500 victims in 120 countries.
- BleepingComputer: LockBit ransomware operator Rostislav Panev was extradited to the US, admitting to development and maintenance of the malware and providing technical guidance to the group.
- www.scworld.com: The LockBit ransomware group has been active since 2019 and has impacted over 2,500 victims in 120 countries, causing significant financial damage.
Sam Bent@Sam Bent
//
Ascom, a Swiss global solutions provider specializing in healthcare and enterprise communication systems, has confirmed a cyberattack on its IT infrastructure. The attack, suspected to be carried out by the Hellcat group, exploited vulnerabilities in Jira servers. The company revealed that hackers breached its technical ticketing system.
The Hellcat group claimed responsibility, stating they stole approximately 44GB of data potentially impacting all of Ascom's divisions. Hellcat hackers are known for using compromised credentials to infiltrate Jira systems, leading to data breaches in multiple organizations. Security experts advise implementing multi-factor authentication, regular security audits, prompt patching, and employee training to mitigate such attacks.
Recommended read:
References:
- Sam Bent: Ascom Hit by Cyberattack: Hellcat Group Exploits Jira Server Vulnerabilities
- The DefendOps Diaries: HellCat Hackers Exploit Jira: A Global Cybersecurity Threat
- BleepingComputer: Hellcat hackers go on a worldwide Jira hacking spree
- securityaffairs.com: Security Affairs Article about Ransomware Group Claims Attacks on Ascom