CyberSecurity news
FlagThis - #ransomware
|
Mandvi@Cyber Security News
//
The Interlock ransomware group is actively deploying a new, sophisticated remote access trojan (RAT) known as NodeSnake in attacks targeting corporate networks. Security researchers have observed this campaign, revealing that Interlock is leveraging NodeSnake as a key component of its attack toolkit to maintain persistent access and enhance its post-exploitation capabilities. NodeSnake, written in Golang, allows the attackers to bypass common detection mechanisms and exfiltrate sensitive data, ensuring continued access even if ransomware binaries are detected and removed.
Two UK-based universities and local government entities have recently fallen victim to NodeSnake within the past few months. Analysis by cybersecurity firm Quorum Cyber has uncovered two new variants of the RAT, strongly attributing them to the Interlock ransomware group. The timing and shared code elements between the incidents suggest a coordinated campaign by the same threat actor, signalling a shift in targets for the Interlock ransomware group which is believed to be behind these attacks. NodeSnake is a type of Remote Access Trojan (RAT). RATs are dangerous because they allow attackers to take control of infected computers from afar. This means attackers can access files, watch what users are doing, change computer settings, and even steal or delete important information remotely while the RATs stay hidden in the system and even introduce other harmful programs. Furthermore, the two NodeSnake variants are from the same family, with the newer one showing significant improvements. This RAT expands the group’s capabilities for reconnaissance, lateral movement, and data exfiltration, facilitating ransomware deployment. Recommended read:
References :
@securityonline.info
//
Cybercriminals are increasingly leveraging the popularity of Artificial Intelligence (AI) to distribute malware, targeting Windows users with fake installers disguised as legitimate AI tools. These malicious campaigns involve ransomware such as CyberLock and Lucky_Gh0$t, as well as a destructive malware called Numero. The attackers create convincing fake websites, often with domain names closely resembling those of actual AI vendors, to trick users into downloading and executing the poisoned software. These threats are primarily distributed through online channels, including SEO poisoning to manipulate search engine rankings and the use of social media and messaging platforms like Telegram.
CyberLock ransomware, for instance, has been observed masquerading as a lead monetization AI platform called NovaLeadsAI, complete with a deceptive website offering "free access" for the first year. Once downloaded, the ‘NovaLeadsAI.exe’ file deploys the ransomware, encrypting various file types and demanding a hefty ransom payment. Another threat, Numero, impacts victims by manipulating the graphical user interface components of their Windows operating system, rendering the machines unusable. Fake AI installers for tools like ChatGPT and InVideo AI are also being used to deliver ransomware and information stealers, often targeting businesses in sales, technology, and marketing sectors. Cisco Talos researchers emphasize the need for users to be cautious about the sources of AI tools they download and install, particularly from untrusted sources. Businesses, especially those in sales, technology, and marketing, are prime targets, highlighting the need for robust endpoint protection and user awareness training. These measures can help mitigate the risks associated with AI-related scams and protect sensitive data and financial assets from falling into the hands of cybercriminals. The attacks underscore the importance of vigilance and verifying the legitimacy of software before installation. Recommended read:
References :
@WhatIs
//
References:
DataBreaches.Net
, The Dysruption Hub
,
A cyberattack struck Covenant Health on Monday, May 26, 2025, disrupting operations at St. Joseph Hospitals in Bangor, Maine, and Nashua, New Hampshire, as well as St. Mary’s Health System and Community Clinics in Lewiston, Maine. The healthcare provider, a Catholic-based nonprofit serving New England and parts of Pennsylvania, was forced to shut down all data systems across its hospitals, clinics, and provider practices as a protective measure against the "cyber incident initiated by an outside group." This action has impacted access to electronic records, appointment scheduling, and internal communications, leading to connectivity issues throughout the organization.
The cyberattack has led to significant operational disruptions at the affected facilities. In both Bangor and Nashua, ambulance services have been diverted, and diagnostic scans have been redirected to other locations. Patients have reported difficulties in refilling prescriptions, and outpatient lab services at St. Joseph Hospital in Nashua are now only available on the main hospital campus with a physical order in hand. Staff are working under modified procedures to maintain patient care amidst the system outages. The hospitals have posted notices on their websites acknowledging the disruptions and assuring the public that teams are working to restore full services as quickly as possible. Covenant Health spokesperson Karen Sullivan confirmed that cybersecurity experts have been engaged to investigate the breach and assist in restoring system functionality. While a timeline for full restoration has not been provided, the organization emphasizes that patient care remains a priority. Cybersecurity analysts are warning that medical institutions are increasingly vulnerable to cyberattacks due to the high value of patient data on illicit markets, stressing the urgent need for enhanced digital defenses across the healthcare sector. The incident is currently under investigation, and updates will be provided as more information becomes available. Recommended read:
References :
@www.bleepingcomputer.com
//
DragonForce ransomware group has been actively exploiting vulnerabilities in SimpleHelp, a remote monitoring and management (RMM) software, to target managed service providers (MSPs) and their customers. This attack serves as a stark reminder of the supply chain risks inherent in relying on third-party software, particularly RMM tools which, if compromised, can grant attackers widespread access to numerous client systems. Sophos researchers uncovered that the DragonForce operator chained three specific SimpleHelp flaws, identified as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, to breach an MSP. This breach resulted in data theft and the subsequent deployment of ransomware across the MSP's customer endpoints, causing significant disruption and potential financial losses.
The vulnerabilities exploited by DragonForce allowed the attackers to perform several malicious actions. CVE-2024-57727 enabled unauthorized remote attackers to download arbitrary files, including server configuration files containing sensitive secrets and hashed user passwords. CVE-2024-57728 permitted admin users to upload arbitrary files, leading to potential arbitrary code execution on the host. Furthermore, CVE-2024-57726 allowed low-privilege technicians to create API keys with excessive permissions, potentially enabling them to escalate privileges to the server administrator role. All of these vulnerabilities were present in SimpleHelp's remote support software version 5.5.7 and earlier, highlighting the critical importance of promptly applying security patches. The DragonForce attack on the MSP via SimpleHelp illustrates a growing trend of cybercriminals targeting RMM and other remote tools to facilitate software supply chain attacks. By compromising a single MSP, attackers can gain access to a large number of downstream customers, amplifying the impact of their attacks. Security experts warn that MSPs must prioritize the security of their RMM software, including implementing robust patch management processes and closely monitoring for suspicious activity. This incident underscores the need for a proactive and vigilant approach to cybersecurity to mitigate the risk of ransomware and other threats exploiting channel vulnerabilities. Recommended read:
References :
@therecord.media
//
MathWorks, the company behind the popular MATLAB software used by over five million people worldwide, has confirmed a ransomware attack that began on May 18, 2025. The attack disrupted online applications and internal systems, impacting licensing and access for users globally. The company has notified federal law enforcement and is working with cybersecurity experts to restore affected systems.
Commercial customers and STEM students have been significantly impacted by the prolonged outage. An IT manager at an engineering firm reported difficulties acquiring new licenses, hindering ongoing projects. Students also faced challenges, particularly with assessment tools like MATLAB Grader and Cody, which were only recently partially restored. Some frustrated users admitted to pirating the software due to the lack of access to the services they had paid for. MathWorks has been issuing updates on its status page, initially citing technical issues before confirming the ransomware attack on May 26. While many systems are being brought back online, full recovery is still underway. The company has not yet disclosed details about the ransomware group responsible, whether a ransom was paid, or if data was exfiltrated. Recommended read:
References :
@cyble.com
//
Nova Scotia Power has officially confirmed it fell victim to a sophisticated ransomware attack, impacting approximately 280,000 customers. The breach, which began several weeks ago, involved unauthorized access to internal systems and the subsequent theft of sensitive data. The cyber incident targeted Nova Scotia Power’s digital infrastructure, encrypting critical systems and exfiltrating customer data. The power utility has confirmed it was hit by ransomware but hasn't paid the ransom, nearly a month after first disclosing the cyberattack.
Nova Scotia Power engaged third-party cybersecurity firms to isolate affected networks, mitigate further damage, and conduct forensic analyses. Investigations suggest the attackers employed advanced techniques to bypass existing safeguards, though specific details about the ransomware variant or entry vectors remain undisclosed. The company emphasized it did not comply with ransom demands, a decision it attributes to adherence to sanctions laws and coordination with law enforcement agencies. The threat actor publicly released portions of the stolen data, compelling Nova Scotia Power to initiate a large-scale notification campaign. Impacted customers received physical mail detailing the breach’s scope and remediation steps. The compromised information reportedly includes names, addresses, account numbers, and potentially payment histories. To address identity theft risks, Nova Scotia Power partnered with TransUnion to offer affected individuals a two-year subscription to the myTrueIdentity® credit monitoring service at no cost, including real-time credit alerts and dark web surveillance. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
The FBI has issued a warning to U.S. law firms regarding an escalating cyber threat posed by the Silent Ransom Group (SRG), also known as Luna Moth or Chatty Spider. This group, active since 2022, has refined its tactics to target law firms specifically since early 2023, likely due to the valuable and confidential client data they possess. The group aims to gain unauthorized access to systems and devices in order to steal sensitive information and extort victims with threats of public data leaks.
SRG's methods include IT-themed social engineering calls and callback phishing emails. In these attacks, they impersonate IT personnel to deceive employees into granting remote access to systems. They may direct the employee to a malicious website or send a link via email that installs remote access software. Once inside, the attackers discreetly extract sensitive files using tools like WinSCP or disguised versions of Rclone. This campaign is particularly dangerous because it leaves minimal digital traces and can bypass traditional security measures. To defend against these attacks, the FBI urges law firms to enhance staff training to recognize and avoid social engineering tactics. Implementing multi-factor authentication is crucial, as is proactive monitoring for unauthorized access attempts. The agency also advises that victims share any ransom evidence with law enforcement to aid in investigations. Furthermore, CISOs are encouraged to fortify help desk and employee defenses, enhance intrusion detection and tracking capabilities, and recognize that paying ransoms is not a viable strategy. Recommended read:
References :
Dhara Shrivastava@cysecurity.news
//
Marks & Spencer (M&S) and Co-op, major UK retailers, have been hit by a Scattered Spider cyberattack involving DragonForce ransomware. The attack has caused weeks-long disruptions, impacting online transactions and the availability of food, fashion, and home goods. M&S warns that the disruption to online transactions could last until July. The cybercrime gang Scattered Spider is also believed to be behind attacks on other UK retailers, including Harrods.
The financial impact on M&S is expected to be significant. The company anticipates the cyberattack will cut $400 million from its profits and reported losing over £40 million in weekly sales since the attack began over the Easter bank holiday weekend. As a precaution, M&S took down some of its systems, resulting in short-term disruptions. This decision was made to protect its systems, customers, and partners from further compromise. In response to the attack, M&S plans to accelerate its technology improvement plan, shortening the timeframe from two years to six months. This reflects the urgent need to bolster its cybersecurity defenses and prevent future disruptions. The company previously outlined plans in 2023 to improve its technology stack, including investments in infrastructure, network connectivity, store technology, and supply-chain systems. M&S acknowledged that personal data of customers had been stolen, including names, dates of birth, telephone numbers, home and email addresses, and online order histories. However, the retailer insisted that the data theft did not include usable card, payment, or login information. Recommended read:
References :
@securebulletin.com
//
A new wave of cyberattacks is leveraging sophisticated social engineering techniques combined with technical exploits to breach corporate networks. Security firms are reporting a rise in attacks linked to the 3AM ransomware operation. These attacks begin with an overwhelming flood of emails, known as email bombing, directed at specific employees. This is followed by spoofed phone calls where the attackers impersonate the organization's IT support team, attempting to trick the employee into granting remote access to their computer. The attackers’ use of real phone calls marks a notable escalation in social engineering sophistication.
Once the attackers have gained the trust of the employee, they will try to convince them to run Microsoft Quick Assist, a legitimate remote access tool. This grants the attackers remote access to the victim's machine under the guise of fixing a problem. This initial access is then used to deploy a malicious payload, which may include virtual machines or other tools designed to evade detection by security software. After gaining control of the system they install malicious software, create new user accounts, and gain admin privileges. Sophos has documented multiple ransomware actors leveraging an attack pattern first reported by Microsoft using “email bombing” to overload a targeted organization’s employee with unwanted emails, and then making a voice or video call over Microsoft Teams posing as a tech support team member to deceive that employee into allowing remote access to their computer. BleepingComputer reports that highly targeted intrusions involving email bombing and fake IT support calls have been launched by threat actors linked to the 3AM ransomware operation during the first quarter of this year. This allows the attackers to perform reconnaissance, create local admin accounts, and install remote management tools for persistence and lateral movement within the network, often resulting in significant data exfiltration. Recommended read:
References :
@www.bleepingcomputer.com
//
The US government has indicted Rustam Rafailevich Gallyamov, a 48-year-old Russian national from Moscow, as the leader of the Qakbot botnet malware conspiracy. Gallyamov, also known as "Cortes" and other aliases, is accused of leading a group of cybercriminals responsible for developing and deploying the Qakbot malware since 2008. This indictment is part of an ongoing multinational effort involving the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada to combat cybercrime. The Justice Department has also filed a civil forfeiture complaint against Gallyamov, seeking to seize over $24 million in cryptocurrency allegedly obtained through his criminal activities.
According to court documents, Gallyamov used the Qakbot malware to infect over 700,000 computers globally, establishing a vast network or "botnet" of compromised machines. Starting in 2019, this botnet was leveraged to facilitate ransomware attacks against innocent victims worldwide, causing significant financial losses. The FBI and its international partners crippled Gallyamov's bot network in 2023, but he allegedly continued to deploy alternative methods to make his malware available to criminal cyber gangs. The Qakbot malware, also known as Qbot and Pinkslipbot, evolved over time from a banking trojan into a tool used for malware dropping and keystroke logging. Officials emphasize the commitment to holding cybercriminals accountable and disrupting their activities. "Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. U.S. Attorney Bill Essayli for the Central District of California added, "The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals." The case demonstrates the FBI’s commitment to relentlessly pursuing individuals who target Americans and demand ransom, even when they reside overseas. Recommended read:
References :
@ketteringhealth.org
//
Kettering Health, a healthcare network operating 14 medical centers and over 120 outpatient facilities in western Ohio, has been hit by a ransomware attack causing a system-wide technology outage. The cyberattack, which occurred on Tuesday, May 20, 2025, has forced the cancellation of elective inpatient and outpatient procedures and has disrupted access to critical patient care systems, including phone lines, the call center, and the MyChart patient portal. Emergency services remain operational, but emergency crews are being diverted to other facilities due to the disruption. Kettering Health has confirmed they are responding to the cybersecurity incident involving unauthorized access to its network and has taken steps to contain and mitigate the breach, while actively investigating the situation.
The ransomware attack is suspected to involve the Interlock ransomware gang, which emerged last fall and has targeted various sectors, including tech, manufacturing firms, and government organizations. A ransom note, viewed by CNN, claimed the attackers had secured Kettering Health's most vital files and threatened to leak stolen data unless the health network began negotiating an extortion fee. In response to the disruption, Kettering Health has canceled elective procedures and is rescheduling them for a later date. Additionally, the organization is cautioning patients about scam calls from individuals posing as Kettering Health team members requesting credit card payments and has halted normal billing calls as a precaution. The incident highlights the increasing cybersecurity challenges facing healthcare systems. According to cybersecurity experts, healthcare networks often operate with outdated technology and lack comprehensive cybersecurity training for staff, making them vulnerable to attacks. There is a call to action to invest in healthcare cybersecurity, with recommendations for the government and its partners to address understaffed healthcare cyber programs by tweaking federal healthcare funding programs to cover critical cybersecurity expenditures, augmenting healthcare cybersecurity workforces and incentivizing cyber maturity. Recommended read:
References :
Dhara Shrivastava@cysecurity.news
//
British retailer giant Marks & Spencer (M&S) is facing a major financial impact following a recent cyberattack, with potential profit losses estimated at £300 million, equivalent to $402 million. The attack has caused widespread operational and sales disruptions, particularly affecting the company's online retail systems. According to a recent filing with the London Stock Exchange, M&S anticipates these disruptions to continue until at least July, impacting its fiscal year 2025/26 profits.
The cyberattack has significantly impacted M&S’s online sales channels, forcing the company to temporarily halt online shopping in its Fashion, Home & Beauty divisions. This downtime has led to substantial revenue loss, despite the resilience of its physical stores. The company has also faced increased logistics and waste management costs as it reverted to manual processes. CEO Stuart Machin acknowledged the challenging situation but expressed confidence in the company's recovery, emphasizing a focus on restoring systems and accelerating technical transformation. M&S is actively implementing strategies to mitigate the financial repercussions, including cost management, insurance claims, and strategic trading actions. The retailer is reportedly preparing to claim up to £100 million from its cyber insurance policy to offset some of the losses. The company views this crisis as an opportunity to expedite its technical transformation, although specific details of this transformation have not yet been disclosed. The costs related to the attack itself and technical recovery are expected to be communicated at a later date as an adjustment item. Recommended read:
References :
Ashish Khaitan@The Cyber Express
//
Peter Green Chilled, a key food distributor supplying major UK supermarkets including Tesco, Aldi, and Sainsbury's, has fallen victim to a ransomware attack. The cyberattack, which took hold around May 14th, has disrupted the delivery of fresh meat products, putting pallets of food at risk of going to waste. While the specific ransomware group responsible has not been publicly identified, the company has reported the incident to the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) and is implementing "workarounds" to continue deliveries. One of their customers has expressed concern that thousands of products are at risk.
The ransomware attack has forced Peter Green Chilled to halt operations, as confirmed by their Managing Director, Tom Binks. The company has stated it will issue "regular updates" to clients while the attack continues. It appears to be an incident involving encryption and not just data exfiltration. The phone number listed for Peter Green Chilled on its website appears to be blocking inbound calls, and its general enquiries email address is not accepting incoming messages from senders outside the organization. The incident highlights the increasing threat of cyberattacks targeting the retail sector and supply chains. Wilfred Emmanuel-Jones, founder of The Black Farmer, told the BBC that his company has thousands of packets of meat sitting in limbo due to the attack. Similar cyber-related issues are currently affecting Co-op and M&S. Cyberattacks, particularly ransomware attacks, have become a significant threat to retail businesses worldwide and can lead to product shortages and significant disruption. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A new cybersecurity threat, dubbed Hazy Hawk, has emerged, exploiting misconfigured DNS records to hijack abandoned cloud resources. Since at least December 2023, the threat actor has been using DNS CNAME hijacking to seize control of abandoned cloud endpoints belonging to reputable organizations, including Amazon S3 buckets and Microsoft Azure endpoints. By registering new cloud resources with the same names as the abandoned ones, Hazy Hawk redirects traffic to malicious sites, incorporating these hijacked domains into large-scale scam delivery and traffic distribution systems (TDS). This allows them to distribute scams, fake applications, and malware to unsuspecting users, leveraging the trust associated with the original domains.
Infoblox researchers first detected Hazy Hawk's activities in February 2025, when the group successfully took control of subdomains belonging to the U.S. Centers for Disease Control (CDC). Further investigation revealed that global government agencies, major universities, and international corporations such as Deloitte and PricewaterhouseCoopers have also been targeted. Hazy Hawk scans for domains with CNAME records pointing to abandoned cloud endpoints, determining this through passive DNS data validation. They then register a new cloud resource with the same name, causing the original domain's subdomain to resolve to the attacker's controlled resource. The attack chains often involve cloning legitimate websites to appear trustworthy, and URL obfuscation techniques are employed to hide malicious destinations. Hazy Hawk uses hijacked domains to host malicious URLs that redirect users to scams and malware. What makes Hazy Hawk's operations particularly concerning is the use of trusted domains to serve malicious content, enabling them to bypass detection and exploit the reputation of high-profile entities. Cybersecurity experts advise organizations to diligently monitor and manage their DNS records, ensuring that CNAME records pointing to abandoned cloud resources are removed to prevent unauthorized domain hijacking. Recommended read:
References :
|