CyberSecurity news

FlagThis - #ransomware

Nathaniel Morales@feeds.trendmicro.com //
Cybercriminals are actively deploying FOG ransomware disguised as communications from the U.S. Department of Government Efficiency (DOGE) via malicious emails. This campaign, which has been ongoing since January, involves cybercriminals spreading FOG ransomware by claiming ties to DOGE in their phishing attempts. The attackers are impersonating the U.S. DOGE to infect targets across multiple sectors, including technology and healthcare. It has been revealed that over 100 victims have been impacted by this DOGE-themed ransomware campaign since January.

Cybercriminals are distributing a ZIP file named "Pay Adjustment.zip" through phishing emails. Inside this archive is an LNK file disguised as a PDF document. Upon execution, this LNK file triggers a PowerShell script named "stage1.ps1", which downloads additional ransomware components. The script also opens politically themed YouTube videos, potentially to distract the victim. The initial ransomware note makes references to DOGE to add confusion. The attackers utilize a tool called 'Ktool.exe' to escalate privileges by exploiting a vulnerability in the Intel Network Adapter Diagnostic Driver.

The ransomware note, RANSOMNOTE.txt, references DOGE and includes names of individuals associated with the department. Victims are being asked to pay $1,000 in Monero, although it is unclear whether paying the ransom leads to data recovery or if it is an elaborate troll. Trend Micro revealed that the latest samples of Fog ransomware, uploaded to VirusTotal between March 27 and April 2, 2025, spread through distribution of a ZIP file containing an LNK file disguised as a PDF.

Recommended read:
References :
  • cyberinsider.com: FOG Ransomware Impersonates U.S. DOGE to Infect Targets
  • gbhackers.com: Cybercriminals Deploy FOG Ransomware Disguised as DOGE via Malicious Emails
  • www.trendmicro.com: FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE
  • www.scworld.com: Fog ransomware notes troll with DOGE references, bait insider attacks
  • securityonline.info: FOG Ransomware Campaign Targets Multiple Sectors with Phishing and Payload Obfuscation
  • darkwebinformer.com: FOG Ransomware Attack Update for the 21st of April 2025

@detect.fyi //
The Black Basta ransomware group has demonstrated remarkable resilience and adaptability despite a significant leak of their internal communications, which occurred in the first quarter of 2025. Analysis of the leaked chat logs confirms that key actors within the group, operating under aliases like @usernamegg, @lapa, and @usernameugway, continue to coordinate attacks using shared infrastructure and custom tools. This indicates a high level of operational security and a focus on long-term planning, as the group rotates delivery domains, stages different botnets for specific functions, and carefully avoids detection through staggered attack timing and limited-volume delivery. The group's persistence highlights the challenges faced by defenders in disrupting sophisticated cybercrime enterprises.

Their tactics, techniques, and procedures (TTPs) align closely with those attributed by Microsoft to groups like Storm-1674, Storm-1811, and Storm-2410. These include exploiting vulnerabilities in Citrix and VPN portals, targeting weak authentication on ESXi hypervisors, employing credential stuffing attacks, and leveraging remote access utilities and scripts for payload delivery. Black Basta has also shown an increasing emphasis on social engineering, such as impersonating IT support staff via phone calls, mirroring techniques associated with Storm-2410. This adaptability and willingness to evolve their attack methods underscore the group's sophistication.

Black Basta's operations involve a multi-stage attack chain, starting with initial access gained through various methods, including exploiting vulnerabilities in unpatched systems, phishing campaigns, and social engineering tactics such as impersonating IT help desks via Microsoft Teams. The group also employs lightweight downloaders, memory-based loaders, and obfuscated commands via tools like PowerShell and rundll32.exe, indicating a shift toward stealthier and more precise attack delivery. Detection methods for Black Basta include configuring Endpoint Detection and Response (EDR) tools to look for unusual file behavior, command-line activity, registry changes, and network traffic.

Recommended read:
References :
  • detect.fyi: Analysis of Black Basta's ransomware resilience and evolution after a data leak.
  • medium.com: Information on Black Basta's use of lightweight downloaders, memory-based loaders, and obfuscated commands.
  • valhalla.nextron-systems.com: Report on Black Basta's ransomware operations.
  • wazuh.com: Analysis of the leaked Black Basta chat logs revealing their operational methods.

@The DefendOps Diaries //
The Interlock ransomware gang is actively employing ClickFix attacks to infiltrate corporate networks and deploy file-encrypting malware. This social engineering tactic tricks users into executing malicious PowerShell commands, often under the guise of fixing an error or verifying their identity. By impersonating legitimate IT tools, Interlock bypasses traditional security measures that rely on automated detection, as the malicious code is executed manually by the victim. This represents a significant shift in the cyber threat landscape, highlighting the importance of understanding and defending against these evolving tactics.

ClickFix attacks involve manipulating users through deceptive prompts, such as fake error messages, CAPTCHA verifications, or system update requests. Victims are tricked into copying and pasting harmful commands into their systems, leading to the silent installation of malware. Interlock has been observed using fake browser and VPN client updates to deliver malware, and even uses compromised websites to redirect users to fake popup windows. These windows ask the user to paste scripts into a PowerShell terminal, initiating the malware infection process.

While the infrastructure supporting Interlock's ClickFix campaigns appears dormant since February 2025, the group's use of this technique signals ongoing innovation in their delivery mechanisms. This, combined with their consistent use of credential-stealing malware like LummaStealer and BerserkStealer, and a proprietary Remote Access Trojan (RAT), demonstrates Interlock's sophisticated approach to breaching networks. Organizations must enhance their security awareness training and implement measures to detect and prevent users from falling victim to ClickFix and other social engineering tactics.

Recommended read:
References :
  • securityonline.info: Interlock Ransomware Uses Evolving Tactics to Evade Detection
  • The DefendOps Diaries: The Rise of ClickFix Attacks: Understanding the Interlock Ransomware Gang
  • BleepingComputer: Interlock ransomware gang pushes fake IT tools in ClickFix attacks
  • www.scworld.com: ClickFix increasingly utilized in state-backed malware attacks
  • cyberpress.org: Interlock Ransomware Delivers Malicious Browser Updates via Multi-Stage Attack on Legitimate Websites
  • gbhackers.com: Interlock Ransomware Uses Multi-Stage Attack Through Legitimate Websites to Deliver Malicious Browser Updates
  • Cyber Security News: Reports show the latest ClickFix attack.
  • www.scworld.com: Interlock ransomware evolves tactics with ClickFix, infostealers
  • Talkback Resources: Interlock Ransomware Uses Evolving Tactics to Evade Detection
  • securityonline.info: Security Online discusses interlock ransomware using Evolving Tactics to Evade Detection.
  • gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • The Hacker News: State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns
  • bsky.app: Interlock ransomware gang pushes fake IT tools in ClickFix attacks ift.tt/TqmAQIF
  • securityonline.info: State-Sponsored Actors Adopt ClickFix Technique in Cyber Espionage
  • hackread.com: North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks

@x.com //
Ahold Delhaize, the multinational retail and wholesale company with operations in both Europe and the United States, has confirmed a data breach following a cyberattack in November 2024. The company, which owns supermarket brands such as Stop & Shop, Giant Food, Food Lion and Hannaford, acknowledged that certain files were stolen from its U.S. business systems. The breach was claimed by the INC ransomware group, which has threatened to release sensitive information if its demands are not met, according to researchers at Arctic Wolf. The company is currently working with outside forensics experts to determine the exact nature of the compromised data and to comply with legal obligations regarding disclosure to affected individuals.

The cyberattack disrupted e-commerce operations, particularly affecting Hannaford's pickup and delivery services, which were halted for several days. Other U.S. banners also experienced disruptions and reduced availability for e-commerce services due to "system outages." While physical stores remained open and continued to accept most payment methods, including credit cards, Ahold Delhaize took some systems offline to protect them. The company also notified and updated law enforcement about the incident.

The INC ransomware group claims to have exfiltrated approximately 6 terabytes of data from Ahold Delhaize's U.S. division. This data includes sensitive documents and personal identifiers, raising concerns about potential misuse and privacy violations. Ahold Delhaize is advising customers to be vigilant for phishing attempts and fraudulent activity. The company is currently investigating the extent of the breach and is committed to taking necessary measures to contain the situation and prevent further unauthorized access.

Recommended read:
References :
  • The DefendOps Diaries: Ahold Delhaize Cyberattack: A Deep Dive into the Ransomware Breach
  • BleepingComputer: Ahold Delhaize confirms data theft after INC ransomware claims attack
  • www.cybersecuritydive.com: Ahold Delhaize confirms data stolen after threat group claims credit for November attack
  • www.scworld.com: Data breach confirmed by Ahold Delhaize after INC ransomware claims
  • Cyber Security News: Ahold Delhaize data breach in November 2024.
  • bsky.app: Food retail giant Ahold Delhaize confirms that data was stolen from its U.S. business systems during a November 2024 cyberattack.
  • gbhackers.com: GBHackers articles about Ahold Data stolen
  • www.techradar.com: Food retail giant behind several major US supermarket brands confirms data stolen in major ransomware breach
  • thecyberexpress.com: Ahold Delhaize USA, the parent company of several well-known American supermarket brands, has confirmed that data was stolen during a cyberattack that took place in the fall of 2024.
  • newsroom.aholddelhaize.com: Ahold Delhaize updates statement on Nov. 8, 2024 cybersecurity issue
  • Check Point Research: For the latest discoveries in cyber research for the week of 21st April, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Retail giant Ahold Delhaize has suffered a cyber-attack resulting in data theft of customer information from its US business systems. The attack, claimed by ransomware group INC Ransom, impacted Ahold Delhaize USA […]
  • eSecurity Planet: Retail giant Ahold Delhaize has suffered a cyber-attack resulting in data theft of customer information from its US business systems.
  • thecyberexpress.com: The INC Ransom gang claimed responsibility for the cyberattack on Ahold Delhaize.
  • Davey Winder: Ahold Delhaize USA, the parent company of several well-known American supermarket brands, has confirmed that data was stolen during a cyberattack that took place in the fall of 2024.

@gbhackers.com //
The Interlock ransomware group has escalated its operations across North America and Europe, employing sophisticated techniques to evade detection. Cybersecurity firms such as Sekoia Threat Detection & Research (TDR) are closely monitoring Interlock's activities, revealing their evolving tactics and tools. Unlike typical Ransomware-as-a-Service (RaaS) operations, Interlock operates independently, focusing on targeted attacks known as Big Game Hunting and double extortion campaigns. Their tactics include compromising legitimate websites to host deceptive browser update pages, tricking users into downloading malicious PyInstaller files that appear as legitimate Google Chrome or Microsoft Edge installers.

These fake installers launch PowerShell-based backdoors, which continuously execute HTTP requests to communicate with command-and-control (C2) servers. This PowerShell script collects system information and offers functionality for executing arbitrary commands and establishing persistence. Interlock uses a continuous communication loop with the C2 server to maintain persistence. The C2 server can then issue commands to terminate the backdoor or deploy additional malware, such as keyloggers or credential stealers like LummaStealer and BerserkStealer. These actions bypass automated defenses by tricking victims into manually executing malicious commands.

In early 2025, Interlock began experimenting with ClickFix, a social engineering technique that prompts users to execute malicious PowerShell commands through spoofed CAPTCHAs or browser alerts, supposedly to "fix" an issue. Interlock also uses IP address clustering to maintain infrastructure resilience, often utilizing IPs from BitLaunch, Hetzner Online GmbH, and other autonomous systems. The group commonly uses RDP and stolen credentials for lateral movement within compromised networks, often targeting domain controllers to gain widespread control. Cybersecurity researchers actively adapt defenses against Interlock's techniques.

Recommended read:
References :
  • gbhackers.com: Interlock leverages a multi-stage attack through seemingly benign websites and malicious browser updates, demonstrating its advanced tactics for evasion.
  • securityonline.info: The group is distinguished by its independent operations, focusing on targeted attacks and double-extortion campaigns, and avoiding a RaaS model.
  • BleepingComputer: Interlock ransomware gang pushes fake IT tools in ClickFix attacks

@gbhackers.com //
CrazyHunter, a new ransomware group, has emerged as a significant cyber threat, specifically targeting organizations in Taiwan. Their victims predominantly include those in the healthcare, education, and industrial sectors, indicating a focus on organizations with valuable data and sensitive operations. Since January, CrazyHunter's operations have shown a clear pattern of specifically targeting Taiwanese organizations. The group made their introduction with a data leak site posting ten victims, all located in Taiwan, demonstrating a strategic, regionally focused campaign.

CrazyHunter's toolkit heavily relies on open-source tools sourced from GitHub, with approximately 80% of their arsenal being open-source. The group broadens its toolkit by integrating open-source tools from GitHub, such as the Prince Ransomware Builder and ZammoCide, to further enhance their operational capabilities. This approach significantly reduces the technical barrier for creating tailored, potent ransomware attacks, enabling rapid adaptation and enhancement of their operations. They have also been seen to modify existing open source tools as their capabilities grow.

The ransomware deployment process includes the use of Bring Your Own Vulnerable Driver (BYOVD) techniques to bypass security measures. A customized process killer derived from the open-source project ZammoCide exploits the zam64.sys driver to neutralize defenses, specifically targeting antivirus and endpoint detection and response (EDR) systems. The ransomware itself, a bespoke variant using the Go programming language, employs advanced ChaCha20 and ECIES encryption to lock files, appending them with a “.Hunter” extension. This demonstrates a sophisticated and targeted approach to ransomware deployment.

Recommended read:
References :
  • gbhackers.com: Analysis of the CrazyHunter group highlights its sophisticated methodology in exploiting accessible open-source tools and targeting various sectors within Taiwan.
  • www.trendmicro.com: Trend Micro details research on emerging ransomware group CrazyHunter, which has launched a sophisticated campaign aimed at Taiwan's essential services.
  • cyberpress.org: CyberPress - CrazyHunter Hackers Leverage GitHub Open-Source Tools to Launch Attacks on Organizations
  • securityonline.info: The group's reliance on readily available GitHub resources underscores a trend of attackers leveraging public repositories for their operations.

@nvd.nist.gov //
Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.

The attention-grabbing name is likely a deliberate attempt to misdirect attention and create confusion, potentially questioning the effectiveness of governmental cybersecurity efforts. Despite the name's provocative nature, the attack mechanism is relatively simple. The ransomware is typically distributed via a compressed ZIP file, sometimes disguised as a PDF document. Once opened, the malicious payload bypasses traditional security defenses using obfuscation and anti-detection techniques.

The DOGE Big Balls ransomware attack highlights the evolving tactics of cybercriminals, blending technical sophistication with psychological manipulation. It also demonstrates the increasing trend of ransomware attacks targeting the healthcare sector, as seen with the recent attack on DaVita, a Denver-based dialysis firm. This incident underscores the critical need for organizations to bolster their cybersecurity defenses and incident response capabilities to protect sensitive data and maintain operational continuity.

Recommended read:
References :
  • cyble.com: This attack leverages a ZIP file with a deceptive LNK shortcut to silently execute a multi-stage PowerShell-based infection chain, ensuring stealthy deployment. A vulnerable driver ( ) is exploited through a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level read/write access for privilege escalation. The payload is a customized version of Fog ransomware, branded as "DOGE BIG BALLS Ransomware," reflecting an attempt to add psychological manipulation and misattribution. Ransomware scripts include provocative political commentary and the use of a real individual's name and address, indicating intent to confuse, intimidate, or mislead victims. The malware uses router MAC addresses (BSSIDs) and queries the Wigle.net API to determine the victim’s physical location—offering more accurate geolocation than IP-based methods. Extensive system and network information, including hardware IDs, firewall states, network configuration, and running processes, is collected via PowerShell, aiding attacker profiling. Embedded within the toolkit is a Havoc C2 beacon, hinting at the threat actor’s (TA's) potential to maintain long-term access or conduct additional post-encryption activities.
  • Davey Winder: DOGE Big Balls Ransomware Attack — What You Need To Know
  • thecyberexpress.com: TheCyberExpress: DOGE BIG BALLS Campaign Blurs Lines Between Exploitation, Recon, and Reputation Damage
  • www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
  • www.cysecurity.news: CySecurity: DOGE Big Balls Ransomware turns into a big cyber threat
  • seceon.com: The TraderTraitor Crypto Heist: Nation-State Tactics Meet Financial Cybercrime

@cyble.com //
Hacktivist groups are increasingly adopting sophisticated and destructive attack methods, moving beyond basic DDoS attacks to target critical infrastructure with ransomware. These groups, motivated by ideological goals, are focusing on government platforms and industrial manufacturers. Pro-Russian hacktivists are primarily targeting NATO-aligned nations and supporters of Ukraine, while pro-Ukrainian, pro-Palestinian, and anti-establishment groups are focusing on Russia, Israel, and the United States. This evolution reflects a shift towards hybrid warfare tactics, combining DDoS, credential leaks, and ICS disruption to overcome single-layer defenses.

The energy sector is particularly vulnerable, with successful cyber breaches posing severe risks to national security, economic stability, and public safety. The CyberAv3ngers, an Iranian state-sponsored hacker group, exemplifies this threat. Despite masquerading as hacktivists, they are actively targeting industrial control systems in the water, oil and gas, and other critical infrastructure sectors worldwide. The group has already caused global disruption and shows no signs of slowing down. Their actions represent a rare example of state-sponsored cybersaboteurs crossing the line and disrupting critical infrastructure.

Reports and investigations highlight vulnerabilities within power grids and other key systems. Recent investigations have revealed hidden capabilities in Chinese-manufactured power transformers that could allow remote shutdown from overseas. This discovery prompted concerns about potential "sleeper cells" within critical national systems. Furthermore, ransomware attacks continue to be a major threat, causing operational disruptions, data breaches, and financial losses. The industry is responding with increased cybersecurity investment and proactive strategies as professionals see cybersecurity as the greatest risk to their business.

Recommended read:
References :
  • cyble.com: Cyble report on hacktivists moving into ransomware attacks.
  • threatmon.io: Ransomware attacks remain one of the most critical threats to modern businesses, leading to severe operational disruptions, data breaches, and substantial financial losses.

@www.microsoft.com //
Microsoft is enhancing the security of its Exchange Server and SharePoint Server platforms by integrating the Windows Antimalware Scan Interface (AMSI). These servers, considered "crown jewels" for many organizations, have become frequent targets for cyberattacks. The AMSI integration provides a vital layer of defense by preventing malicious web requests from reaching backend endpoints, effectively stopping attacks before they can cause harm. Microsoft emphasizes that threat actors often exploit outdated or misconfigured assets and vulnerabilities, highlighting the importance of this proactive security measure.

The integration of AMSI with Exchange and SharePoint Servers enables them to work seamlessly with any AMSI-compatible antimalware product. This measure is designed to counter sophisticated attack vectors targeting on-premises infrastructure. The enhanced AMSI capabilities extend scanning to HTTP request bodies, allowing for a broader detection of malicious payloads. While these features are not enabled by default, Microsoft strongly recommends that organizations activate them to bolster defenses against remote code execution and post-authentication vulnerabilities.

Microsoft also addressed a zero-day vulnerability in the Windows Common Log File System (CLFS), tracked as CVE-2025-29824, with a security update released on April 8, 2025. This vulnerability allowed attackers with user access to escalate privileges and deploy ransomware. The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) discovered exploitation of this flaw against a limited number of targets, including organizations in the IT, real estate, and financial sectors. Microsoft urges organizations to prioritize security updates for elevation of privilege vulnerabilities to defend against ransomware attacks.

Recommended read:
References :
  • Security | TechRepublic: Microsoft warns CVE-2025-29824 lets attackers with user access escalate privileges to deploy ransomware via a flaw in Windows CLFS.
  • Microsoft Security Blog: Exchange Server and SharePoint Server are business-critical assets and considered crown-jewels for many organizations, making them attractive targets for attacks.
  • www.microsoft.com: Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI
  • Microsoft Security Blog: Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets.
  • gbhackers.com: Microsoft Boosts Exchange and SharePoint Security with Updated Antimalware Scan

@www.bleepingcomputer.com //
The Fourlis Group, which operates IKEA stores in Greece, Cyprus, Romania, and Bulgaria, has revealed a significant financial impact stemming from a ransomware attack that occurred in November 2024. The attack, which targeted the online IKEA shops just before the busy Black Friday weekend, resulted in substantial operational disruptions and financial losses. The company confirmed that these losses are estimated to be approximately €20 million ($22.8 million).

The initial signs of the attack became public on December 3, 2024, when the Fourlis Group acknowledged technical issues affecting the IKEA online stores, attributing them to a "malicious external action". While the group manages other retail brands such as Intersport, Foot Locker, and Holland & Barrett, the ransomware attack primarily impacted IKEA's online operations. A forensic investigation later revealed that the temporary unavailability of data was quickly restored, and there was no evidence to suggest any data theft or leaks of personal data occurred as a result of the incident.

Despite the significant financial impact and operational disruptions, no ransomware group has claimed responsibility for the attack to date. The lack of a public claim could indicate that the attackers were unsuccessful in stealing data or that they are pursuing a private settlement with the Fourlis Group. The incident underscores the growing threat of ransomware attacks targeting major retailers and the potential for substantial financial losses and operational challenges these attacks can cause.

Recommended read:
References :
  • BleepingComputer: Fourlis Group, the operator of IKEA stores in Greece, Cyprus, Romania, and Bulgaria, confirmed that the ransomware attack they suffered in November 2024 cost them approximately €20 million in losses.
  • BleepingComputer: The Fourlis Group, which operates IKEA stores in several Eastern European countries, has revealed the significant financial impact of the ransomware attack.
  • Techzine Global: This is a summary of the ransomware attack on the Fourlis Group and the significant financial losses incurred.

@hackread.com //
The Medusa ransomware group has claimed responsibility for a cyberattack on NASCAR, alleging the theft of over 1TB of data. In a posting on its dark web leak site, Medusa has demanded a $4 million ransom for the deletion of NASCAR's data. The group has placed a countdown timer on the leak site, threatening to make the stolen data available to anyone on the internet after the deadline. The countdown deadline can be extended at a cost of $100,000 per day.

To verify its claim, Medusa has published screenshots of what it claims are internal NASCAR documents. These include names, email addresses, and phone numbers of NASCAR employees and sponsors, as well as invoices, financial reports, and more. Furthermore, the ransomware gang has published a substantial directory illustrating NASCAR's internal file structure and the names of documents that have been exfiltrated. While NASCAR has not yet confirmed or denied reports of the attack, the details published by Medusa on its leak site appear credible.

The Medusa ransomware group operates under a ransomware-as-a-service (RaaS) model and is known for its double extortion tactics. The FBI and CISA issued a joint cybersecurity advisory last month warning that Medusa ransomware had impacted over 300 organizations, including those in critical infrastructure sectors such as medical, education, legal, insurance, technology, and manufacturing. Past victims include Minneapolis Public Schools, which refused to pay a million-dollar ransom and saw approximately 92 GB of stolen data released to the public.

Recommended read:
References :
  • Rescana: Rescana post about the ransomware attack on NASCAR
  • hackread.com: Medusa Ransomware Claims NASCAR Breach in Latest Attack, Demands $4M Ransom
  • bsky.app: Medusa ransomware gang claims to have hacked NASCAR. https://www.bitdefender.com/en-us/blog/hotforsecurity/medusa-ransomware-hacked-nascar
  • cybersecuritynews.com: The Medusa ransomware group has reportedly launched a major cyberattack on the National Association for Stock Car Auto Racing (NASCAR), demanding a $4 million ransom to prevent the release of sensitive data.
  • www.bitdefender.com: Medusa ransomware gang claims to have hacked NASCAR The Medusa ransomware-as-a-service (RaaS) claims to have compromised the computer systems of NASCAR, the United States' National Association for Stock Car Auto Racing, and made off with more than 1TB of data.
  • www.cysecurity.news: Hackers Demand $4 Million After Alleged NASCAR Data Breach. The motorsports industry has recently been faced with troubling news that NASCAR may have become the latest high-profile target for a ransomware attack as a result of the recent hackread.com report.
  • Cyber Security News: Medusa Ransomware Claims NASCAR Hack, Demands $4 Million Ransom

@Talkback Resources //
Despite recent arrests in 2024, the Scattered Spider cybercrime collective remains active in 2025, continuing to target high-profile organizations with sophisticated social engineering attacks. The group, known for its audacious breaches including attacks against MGM Resorts and Caesars Entertainment in 2023, employs tactics such as impersonating IT staff to steal login credentials and using remote access tools. Security firm Silent Push has uncovered the group's persistence in 2025 and has outlined the group's latest tactics, techniques and procedures.

Scattered Spider is utilizing updated phishing kits and a new version of the Spectre RAT malware to compromise systems and exfiltrate sensitive data. Their phishing campaigns involve impersonating well-known brands and software vendors, including the use of dynamic DNS services to evade detection. Targets in 2025 include organizations such as Klaviyo, HubSpot, Pure Storage, Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, Tinder, T-Mobile, and Vodafone.

Law enforcement has made some progress in disrupting Scattered Spider's operations. Noah Michael Urban, also known as "King Bob," a 20-year-old member of the group, pleaded guilty to charges related to SIM swap fraud, aggravated identity theft, and cryptocurrency thefts. He faces potential decades in prison and is required to pay over $13.2 million in restitution to 59 victims. Silent Push made available code for a Spectre RAT string decoder and command and control (C2) emulator that defenders can use in their efforts to squash the eight-legged menace.

Recommended read:
References :
  • Talkback Resources: Scattered Spider adds new phishing kit, malware to its web
  • www.scworld.com: Scattered Spider persists with use of Spectre RAT, new phishing kit
  • cyberpress.org: Article on conducting advanced campaigns to steal login credentials and MFA tokens
  • gbhackers.com: The cyber threat landscape has witnessed remarkable adaptation from the notorious hacker collective known as Scattered Spider. Active since at least 2022, this group has been consistently refining its strategies for system compromise, data exfiltration, and identity theft. Silent Push analysts have tracked the evolution of Scattered Spider’s tactics, techniques, and procedures (TTPs) through early
  • cybersecuritynews.com: Scattered Spider Employs Sophisticated Attacks to Steal Login Credentials & MFA Tokens
  • gbhackers.com: Scattered Spider Launches Sophisticated Attacks to Steal Login Credentials and MFA Tokens

info@thehackernews.com (The Hacker News)@The Hacker News //
Microsoft has issued a critical security update as part of its April 2025 Patch Tuesday to address a zero-day vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS). The vulnerability, classified as an elevation of privilege flaw, is being actively exploited by the RansomEXX ransomware gang to gain SYSTEM privileges on compromised systems. According to Microsoft, the attacks have targeted a limited number of organizations across various sectors and countries, including the IT and real estate sectors in the United States, the financial sector in Venezuela, a software company in Spain, and the retail sector in Saudi Arabia.

Microsoft Threat Intelligence Center (MSTIC) has attributed the exploitation activity to a group tracked as Storm-2460, which deployed the PipeMagic malware to facilitate the attacks. Successful exploitation of CVE-2025-29824 allows an attacker with a standard user account to escalate privileges, enabling them to install malware, modify system files, disable security features, access sensitive data, and maintain persistent access. This can result in full system compromise and lateral movement across networks, leading to the widespread deployment and detonation of ransomware within the affected environment.

The zero-day vulnerability is located in the CLFS kernel driver and is due to a use-after-free weakness. Microsoft recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks. While Microsoft has issued security updates for impacted Windows versions, patches for Windows 10 x64 and 32-bit systems are pending release. In addition to fixing the zero-day flaw, Microsoft's April 2025 Patch Tuesday includes fixes for 134 other vulnerabilities, with 11 of them classified as critical remote code execution vulnerabilities.

Recommended read:
References :
  • isc.sans.edu: This month, Microsoft has released patches addressing a total of 125 vulnerabilities.
  • The DefendOps Diaries: Microsoft's April 2025 Patch Tuesday addresses 134 vulnerabilities, including a critical zero-day, highlighting the need for robust security.
  • Cyber Security News: Microsoft’s April 2025 Patch Tuesday update has arrived, delivering critical fixes for 121 security vulnerabilities across its broad suite of software products.
  • BleepingComputer: Today is Microsoft's April 2025 Patch Tuesday, which includes security updates for 134 flaws, including one actively exploited zero-day vulnerability.
  • Tenable Blog: Microsoft’s April 2025 Patch Tuesday Addresses 121 CVEs (CVE-2025-29824)
  • Cisco Talos Blog: Microsoft Patch Tuesday for April 2025 — Snort rules and prominent vulnerabilities
  • CyberInsider: Microsoft Fixes Actively Exploited CLFS Zero-Day Used in Ransomware Attacks
  • bsky.app: Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw (CVE-2025-29824) in the Windows Common Log File System to gain SYSTEM privileges on victims' systems.
  • The DefendOps Diaries: Understanding the Impact of CVE-2025-29824: A Critical Windows Vulnerability
  • Threats | CyberScoop: Microsoft patches zero-day actively exploited in string of ransomware attacks
  • thecyberexpress.com: TheCyberExpress article on Microsoft Patch Tuesday April 2025.
  • cyberinsider.com: Microsoft Fixes Actively Exploited CLFS Zero-Day Used in Ransomware Attacks
  • www.microsoft.com: Microsoft Security Blog on CLFS zero-day exploitation.
  • BleepingComputer: Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw (CVE-2025-29824) in the Windows Common Log File System to gain SYSTEM privileges on victims' systems.
  • bsky.app: Sky News post on Microsoft April 2025 Patch Tuesday.
  • Cyber Security News: CybersecurityNews article on Windows CLFS Zero-Day Vulnerability Actively Exploited by Ransomware Group
  • Microsoft Security Blog: Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets.
  • Malwarebytes: Microsoft releases April 2025 Patch Tuesday updates, including fixes for 121 vulnerabilities, one of which is an actively exploited zero-day in the Windows Common Log File System (CLFS) driver.
  • isc.sans.edu: Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild.
  • Blog RSS Feed: Report on the April 2025 Patch Tuesday analysis, including CVE-2025-29824.
  • krebsonsecurity.com: Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild.
  • securityonline.info: SecurityOnline discusses Windows CLFS Zero-Day Exploited to Deploy Ransomware
  • securityonline.info: Windows CLFS Zero-Day Exploited to Deploy Ransomware
  • securityaffairs.com: U.S. CISA adds Gladinet CentreStack and ZTA Microsoft Windows Common Log File System (CLFS) Driver flaws to its Known Exploited Vulnerabilities catalog
  • www.cybersecuritydive.com: Windows CLFS zero-day exploited in ransomware attacks
  • Security | TechRepublic: Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’
  • The Register - Software: Bad luck, Windows 10 users. No fix yet for ransomware-exploited bug
  • The Hacker News: Microsoft released security fixes to address a massive set of 126 flaws affecting its software products, including one vulnerability that it said has been actively exploited in the wild.
  • www.microsoft.com: Read how cyberattackers exploit domain controllers to gain privileged system access where they deploy ransomware that causes widespread damage and operational disruption.
  • The Hacker News: PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware
  • securityonline.info: Recently, the Cybersecurity and Infrastructure Security Agency (CISA) added two significant vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the urgency for users to apply necessary patches.
  • Arctic Wolf: On April 8, 2025, Microsoft released its April 2025 security update, addressing 126 newly disclosed vulnerabilities.
  • arcticwolf.com: On April 8, 2025, Microsoft released its April 2025 security update, addressing 126 newly disclosed vulnerabilities. Arctic Wolf has highlighted five vulnerabilities affecting Microsoft Windows in this security bulletin, including one exploited vulnerability and four vulnerabilities that Microsoft has labeled as Critical.
  • Know Your Adversary: Hello everyone! I think you already heard about a zero-day vulnerability in the Common Log File System (CLFS) weaponized by RansomEXX affiliates. I'm talking about  CVE 2025-29824 .
  • Sophos News: One actively exploited issue patched; five Critical-severity Office vulns exploitable via Preview Pane
  • Security | TechRepublic: One CVE was used against “a small number of targets.” Windows 10 users needed to wait a little bit for their patches.
  • www.threatdown.com: April’s Patch Tuesday fixes a whopping 126 Microsoft vulnerabilities.
  • Logpoint: The Microsoft Security blog highlights the active exploitation of CVE-2025-24983, a zero-day vulnerability in the Windows Common Log File System (CLFS) that allows local privilege escalation to SYSTEM-level access.
  • Arctic Wolf: Microsoft Patch Tuesday: April 2025
  • www.logpoint.com: The Microsoft Security blog highlights the active exploitation of CVE-2025-24983, a zero-day vulnerability in the Windows Common Log File System (CLFS) that allows local privilege escalation to SYSTEM-level access.
  • arcticwolf.com: Microsoft Patch Tuesday: April 2025
  • ciso2ciso.com: Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’
  • Security Risk Advisors: New CLFS Zero-Day (CVE-2025-29824) Enables Rapid Privilege Escalation, Leading to Ransomware Deployment
  • cyberscoop.com: Microsoft patches zero-day actively exploited in string of ransomware attacks
  • www.tenable.com: Tenable's analysis of the CLFS vulnerability and its exploitation by Storm-2460.
  • Help Net Security: Article on Week in review: Microsoft patches exploited Windows CLFS 0-day, WinRAR MotW bypass flaw fixed

Mandvi@Cyber Security News //
The Everest ransomware gang's dark web leak site has been compromised in a brazen act of cyber defiance. The site, typically used by the gang to publish stolen data and extort victims, was hacked and defaced, disrupting their operations significantly. The attackers replaced the usual content with a taunting message: "Don’t do crime CRIME IS BAD xoxo from Prague," showcasing a clear intent to disrupt and mock the cybercriminals.

This incident marks a rare occasion where a ransomware group becomes the target of a cyberattack, highlighting vulnerabilities even within sophisticated cybercriminal networks. Security experts speculate that the attackers may have exploited weaknesses in Everest’s web infrastructure, potentially a WordPress vulnerability. The takedown of the site disrupts Everest’s ability to pressure victims and underscores the risks faced by cybercriminal organizations, showing they are not immune to being targeted themselves.

The breach of Everest's leak site points to an emerging trend of counterattacks and internal sabotage directed at ransomware groups. While the identity of the attacker remains unknown, the defacement exposes weaknesses within cybercriminal networks, potentially stemming from insider threats or rival factions. This attack comes amid broader shifts in the ransomware landscape, with recent data indicating a decline in victim payouts during 2024 as more organizations adopt robust cybersecurity measures and refuse to comply with ransom demands.

Recommended read:
References :
  • Cyber Security News: In a significant cybersecurity incident, the leak site operated by the Everest ransomware gang was hacked and defaced over the weekend.
  • The DefendOps Diaries: News about Everest Ransomware's Dark Web Leak Site Defaced and Taken Offline
  • BleepingComputer: Everest ransomware's dark web leak site defaced, now offline
  • cyberpress.org: Hackers Breach and Deface Everest Ransomware Gang’s Leak Site
  • Secure Bulletin: Secure Bulletin discusses how the Everest ransomware gang faced an unprecedented blow, with their leak site hacked and defaced.
  • techcrunch.com: TechCrunch reports the dark web leak site of the Everest ransomware gang got hacked.
  • gbhackers.com: Everest ransomware's dark web leak site defaced, highlighting vulnerabilities in cybercriminal networks and impacting their operations.
  • The Hacker News: The darknet leak site used by the ransomware gang Everest went offline Monday after being apparently hacked and defaced over the weekend.
  • The Record: The darknet leak site used by the ransomware gang Everest went offline Monday after being apparently hacked and defaced over the weekend. Everest ransomware group’s darknet site offline following defacement
  • Cyber Security News: Everest Ransomware Gang Leak Site Hacked and Defaced
  • Techzine Global: Leak site of ransomware gang Everest has been hacked
  • gbhackers.com: gbhackers article highlighting the defacement of the Everest ransomware leak site
  • securityaffairs.com: SecurityAffairs article about Everest ransomware group’s Tor leak site offline after a defacement.
  • securebulletin.com: In a surprising turn of events, the Everest ransomware gang—a notorious Russia-linked cybercriminal organization—has suffered a significant setback.
  • www.scworld.com: Cyberattack takes down Everest ransomware leak site
  • ciso2ciso.com: Everest ransomware group’s Tor leak site offline after a defacement – Source: securityaffairs.com
  • therecord.media: The darknet leak site used by the ransomware gang Everest went offline Monday after being apparently hacked and defaced over the weekend.

Graham Cluley@Graham Cluley //
Noah Urban, a 20-year-old from Palm Coast, Florida, has pleaded guilty to charges related to cryptocurrency thefts, conspiracy, wire fraud, and identity theft. Urban, known online as "King Bob," was a key member of the notorious Scattered Spider hacking gang. The charges stem from two federal cases, one in Florida and another in California. Urban's activities involved orchestrating sophisticated attacks, including SIM swapping, to steal hundreds of thousands of dollars in cryptocurrency from investors. He was arrested in January 2024, and during the raid, he reportedly attempted to wipe his computer and social media history in an effort to destroy evidence.

The cybercriminal's operations involved stealing victims' personal information and using it to hijack their phone numbers through SIM swap fraud. This allowed Urban and his accomplices to bypass two-factor authentication and gain unauthorized access to cryptocurrency wallets. They then transferred the cryptocurrency to their own accounts, netting significant profits. Urban's activities also extended to leaking songs from famous music artists after breaking into the accounts of music industry executives, disrupting planned album releases and causing financial and emotional strain on the artists involved.

As part of his plea agreement, Urban has agreed to forfeit his jewelry, currency, and cryptocurrency assets. He will also pay US $13 million in restitution to 59 victims. Urban is expected to be sentenced within the next 75 days. He faces a potentially long prison term, which will include an additional two-year sentence for aggravated identity theft, as it cannot be served concurrently with other charges. Other suspected members of the Scattered Spider gang remain under investigation, highlighting the ongoing efforts to combat this cybercriminal syndicate.

Recommended read:
References :
  • bsky.app: Wild details here from a Scattered Spider hacker who pleaded guilty last week. Noah Urban from Florida was known online as 'King Bob' (yes from the Minions movie) and was making insane money from his hacking gang from the age of just 17...
  • DataBreaches.Net: A 20-year-old Palm Coast man linked to a massive cybercriminal gang pleaded guilty in a Jacksonville federal courtroom Friday morning to charges including conspiracy and wire fraud.
  • Cyber Security News: Noah Michael Urban, a 20-year-old Palm Coast resident known online as “King Bob,” pleaded guilty on April 7, 2025, to charges related to an extensive cryptocurrency theft operation.
  • securityaffairs.com: Noah Urban, a 20-year-old from Palm Coast, pleaded guilty to conspiracy, wire fraud, and identity theft in two federal cases, one in Florida and another in California.
  • www.bitdefender.com: Noah Urban, a 20-year-old man linked to the Scattered Spider hacking gang, pleaded guilty to charges related to cryptocurrency thefts.
  • cyberpress.org: A 20-year-old Palm Coast resident known online as “King Bob,” pleaded guilty on April 7, 2025, to charges related to an extensive cryptocurrency theft operation.
  • Cyber Security News: A 20-year-old Florida man identified as a key member of the notorious "Scattered Spider" cybercriminal collective has pleaded guilty to orchestrating sophisticated ransomware attacks and cryptocurrency theft schemes targeting major corporations.
  • The Register - Security: Alleged Scattered Spider SIM-swapper must pay back $13.2M to 59 victims
  • gbhackers.com: A 20-year-old Noah Urban, a resident of Palm Coast, Florida, pleaded guilty to a series of federal charges in a Jacksonville courtroom.
  • www.404media.co: Wild details here from a Scattered Spider hacker who pleaded guilty last week.
  • www.scworld.com: Scattered Spider persists with use of Spectre RAT, new phishing kit

@cyberpress.org //
EncryptHub, an up-and-coming cybercriminal group known for its ransomware operations and data theft, has been exposed due to a series of operational security (OPSEC) blunders and its reliance on ChatGPT. This threat actor, which has been rapidly expanding its operations, has been linked to over 600 ransomware and infostealer attacks globally. Researchers have gained unprecedented insights into EncryptHub's tactics, techniques, and procedures (TTPs) due to these failures, offering a clearer picture of the individual or group behind the malicious activities.

One of the key mistakes made by EncryptHub was enabling directory listings on their servers, which exposed sensitive malware configuration files. They also reused passwords across multiple accounts and left Telegram bot configurations used for data exfiltration accessible. These OPSEC errors allowed researchers to uncover vital details about their infrastructure and campaigns, including the mapping of their attack chain. The exposure of unprotected stealer logs stored alongside malware executables further aided the investigation.

A unique aspect of EncryptHub's operations is its extensive use of ChatGPT as a development assistant. The AI chatbot was used to create malware components, configure command-and-control (C2) servers, develop phishing sites, and draft posts for underground forums. EncryptHub also leveraged ChatGPT for vulnerability research, even exploiting vulnerabilities they had previously reported under an alias. This reliance on AI, coupled with their OPSEC failures, ultimately led to their exposure and provides insight into the evolving landscape of cybercrime.


@cyberalerts.io //
Microsoft has publicly credited EncryptHub, a cybercriminal actor linked to over 618 breaches, for disclosing vulnerabilities in Windows. This revelation highlights the complex and often contradictory nature of modern cybersecurity, where a known threat actor can also contribute to improving system security. The vulnerabilities reported by EncryptHub, tracked under the alias "SkorikARI with SkorikARI," included a Mark-of-the-Web security feature bypass (CVE-2025-24061) and a File Explorer spoofing vulnerability (CVE-2025-24071), both of which were patched in Microsoft's latest Patch Tuesday update.

Outpost24 KrakenLabs, a Swedish security company, has been investigating EncryptHub, unmasking details about their operations, infrastructure, and the mistakes that led to their exposure. These operational security (OPSEC) failures, combined with the actor's reliance on ChatGPT, allowed researchers to gain unprecedented insights into their tactics, techniques, and procedures (TTPs). EncryptHub's activities have been traced back to a lone wolf actor who allegedly fled Ukraine for Romania, seeking computer-related jobs while studying computer science through online courses. EncryptHub compromised 618+ targets using Microsoft flaws and custom malware after failed freelance attempts.

EncryptHub's reliance on ChatGPT as a development assistant is a notable aspect of their operations. The AI chatbot was used to create malware components, configure command-and-control (C2) servers, develop phishing sites, and even draft posts for underground forums. In one instance, EncryptHub used ChatGPT to draft posts selling exploits for vulnerabilities they had previously reported under an alias to Microsoft’s Security Response Center (MSRC). The actor’s most recent exploit, CVE-2025-26633 (aka MSC EvilTwin), targeted the Microsoft Management Console to deliver info stealers and zero-day backdoors. Despite EncryptHub's technical capabilities, their operational sloppiness, including self-infections and reused credentials, ultimately led to their exposure.

Recommended read:
References :
  • thehackernews.com: Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws
  • Cyber Security News: ChatGPT Clues and OPSEC Errors Expose EncryptHub Ransomware Operators
  • Sam Bent: Microsoft Publicly Credits Hacker Behind 618+ Attacks—EncryptHub Exposed as Dual-Use Operator
  • gbhackers.com: EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures
  • DataBreaches.Net: Unmasking EncryptHub: Help from ChatGPT & OPSEC blunders
  • Cyber Security News: has been exposed due to a series of operational security failures and unconventional use of AI tools.
  • BleepingComputer: EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
  • ciso2ciso.com: The controversial case of the threat actor EncryptHub – Source: securityaffairs.com
  • securityaffairs.com: The controversial case of the threat actor EncryptHub
  • bsky.app: EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
  • Techzine Global: EncryptHub plays dual role as cybercriminal and Windows researcher
  • The DefendOps Diaries: Decrypting EncryptHub: A Cybersecurity Enigma
  • bsky.app: BSky post about EncryptHub's dual life as a cybercriminal and Windows bug bounty researcher
  • www.bleepingcomputer.com: EncryptHub's dual life: Cybercriminal vs Windows bug-bounty researcher
  • www.scworld.com: Report: EncryptHub moonlighting in vulnerability research
  • Anonymous: EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.

@cyble.com //
The ransomware landscape continues to experience significant turbulence as groups target each other's infrastructure and tactics shift. Notably, a group known as DragonForce has been actively hacking its rivals, with RansomHub, a major Ransomware-as-a-Service (RaaS) platform and one of the most active groups, being their latest target. DragonForce has previously targeted Mamona and BlackLock. This takeover of RansomHub could lead to a significant shift in the RaaS model, potentially leading to affiliates developing their own brands and further fragmenting the threat landscape.

Researchers infiltrated the online infrastructure associated with BlackLock ransomware and uncovered configuration files, credentials, and a history of executed commands. The intrusion also revealed clear-web IP addresses that had been hidden behind Tor infrastructure. BlackLock, which emerged in January 2025 and was previously known as El_Dorado, had listed 46 victims prior to the incident. Coincidentally (or perhaps via the same exploit), BlackLock’s leak site was also defaced.

Hunters International, a RaaS group that some believe evolved from Hive, appears to be rebranding and shifting operations, moving away from an unprofitable and risky ransomware business and focusing solely on exfiltrating data and extorting victims. The decision appears to come in the wake of international law enforcement operations. By dropping the encryption part of the equation and concentrating purely on data exfiltration and extortion, the group is relaunching under the name “World Leaks”.

Recommended read:
References :
  • bsky.app: There's a ransomware group named DragonForce going around hacking its rivals. After Mamona and BlackLock, the group has now hacked RansomHub—a major RaaS platform and one of the most active groups today.
  • cyble.com: Ransomware Attack Levels Remain High as Major Change Looms
  • Searchlight Cyber: BlackLock Ransomware Exposed and DragonForce Makes Moves
  • BlackFog: BlackFog Report Reveals Record Number of Ransomware Attacks from January to March
  • www.tripwire.com: Ransomware reaches a record high, but payouts are dwindling

Bill Toulas@BleepingComputer //
The State Bar of Texas has confirmed a data breach following a ransomware attack claimed by the INC ransomware gang. The breach, which occurred between January 28 and February 9, 2025, involved unauthorized access to the organization's network, leading to the exfiltration of sensitive information. The incident was discovered on February 12, 2025, prompting immediate action to secure the network and initiate an investigation with the assistance of third-party forensic specialists. The organization is the second-largest bar association in the United States, with over 100,000 licensed attorneys, regulating the legal profession in Texas by overseeing licensing, continuing legal education, ethical compliance, and disciplinary actions.

Approximately 2,700 individuals were affected by the breach. The compromised data includes full names, Social Security numbers, financial account details such as credit and debit card numbers, driver’s licenses, and medical and health insurance details. The exposure of such a wide array of sensitive information poses significant risks of identity theft and financial fraud. The Texas State Bar has emphasized that there is no current evidence of misuse or fraudulent activity involving the compromised data but is urging affected parties to remain vigilant and monitor their financial accounts and credit reports for suspicious activity over the next 12 to 24 months.

In response to the data breach, the State Bar of Texas has implemented additional security measures to prevent future incidents and is reviewing its data privacy policies. Affected individuals are being notified directly and offered complimentary credit monitoring services through Experian for a specified period, including features such as credit monitoring, identity restoration support, and identity theft insurance coverage up to $1 million. Recipients were advised to consider activating a credit freeze or placing a fraud alert on their credit files to mitigate potential risks from the data exposure. The incident serves as a wake-up call for legal cybersecurity, highlighting the vulnerabilities inherent in even the most established institutions and emphasizing the need for robust data protection measures.

Recommended read:
References :
  • The DefendOps Diaries: Texas State Bar data breach: A wake-up call for legal cybersecurity
  • BleepingComputer: Texas State Bar warns of data breach after INC ransomware claims attack
  • www.scworld.com: Separate breaches reported by Texas city's utility payment site, state bar
  • gbhackers.com: Texas State Bar Confirms Data Breach, Begins Notifying Affected Consumers
  • Cyber Security News: CyberPress article on State Bar data breach
  • bsky.app: The State Bar of Texas is warning it suffered a data breach after the INC ransomware gang claimed to have breached the organization and began leaking samples of stolen data.
  • BleepingComputer: The State Bar of Texas is warning it suffered a data breach after the INC ransomware gang claimed to have breached the organization and began leaking samples of stolen data.
  • Jon Greig: The Texas State Bar announced a data breach on the same day

@cyberalerts.io //
The Port of Seattle, the U.S. government agency responsible for Seattle's seaport and airport, is currently notifying approximately 90,000 individuals about a significant data breach. The breach occurred after a ransomware attack in August 2024, where personal information was stolen from previously used port systems. The compromised data includes names, dates of birth, Social Security numbers, driver’s licenses, ID cards, and some medical information. The organization runs Seattle-Tacoma International Airport, parks, and container terminals. Of those affected, about 71,000 are Washington state residents.

The August 24 incident severely damaged the systems used by the city’s port and airport, forcing workers to take extraordinary measures to help travelers. The ransomware attack caused considerable disruption, knocking out the airport’s Wi-Fi, and employees had to resort to using dry-erase boards for flight and baggage information. Screens throughout the facility were down, and some airlines had to manually sort through bags. Legacy systems used for employee data were specifically targeted, and the post-mortem revealed that encryption and system disconnections impacted services such as baggage handling, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking.

Following the attack, the Rhysida ransomware group claimed responsibility and demanded a ransom. However, port officials confirmed in September that they refused to pay, with executive director Steve Metruck explaining that “paying the criminal organization would not reflect Port values or our pledge to be a good steward of taxpayer dollars.” The Port is offering one year of free credit monitoring services to the victims and has posted the breach notice online for those without available mailing addresses. The agency emphasizes that the attack did not affect the proprietary systems of major airline and cruise partners or the systems of federal partners like the Federal Aviation Administration, Transportation Security Administration, and U.S. Customs and Border Protection.

Recommended read:
References :
  • BleepingComputer: Port of Seattle, the U.S. government agency overseeing Seattle's seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack.
  • The DefendOps Diaries: Ransomware Breach at Port of Seattle: An In-Depth Analysis
  • www.bleepingcomputer.com: Port of Seattle says ransomware breach impacts 90,000 people
  • bsky.app: Port of Seattle, the U.S. government agency overseeing Seattle's seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack.
  • therecord.media: Port of Seattle says 90,000 people impacted in 2024 ransomware attack
  • securityaffairs.com: SecurityAffairs article discussing Port of Seattle data breach impacts 90,000 people
  • Talkback Resources: Port of Seattle August data breach impacted 90,000 people [mal]
  • Cybernews: Port of Seattle has informed approximately 90,000 individuals about a data breach that happened last year.
  • www.scworld.com: Officials at the Port of Seattle confirmed that nearly 90,000 individuals, most of whom are from Washington state, had their data stolen following an August attack by the Rhysida ransomware operation, reports Security Affairs.