CyberSecurity news

FlagThis - #ransomware-as-a-service

Rescana@Rescana //
A new and dangerous version of the Anubis ransomware has emerged, now equipped with a data wiping module that significantly increases the stakes for victims. The Anubis Ransomware-as-a-Service (RaaS) has been active since December 2024 and now presents a dual-threat by not only encrypting files, but also permanently deleting them. This means that even if victims pay the ransom, data recovery is impossible because of the '/WIPEMODE' parameter which renders file contents to 0 KB, despite preserving the file names and extensions.

The ransomware is being deployed via phishing emails with malicious attachments or deceptive links which bypass endpoint defenses. Once inside a network, it uses lateral movement techniques, such as privilege escalation, to gain deeper access. The primary targets are organizations within the healthcare, hospitality, and construction sectors, impacting entities across Australia, Canada, Peru, and the United States. This dual-threat capability represents an evolution from traditional ransomware, exerting even more pressure on victims to comply with ransom demands.

Cybersecurity experts are urging organizations to implement robust backup and recovery procedures to mitigate the impact of Anubis attacks. Trend Micro researchers and others describe Anubis as a "rare dual-threat" that encrypts and permanently erases files. Anubis also operates a flexible affiliate program with negotiable revenue splits, offering additional monetization paths like data extortion and access sales. The discovery of this destructive behavior highlights the increasing sophistication of ransomware operations and the importance of proactive cybersecurity measures.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • The Hacker News: Anubis Ransomware Encrypts and Wipes Files, Making Recovery Impossible Even After Payment
  • Davey Winder: This New Ransomware Can Irrevocably Destroy Your Files — Backup Now
  • Rescana: Anubis Ransomware Incident Analysis: Dual-Threat Cyber Attack with Irreversible File Wiping in Healthcare, Hospitality, and Construction Systems
  • securityaffairs.com: New Anubis RaaS includes a wiper module
  • DataBreaches.Net: Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper
  • Security Risk Advisors: 🚩 Anubis Ransomware Emerges with Dual Encryption and File Destruction Capabilities
  • www.trendmicro.com: Trend Micro article Anubis Ransomware Emerges with Dual Encryption and File Destruction Capabilities
Classification:
  • HashTags: #Ransomware #DataWiper #Anubis
  • Company: Trend Micro
  • Target: Healthcare, Hospitality, and Construction Systems
  • Attacker: Anubis
  • Product: Ransomware-as-a-Service
  • Feature: data wiper
  • Malware: Anubis
  • Type: Ransomware
  • Severity: Disaster
Dissent@DataBreaches.Net //
The LockBit ransomware group, a major player in the Ransomware-as-a-Service (RaaS) sector, has suffered a significant data breach. On May 7, 2025, the group's dark web affiliate panels were defaced, revealing a link to a MySQL database dump containing sensitive operational information. This exposed data includes Bitcoin addresses, private communications with victim organizations, user credentials, and other details related to LockBit's illicit activities. The defacement message, "Don't do crime CRIME IS BAD xoxo from Prague," accompanied the data leak, suggesting a possible motive of disrupting or discrediting the ransomware operation.

The exposed data from LockBit's affiliate panel is extensive, including nearly 60,000 unique Bitcoin wallet addresses and over 4,400 victim negotiation messages spanning from December 2024 through April 2025. Security researchers have confirmed the authenticity of the leaked data, highlighting the severity of the breach. The LockBit operator, known as "LockBitSupp," acknowledged the breach but claimed that no private keys were compromised. Despite previous setbacks, such as the "Operation Cronos" law enforcement action in February 2024, LockBit had managed to rebuild its operations, making this recent breach a significant blow to their infrastructure.

Analysis of the leaked information has uncovered a list of 20 critical Common Vulnerabilities and Exposures (CVEs) frequently exploited by LockBit in their attacks. These vulnerabilities span multiple vendors and technologies, including Citrix, PaperCut, Microsoft, VMware, Apache, F5 Networks, SonicWall, Fortinet, Ivanti, Fortra, and Potix. Additionally, the leaked negotiations revealed LockBit’s preference for Monero (XMR) cryptocurrency, offering discounts to victims who paid ransoms using this privacy-focused digital currency. Ransom demands typically ranged from $4,000 to $150,000, depending on the scale of the attack.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • DataBreaches.Net: CoinPedia reports: “Don’t do crime. CRIME IS BAD. xoxo from Prague.” That’s the message left behind after hackers gave LockBit – a ransomware gang known for extorting millions. Yes, they just got a brutal taste of their own medicine.
  • Metacurity: All of the ransomware gang's admin panels now state. "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip." LockBit ransomware gang hacked, victim negotiations exposed
  • Searchlight Cyber: Searchlight’s threat intelligence team shares their early observations from the LockBit data leak On May 7 2025 it was reported that the dark web affiliate panel of the Ransomware-as-a-Service (RaaS) group LockBit has been hijacked.
  • www.bitdegree.org: LockBit Hacked: 60,000 Bitcoin Addresses and 4,400 Ransom Chats Go Public
  • BleepingComputer: The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.
  • hackread.com: LockBit’s dark web domains were hacked, exposing internal data, affiliate tools, and over 60,000 Bitcoin wallets in a…
  • Davey Winder: 60,000 Bitcoin Wallets Leaked As LockBit Ransomware Hackers Get Hacked
  • www.it-daily.net: LockBit hacker group was hacked
  • socradar.io: LockBit Hacked: 60,000 Bitcoin Addresses Leaked
  • securityaffairs.com: The LockBit ransomware site was breached, database dump was leaked online
  • slcyber.io: Early Analysis of the LockBit Data Leak
  • hackread.com: LockBit’s Dark Web Domains Hacked, Internal Data and Wallets Leaked
  • The DefendOps Diaries: LockBit Ransomware Gang Hacked: Internal Operations Exposed
  • www.scworld.com: Data breach exposes LockBit ransomware gang
  • www.itpro.com: LockBit ransomware group falls victim to hackers itself
  • Help Net Security: LockBit Hacked: What does the leaked data show?
  • Talkback Resources: Valuable information leaked from LockBit ransomware operation's administration panel, revealing details on affiliates, ransom negotiations, and potential infighting within the cybercriminal community.
  • ComputerWeekly.com: reports analysis of the LockBit 3.0 data leak
  • Tech Monitor: Ransomware group LockBit faces breach, affiliate data exposed
  • www.tripwire.com: LockBit ransomware gang breached, secrets exposed
  • cybersecuritynews.com: The affiliate panel of the infamous LockBit Ransomware-as-a-Service (RaaS) group has been hacked and defaced, showing a link to a MySQL database dump ostensibly containing leaked data relating to the group’s operations.
  • bsky.app: LockBit Ransomware Gang Breached, Secrets Exposed
  • OODAloop: LockBit ransomware group was hacked, exposing internal operations data, potentially affecting future operations.
Classification:
  • HashTags: #RansomwareLeak #CybersecurityAttack #LockBit3
  • Company: LockBit
  • Target: LockBit Victims
  • Attacker: LockBit
  • Product: LockBit Ransomware
  • Feature: Internal Operations
  • Malware: LockBit 3.0
  • Type: Ransomware
  • Severity: Major
@cyble.com //
The ransomware landscape continues to experience significant turbulence as groups target each other's infrastructure and tactics shift. Notably, a group known as DragonForce has been actively hacking its rivals, with RansomHub, a major Ransomware-as-a-Service (RaaS) platform and one of the most active groups, being their latest target. DragonForce has previously targeted Mamona and BlackLock. This takeover of RansomHub could lead to a significant shift in the RaaS model, potentially leading to affiliates developing their own brands and further fragmenting the threat landscape.

Researchers infiltrated the online infrastructure associated with BlackLock ransomware and uncovered configuration files, credentials, and a history of executed commands. This also resulted in clear web IP addresses being revealed, which were hidden behind Tor infrastructure. BlackLock, which emerged in January 2025 and was previously known as El_Dorado, had listed 46 victims prior to the incident. Coincidently (or maybe using the same exploit) BlackLock’s leak site was also defaced.

Hunters International, a RaaS group that some believe evolved from Hive, appears to be rebranding and shifting operations, moving away from an unprofitable and risky ransomware business and focusing solely on exfiltrating data and extorting victims. The decision appears to come in the wake of international law enforcement operations. Hunters appears to be shifting its operations, dropping the encryption part of the equation and focusing purely on data exfiltration and extortion, launching under the name “World Leaks”.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • bsky.app: There's a ransomware group named DragonForce going around hacking its rivals. After Mamona and BlackLock, the group has now hacked RansomHub—a major RaaS platform and one of the most active groups today.
  • cyble.com: Ransomware Attack Levels Remain High as Major Change Looms
  • Searchlight Cyber: BlackLock Ransomware Exposed and DragonForce Makes Moves
  • BlackFog: BlackFog Report Reveals Record Number of Ransomware Attacks from January to March
  • www.tripwire.com: Ransomware reaches a record high, but payouts are dwindling
Classification: