CyberSecurity news
FlagThis - #ransomware-as-a-service
|
@x.com
//
Reports indicate a surge in sophisticated ransomware attacks throughout 2025, with groups like Qilin leading the charge. Qilin has solidified its position as a top ransomware group, demonstrating significant success in recruiting affiliates and providing advanced tools. Cybercriminal forums play a crucial role in simplifying ransomware crime development, allowing new threat actors to launch attacks without extensive technical skills. This rise in activity makes it easier than ever for malicious actors to execute ransomware operations through Ransomware-as-a-Service (RaaS) models, employing readily available tools and malware.
Qilin ransomware group topped June 2025 with a staggering 86 victims, surpassing rivals and indicating a shifting threat landscape. One notable victim was newspaper giant Lee Enterprises, where a Qilin attack exposed nearly 40,000 Social Security numbers. This attack not only disrupted publishing operations nationwide but also incurred significant financial damage, with recovery costs reaching $2 million alongside substantial revenue losses. The impact extends beyond financial losses, causing significant operational disruptions and underscoring the widespread threat to businesses of all sizes. The consequences of these attacks are far-reaching. Major organizations have been hit by ransomware and data breaches, emphasizing the urgent need for robust cyber resilience and incident response plans. Cyber incidents have led to unauthorized access to internal systems, disruptions in operations, and the compromise of millions of customer and employee accounts. Experts emphasize that preparedness against cybercrime and building cyber resilience is a critical priority, urging businesses to invest in comprehensive Cyber Incident Response Plans and regular cyber tabletop exercises to simulate real-world attack scenarios and stress-test response capabilities.
Share:
References :
Classification:
Rescana@Rescana
//
A new and dangerous version of the Anubis ransomware has emerged, now equipped with a data wiping module that significantly increases the stakes for victims. The Anubis Ransomware-as-a-Service (RaaS) has been active since December 2024 and now presents a dual-threat by not only encrypting files, but also permanently deleting them. This means that even if victims pay the ransom, data recovery is impossible because of the '/WIPEMODE' parameter which renders file contents to 0 KB, despite preserving the file names and extensions.
The ransomware is being deployed via phishing emails with malicious attachments or deceptive links which bypass endpoint defenses. Once inside a network, it uses lateral movement techniques, such as privilege escalation, to gain deeper access. The primary targets are organizations within the healthcare, hospitality, and construction sectors, impacting entities across Australia, Canada, Peru, and the United States. This dual-threat capability represents an evolution from traditional ransomware, exerting even more pressure on victims to comply with ransom demands. Cybersecurity experts are urging organizations to implement robust backup and recovery procedures to mitigate the impact of Anubis attacks. Trend Micro researchers and others describe Anubis as a "rare dual-threat" that encrypts and permanently erases files. Anubis also operates a flexible affiliate program with negotiable revenue splits, offering additional monetization paths like data extortion and access sales. The discovery of this destructive behavior highlights the increasing sophistication of ransomware operations and the importance of proactive cybersecurity measures.
Share:
References :
Classification:
Dissent@DataBreaches.Net
//
The LockBit ransomware group, a major player in the Ransomware-as-a-Service (RaaS) sector, has suffered a significant data breach. On May 7, 2025, the group's dark web affiliate panels were defaced, revealing a link to a MySQL database dump containing sensitive operational information. This exposed data includes Bitcoin addresses, private communications with victim organizations, user credentials, and other details related to LockBit's illicit activities. The defacement message, "Don't do crime CRIME IS BAD xoxo from Prague," accompanied the data leak, suggesting a possible motive of disrupting or discrediting the ransomware operation.
The exposed data from LockBit's affiliate panel is extensive, including nearly 60,000 unique Bitcoin wallet addresses and over 4,400 victim negotiation messages spanning from December 2024 through April 2025. Security researchers have confirmed the authenticity of the leaked data, highlighting the severity of the breach. The LockBit operator, known as "LockBitSupp," acknowledged the breach but claimed that no private keys were compromised. Despite previous setbacks, such as the "Operation Cronos" law enforcement action in February 2024, LockBit had managed to rebuild its operations, making this recent breach a significant blow to their infrastructure. Analysis of the leaked information has uncovered a list of 20 critical Common Vulnerabilities and Exposures (CVEs) frequently exploited by LockBit in their attacks. These vulnerabilities span multiple vendors and technologies, including Citrix, PaperCut, Microsoft, VMware, Apache, F5 Networks, SonicWall, Fortinet, Ivanti, Fortra, and Potix. Additionally, the leaked negotiations revealed LockBit’s preference for Monero (XMR) cryptocurrency, offering discounts to victims who paid ransoms using this privacy-focused digital currency. Ransom demands typically ranged from $4,000 to $150,000, depending on the scale of the attack.
Share:
References :
Classification: |