CyberSecurity news

FlagThis - #ransomware-as-a-service

@cyble.com //

Ransomware Attacks Remain High; DragonForce Takes Over - DragonForce takes over RansomHub’s infrastructure, potentially shifting the RaaS model; ransomware attacks remain elevated, with the U.S. being the most targeted country.
References: bsky.app , cyble.com , BlackFog ...
The ransomware landscape continues to experience significant turbulence as groups target each other's infrastructure and tactics shift. Notably, a group known as DragonForce has been actively hacking its rivals, with RansomHub, a major Ransomware-as-a-Service (RaaS) platform and one of the most active groups, being their latest target. DragonForce has previously targeted Mamona and BlackLock. This takeover of RansomHub could lead to a significant shift in the RaaS model, potentially leading to affiliates developing their own brands and further fragmenting the threat landscape.

Researchers infiltrated the online infrastructure associated with BlackLock ransomware and uncovered configuration files, credentials, and a history of executed commands. This also resulted in clear web IP addresses being revealed, which were hidden behind Tor infrastructure. BlackLock, which emerged in January 2025 and was previously known as El_Dorado, had listed 46 victims prior to the incident. Coincidently (or maybe using the same exploit) BlackLock’s leak site was also defaced.

Hunters International, a RaaS group that some believe evolved from Hive, appears to be rebranding and shifting operations, moving away from an unprofitable and risky ransomware business and focusing solely on exfiltrating data and extorting victims. The decision appears to come in the wake of international law enforcement operations. Hunters appears to be shifting its operations, dropping the encryption part of the equation and focusing purely on data exfiltration and extortion, launching under the name “World Leaks”.

Recommended read:
References :
  • bsky.app: There's a ransomware group named DragonForce going around hacking its rivals. After Mamona and BlackLock, the group has now hacked RansomHub—a major RaaS platform and one of the most active groups today.
  • cyble.com: Ransomware Attack Levels Remain High as Major Change Looms
  • Searchlight Cyber: BlackLock Ransomware Exposed and DragonForce Makes Moves
  • BlackFog: BlackFog Report Reveals Record Number of Ransomware Attacks from January to March
  • www.tripwire.com: Ransomware reaches a record high, but payouts are dwindling
@zdnet.com //

Medusa Ransomware Surges in Attacks - The FBI and CISA have issued an alert regarding the increasing threat of Medusa ransomware, which operates as a RaaS, targeting various sectors and exploiting vulnerabilities, demanding ransoms and threatening to release stolen information.
Federal cybersecurity agencies, including the FBI and CISA, have issued an urgent advisory regarding the escalating threat of Medusa ransomware. Since its emergence in 2021, Medusa has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. The group's activities have accelerated in recent months, prompting immediate action recommendations for organizations. Medusa operates as a Ransomware-as-a-Service (RaaS) model, now recruiting affiliates from criminal forums to launch attacks, encrypt data, and extort victims worldwide.

Medusa actors leverage common ransomware tactics, including phishing campaigns and exploiting unpatched software vulnerabilities. They employ a double extortion strategy by encrypting victim data and threatening to publicly release it if the ransom is not paid. To mitigate the risk, CISA and the FBI recommend organizations update systems regularly to close known vulnerabilities, implement network segmentation to restrict lateral movement, and enable multi-factor authentication for all services. They also urge organizations to report incidents promptly to aid in tracking and combating the growing threat.

Recommended read:
References :
  • bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
  • www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
  • securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
  • DataBreaches.Net: #StopRansomware: Medusa Ransomware
  • Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
  • securityaffairs.com: SecurityAffairs article: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
  • www.cybersecuritydive.com: Medusa ransomware slams critical infrastructure organizations
  • www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
  • www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
  • : FBI and CISA Warn of Medusa Ransomware Impacting Critical Infrastructure
  • bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
  • The DefendOps Diaries: Explore the impact of Medusa ransomware on critical infrastructure and learn strategies to enhance cybersecurity defenses.
  • www.scworld.com: Medusa ransomware, a ransomware-as-a-service group, has increased attacks targeting critical infrastructure, potentially preparing for geopolitical conflicts. Recent attacks indicate a 150% increase in this activity.
  • Tenable Blog: Tenable article: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
  • SOC Prime Blog: SOC Prime blog: Medusa Ransomware Attacks Covered in AA25-071A Detection
  • be4sec: Medusa Ransomware is Targeting Critical Infrastructure
  • be4sec: This advisory summarizes the key activities of prominent ransomware groups in January 2025, highlighting a significant increase in Medusa attacks.
  • aboutdfir.com: Medusa ransomware group has been actively targeting critical infrastructure organizations, employing a double extortion tactic.
  • www.techradar.com: US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
  • cyble.com: The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a well-timed advisory on the Medusa ransomware group last week, as Cyble has detected an acceleration in the group’s activities in recent months.
  • Email Security - Blog: Medusa Ransomware: Multi-Industry Threat on the Rise
  • techxplore.com: Cybersecurity officials warn against potentially costly Medusa ransomware attacks
  • Security | TechRepublic: Medusa Ransomware Strikes 300+ Targets: FBI & CISA Urge Immediate Action to #StopRansomware
  • eSecurity Planet: Medusa Ransomware Warning: CISA and FBI Issue Urgent Advisory
  • Blue Team Con: CISA and the FBI warn about Medusa ransomware, urging organizations to update security, enable MFA, and report incidents to mitigate the growing threat.
  • thecyberexpress.com: Medusa Ransomware Surge: 60 Victims in 3 Months—Are You Next?
  • www.zdnet.com: How to guard against a vicious Medusa ransomware attack - before it's too late
  • www.cysecurity.news: The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware.
  • Sam Bent: Cybercriminal Group Medusa Targets Critical Infrastructure Sectors A sophisticated cybercriminal group known as Medusa has been targeting many critical infrastructure sectors in the United States.
  • The Hacker News: Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
  • www.cybersecuritydive.com: Medusa ransomware using malicious driver as EDR killer
do son@Daily CyberSecurity //

Medusa Ransomware Impacts Critical Infrastructure Sectors - Medusa ransomware has impacted over 300 organizations in critical infrastructure sectors, employing a double extortion model.
The Medusa ransomware operation has significantly impacted critical infrastructure sectors, affecting over 300 organizations in the United States by February 2025. According to CISA, these attacks have targeted essential services across various industries, including medical, education, legal, insurance, technology, and manufacturing. This widespread impact highlights the vulnerability of critical infrastructure and the potential for severe disruptions. The healthcare sector has been a primary target, with ransom demands ranging from $100,000 to $15 million, potentially disrupting patient care and compromising sensitive data.

Educational institutions have also been significantly affected, with 21 attacks reported in February 2025 alone. These attacks disrupt academic activities and compromise personal information of students and staff. In response, CISA, in partnership with the FBI and MS-ISAC, released a joint Cybersecurity Advisory providing tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods associated with known Medusa ransomware activity. The advisory encourages organizations to ensure operating systems and software are up to date, segment networks to restrict lateral movement, and filter network traffic to prevent unauthorized access.

Recommended read:
References :
  • Industrial Cyber: Recent findings from Symantec indicate a significant rise in Medusa ransomware activity, which is reportedly being operated as...
  • securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
  • : Symantec found that Medusa has listed almost 400 victims on its data leaks site since early 2023, demanding ransom payments as high as $15m
  • Broadcom Software Blogs: Attacks using this ransomware have displayed consistent TTPs and grown steadily since 2023.
  • bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
  • The DefendOps Diaries: Medusa Ransomware: A Growing Threat to Critical Infrastructure
  • RedPacket Security: CISA: CISA and Partners Release Cybersecurity Advisory on Medusa Ransomware
  • gbhackers.com: Medusa Ransomware Hits 300+ Critical Infrastructure Organizations Worldwide
  • securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
  • www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
  • securityaffairs.com: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
  • Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
  • www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
  • CyberInsider: FBI: Medusa Ransomware Has Breached 300 Critical Infrastructure Organizations
  • www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released - with at least one organisation hit with a "triple-extortion" threat. Read more in my article on the Tripwire State of Security blog.
  • Resources-2: On March 12, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Medusa ransomware [1]. Medusa ransomware emerged as Ransomware-as-a-Service in June 2021 and gained infamy by compromising over 300 victims from critical infrastructure sectors, including healthcare, insurance, technology, manufacturing, legal, and technology.
  • : CISA, FBI Warn of Medusa Ransomware Impacting Critical Infrastructure
  • www.cybersecuritydive.com: The ransomware-as-a-service gang tallied more than 300 victims in industries such as healthcare, manufacturing and technology.
  • The Register - Security: Medusa ransomware affiliate tried triple extortion scam – up from the usual double demand
  • DataBreaches.Net: #StopRansomware: Medusa Ransomware
  • hackread.com: FBI and CISA Urge Enabling 2FA to Counter Medusa Ransomware
  • Talkback Resources: #StopRansomware: Medusa Ransomware | CISA [net] [mal]
  • Tenable Blog: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
  • SOC Prime Blog: Medusa Ransomware Detection: The FBI, CISA & Partners Warn of Increasing Attacks by Ransomware Developers and Affiliates Against Critical Infrastructure
  • www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
@www.reliaquest.com //

BlackLock Ransomware Group Becomes Prolific Operator - The BlackLock ransomware group is expected to be a prolific RaaS operator in 2025, known for its activity on the RAMP forum, aggressive recruitment, and custom-built ransomware that can evade analysis.
References: AAKL , Christoffer S. , www.reliaquest.com ...
ReliaQuest researchers are warning that the BlackLock ransomware group is poised to become the most prolific ransomware-as-a-service (RaaS) operation in 2025. BlackLock, also known as El Dorado, first emerged in early 2024 and quickly ascended the ranks of ransomware groups. By the fourth quarter of 2024, it was already the seventh most prolific group based on data leaks, experiencing a massive 1,425% increase in activity compared to the previous quarter.

BlackLock's success is attributed to its active presence and strong reputation within the RAMP forum, a Russian-language platform for ransomware activities. The group is also known for its aggressive recruitment of traffers, initial access brokers, and affiliates. They employ double extortion tactics, encrypting data and exfiltrating sensitive information, threatening to publish it if a ransom is not paid. Their custom-built ransomware targets Windows, VMWare ESXi, and Linux environments.

Recommended read:
References :
  • AAKL: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
  • Christoffer S.: ReliaQuest Inside the World’s Fastest Rising Ransomware Operator - BlackLock Somewhat of a deep dive into a relatively new RaaS (BlackLock), a very active group both on RAMP and with adding new victims to their leaksite.
  • www.helpnetsecurity.com: BlackLock ransomware onslaught: What to expect and how to fight it
  • www.reliaquest.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock
  • Help Net Security: In-depth analysis of the BlackLock ransomware group and their operational methods.
  • www.infosecurity-magazine.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
  • cyberpress.org: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems
  • gbhackers.com: BlackLock Ransomware Targets Windows, VMware ESXi, & Linux Environments
  • Cyber Security News: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems
  • gbhackers.com: BlackLock Ransomware Targets Windows, VMware ESXi, & Linux Environments
@techcrunch.com //

International Operation Targets 8Base Ransomware Gang - International law enforcement disrupted the 8Base ransomware group, arresting four individuals in Thailand and seizing their dark web infrastructure after they stole information from 1000 organizations.
A global law enforcement operation has successfully disrupted the 8Base ransomware group, leading to the arrest of four individuals accused of being key figures in the operation. The suspects were apprehended in Phuket, Thailand, and are alleged to have amassed $16 million through ransomware attacks targeting over 1,000 organizations worldwide. Authorities have also seized the dark web infrastructure utilized by the group.

This coordinated effort resulted in the dismantling of 8Base's dark web data leak and negotiation sites, effectively crippling their ability to further extort victims. The operation, codenamed "Phobos Aetor", involved coordinated raids across multiple locations, resulting in the seizure of laptops, smartphones, and cryptocurrency wallets.

Recommended read:
References :
  • BleepingComputer: A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide.
  • Carly Page: A global law enforcement operation has led to the arrest of four individuals who authorities accuse of being key figures in the 8base ransomware operation. The four suspects are accused of amassing $16 million through ransomware attacks against more than 1,000 organizations globally
  • securityaffairs.com: Operation Phobos Aetor: Police dismantled 8Base ransomware gang
  • BleepingComputer: A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide. [...]
  • cyberscoop.com: Thai authorities detain four Europeans in ransomware crackdown
  • The Register - Security: All your 8Base are belong to us: Ransomware crew busted in global sting
  • socradar.io: International Operation Targets 8Base and Phobos Ransomware Gangs
  • securityboulevard.com: Authorities Seize 8Base Ransomware Infrastructure, Arrest Four Russians
  • techcrunch.com: Authorities arrest four suspects in global 8base ransomware takedown

Posts

Blogs

Research Tools