Found 51 bookmarks
Newest
Lyrix Ransomware
Lyrix Ransomware
CYFIRMA’s research team discovered Lyrix Ransomware while monitoring underground forums as part of our Threat Discovery Process. Developed in Python and compiled with PyInstaller — allowing it to run as a standalone executable with all dependencies—Lyrix targets Windows systems using strong encryption and appends a unique file extension to encrypted files. Its advanced evasion techniques and persistence mechanisms make it challenging to detect and remove. This discovery underscores the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data and reduce the risk of breaches. Target Technologies Windows Operating System Written In Python Encrypted file extension Original file names appended with ‘.02dq34jROu’ extension Observed First 2025-04-20 Problem Statement Lyrix Ransomware targets Windows operating systems using advanced evasion and anti-analysis techniques to reduce the likelihood of detection. Its tactics include obfuscating malicious behavior, bypassing rule-based detection systems, employing strong encryption, issuing ransom demands, and threatening to leak stolen data on underground forums. Lyrix Ransomware Basic Details Filename Encryptor.exe Size 20.43 MB Signed Not signed File Type Win32 EXE Timestamp Sun Apr 20 09:04:34 2025 (UTC) SHA 256 Hash fcfa43ecb55ba6a46d8351257a491025022f85e9ae9d5e93d945073f612c877b
#cyfirma#EN#2025#Lyrix#Ransomware#analysis
·cyfirma.com·
Lyrix Ransomware
DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists
DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists
DragonForce ransomware group is targeting major UK retailers. Learn about this evolving threat and what steps can be taken to mitigate risk. In recent weeks, the DragonForce ransomware group has been targeting UK retailers in a series of coordinated attacks causing major service disruptions. Prominent retailers such as Harrods, Marks and Spencer, and the Co-Op have all reported ongoing incidents affecting payment systems, inventory, payroll and other critical business functions. DragonForce has previously been attributed for a number of notable cyber incidents including attacks on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia. In this post, we offer a high-level overview of the DragonForce group, discuss its targeting, initial access methods, and payloads. We further provide a comprehensive list of indicators and defensive recommendations to help security teams and threat hunters better protect their organizations. Background DragonForce ransomware operations emerged in August 2023, primarily out of Malaysia (DragonForce Malaysia). The group originally positioned itself as a Pro-Palestine hacktivist-style operation; however, over time their goals have shifted and expanded. The modern-day operation is focused on financial gain and extortion although the operation still targets government entities, making it something of a hybrid actor, both politically aligned and profit-motivated. The group operates a multi-extortion model, with victims threatened with data leakage via the group’s data leak sites, alongside reputational damage. Recent DragonForce victims have included government institutions, commercial enterprises, and organizations aligned with specific political causes. The group is also known to heavily target law firms and medical practices. Notably, the group has targeted numerous entities in Israel, India, Saudi Arabia, and more recently several retail outlets in the United Kingdom. Some components of the UK retail attacks have been attributed to an individual affiliated with the loose threat actor collective ‘The Com’, with claims that members are leveraging DragonForce ransomware. Our assessment indicates that the affiliate in question exhibits behavioral and operational characteristics consistent with those previously associated with The Com. However, due to the lack of strong technical evidence and shifting boundaries of The Com, that attribution remains inconclusive and subject to further analysis.
#sentinelone#EN#2025#DragonForce#Ransomware#Gang#analysis
·sentinelone.com·
DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists
LockBit Ransomware v4.0
LockBit Ransomware v4.0
Malware Analysis Report - LockBit Ransomware v4.0 In this blog post, I’m going over my analysis for the latest variant of LockBit ransomware - version 4.0. Throughout this blog, I’ll walk through all the malicious functionalities discovered, complete with explanations and IDA screenshots to show my reverse engineering process step by step. This new version of LockBit 4.0 implements a hybrid-cryptography approach, combining Curve25519 with XChaCha20 for its file encryption scheme. This version shares similarities with the older LockBit Green variant that is derived from Conti ransomware. While the multi-threading architecture seems more streamlined than previous versions, it still delivers an encryption speed that outpaces most other ransomware families. As always, LockBit is still my most favorite malware to look at, and I certainly enjoyed doing a deep dive to understand how this version works.
#chuongdong#EN#2025#Malware#Analysis#Report#LockBit#LockBit4.0#ransomware
·chuongdong.com·
LockBit Ransomware v4.0
VanHelsing Ransomware
VanHelsing Ransomware
orums as part of our Threat Discovery Process. Designed to target Windows systems, this ransomware employs advanced encryption techniques and appends a unique file extension to compromised files. Its stealthy evasion tactics and persistence mechanisms make detection and removal challenging. This highlights the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data integrity and minimize breach risks. Target Technologies: Windows Target Geography: France, USA. Target Industry: Government, Manufacturing, Pharma. Encrypted file extension: .vanhelsing Observed First: 2025-03-16 Threat actor Communication mode: Tor
#cyfirma#EN#2025#VanHelsing#Ransomware#analysis#RaaS
·cyfirma.com·
VanHelsing Ransomware
Threat Spotlight: Inside the World's Fastest Rising Ransomware Operator — BlackLock
Threat Spotlight: Inside the World's Fastest Rising Ransomware Operator — BlackLock
First observed in March 2024, “BlackLock” (aka El Dorado or Eldorado) has rapidly emerged as a major player in the ransomware-as-a-service (RaaS) ecosystem. By Q4 2024, it ranked as the 7th most prolific ransomware group on data-leak sites, fueled by a staggering 1,425% increase in activity from Q3. BlackLock uses a double extortion tactic—encrypting data while stealing sensitive information—to pressure victims with the threat of public exposure. Its ransomware is built to target Windows, VMWare ESXi, and Linux environments, though the Linux variant offers fewer features than its Windows counterpart.
#reliaquest#EN#2025#BlackLock#Eldorado#RaaS#analysis#ransomware#gang
·reliaquest.com·
Threat Spotlight: Inside the World's Fastest Rising Ransomware Operator — BlackLock
FunkSec – Alleged Top Ransomware Group Powered by AI
FunkSec – Alleged Top Ransomware Group Powered by AI
  • The FunkSec ransomware group emerged in late 2024 and published over 85 victims in December, surpassing every other ransomware group that month. FunkSec operators appear to use AI-assisted malware development which can enable even inexperienced actors to quickly produce and refine advanced tools. The group’s activities straddle the line between hacktivism and cybercrime, complicating efforts to understand their true motivations. Many of the group’s leaked datasets are recycled from previous hacktivism campaigns, raising doubts about the authenticity of their disclosures. Current methods of assessing ransomware group threats often rely on the actors’ own claims, highlighting the need for more objective evaluation techniques.
#checkpoint#EN#2024#FunkSec#analysis#ransomware
·research.checkpoint.com·
FunkSec – Alleged Top Ransomware Group Powered by AI
Lynx Ransomware: A Rebranding of INC Ransomware
Lynx Ransomware: A Rebranding of INC Ransomware
Discover recent attacks using Lynx ransomware, a rebrand of INC, targeting multiple crucial sectors in the U.S. and UK with prevalent double-extortion tactics. Discover recent attacks using Lynx ransomware, a rebrand of INC, targeting multiple crucial sectors in the U.S. and UK with prevalent double-extortion tactics.
#paloaltonetworks#EN#2024#Lynx#Ransomware#INC#US#UK#analysis
·unit42.paloaltonetworks.com·
Lynx Ransomware: A Rebranding of INC Ransomware
Event Log Talks a Lot: Identifying Human-operated Ransomware through Windows Event Logs - JPCERT/CC Eyes
Event Log Talks a Lot: Identifying Human-operated Ransomware through Windows Event Logs - JPCERT/CC Eyes
The difficult part of the initial response to a human-operated ransomware attack is identifying the attack vector. You may already know from recent security incident trends that the vulnerabilities of VPN devices are likely to be exploited, but it often...
#jpcert#EN#2024#event#analysis#windows-events#Log#human-operated#Ransomware
·blogs.jpcert.or.jp·
Event Log Talks a Lot: Identifying Human-operated Ransomware through Windows Event Logs - JPCERT/CC Eyes
Kryptina RaaS | From Unsellable Cast-Off to Enterprise Ransomware
Kryptina RaaS | From Unsellable Cast-Off to Enterprise Ransomware
Kryptina's adoption by Mallox affiliates complicates malware tracking as ransomware operators blend different codebases into new variants. Kryptina evolved from a free tool on public forums to being actively used in enterprise attacks, particularly under the Mallox ransomware family. In May 2024, a Mallox affiliate leaked staging server data, revealing that their Linux ransomware was based on a modified version of Kryptina. The affiliate made superficial changes to source code and documentation, stripping Kryptina branding but retaining core functionality. The adoption of Kryptina by Mallox affiliates exemplifies the commoditization of ransomware tools, complicating malware tracking as affiliates blend different codebases into new variants. * This original research was presented by the author at LABScon 2024 in Scottsdale, Arizona.
#sentinelone#EN#2024#Kryptina#RaaS#Mallox#Ransomware#analysis#LABScon2024
·sentinelone.com·
Kryptina RaaS | From Unsellable Cast-Off to Enterprise Ransomware
Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure
Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure
CloudSEK's threat research team has uncovered a ransomware attack disrupting India's banking system, targeting banks and payment providers. Initiated through a misconfigured Jenkins server at Brontoo Technology Solutions, the attack is linked to the RansomEXX group.
#cloudsek#EN#ransomware#analysis#Jenkins#India#RansomEXX#CVE-2024-23897
·cloudsek.com·
Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure
Arctic Wolf Labs has observed Fog ransomware being deployed against US organizations in the education and recreation sectors.
Arctic Wolf Labs has observed Fog ransomware being deployed against US organizations in the education and recreation sectors.
On May 2, 2024, Arctic Wolf Labs began monitoring deployment of a new ransomware variant referred to as Fog. The ransomware activity was observed in several Arctic Wolf Incident Response cases, each exhibiting similar elements. All victim organizations were located in the United States, 80% of which were in the education sector and 20% in the recreation sector. We are sharing details of this emerging variant to help organizations defend against this threat. Please note that we may add further detail to this article as we uncover additional information in our ongoing investigation.
#arcticwolf#EN#2024#Fog#ransomware#USA#analysis
·arcticwolf.com·
Arctic Wolf Labs has observed Fog ransomware being deployed against US organizations in the education and recreation sectors.
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment – The DFIR Report
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment – The DFIR Report
Key Takeaways In October 2023, we observed an intrusion that began with a spam campaign, distributing a forked IcedID loader. The threat actor used Impacket’s wmiexec and RDP to install Scree…
#thedfirreport#EN#2024#analysis#IceID#ScreenConnect#incident#ALPHV#Ransomware
·thedfirreport.com·
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment – The DFIR Report
Analysis of TargetCompany's Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)
Analysis of TargetCompany's Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)
While monitoring attacks targeting MS-SQL servers, AhnLab SEcurity intelligence Center (ASEC) recently identified cases of the TargetCompany ransomware group installing the Mallox ransomware. The TargetCompany ransomware group primarily targets improperly managed MS-SQL servers to install the Mallox ransomware. While these attacks have been ongoing for several years, here we will outline the correlation between the newly identified malware and previous attack cases involving the distribution of the Tor2Mine CoinMiner and BlueSky ransomware.
#asec.ahnlab#EN#2024#MS-SQL#servers#CoinMiner#BlueSky#ransomware#analysis
·asec.ahnlab.com·
Analysis of TargetCompany's Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)
Interesting Multi-Stage StopCrypt Ransomware Variant Propagating in the Wild
Interesting Multi-Stage StopCrypt Ransomware Variant Propagating in the Wild
Overview The SonicWall Capture Labs threat research team recently observed an interesting variant of StopCrypt ransomware. The ransomware executes its malicious activities by utilizing multi-stage shellcodes before launching a final payload that contains the file […]
#SonicWall#EN#2024#StopCrypt#ransomware#analysis
·blog.sonicwall.com·
Interesting Multi-Stage StopCrypt Ransomware Variant Propagating in the Wild
The ticking time bomb of Microsoft Exchange Server 2013
The ticking time bomb of Microsoft Exchange Server 2013
I monitor (in an amateur, clueless way) ransomware groups in my spare time, to see what intelligence can be gained from looking at victim orgs and what went wrong. Basically, I’m a giant big dork with too much free time. I’ve discovered two organisations with ransomware incidents, where the entry point appears to have been Exchange Server 2013 with Outlook Web Access enabled, where all available security updates were applied.
#doublepulsar#EN#2023#analysis#ransomware#Microsoft-Exchange#Exchange-Server2013#risk
·medium.com·
The ticking time bomb of Microsoft Exchange Server 2013
Tracing Ransomware Threat Actors Through Stylometric Analysis and Chat Log Examination
Tracing Ransomware Threat Actors Through Stylometric Analysis and Chat Log Examination
I stumbled upon an intriguing concept presented by Will Thomas (BushidoToken) in his blog post titled “Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz.” This concept revolves around utilizing stylometry to identify potential modifications in new ransomware variants based on existing popular strains. If you’re interested, you can read the blog post here. (Notably, Will Thomas also appeared on Dark Net Diaries, discussing his tracking of the Revil ransomware.)
#callyso0414#YUCA#medium#EN#2023#ransomware#logs#log#chats#Stylometric#Analysis
·medium.com·
Tracing Ransomware Threat Actors Through Stylometric Analysis and Chat Log Examination
Nokoyawa ransomware attacks with Windows zero-day
Nokoyawa ransomware attacks with Windows zero-day
in February 2023, Kaspersky technologies detected a number of attempts to execute similar elevation-of-privilege exploits on Microsoft Windows servers belonging to small and medium-sized businesses in the Middle East, in North America, and previously in Asia regions. These exploits were very similar to already known Common Log File System (CLFS) driver exploits that we analyzed previously, but we decided to double check and it was worth it – one of the exploits turned out to be a zero-day, supporting different versions and builds of Windows, including Windows 11. The exploit was highly obfuscated with more than 80% of the its code being “junk” elegantly compiled into the binary, but we quickly fully reverse-engineered it and reported our findings to Microsoft. Microsoft assigned CVE-2023-28252 to the Common Log File System elevation-of-privilege vulnerability, and a patch was released on April 11, 2023, as part of April Patch Tuesday.
#securelist#EN#2023#Nokoyawa#zero-day#Kaspersky#CVE-2023-28252#analysis#ransomware#CLFS
·securelist.com·
Nokoyawa ransomware attacks with Windows zero-day