Blacklock Ransomware: A Late Holiday Gift with Intrusion into the Threat Actor
Dubbed “BlackLock” (aka "El Dorado" or "Eldorado"), the ransomware-as-a-service (RaaS) outfit has existed since March 2024. In Q4 of last year, it increased its number of data leak posts by a staggering 1,425% quarter-on-quarter. According to independent reporting, a relatively new group has rapidly accelerated attacks and could become the most dominant RaaS group in 2025. Fortunately, it will not happen due to certain events happening "behind the scenes." As you may know, Christmas and Winter Holidays are the best times for cybercriminals to attack, defraud, and extort victims globally. But in some cases, they may expect unexpected gifts too. Around that time, Resecurity identified a vulnerability present at the Data Leak Site (DLS) of BlackLock in the TOR network - successful exploitation of which allowed our analysts to collect substantial intelligence about their activity outside of the public domain.
·resecurity.com·
VanHelsing Ransomware
orums as part of our Threat Discovery Process. Designed to target Windows systems, this ransomware employs advanced encryption techniques and appends a unique file extension to compromised files. Its stealthy evasion tactics and persistence mechanisms make detection and removal challenging. This highlights the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data integrity and minimize breach risks.
Target Technologies: Windows
Target Geography: France, USA.
Target Industry: Government, Manufacturing, Pharma.
Encrypted file extension: .vanhelsing
Observed First: 2025-03-16
Threat actor Communication mode: Tor
·cyfirma.com·
Decrypting Encrypted files from Akira Ransomware (Linux/ESXI variant 2024) using a bunch of GPUs
I recently helped a company recover their data from the Akira ransomware without paying the ransom. I’m sharing how I did it, along with the full source code. The code is here: https://github.com/yohanes/akira-bruteforce To clarify, multiple ransomware variants have been named Akira over the years, and several versions are currently circulating. The variant I encountered has been active from late 2023 to the present (the company was breached this year).
·tinyhack.com·
Akira ransomware can be cracked with sixteen RTX 4090 GPUs in around ten hours — new counterattack breaks encryption | Tom's Hardware
Tinyhack publishes a full how-to guide on brute-forcing past the Akira ransomware's encryption attack and freeing captive files.
·tomshardware.com·
New Ransomware Operator Exploits Fortinet Vulnerability Duo
Between late January and early March, Forescout Research – Vedere Labs identified a series of intrusions based on two Fortinet vulnerabilities. It began with the exploitation of Fortigate firewall appliances — culminating in the deployment of a newly discovered ransomware strain we have dubbed SuperBlack.
·forescout.com·
The run of bad news continues for Ruag and the Swiss Army following a massive cyberattack - Le Temps
Through the compensation fund of Swissmem, the umbrella organization of the machinery and technology industry, the data of employees of 180 firms working for the Confederation and the army was put online. A major security breach for Switzerland.
·letemps.ch·
CISA and FBI: Ghost ransomware breached orgs in 70 countries
CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations.
·bleepingcomputer.com·
Threat Spotlight: Inside the World's Fastest Rising Ransomware Operator — BlackLock
First observed in March 2024, “BlackLock” (aka El Dorado or Eldorado) has rapidly emerged as a major player in the ransomware-as-a-service (RaaS) ecosystem. By Q4 2024, it ranked as the 7th most prolific ransomware group on data-leak sites, fueled by a staggering 1,425% increase in activity from Q3. BlackLock uses a double extortion tactic—encrypting data while stealing sensitive information—to pressure victims with the threat of public exposure. Its ransomware is built to target Windows, VMware ESXi, and Linux environments, though the Linux variant offers fewer features than its Windows counterpart.
·reliaquest.com·
Investigating Anonymous VPS services used by Ransomware Gangs
One of the challenges in investigating cybercrime is the infrastructure adversaries leverage to conduct attacks. Cybercriminal infrastructure has evolved drastically over the last 25 years and now involves hijacked web services, content distribution networks (CDNs), residential proxies, fast-flux DNS, domain generation algorithms (DGAs), botnets of IoT devices, the Tor network, and all sorts of nested services. This blog investigates a small UK-based hosting provider known as BitLaunch as an example of how challenging it can be to tackle cybercriminal infrastructure. Research into this hosting provider revealed that it appears to have a multi-year history of cybercriminals using BitLaunch to host command-and-control (C2) servers via its Anonymous VPS service.
·blog.bushidotoken.net·
Key figures behind Phobos and 8Base ransomware arrested in international cybercrime crackdown
This follows a series of high-impact arrests targeting Phobos ransomware:
An administrator of Phobos was arrested in South Korea in June 2024 and extradited to the United States in November of the same year. He is now facing prosecution for orchestrating ransomware attacks that encrypted critical infrastructure, business systems, and personal data for ransom.
A key Phobos affiliate was arrested in Italy...
·europol.europa.eu·
Cisco Says Ransomware Group’s Leak Related to Old Hack
A fresh post on the Kraken ransomware group’s leak website refers to data stolen in a 2022 cyberattack, Cisco says. The data, a list of credentials apparently exfiltrated from Cisco’s systems, appeared over the weekend on a new data leak site operated by the Kraken ransomware group. “Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time,” a Cisco spokesperson said, responding to a SecurityWeek inquiry.
·securityweek.com·