Category: Ransomware
-
MyPillow listed on ransomware gang’s leak site, but denies it has been breached
A notorious ransomware gang claims to have stolen MyPillow’s private data, but CEO Mike Lindell calls it a politically motivated “hit job.” With the countdown ticking toward a massive dark web leak, who is telling the truth? Read more in my article…
-
Defenders fall behind, as AI rewrites the rules of a data breach
For almost 20 years, stolen credentials have been the most common route for attackers into organizations, according to the Verizon Data Breach Investigations Report (DBIR). But that’s no longer the case. Read more in my article on the Fortra blog. Graham Cluley
-
FBI warns students and staff that ShinyHunters may come knocking after Canvas breach
Having received a ransom payment for its attack on Canvas, ShinyHunters and other extortion gangs are only likely to be further incentivised to launch similar attacks in future. Read more in my article on the Hot for Security blog. Graham Cluley
-
When ransomware gets physical: cybercriminals turn to threats of violence
Pay up, or we’ll pay someone to pay you a visit. Cybercrime gangs are increasingly turning to real-world threats – and even hiring local muscle to deliver the message. Read more in my article on the Hot for Security blog. Graham Cluley
-
Smashing Security podcast #467: How ShinyHunters hacked the world’s biggest universities
Welcome to the largest educational data breach in history – affecting nearly 9,000 institutions, every Ivy League university, and 30 million students mid-finals. When Canvas’s parent company refused to pay and announced they had deployed “security patches” instead, the hackers were less than impressed…
-
Canvas Breach Disrupts Schools & Colleges Nationwide
An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students…
-
A Ransomware Negotiator Was Working for a Ransomware Gang
Someone pleaded guilty to secretly working for a ransomware gang as he negotiated ransomware payments for clients. Bruce Schneier
-
The calm before the ransom: What you see is not all there is
A breach claims the systems as well as the confidence that was, in retrospect, a major vulnerability
-
What the ransom note won’t say
An attack is what you see, but a business operation is what you’re up against
-
Ransomware Gangs Expand Use of EDR Killers Beyond Vulnerable Drivers, ESET Warns
In recent years, Endpoint Detection and Response (EDR) killers have become a standard, highly effective weapon in modern ransomware intrusions. Before launching their file-encrypting malware, cybercriminals routinely deploy specialized tools to bypass security software. According to a comprehensive new report by ESET Research,…
-
Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab
An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least…
-
‘CanisterWorm’ Springs Wiper Attack Targeting Iran
A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran’s time zone or have Farsi set as the default language. Experts say the…
-
LeakNet ransomware: what you need to know
A ransomware gang that claims to be a group of “investigative journalists”? Meet LeakNet – the group using fake CAPTCHA pages to trick employees into hacking themselves. Read more in my article on the Fortra blog. Graham Cluley
-
Authorities Crack Down on 45,000 Malicious IPs Powering Ransomware Attacks
In a massive international crackdown on cybercrime, law enforcement agencies from 72 countries have successfully dismantled over 45,000 malicious IP addresses and servers. Coordinated by INTERPOL, “Operation Synergia III” targeted the critical infrastructure behind devastating ransomware, malware, and phishing campaigns worldwide. Running from July 18,…
-
Notorious ransomware gang allegedly blackmailed by fake FSB officer
There is a certain poetic justice in a cybersecurity-related story that has emerged from Moscow this week: A man has been accused of trying to extort money… from a notorious Russian ransomware gang. Read more in my article on the Hot for Security blog. Graham Cluley
-
Naming and shaming: How ransomware groups tighten the screws on victims
When corporate data is exposed on a dedicated leak site, the consequences linger long after the attack fades from the news cycle
-
Please Don’t Feed the Scattered Lapsus ShinyHunters
A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion. Some victims…
-
FBI takes notorious RAMP ransomware forum offline
The FBI has seized control of RAMP, a notorious cybercrime online forum that bragged to be the only place that allowed ransomware, and boasted over 14,000 active users. Now some of those users’ details are likely to be in the hands of the police… Read more in my…
-
Nike Allegedly Hacked by WorldLeaks Ransomware Group
Athletic footwear and apparel manufacturer Nike has become the latest victim of WorldLeaks, a financially motivated ransomware group known for data extortion attacks. The group announced the breach on its darknet leak site on January 22, claiming responsibility for the incident and threatening to release stolen data on…
-
Ransomware Attack on Romanian Waters Authority – 1,000+ IT Systems Compromised
Romania’s National Administration “Apele Române” (Romanian Waters) disclosed a severe ransomware attack on December 20, 2025, that compromised approximately 1,000 IT systems across the agency and 10 of its 11 regional water basin administrations. The incident affected critical infrastructure responsible for managing the country’s…
-
Interpol Takes Down 6 Ransomware Variants and Arrests 500+ Suspects
Law enforcement agencies across 19 African nations have achieved a landmark victory against cybercrime, arresting 574 suspects and dismantling six ransomware variants during Operation Sentinel, a month-long coordinated crackdown that concluded on November 27. The operation, which ran from October 27 to November 27, targeted…
-
Cybersecurity Professionals Plead Guilty to Launching Ransomware Attacks
In a shocking betrayal of industry trust, two former cybersecurity professionals have pleaded guilty to federal charges for launching ransomware attacks against U.S. businesses. The pair, whose day jobs involved helping companies respond to hacks and negotiate ransoms, admitted to moonlighting as cybercriminals in a plot to…
-
Smashing Security podcast #448: The Kindle that got pwned
Think your Kindle is harmless? Think again! In this episode, we unpack a Black Hat Europe talk revealing how a boobytrapped audiobook could exploit the Amazon eBook reader – potentially letting an attacker break into your account and seize control of your credit card. Plus a…
-
GOLD SALEM tradecraft for deploying Warlock ransomware
Analysis of the tradecraft evolution across 6 months and 11 incidents. Mindi McDowell
-
Ransomware may have extorted over $2.1 billion between 2022-2024, but it’s not all bad news, claims FinCEN report
A new report from the United States’ Financial Crimes Enforcement Network (FinCEN) has shone a revealing light on the state of the criminal industry of ransomware. The report, which examines ransomware incidents from 2022 to 2024, reveals…
-
Four years later, Irish health service offers €750 to victims of ransomware attack
Remember when a notorious ransomware gang hit the Irish Health Service back in May 2021? Four years on, and it seems victims who had their data exposed will finally receive compensation. Read more in my article on the Hot for Security blog.
-
Inside Shanya, a packer-as-a-service fueling modern attacks
The ransomware scene gains another would-be EDR killer. Gabor Szappanos
-
Asahi cyber attack spirals into massive data breach impacting almost 2 million people
Asahi Group Holdings, the makers of the popular Japanese beer Asahi Super Dry, has confirmed that the ransomware attack that disrupted its operations in late September also saw a significant data breach that affects more than 1.5 million customers and approximately 275,000…
-
Authorities Sanctioned Russia-based Bulletproof Hosting Provider for Supporting Ransomware Operations
The U.S. Department of the Treasury, Australia, and the United Kingdom have announced coordinated sanctions against Media Land. This Russia-based bulletproof hosting company provides infrastructure to ransomware and other cybercriminals. The U.S. Federal Bureau of Investigation also coordinated the action targeting the company’s leadership team…
-
UK’s new cybersecurity bill takes aim at ransomware gangs and state-backed hackers
After years of delays, the UK government has finally introduced landmark cybersecurity legislation that could reshape how British organisations defend against digital attacks. Read more in my article on the Fortra blog. Graham Cluley
-
Russian hacker admits helping Yanluowang ransomware infect companies
A Russian hacker accused of helping ransomware gangs break into businesses across the United States is set to plead guilty, according to recently filed federal court documents. 25-year-old Aleksey Olegovich Volkov worked as an “initial access broker”, a cybercriminal specialist who focuses on the earliest stage of…
-
Hack halts Dutch broadcaster, forcing radio hosts back to LPs
A Dutch TV and radio broadcaster has found itself at the mercy of cybercriminals after suffering a cyber attack, and leaving it scrambling to find ways to play music to its listeners. Read more in my article on the Hot for Security blog. Graham Cluley
-
Threat Actors Leveraging RDP Credentials to Deploy Cephalus Ransomware
A newly identified ransomware group, Cephalus, has emerged as a significant threat to organizations worldwide, exploiting stolen Remote Desktop Protocol (RDP) credentials to gain access to networks and deploy powerful encryption attacks. The AhnLab researchers observed in mid-June 2025 that the group poses a persistent, financially…
-
Smashing Security podcast #442: The hack that messed with time, and rogue ransomware negotiators
Time itself comes under attack as a state-backed hacking gang spends two years tunnelling toward a nation’s master clock — with chaos potentially only a tick away. Plus when ransomware negotiators turn to the dark side, what could possibly go…
-
Cybersecurity Professionals Charged for Deploying ALPHV BlackCat Ransomware Against US Companies
Two cybersecurity professionals have been federally charged for orchestrating a sophisticated ransomware campaign targeting multiple American businesses. Ryan Clifford Goldberg, 28, of Watkinsville, Georgia, and Kevin Tyler Martin, 31, of Roanoke, Texas, face serious criminal charges related to their alleged deployment of the notorious…
-
Akira Ransomware Allegedly Claims Theft of 23GB in Apache OpenOffice Breach
The notorious Akira ransomware group announced on October 29, 2025, that it successfully breached the systems of Apache OpenOffice, exfiltrating a staggering 23 gigabytes of sensitive corporate data. The group, known for its aggressive double-extortion tactics, posted details on its dark web leak site,…
-
Canada Fines Cybercrime Friendly Cryptomus $176M
Financial regulators in Canada this week levied $176 million in fines against Cryptomus, a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services. The penalties for violating Canada’s anti-money-laundering laws come ten months after KrebsOnSecurity noted that Cryptomus’s Vancouver street address was…
-
Threat Intelligence Executive Report – Volume 2025, Number 5
This issue of the Counter Threat Unit’s high-level bimonthly report discusses noteworthy updates in the threat landscape during July and August. mindimcdowell
-
NCSC warns companies to prepare for a day when your screens go dark
The UK’s National Cyber Security Centre warns that the country now faces four nationally significant cyberattacks every week – a 129% jump in a year. Some headlines claim the NCSC is urging organisations to “go back to pen and paper,” but the…
-
LLM-enabled MalTerminal Malware Leverages GPT-4 to Generate Ransomware Code
Cybersecurity researchers have identified what is believed to be the earliest known instance of malware that leverages a Large Language Model (LLM) to generate malicious code at runtime. Dubbed ‘MalTerminal’ by SentinelLABS, the malware uses OpenAI’s GPT-4 to dynamically create ransomware code and reverse shells, presenting…
-
Smashing Security podcast #438: When your mouse turns snitch, and hackers grow a conscience
Your computer’s mouse might not be as innocent as it looks – and one ransomware crew has a crisis of conscience that nobody saw coming. We talk about how something as ordinary as a web page could turn your mouse into…
-
ShinyHunters Wage Broad Corporate Extortion Spree
A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility…
-
Japan running dry: Ransomware attack leaves nation days away from Asahi beer shortage
Beer lovers will be sobbing into their pints at the news that a ransomware attack has brought Japan’s largest brewer to its knees and left the country days away from running out of its most popular beverage. Read more in my article…
-
Feds Tie ‘Scattered Spider’ Duo to $115M in Ransoms
U.S. prosecutors last week levied criminal hacking charges against 19-year-old U.K. national Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting at least $115 million in ransom payments from victims. The charges came as Jubair and an…
-
Smashing Security podcast #436: The €600,000 gold heist, powered by ransomware
Ransomware doesn’t just freeze computers – it can silence alarms too. And when the Natural History Museum in Paris went dark, thieves helped themselves to €600,000 worth of gold in a daring late-night heist. Meanwhile, developers have a new headache: a worm dubbed “Shai…
-
INC ransomware: what you need to know
INC is the name of a ransomware-as-a-service (RaaS) operation that first appeared in late summer 2023. Learn more about what it has been up to, and how to protect against its attacks, in my article on the Fortra blog. Graham Cluley
-
BlackLock Ransomware Attacking Windows, Linux, and VMware ESXi Environments
A sophisticated new ransomware operation dubbed BlackLock has emerged as a significant threat to organizations worldwide, demonstrating advanced cross-platform capabilities and targeting diverse computing environments. Originally operating under the name “El Dorado” since March 2024, the group rebranded to BlackLock in September 2024, establishing itself as…
-
GOLD SALEM’s Warlock operation joins busy ransomware landscape
The emerging group demonstrates competent tradecraft using a familiar ransomware playbook and hints of ingenuity. mindimcdowell
-
Microsoft Still Uses RC4
Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft over its continued use of the RC4 encryption algorithm. The letter talks about a hacker technique called Kerberoasting, which exploits the Kerberos authentication system. Bruce Schneier
-
Luxury fashion brands Gucci, Balenciaga and Alexander McQueen hacked – customer data stolen
Luxury fashion group Kering – owner of the prestigious Gucci, Balenciaga, and Alexander McQueen brands, amongst others – has confirmed that hackers stole customer data from its systems in June 2025. Read more in my article on the Hot for Security blog.
-
Authorities Arrested Admins Of “LockerGoga,” “MegaCortex,” And “Nefilim” Ransomware Gangs
The U.S. District Court for the Eastern District of New York has unsealed a superseding indictment against a Ukrainian national, charging him with his alleged role as an administrator in the LockerGoga, MegaCortex, and Nefilim ransomware operations. The schemes reportedly extorted over 250 companies in…
-
Lovesac warns customers their data was breached after suspected RansomHub attack six months ago
American furniture maker Lovesac, known for its modular couches and comfy beanbags, has warned customers that their data was breached by hackers earlier this year, and that they should remain vigilant to the threat of identity theft. Read more in my…
-
US charges suspected ransomware kingpin, and offers $10 million bounty for his capture
A US federal court has unsealed charges against a Ukrainian national who authorities allege was a key figure behind several strains of ransomware, including LockerGoga, MegaCortex, and Nefilim. Read more in my article on the Fortra blog. Graham Cluley
-
Smashing Security podcast #433: How hackers turned AI into their new henchman
Your AI reads the small print, and that’s a problem. This week in episode 433 of “Smashing Security” we dig into LegalPwn – malicious instructions tucked into code comments and disclaimers that sweet-talk AI into rubber-stamping dangerous payloads (or even pretending they’re a…
-
Sweden scrambles after ransomware attack puts sensitive worker data at risk
Municipal government organisations across Sweden have found themselves impacted after a ransomware attack at a third-party software service supplier. Read more in my article on the Hot for Security blog. Graham Cluley
-
Microsoft Unveils Storm-0501’s Advanced Cloud Ransomware Attack Tactics
Microsoft Threat Intelligence has released a detailed report exposing a significant evolution in ransomware attacks, pioneered by the financially motivated threat actor Storm-0501. The group has shifted from traditional on-premises ransomware to a more destructive, cloud-native strategy that involves data exfiltration and destruction, fundamentally changing the nature…
-
Cephalus ransomware: What you need to know
Cephalus is a relatively new ransomware operation that emerged in mid-2025, and has already been linked to a wave of high-profile data leaks. Read more about it in my article on the Fortra blog. Graham Cluley
-
Europol says Telegram post about 50,000 Qilin ransomware award is fake
Some cybersecurity news outlets were duped a few days ago by a claim that Europol was offering a $50,000 bounty for information about two members of the Qilin ransomware group. Turns out it was all a hoax. Read more details about what happened in…
-
Warlock ransomware: What you need to know
The Warlock ransomware has hit a number of organisations including government agencies and departments, and most recently UK-based telecoms firm Colt. Read more in my article on the Fortra blog. Graham Cluley
-
The MedusaLocker ransomware gang is hiring penetration testers
MedusaLocker, the ransomware-as-a-service group that has been active since 2019, is openly recruiting for penetration testers to help it compromise more businesses. Read more in my article on the Fortra blog. Graham Cluley
-
US reveals it seized $1 million worth of Bitcoin from Russian BlackSuit ransomware gang
The United States Department of Justice has revealed that the recent takedown of the BlackSuit ransomware gang’s servers, domains, and dark web extortion site, also saw the seizure of US $1,091,453 worth of cryptocurrency. Read more in my article on the…
-
DarkBit Hackers Attacking VMware ESXi Servers to Deploy Ransomware and Encrypt VMDK Files
A newly discovered ransomware campaign has targeted enterprise VMware ESXi environments with military precision, deploying custom-built encryption tools that specifically hunt for virtual machine disk files across VMFS datastores. Security researchers have successfully reverse-engineered the attack methodology and developed breakthrough decryption techniques,…
-
KrebsOnSecurity in New ‘Most Wanted’ HBO Max Series
A new documentary series about cybercrime airing next month on HBO Max features interviews with Yours Truly. The four-part series follows the exploits of Julius Kivimäki, a prolific Finnish hacker recently convicted of leaking tens of thousands of patient records from an online psychotherapy practice while attempting…
-
Ransomware plunges insurance company into bankruptcy
Collapsed company’s founder says that its fortunes were hampered by the refusal of authorities to release the criminals’ seized funds to victims. Read more in my article on the Fortra blog. Graham Cluley
-
Free decryptor for victims of Phobos ransomware released
There is good news for any organisation which has been hit by the Phobos ransomware. Japanese police have released a free decryptor capable of recovering files encrypted by both the notorious Phobos ransomware, and its offshoot 8Base. Read more in my article on the Fortra blog. Graham…
-
UK to ban public sector from paying ransomware demands
Ransomware, considered by British authorities to be the UK’s greatest cybercrime threat, costing the nation billions of pounds and with the capability to bring essential services to a standstill, is in the gunsights of government. Read more in my article on the Hot for Security blog.
-
Police dismantle DiskStation ransomware gang targeting NAS devices, arrest suspected ringleader
Police have struck a blow against the DiskStation ransomware gang, which targets Synology NAS devices, and arrested its suspected ringleader. Make sure that you have properly hardened the security of your Network Access Storage devices to reduce the chances of your data being locked…
-
Authorities Dismantled “Diskstation” Ransomware Attacking Synology NAS Devices Worldwide
Italian State Police, in collaboration with French and Romanian law enforcement agencies, have successfully dismantled the dangerous “Diskstation” ransomware group that specifically targeted Synology Network-Attached Storage (NAS) devices across multiple countries. The operation, coordinated through EUROPOL, resulted in the arrest of several Romanian nationals and exposed…
-
Russian basketball player arrested in ransomware case despite being “useless with computers”
A Russian professional basketball player has been arrested for allegedly acting as a negotiator for a ransomware gang… and despite his lawyer claiming he’s “useless” with computers. Read more in my article on the Hot for Security blog. Graham Cluley
-
UK Arrests Four in ‘Scattered Spider’ Ransom Group
Authorities in the United Kingdom this week arrested four people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. The breaches have been linked to a prolific but…
-
AiLock ransomware: What you need to know
The AiLock ransomware gang gives its victims just 72 hours to respond and five days to pay up… or else. If you don’t comply? They will grass you up to regulators, email your competitors, and leak your data for good measure. What a lovely bunch of cybercriminals… Read…
-
BERT Ransomware Forcibly Shut Down ESXi Virtual Machines to Disrupt Recovery
New ransomware group employs advanced virtualization attack tactics to maximize damage and hinder organizational recovery efforts. A newly emerged ransomware group known as BERT has introduced a particularly disruptive capability that sets it apart from traditional ransomware operations: the ability to forcibly terminate ESXi…
-
Technical difficulties or cyber attack? Ingram Micro’s website goes down just in time for the holiday weekend
Nothing says “Holiday Weekend” like a mysterious IT outage. Graham Cluley
-
Hunters International ransomware group shuts down – but will it regroup under a new guise?
The notorious Hunters International ransomware-as-a-service operation has announced that it has shut down, in a message posted on its dark web leak site. In a statement on its extortion site, the ransomware group says that it has not only “decided…
-
Swiss government warns attackers have stolen sensitive data, after ransomware attack at Radix
The Swiss government has issued a warning after a third-party service provider suffered a ransomware attack, which saw sensitive information stolen from its systems and leaked onto the dark web. Read more in my article on the Fortra blog. Graham Cluley
-
SafePay ransomware: What you need to know
SafePay is a relatively new ransomware that is making a big impact. Find out how it is different from other ransomware, and read more in my article on the Fortra blog. Graham Cluley
-
Smashing Security podcast #423: Operation Endgame, deepfakes, and dead slugs
In this episode of the “Smashing Security” podcast, Graham unravels Operation Endgame – the surprisingly stylish police crackdown that is seizing botnets, mocking malware authors with anime videos, and taunting cybercriminals via Telegram. And BBC cyber correspondent Joe Tidy joins us to talk about “Ctrl-Alt-Chaos”,…
-
Cybercrime is surging across Africa
A new INTERPOL report has sounded the alarm over a dramatic increase in cybercrime across Africa, with digital crime now accounting for a significant proportion of all criminal activity across the continent. Read more in my article on the Hot for Security blog. Graham Cluley
-
Aflac, one of the USA’s largest insurers, is the latest to fall “under siege” to hackers
The Wall Street Journal reports that Aflac is investigating a breach that may have exposed claims information, health details, Social Security numbers, and other personal data. Graham Cluley
-
Marks & Spencer ransomware attack was good news for other retailers
When Marks & Spencer paused online orders after it was hit by ransomware, it was bad news for them… but GOOD news for other big online retailers. Fashion rivals like Next, John Lewis, and Zara saw a nice little bump while M&S sales floundered.…
-
Qilin offers “Call a lawyer” button for affiliates attempting to extort ransoms from victims who won’t pay
Imagine for one moment that you are a cybercriminal. You have compromised an organisation’s network, you have stolen their data, you have encrypted their network, and you are now knee-deep in the ransomware negotiation. However, there’s a problem.…
-
Authorities Busted Ransomware Gang – Nine Laptops and 15 Mobile Devices Were Seized
Thai law enforcement successfully dismantled a sophisticated ransomware operation during a coordinated raid at the Antai Holiday Hotel in central Pattaya on Monday, June 16, 2025. The operation resulted in the arrest of six Chinese nationals specifically tasked with distributing malicious links…
-
Ransomware gang busted in Thailand hotel raid
In a dramatic raid at a hotel in central Pattaya this week, Thai police have unearthed a criminal gang that was operating a ransomware and illicit gambling operation. Read more in my article on the Hot for Security blog. (Graham Cluley)
-
Bert ransomware: what you need to know
Bert is a recently discovered strain of ransomware that encrypts victims’ files and demands a payment for the decryption key. Read more in my article on the Fortra blog. (Graham Cluley)
-
Empty shelves after US’s largest natural and organic food distributor suffers cyber attack
The spate of cyber attacks impacting the retail industry continues, with the latest victim being United Natural Foods (UNFI), which supplies organic produce to Whole Foods, Amazon, Target, and Walmart, amongst many others. Read more in my article on the Hot for…
-
DragonForce Ransomware Claimed To Compromise Over 120 Victims in The Past Year
DragonForce, a sophisticated ransomware operation that emerged in fall 2023, has established itself as a formidable threat in the cybercriminal landscape by claiming over 120 victims across the past year. Unlike traditional ransomware-as-a-service models, this threat actor has evolved into what security experts…
-
Marks & Spencer’s ransomware nightmare – more details emerge
Over Easter, retail giant Marks & Spencer (M&S) discovered that it had suffered a highly damaging ransomware attack that left some shop shelves empty, shut down online ordering, some staff unable to clock in and out, and caused some of its major suppliers to resort to…
-
Australia Requires Ransomware Victims to Declare Payments
A new Australian law requires larger companies to declare any ransomware payments they have made. (Bruce Schneier)
-
Interlock ransomware: what you need to know
“We don’t just want payment; we want accountability.” The malicious hackers behind the Interlock ransomware try to justify their attacks. Learn more about what you need to know about Interlock in my article on the Tripwire State of Security blog. (Graham Cluley)
-
3AM ransomware attack poses as a call from IT support to compromise networks
Cybercriminals are getting smarter. Not by developing new types of malware or exploiting zero-day vulnerabilities, but by simply pretending to be helpful IT support desk workers. Find out how they do it in my article on the Tripwire State of Security blog.…
-
DragonForce targets rivals in a play for dominance
Not content with attacking retailers, this aggressive group is fighting a turf war with other ransomware operators. (Angela Gunn)
-
Beyond the kill chain: What cybercriminals do with their money (Part 1)
Sophos X-Ops investigates what financially motivated threat actors invest their ill-gotten profits in, once the dust has settled. (Matt Wixey)
-
Beyond the kill chain: What cybercriminals do with their money (Part 2)
In the second of our five-part series, Sophos X-Ops investigates the so-called ‘white’ (legitimate) business interests of threat actors. (Matt Wixey)
-
Beyond the kill chain: What cybercriminals do with their money (Part 3)
In the third of our five-part series, Sophos X-Ops explores the more legally and ethically dubious business interests of financially motivated threat actors. (Matt Wixey)
-
Beyond the kill chain: What cybercriminals do with their money (Part 4)
In the fourth of our five-part series, Sophos X-Ops explores threat actors’ real-world criminal business interests. (Matt Wixey)
-
Beyond the kill chain: What cybercriminals do with their money (Part 5)
In the last of our five-part series, Sophos X-Ops explores the implications and opportunities arising from threat actors’ involvement in real-world industries and crimes. (Matt Wixey)
-
Two years’ jail for down-on-his-luck man who sold ransomware online
A man has been jailed in Ireland for two years after pleading guilty to offences related to his illegal online business that sold ransomware and other malware, as well as stolen credit card details, and false bank accounts. Read more in my article on the…
-
LockBit ransomware gang breached, secrets exposed
Oh dear, what a shame, never mind. Read more in my article on the Tripwire State of Security blog. (Graham Cluley)