Category: Ransomware

  • Smashing Security podcast #416: High street hacks, and Disney’s Wingdings woe

    Brits face empty shelves and suspended meal deals as cybercriminals hit major high street retailers, and a terminated Disney employee gets revenge with a little help from Wingdings. Plus Graham challenges Carole to a game of “Malware or metal?”, and we wonder just what happens…

  • NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked

    The UK’s National Cyber Security Centre (NCSC) has warned the IT helpdesks of retailers to be on their guard against bogus support calls they might receive from hackers pretending to be staff locked out of their accounts. Read more…

  • Threat Actor Bypasses SentinelOne EDR to Deploy Babuk Ransomware

    A sophisticated new attack method that disables endpoint security protection has been identified by security researchers, enabling threat actors to deploy ransomware undetected. The technique, dubbed “Bring Your Own Installer,” was recently discovered by Aon’s Stroz Friedberg Incident Response team during an investigation of a Babuk…

  • Alleged ‘Scattered Spider’ Member Extradited to U.S.

    A 23-year-old Scottish man thought to be a member of the prolific Scattered Spider cybercrime group was extradited last week from Spain to the United States, where he is facing charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into…

  • Ransomware attacks on critical infrastructure surge, reports FBI

    The FBI is set to report that ransomware was the most pervasive cybersecurity threat to US critical infrastructure during 2024, with complaints of ransomware attacks against critical sectors up 9% over the previous year. Read more in my article on the Tripwire State of…

  • DragonForce and Anubis Ransomware Operators Unveil New Affiliate Models

    Despite significant disruptions by international law enforcement operations targeting major ransomware schemes, cybercriminal groups continue demonstrating remarkable adaptability in 2025. Two noteworthy ransomware operations, DragonForce and Anubis, have introduced innovative affiliate models designed to expand their reach and increase profitability in the ever-evolving cybercrime landscape. DragonForce…

  • RansomHouse ransomware: what you need to know

    RansomHouse is a cybercrime operation that follows a Ransomware-as-a-Service (RaaS) business model, where affiliates (who do not require technical skills of their own) use the ransomware operator’s infrastructure to extort money from victims. Read more in my article on the Fortra blog. By Graham Cluley.

  • Medusa ransomware gang claims to have hacked NASCAR

    The Medusa ransomware-as-a-service (RaaS) claims to have compromised the computer systems of NASCAR, the United States’ National Association for Stock Car Auto Racing, and made off with more than 1TB of data. Read more in my article on the Hot for Security blog. By Graham Cluley.

  • RansomHub Ransomware-as-a-Service Facing Internal Conflict as Affiliates Lose Access to Chat Portals

    RansomHub, a relatively newer player in the ransomware-as-a-service (RaaS) landscape, is experiencing significant internal turmoil after affiliates suddenly lost access to negotiation chat portals on April 1st, 2025. This disruption has forced affiliates to redirect victim communications to alternative platforms, including those belonging…

  • Ransomware reaches a record high, but payouts are dwindling

    Will you be shedding a tear for the cybercriminals? Read more in my article on the Tripwire blog. By Graham Cluley.

  • HellCat ransomware: what you need to know

    HellCat – the ransomware gang that has been known to demand payment… in baguettes! Are they rolling in the dough? Bread it and weep in my article on the Tripwire State of Security blog. By Graham Cluley.

  • £3 million fine for healthcare MSP with sloppy security after it was hit by ransomware attack

    A UK firm has been fined £3.07 million after a ransomware attack exposed sensitive data relating to almost 80,000 people and disrupted NHS services. Read more in my article on the Exponential-e…

  • VanHelsing ransomware: what you need to know

    First reported earlier in March 2025, VanHelsing is a new ransomware-as-a-service operation. Read more in my article on the Tripwire State of Security blog. By Graham Cluley.

  • Malaysian PM says “no way” to $10 million ransom after alleged cyber attack against Kuala Lumpur airport

    According to some reports, Kuala Lumpur International Airport had to resort to using whiteboards to communicate with passengers. Read more in my article on the Hot for Security blog. By Graham Cluley.

  • BlackLock ransomware: What you need to know

    BlackLock has become a big deal, very quickly. It has been predicted to be one of the biggest ransomware-as-a-service operations of 2025. Read more in my article on the Tripwire State of Security blog. By Graham Cluley.

  • Decrypting Linux/ESXi Akira Ransomware Files Without Paying the Ransom

    A cybersecurity researcher has successfully broken the encryption used by the Linux/ESXi variant of the Akira ransomware, enabling data recovery without paying the ransom demand. The breakthrough exploits a critical weakness in the ransomware’s encryption methodology. According to the researcher, the malware uses the current time in…
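
The weakness described above, a key whose only secret is the instant the encryptor ran, is easier to see in code. The following is an added example written for this page, not the researcher's tool and not Akira's real key schedule: the SHA-256-based key derivation, the XOR keystream, the 8-byte known header and the 42 µs search window are all assumptions chosen to keep the demonstration short and fast. What carries over to the real case is the shape of the attack: known plaintext (on ESXi, VMDK/VMX headers and logs supply it for free) plus a bounded time window turns key recovery into a brute-force search whose cost is simply the width of the window.

```python
"""Toy encryptor whose key comes from the clock, plus the known-plaintext
brute force that recovers it. Added illustration for this page; the key
schedule is an assumption, not Akira's real one."""
import hashlib
import time
from typing import Optional

# Constructed sample file: an 8-byte header assumed known to the defender
# (on ESXi, VMDK/VMX headers play this role), followed by arbitrary content.
KNOWN_PREFIX = b"KDMV\x01\x00\x00\x00"
SAMPLE_FILE = KNOWN_PREFIX + b"descriptor and disk data follow ..." * 4


def derive_key(seed_ns: int) -> bytes:
    """Assumed key schedule: all key material flows from one 64-bit timestamp."""
    return hashlib.sha256(seed_ns.to_bytes(8, "little")).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream (toy construction) expanded from the key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, seed_ns: Optional[int] = None) -> tuple:
    """Encrypt the way the flawed malware does: seed from the clock at run time.
    Returns (ciphertext, seed) so the demo can check recovery; real malware
    would of course keep the seed to itself."""
    if seed_ns is None:
        seed_ns = time.time_ns()
    return xor_bytes(plaintext, keystream(derive_key(seed_ns), len(plaintext))), seed_ns


def decrypt(ciphertext: bytes, seed_ns: int) -> bytes:
    return xor_bytes(ciphertext, keystream(derive_key(seed_ns), len(ciphertext)))


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 window_start_ns: int, window_end_ns: int) -> Optional[int]:
    """Try every timestamp in [window_start_ns, window_end_ns) and keep the one
    whose keystream turns the ciphertext back into the known header.
    Cost is one key derivation per candidate, so the search is only as hard as
    the window is wide: file mtimes and hypervisor logs shrink it, while a
    window of whole seconds (10**9 candidates each) needs GPU-scale brute force."""
    target = ciphertext[:len(known_prefix)]
    for seed in range(window_start_ns, window_end_ns):
        if xor_bytes(target, keystream(derive_key(seed), len(known_prefix))) == known_prefix:
            return seed
    return None


def demo(window_ns: int = 100_000) -> dict:
    """Encrypt at a fixed (constructed) instant, then recover from a window the
    defender is assumed to have narrowed to 100 microseconds around an estimate."""
    attack_time_ns = 1_700_000_000_123_456_789  # constructed "time of attack"
    ciphertext, _ = encrypt(SAMPLE_FILE, attack_time_ns)
    estimate_ns = attack_time_ns - 42_000        # defender's estimate, 42 us early
    found = recover_seed(ciphertext, KNOWN_PREFIX, estimate_ns, estimate_ns + window_ns)
    return {
        "seed_found": found == attack_time_ns,
        "file_recovered": found is not None and decrypt(ciphertext, found) == SAMPLE_FILE,
        "candidates_tried": attack_time_ns - estimate_ns + 1,
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script, the demo tries roughly 42,000 candidate timestamps in well under a second and recovers the whole file. The practical lesson is the one the researcher exploited: a cryptographically strong cipher does not help when its key is derived from a value the attacker's own files leak, because known plaintext reduces key recovery to guessing a clock reading.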

  • SuperBlack Actors Exploiting Two Fortinet Vulnerabilities to Deploy Ransomware

    Between late January and early March 2025, cybersecurity researchers at Forescout’s Vedere Labs uncovered a series of sophisticated intrusions leveraging critical Fortinet vulnerabilities. The attacks, attributed to a newly identified threat actor tracked as “Mora_001,” culminated in the deployment of a custom ransomware strain dubbed “SuperBlack.”…

  • Medusa ransomware: FBI and CISA urge organisations to act now to mitigate threat

    The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released warning from the FBI and CISA, with at least one organisation hit with a “triple-extortion” threat. Read more in my article on the Tripwire State of Security blog.…

  • Smashing Security podcast #408: A gag order backfires, and a snail mail ransom demand

    What happens when a healthcare giant’s legal threats ignite a Streisand Effect wildfire… while a ransomware gang appears to ditch the dark web for postage stamps? Find out about this, and more, in the latest edition of the “Smashing Security” podcast…

  • Alleged Co-Founder of Garantex Arrested in India

    Authorities in India today arrested the alleged co-founder of Garantex, a cryptocurrency exchange sanctioned by the U.S. government in 2022 for facilitating tens of billions of dollars in money laundering by transnational criminal and cybercriminal organizations. Sources close to the investigation told KrebsOnSecurity the Lithuanian national Aleksej Besciokov,…

  • SecP0 Ransomware Group Threatens Organizations to Leak Vulnerability Details

    A new ransomware group, SecP0, has emerged on the cybercrime landscape, adopting a novel and deeply concerning tactic: demanding ransom payments not for encrypted data, but for undisclosed software vulnerabilities. This shift in strategy represents a significant evolution in ransomware operations, targeting organizations’ cybersecurity weaknesses rather…

  • Cactus ransomware: what you need to know

    Cactus is a ransomware-as-a-service (RaaS) group that encrypts victims’ data and demands a ransom for a decryption key. Read more about it in my article on the Tripwire State of Security blog. By Graham Cluley.

  • Stop targeting Russian hackers, Trump administration orders US Cyber Command

    The Trump administration has told US Cyber Command and CISA to stop following or reporting on Russian cyber threats. Yes, Russia! That country everyone used to agree was home to lots of ransomware gangs and hackers. Hmmm… Read more in my article on the Hot…

  • Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab

    One of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab, KrebsOnSecurity has learned. Security experts say the Russia-based service provider Prospero OOO (the triple O is…

  • Smashing Security podcast #405: A crypto con exchange, and soaring ticket scams

    From shadowy Bitcoin exchanges to Interpol’s most wanted, Alexander Vinnik was the alleged kingpin behind BTC-e, a $4bn crypto laundering empire. Learn more about him, and how he became a geopolitical pawn between the US, France, and Russia. Plus! Hear how concert-goers are…

  • Russian Government Proposes New Penalties to Combat Cybercrime

    The Russian government announced a comprehensive legislative package on February 10, 2025, introducing severe penalties for cybercrimes. The reforms, which amend over 30 existing laws, aim to modernize Russia’s cybersecurity framework by escalating prison terms, expanding asset confiscation protocols, and mandating public trials for high-profile cybercriminals. The…

  • Beware of Fake Outlook Troubleshooting Calls that End Up In Ransomware Deployment

    A sophisticated cyber threat has emerged in recent weeks, targeting unsuspecting users with fake Outlook troubleshooting calls. These calls, designed to appear legitimate, ultimately lead to the deployment of ransomware on the victim’s system. The scam involves a malicious binary named CITFIX#37.exe, which…

  • US charges two Russian men in connection with Phobos ransomware operation

    Roman Berezhnoy and Egor Nikolaevich Glebov are alleged to have extorted over US $16 million in ransom payments using the Phobos ransomware, impacting over 1000 organisations in the United States. Read more in my article on the Hot for Security blog. By Graham Cluley.

  • Smashing Security podcast #404: Podcast not found

    The story of how hackers managed to compromise the US Government’s official SEC Twitter account to boost the price of Bitcoin, AI isn’t helping reduce the rife conspiracy theories inside classrooms, and is the funeral bell tolling for ransomware? All this and more is discussed in the latest…

  • Akira Ransomware Leads The Number of Ransomware Attacks For January 2025

    January 2025 marked a significant month in the ransomware landscape, with Akira emerging as the leading threat. According to recent reports, Akira was responsible for 72 attacks globally, highlighting its rapid rise in prominence. This surge in activity is part of a broader trend…

  • Data breaches at UK law firms are on the rise, research reveals

    British legal professionals have seen a “significant surge” in data breaches, according to new research from NetDocuments, a firm that provides a cloud-based content management platform for the legal sector. Read more in my article on the Tripwire State of Security blog. By Graham Cluley.

  • Smashing Security podcast #403: Coinbase crypto heists, QR codes, and ransomware in the classroom

    In episode 403 of “Smashing Security” we dive into the mystery of $65 million vanishing from Coinbase users faster than J-Lo slipped into Graham’s DMs, Geoff gives a poor grade for PowerSchool’s security, and Carole takes a curious look at QR…

  • WantToCry Ransomware Exploits SMB Vulnerabilities to Remotely Encrypt NAS Drives

    The notorious WantToCry ransomware group leverages misconfigured Server Message Block (SMB) services to infiltrate networks and launch widespread attacks. Weaknesses in exposed SMB services, such as weak credentials, outdated software, and poor security configuration, give attackers an easy entry point, which they exploit…
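
Most NAS appliances and Linux file servers expose SMB through Samba, so the "poor security configuration" above usually comes down to a handful of lines in smb.conf. The following is an added example for this page, not WantToCry tooling and not Samba's own testparm: it parses a constructed smb.conf, flags the settings that let an unauthenticated or relaying attacker onto a share, and shows the same share with each setting corrected. The parameter names and values are real Samba options; the defaults assumed for missing keys are those of current Samba releases (older builds defaulted "server min protocol" to NT1, so a missing key there is itself worth a look).

```python
"""Audit a Samba smb.conf for the misconfigurations that hand ransomware
operators an SMB foothold. Added example for this page, not WantToCry
tooling or Samba's own checker; both sample configs are constructed."""
import configparser
from typing import List, Tuple

# Constructed: a NAS export as a hurried administrator might leave it.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   server signing = disabled
   map to guest = Bad User
   ntlm auth = yes
   lanman auth = yes

[backups]
   path = /srv/backups
   guest ok = yes
   writable = yes
"""

# Constructed: the same share with each weak setting corrected.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = SMB3
   server signing = mandatory
   map to guest = Never
   ntlm auth = ntlmv2-only
   lanman auth = no
   restrict anonymous = 2

[backups]
   path = /srv/backups
   guest ok = no
   valid users = @backup-operators
   writable = yes
"""

# Samba dialect names that mean "SMB1 is still accepted".
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf is INI-like; '%' macros must not be interpolated.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), empty_lines_in_values=False)
    cp.read_string(text)
    return cp


def audit_smb_conf(text: str) -> List[Tuple[str, str]]:
    """Return (section, finding) pairs; an empty list means nothing flagged.
    Defaults for absent keys follow current Samba (assumption for old builds)."""
    cp = parse_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}

    def setting(section, key: str, default: str) -> str:
        return str(section.get(key, default)).strip().lower()

    findings: List[Tuple[str, str]] = []
    if setting(g, "server min protocol", "smb2_02") in SMB1_DIALECTS:
        findings.append(("global", "SMB1 dialect accepted: no signing or encryption, widely exploited protocol"))
    if setting(g, "server signing", "default") == "disabled":
        findings.append(("global", "signing disabled: sessions can be relayed or tampered with"))
    if setting(g, "map to guest", "never") != "never":
        findings.append(("global", "map to guest: failed logons fall back to guest access"))
    if setting(g, "ntlm auth", "ntlmv2-only") in {"yes", "ntlmv1-permitted"}:
        findings.append(("global", "NTLMv1 permitted: hashes crackable from captured traffic"))
    if setting(g, "lanman auth", "no") == "yes":
        findings.append(("global", "LANMAN auth enabled: trivially crackable legacy hashes"))
    for share in cp.sections():
        if share.lower() == "global":
            continue
        s = cp[share]
        guest = setting(s, "guest ok", "no") == "yes" or setting(s, "public", "no") == "yes"
        writable = setting(s, "writable", "no") == "yes" or setting(s, "read only", "yes") == "no"
        if guest:
            findings.append((share, "guest access: reachable without credentials"))
        if guest and writable:
            findings.append((share, "guest-writable: anyone on the network can encrypt its contents"))
    return findings


if __name__ == "__main__":
    for section, msg in audit_smb_conf(WEAK_SMB_CONF):
        print(f"[{section}] {msg}")
    print("hardened config findings:", audit_smb_conf(HARDENED_SMB_CONF))
```

The audit reports seven findings for the weak config and none for the hardened one. The two that matter most for the scenario on this page are the guest-writable share, which a foothold anywhere on the network can encrypt without a single credential, and the SMB1/NTLMv1 settings, which turn "weak credentials" into no credentials at all once an attacker can capture or relay a session.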

  • DeepSeek R1 Jailbroken to Generate Ransomware Development Scripts

    DeepSeek R1, the latest AI model from China, is making waves in the tech world for its reasoning capabilities. Positioned as a challenger to AI giants like OpenAI, it has already climbed to 6th place on the Chatbot Arena benchmarking list, surpassing notable models such as Meta’s…

  • CISA Under Trump

    Jen Easterly is out as the Director of CISA. Read her final interview: There’s a lot of unfinished business. We have made an impact through our ransomware vulnerability warning pilot and our pre-ransomware notification initiative, and I’m really proud of that, because we work on preventing somebody from having their worst day.…

  • Akira’s New Linux Ransomware Attacking VMware ESXi Servers

    The Akira ransomware group, a prominent player in the Ransomware-as-a-Service (RaaS) domain since March 2023, has intensified its operations with a new Linux variant targeting VMware ESXi servers. Initially focused on Windows systems, Akira expanded its scope in April 2023 by deploying a Linux-based encryptor specifically designed…

  • Medusa ransomware: what you need to know

    Medusa is a ransomware-as-a-service (RaaS) platform that has targeted organisations around the world. Read more about it in my article on the Tripwire State of Security blog. By Graham Cluley.

  • Space Bears ransomware: what you need to know

    The Space Bears ransomware gang stands out from the crowd by presenting itself better than many legitimate companies, with corporate stock images and a professional-looking leak site. Read more in my article on the Tripwire State of Security blog. By Graham Cluley.

  • Criminal Complaint against LockBit Ransomware Writer

    The Justice Department has published the criminal complaint against Dmitry Khoroshev, for building and maintaining the LockBit ransomware. By Bruce Schneier.

  • Smashing Security podcast #398: Fake CAPTCHAs, Harmageddon, and Krispy Kreme

    This week, we delve into the dark world of fake CAPTCHAs designed to hijack your computer. Plus, the AI safety clock is ticking down – is doomsday closer than we think? And to top it off, we uncover the sticky situation of Krispy Kreme facing…

  • 27 DDoS-for-hire services disrupted in run-up to holiday season

    Operation PowerOFF has disrupted what was anticipated to be a surge of distributed denial-of-service (DDoS) attacks over the Christmas period by taking over two dozen “booter” or “stresser” websites offline. Read more in my article on the Tripwire State of Security blog. By Graham Cluley.

  • Doughnut orders disrupted! Krispy Kreme suffers hack attack

    Krispy Kreme, the dispenser of delectable doughnuts, says that it suffered a cyber attack at the end of last month which saw its IT systems compromised and has disrupted online orders in parts of the United States. Read more in my article on the Hot for Security…

  • Keeping it real: Sophos and the 2024 MITRE ATT&CK Evaluations: Enterprise

    Sophos X-Ops looks at the realism of this year’s MITRE ATT&CK Evaluations. By Michael Wood.

  • 3AM ransomware: what you need to know

    The 3AM ransomware first emerged in late 2023. Like other ransomware, 3AM exfiltrates victims’ data (demanding a ransom is paid) and encrypts the copies left behind. Here’s what you need to know. Read more in my article on the Tripwire State of Security blog. By Graham Cluley.

  • Russian money-laundering network linked to drugs and ransomware disrupted, 84 arrests

    The UK’s National Crime Agency (NCA) has revealed details of Operation Destabilise, a years-long international law enforcement investigation into a giant Russian money laundering enterprise that handled billions of dollars for drug traffickers and ransomware gangs worldwide. Read more in my article on the…

  • Ransomware-hit vodka maker Stoli files for bankruptcy in the United States

    Stoli Group USA, the US subsidiary of vodka maker Stoli, has filed for bankruptcy – and a ransomware attack is at least partly to blame. The American branch of Stoli, which imports and distributes Stoli brands in the United States, as well as the…

  • Tech support scams leverage Google ads again and again, fleecing unsuspecting internet users

    It’s not a new technique, but that doesn’t mean that cybercriminals cannot make rich rewards from SEO poisoning. Read more in my article on the Tripwire State of Security blog. By Graham Cluley.

  • No guarantees of payday for ransomware gang that claims to have hacked children’s hospital

    What is the point of INC Ransom’s attack on Alder Hey? They are not likely to be paid, and the attack on a children’s hospital only increases the chances that they will one day find their collars felt by law enforcement.…

  • UK hospital, hit by cyberattack, resorts to paper and postpones procedures

    A British hospital is grappling with a major cyberattack that has crippled its IT systems and disrupted patient care. Read more in my article on the Hot for Security blog. By Graham Cluley.

  • Mimic ransomware: what you need to know

    What makes Mimic particularly unusual is that it exploits the API of a legitimate Windows file search tool (“Everything” by Voidtools) to quickly locate files for encryption. Find out more about the threat in my article on the Tripwire State of Security blog. By Graham Cluley.
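
Abusing a legitimate indexer is also what makes this family huntable: the Everything SDK ships as Everything32.dll/Everything64.dll, and a legitimate install runs Everything.exe from its own program directory. The following is an added example for this page, not code from the Mimic analysis and not a vendor rule: it runs two heuristics over constructed Sysmon-style image-load events (Event ID 7 fields, written here as key=value lines for readability). Both heuristics, the directory list and every path and process name are the author's assumptions.

```python
"""Hunt for Mimic-style abuse of the Everything search engine in image-load
telemetry. Added example for this page: the key=value event format mimics
Sysmon Event ID 7 fields but is constructed, and both heuristics are the
author's assumptions rather than rules taken from the Mimic analysis."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed events; every path and process name is invented.
SAMPLE_EVENTS = [
    r'EventID=7 Image="C:\Program Files\Everything\Everything.exe" ImageLoaded="C:\Program Files\Everything\Everything64.dll" Signed=true',
    r'EventID=7 Image="C:\Users\jdoe\AppData\Local\Temp\7z0\dropper.exe" ImageLoaded="C:\Users\jdoe\AppData\Local\Temp\7z0\Everything64.dll" Signed=true',
    r'EventID=7 Image="C:\Users\jdoe\AppData\Local\Temp\7z0\Everything.exe" ImageLoaded="C:\Windows\System32\ntdll.dll" Signed=true',
    r'EventID=7 Image="C:\Windows\explorer.exe" ImageLoaded="C:\Windows\System32\shell32.dll" Signed=true',
    r'EventID=1 Image="C:\Users\jdoe\AppData\Local\Temp\7z0\dropper.exe" CommandLine="dropper.exe -e"',
]

EVERYTHING_DLLS = {"everything64.dll", "everything32.dll"}   # the Everything SDK
EVERYTHING_EXE = "everything.exe"
# Directories from which a legitimately installed Everything would not run (assumed list).
STAGING_DIRS = {"temp", "tmp", "appdata", "downloads", "public", "programdata"}
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def in_staging_dir(path: PureWindowsPath) -> bool:
    return bool({part.lower() for part in path.parts} & STAGING_DIRS)


def is_everything_binary(path: PureWindowsPath) -> bool:
    name = path.name.lower()
    return name == EVERYTHING_EXE or name in EVERYTHING_DLLS


def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, path) findings.
    Rule 1: the Everything SDK DLL is loaded into a process that is not
            Everything.exe, i.e. some other binary is driving the index.
    Rule 2: Everything.exe or its DLL runs from a user-writable staging
            directory, i.e. the attacker brought their own copy."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        image = PureWindowsPath(ev.get("Image", ""))
        loaded = PureWindowsPath(ev.get("ImageLoaded", ""))
        if loaded.name.lower() in EVERYTHING_DLLS and image.name.lower() != EVERYTHING_EXE:
            findings.append(("everything_sdk_in_foreign_process", str(image)))
        for path in (image, loaded):
            if is_everything_binary(path) and in_staging_dir(path):
                findings.append(("everything_staged_in_user_dir", str(path)))
    return findings


if __name__ == "__main__":
    for rule, path in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

On the sample, the legitimate Everything install produces no findings, while the dropper is flagged once for loading the SDK and the attacker-staged copies of Everything64.dll and Everything.exe are flagged for running out of a Temp directory. Rule 1 will also fire on legitimate third-party tools that embed the Everything SDK, so in production it belongs in a hunt or a low-severity alert with an allowlist of known integrations, not in an auto-block rule.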

  • Hacker in Snowflake Extortions May Be a U.S. Soldier

    Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect — a prolific hacker known as Kiberphant0m — remains at large and continues to publicly extort victims. However, this…