Tag

Ransomware

All articles tagged with #ransomware

AI-Driven Threats Blur the Line Between Daily Activity and Breach
technology, 5 hours ago

ThreatsDay flags AI-enhanced threats that accelerate breaches and blend into everyday activity. Kali Linux now integrates Claude via MCP for natural-language command execution. Campaigns covered include Bitpanda phishing, lateral movement completed within four minutes of initial access, and Mac and WinRAR exploits, aided by ad cloaking, typosquatting, and social engineering, as threat actors fragment after the RAMP forum's collapse and increasingly adopt AI-driven tactics.

BeyondTrust Flaw Sparks Global Web Shell Campaigns and Data Theft
security, 7 days ago

Threat actors are exploiting CVE-2026-1731 in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) to run OS commands, deploy web shells and backdoors, establish C2, and exfiltrate data across sectors worldwide. Unit 42 reports abuse of the thin-scc-wrapper component over WebSocket to execute commands in the context of the site user, effectively giving the attacker control of the appliance and the traffic it brokers. Observed campaigns drop PHP backdoors, VShell, a bash dropper, and Spark RAT, followed by staged exfiltration of configuration files, internal databases, and PostgreSQL dumps. The activity resembles the earlier CVE-2024-12356 exploitation, and CISA's KEV entry confirms use in ransomware operations.

BridgePay ransomware outage cripples payment gateway; no card data exposed
technology, 19 days ago

BridgePay Network Solutions suffered a ransomware attack that took its payment gateway offline in a nationwide outage. Officials say no payment card data was compromised and that any files the attackers reached were already encrypted. The FBI and U.S. Secret Service are assisting the investigation while recovery continues, and some merchants report falling back to cash-only transactions during the disruption.

Week in Cybersecurity: Proxy Botnet Disrupted, Office Zero-Day Patched, MongoDB Extortion Surges
cybersecurity, 25 days ago

This weekly cybersecurity digest covers a busy threat landscape: Google disrupted the IPIDEA residential proxy network, shrinking the pool of exit nodes available to attackers; Microsoft patched a critical Office zero-day (CVE-2026-21509) and Ivanti fixed EPMM flaws (CVE-2026-1281 and CVE-2026-1340); CERT Polska linked destructive attacks on wind and solar facilities to Static Tundra; new campaigns include Operation Bizarre Bazaar targeting exposed AI endpoints and a surge of MongoDB extortion against more than 1,400 exposed databases. Other items cover Exfil Out&Look, which abuses Outlook add-ins, PyRAT's cross-platform capabilities, TA584's evolving attack chain with Tsundere Bot and XWorm, and related cybercrime trends.

WinRAR CVE-2025-8088 Seized by State and Criminal Actors After Patch
technology, 29 days ago

Google's Threat Intelligence Group reports active exploitation of WinRAR CVE-2025-8088 by both state-backed and financially motivated actors, continuing after the fix shipped in WinRAR 7.13 on July 30, 2025. The flaw is used for initial access: a path-traversal bug in archive extraction drops a malicious LNK into the Windows Startup folder, with NTFS alternate data streams (ADS) also abused, so the payload runs at the next logon. Campaigns are attributed to RomCom (UNC4895), UNC2596 (Cuba ransomware), Sandworm, Gamaredon, Turla, and a China-based actor delivering Poison Ivy, with payloads including SnipBot, AsyncRAT, XWorm, and malicious browser extensions targeting Brazilian banking sites. The breadth of activity points to an active underground market for exploits and to persistent patching gaps; a separate WinRAR flaw, CVE-2025-6218, is also being exploited by multiple groups.
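The entry above describes the general class of bug behind CVE-2025-8088: an archive entry whose stored name, once resolved, lands somewhere other than the extraction directory. The check below is an added example written for this page, not WinRAR's code and not a reproduction of the exploit. It models what a hardened extractor (or a mail-gateway archive scanner) should do before writing any entry: reject absolute names, traversal that escapes the extraction root, NTFS alternate data streams, and names that resolve into a Windows Startup folder. The archive names and extraction root are constructed sample input; the Startup folder markers are the standard per-user and all-users paths.

```python
"""Archive entry path validation (added example, not WinRAR's code).

Models the path-traversal class behind CVE-2025-8088 defensively: an
entry name is resolved against the extraction root and rejected if it
would land outside it, names an NTFS alternate data stream, is absolute,
or targets a Windows Startup folder. Sample entries below are constructed.
"""
import ntpath
import posixpath
from dataclasses import dataclass

# Standard per-user and all-users Startup folder suffixes (lower-case,
# forward slashes), matched anywhere in the resolved path.
STARTUP_MARKERS = (
    "microsoft/windows/start menu/programs/startup",
    "programdata/microsoft/windows/start menu/programs/startup",
)


@dataclass(frozen=True)
class EntryVerdict:
    name: str                # entry name as stored in the archive
    resolved: str            # where it would be written (forward slashes)
    reasons: tuple[str, ...] # empty when the entry is safe to extract

    @property
    def safe(self) -> bool:
        return not self.reasons


def check_entry(extract_root: str, name: str) -> EntryVerdict:
    """Resolve one archive entry name against extract_root and judge it."""
    reasons = []
    # Treat backslashes as separators so "..\\" is caught as well as "../".
    unified = name.replace("\\", "/")
    drive, tail = ntpath.splitdrive(name)
    is_absolute = bool(drive) or unified.startswith("/")
    if is_absolute:
        reasons.append("absolute path")
    # A colon after any drive spec denotes an alternate data stream,
    # e.g. "report.pdf:payload.lnk" writes a hidden stream on report.pdf.
    if ":" in tail:
        reasons.append("alternate data stream")

    root = posixpath.normpath(extract_root.replace("\\", "/"))
    if is_absolute:
        resolved = posixpath.normpath(unified)
    else:
        resolved = posixpath.normpath(posixpath.join(root, unified))
    # The "root + '/'" prefix stops "extract2/..." matching root "extract".
    if resolved != root and not resolved.startswith(root + "/"):
        reasons.append("escapes extraction directory")

    if any(marker in resolved.lower() for marker in STARTUP_MARKERS):
        reasons.append("targets Startup folder")
    return EntryVerdict(name, resolved, tuple(reasons))


def audit(extract_root: str, names: list[str]) -> dict[str, tuple[str, ...]]:
    """Return {entry name: reasons} for every entry that must not be written."""
    verdicts = (check_entry(extract_root, n) for n in names)
    return {v.name: v.reasons for v in verdicts if not v.safe}


if __name__ == "__main__":
    # Constructed sample archive listing: one benign entry, one traversal
    # into the per-user Startup folder, one ADS name, one absolute name.
    ROOT = "C:/Users/bob/Downloads/extract"
    SAMPLE_ENTRIES = [
        "docs/report.pdf",
        "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.lnk",
        "report.pdf:payload.lnk",
        "C:\\Windows\\Temp\\x.exe",
    ]
    for name, reasons in audit(ROOT, SAMPLE_ENTRIES).items():
        print(f"REJECT {name!r}: {', '.join(reasons)}")
```

Run it as a script to see the three rejected entries; in a real extractor the same check runs once per entry before any file handle is opened, and a rejected entry aborts the whole archive rather than being skipped, since a dropper only needs one entry to land.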

AI-Driven Threats Set to Redefine Cybercrime in 2026
technology, 1 month ago

ZDNET reports that 2026 could see AI weaponization reach a new level, with threat actors deploying AI-enabled malware and agentic AI to automate reconnaissance, phishing, lateral movement, and data theft at machine speed, while prompt injection and misconfigurations expand the attack surface through APIs and AI-enabled browsers. Attacks are expected to target both IT and OT, with ransomware shifting toward data extortion across supply chains, insiders and North Korean operators widening their campaigns, and nation-states pursuing longer-term strategic objectives. CISOs will be held more accountable, and cyber-resilience will become a competitive differentiator, driving upskilling and greater use of managed security services.

US Cybersecurity Experts Admit to Ransomware Crimes and Face Prison
crime, 1 month ago

Two cybersecurity professionals pleaded guilty to carrying out ransomware attacks, using their professional skills to extort victims, including a medical device company that paid $1.2 million; sentencing is scheduled for March. They operated as affiliates of the ALPHV/BlackCat ransomware group, known for major attacks such as the one on Change Healthcare, and each faces up to 20 years in prison.

Holiday Cybersecurity Risks: Protecting Travelers and Shoppers from Cyberattacks
technology, 2 months ago

Attackers exploit the holiday season, when security teams are thinly staffed and companies are less vigilant, producing a spike in ransomware and phishing attacks; many high-profile incidents have landed in this period. Security teams prepare months in advance, and AI tools are suggested as a way to reduce analyst burnout and strengthen defenses during this vulnerable window.

Interpol Arrests Nearly 600 Cybercriminals Across Africa in Major Operation
world, 2 months ago

INTERPOL's Operation Sentinel led to the arrest of 574 suspects across 19 African countries, recovered $3 million, and dismantled cybercrime networks involved in BEC, digital extortion, and ransomware, with estimated losses exceeding $21 million. Separately, a Ukrainian national pleaded guilty in the U.S. to his role in Nefilim ransomware attacks, underscoring ongoing international enforcement efforts.

Security Risks in VS Code Extensions: Ransomware, Cryptomining, and Supply Chain Threats
cybersecurity, 3 months ago

Cybersecurity researchers discovered a vibe-coded malicious VS Code extension with built-in ransomware capabilities: it exfiltrates and encrypts files and uses GitHub as its command-and-control channel. Separately, 17 npm packages posing as SDKs were found to stealthily deploy Vidar Stealer, highlighting ongoing supply chain threats in open-source ecosystems. Microsoft has since removed the malicious extension from the marketplace, a reminder to vet extensions and dependencies before installing them.

AI-Driven Ransomware Threats Emerge in VS Code Extensions
technology, 3 months ago

A malicious VS Code extension named susvsex, created with AI assistance and openly advertising ransomware capabilities, was published on Microsoft's marketplace. Despite being reported for its malicious functions, Microsoft did not remove it at the time. The extension encrypts files, exfiltrates data to a remote server, and uses hardcoded credentials to talk to its command-and-control server. The incident raises concerns about the marketplace's vetting process and about the use of AI to produce malicious software.

Volkswagen Faces Ransomware Attack and Data Leak Allegations
technology, 4 months ago

Volkswagen appears to have been targeted by the ransomware group 8Base, which claims to have stolen and leaked sensitive data, including employee and financial information; the company states that its core IT remains unaffected. The incident highlights ongoing threats to major manufacturers and the importance of third-party risk management.

Asahi Ransomware Attack Threatens Personal Data and Beer Production
technology, 4 months ago

Asahi, Japan's largest brewer, was hit by a ransomware attack that disrupted operations and may have led to the theft of personal data. The company is investigating the extent of the breach with outside cybersecurity experts and has delayed its financial reporting. The attack was claimed by the Russia-linked Qilin group, another in a growing run of major cyber-attacks on global companies.