
The Top Threat Actor Groups Targeting the Financial Sector


In this post, we identify and analyze the top threat actors that have been actively targeting the financial sector between 2024 and 2026.

January 6, 2026

Between 2024 and 2026, Flashpoint analysts have observed the financial sector as a top target of threat actors, with 406 publicly disclosed victims falling prey to ransomware attacks alone—representing seven percent of all ransomware victim listings during that period.

However, ransomware is just one piece of the complex threat actor puzzle. The financial sector is also grappling with threats stemming from sophisticated Advanced Persistent Threat (APT) groups, the risks associated with third-party compromises, the illicit trade in initial access credentials, the ever-present danger of insider threats, and the emerging challenge of deepfake and impersonation fraud.

Why Finance?

The financial sector has long been one of the most attractive targets for threat actors, consistently ranking among the most targeted industries globally.

These institutions manage massive volumes of sensitive data—from high-value financial transactions and confidential customer information to vast sums of capital, making them especially lucrative for threat actors seeking financial gain. Additionally, the urgency and criticality of financial operations increases the chances that victim organizations will succumb to extortion and ransom demands.

Even beyond direct financial incentives, the financial sector remains an attractive target because of its deep interconnectivity with other industries. Malicious actors may target a financial institution simply to obtain information about another organization, since a single data breach can have far-reaching and cascading consequences for the partners and third parties involved.

The Threat Actors Targeting the Financial Sector

To understand the complexities of the financial threat landscape, organizations need a comprehensive understanding of the key players involved. The following threat actors represent some of the most prominent and active groups targeting the financial sector between April 2024 and April 2025:

RansomHub

Despite being a relatively new Ransomware-as-a-Service (RaaS) group that emerged in February 2024, RansomHub quickly rose to prominence, becoming the second-most active ransomware group in 2024. Notably, they claimed 38 victims in the financial sector between April 2024 and April 2025. Their known TTPs include phishing and exploiting vulnerabilities. RansomHub is also known to heavily target the healthcare sector.

Akira

Active since March 2023, Akira has demonstrated increasingly sophisticated tactics and has targeted a significant number of victims across various sectors. Between April 2024 and April 2025, they targeted 34 organizations within the financial sector. Evidence suggests a potential link to the defunct Conti ransomware group. Akira commonly gains initial access through compromised credentials, Virtual Private Network (VPN) vulnerabilities, and Remote Desktop Protocol (RDP). They employ a double extortion model, exfiltrating data before encryption.

LockBit Ransomware

A long-standing and highly prolific RaaS group operating since at least September 2019, LockBit continued to be a major threat to the financial sector, claiming 29 publicly disclosed victims between April 2024 and April 2025. LockBit utilizes various initial access methods, including phishing, exploitation of known vulnerabilities, and compromised remote services.

Most notably, in June 2024, LockBit claimed it gained access to the US Federal Reserve, stating that they exfiltrated 33 TB of data. However, Flashpoint analysts found that the data posted on the Federal Reserve listing appears to belong to another victim, Evolve Bank & Trust.

FIN7

This financially motivated threat actor group, originating from Eastern Europe and active since at least 2015, focuses on stealing payment card data. They employ social engineering tactics and create elaborate infrastructure to achieve their goals, reportedly generating over $1 billion USD in revenue between 2015 and 2021. Their targets within the financial sector include interbank transfer systems (SWIFT, SAP), ATM infrastructure, and point-of-sale (POS) terminals. Initial access is often gained through phishing and exploiting public-facing applications.

Scattered Spider

Emerging in 2022, Scattered Spider has quickly become known for its rapid exploitation of compromised environments, particularly targeting financial services and cryptocurrency services, among others. The group is notorious for using SMS phishing and fake Okta single sign-on pages to steal credentials and then move laterally within networks. Its primary motivation is financial gain.

Lazarus Group

This advanced persistent threat (APT) group, backed by the North Korean government, has demonstrated a broad range of targets, including cryptocurrency exchanges and financial institutions. Their campaigns are driven by financial profit, cyberespionage, and sabotage. Lazarus Group employs sophisticated spear-phishing emails, malware disguised in image files, and watering-hole attacks to gain initial access.

Top Attack Vectors Facing the Financial Sector

Between April 2024 and April 2025, our analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections. How are these prolific threat actor groups gaining a foothold into financial data and systems? Examining Flashpoint intelligence, malicious actors are capitalizing on third-party compromises, initial access brokers, insider threats, amongst other attack vectors:

Third-Party Compromise

Ransomware attacks targeting third-party vendors can have a direct and significant impact on financial institutions through data exposure and compromised credentials. The Clop ransomware gang’s exploitation of the MOVEit vulnerability in December 2024 serves as a stark reminder of this risk.

Initial Access Brokers (IABs)

Initial Access Brokers specialize in gaining initial access to networks and selling these access credentials to other threat groups, including ransomware operators. Their tactics include phishing, the use of information-stealing malware, and exploiting RDP credentials, posing a significant risk to financial entities. Between April 2024 and April 2025, analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections.

Insider Threat

Malicious insiders, whether recruited or acting independently, can provide direct access to sensitive data and systems within financial institutions. Telegram has emerged as a prominent platform for advertising and recruiting insider services targeting the financial sector.

Deepfake and Impersonation

The increasing sophistication and accessibility of AI tools are enabling new forms of fraud. Deepfakes can bypass traditional security measures by creating convincing audio and video impersonations. While still evolving, this threat vector, along with other impersonation tactics like BEC and vishing, presents a growing concern for the financial sector. Within the past year, analysts observed 1,238 posts across fraud-related Telegram channels discussing impersonation of individuals working for financial institutions.

Defend Against Financial Threats Using Flashpoint

The financial sector remains a high-value target, facing a persistent and evolving array of threats. Understanding the tactics, techniques, and procedures (TTPs) of these top threat actors, as well as the broader threat landscape, is crucial for financial institutions to develop and implement effective security strategies.

Flashpoint is proud to offer a dedicated threat intelligence solution for banks and financial institutions. Our platform combines comprehensive data collection, AI-powered analysis, and expert human insight to deliver actionable intelligence, safeguarding your critical assets and operations. Request a demo today to see how our intelligence can empower your security team.

Hackers Accessed University of Hawaii Cancer Center Patient Data; They Weren’t Immediately Notified

12 January 2026 at 03:09

UH officials refused to provide key information, including which cancer research project had been affected or how much UH paid the hackers to regain access to files.

The post Hackers Accessed University of Hawaii Cancer Center Patient Data; They Weren’t Immediately Notified appeared first on SecurityWeek.

Threat landscape for industrial automation systems in Q3 2025

25 December 2025 at 11:00

Statistics across all threats

In Q3 2025, the percentage of ICS computers on which malicious objects were blocked decreased from the previous quarter by 0.4 pp to 20.1%. This is the lowest level for the observed period.

Figure: Percentage of ICS computers on which malicious objects were blocked, Q3 2022–Q3 2025

Regionally, the percentage of ICS computers on which malicious objects were blocked ranged from 9.2% in Northern Europe to 27.4% in Africa.

Figure: Regions ranked by percentage of ICS computers on which malicious objects were blocked

In Q3 2025, the percentage increased in five regions. The most notable increase occurred in East Asia, triggered by the local spread of malicious scripts in the OT infrastructure of engineering organizations and ICS integrators.

Figure: Changes in the percentage of ICS computers on which malicious objects were blocked, Q3 2025

Selected industries

The biometrics sector traditionally led the rankings of the industries and OT infrastructures surveyed in this report in terms of the percentage of ICS computers on which malicious objects were blocked.

Figure: Rankings of industries and OT infrastructures by percentage of ICS computers on which malicious objects were blocked

In Q3 2025, the percentage of ICS computers on which malicious objects were blocked increased in four of the seven surveyed industries. The most notable increases were in engineering and ICS integrators, and manufacturing.

Figure: Percentage of ICS computers on which malicious objects were blocked in selected industries

Diversity of detected malicious objects

In Q3 2025, Kaspersky protection solutions blocked malware from 11,356 different malware families of various categories on industrial automation systems.

Figure: Percentage of ICS computers on which the activity of malicious objects of various categories was blocked

In Q3 2025, there was a decrease in the percentage of ICS computers on which denylisted internet resources and miners of both categories were blocked. These were the only categories that exhibited a decrease.

Main threat sources

Depending on the threat detection and blocking scenario, it is not always possible to reliably identify the source. The circumstantial evidence for a specific source can be the blocked threat’s type (category).

The internet (visiting malicious or compromised internet resources; malicious content distributed via messengers; cloud data storage and processing services and CDNs), email clients (phishing emails), and removable storage devices remain the primary sources of threats to computers in an organization’s technology infrastructure.

In Q3 2025, the percentage of ICS computers on which malicious objects from various sources were blocked decreased.

Figure: Percentage of ICS computers on which malicious objects from various sources were blocked

The same computer can be attacked by several categories of malware from the same source during a quarter. That computer is counted once for each threat category when calculating the percentage of attacked computers per category, but only once for the threat source (we count unique attacked computers). In addition, it is not always possible to accurately determine the initial infection attempt. Therefore, the sum of the percentages of ICS computers on which the various categories of threats from a given source were blocked can exceed the percentage for the source itself.

  • The main categories of threats from the internet blocked on ICS computers in Q3 2025 were malicious scripts and phishing pages, and denylisted internet resources. The percentage ranged from 4.57% in Northern Europe to 10.31% in Africa.
  • The main categories of threats from email clients blocked on ICS computers were malicious scripts and phishing pages, spyware, and malicious documents. Most of the spyware detected in phishing emails was delivered as a password-protected archive or a multi-layered script embedded in an office document. The percentage of ICS computers on which threats from email clients were blocked ranged from 0.78% in Russia to 6.85% in Southern Europe.
  • The main categories of threats that were blocked when removable media was connected to ICS computers were worms, viruses, and spyware. The percentage of ICS computers on which threats from this source were blocked ranged from 0.05% in Australia and New Zealand to 1.43% in Africa.
  • The main categories of threats that spread through network folders were viruses, AutoCAD malware, worms, and spyware. The percentages of ICS computers where threats from this source were blocked ranged from 0.006% in Northern Europe to 0.20% in East Asia.
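The counting rule described above, as an added worked example that is not part of the Kaspersky report: the fleet size and the detection records are constructed, and the function names are assumptions. It shows why summing per-category percentages for a source (each computer counted once per category) can exceed the source's own percentage (each computer counted once).

```python
from collections import defaultdict

# Constructed telemetry for one quarter: (computer_id, threat_source, threat_category).
# "ics-02" is hit by two categories from the internet and must count once per category
# but only once for the source. "ics-05" has a detection whose source could not be
# attributed, so it contributes to neither per-source figure.
FLEET_SIZE = 20  # monitored ICS computers in the constructed sample
DETECTIONS = [
    ("ics-01", "internet", "malicious_script"),
    ("ics-02", "internet", "malicious_script"),
    ("ics-02", "internet", "denylisted_resource"),
    ("ics-02", "internet", "malicious_script"),   # repeat detection on the same computer
    ("ics-03", "internet", "denylisted_resource"),
    ("ics-04", "email", "malicious_document"),
    ("ics-04", "email", "spyware"),
    ("ics-05", None, "spyware"),                  # initial source undetermined
    ("ics-06", "removable_media", "worm"),
]


def percent_by_source(detections, fleet_size):
    """Share of computers with at least one blocked object from each source.

    A computer is counted once per source no matter how many detections it had.
    """
    computers = defaultdict(set)
    for cid, source, _category in detections:
        if source is not None:
            computers[source].add(cid)
    return {s: round(100 * len(c) / fleet_size, 2) for s, c in computers.items()}


def percent_by_source_and_category(detections, fleet_size):
    """Share of computers per (source, category) pair.

    The same computer is counted once in every category that hit it, so one
    computer can appear in several of these figures for one source.
    """
    computers = defaultdict(set)
    for cid, source, category in detections:
        if source is not None:
            computers[(source, category)].add(cid)
    return {k: round(100 * len(c) / fleet_size, 2) for k, c in computers.items()}


def category_sum_by_source(detections, fleet_size):
    """Sum of the per-category percentages for each source.

    Because computers hit by several categories are counted once per category,
    this sum can exceed percent_by_source() for the same source.
    """
    totals = defaultdict(float)
    per_pair = percent_by_source_and_category(detections, fleet_size)
    for (source, _category), pct in per_pair.items():
        totals[source] += pct
    return {s: round(v, 2) for s, v in totals.items()}


if __name__ == "__main__":
    by_source = percent_by_source(DETECTIONS, FLEET_SIZE)
    by_sum = category_sum_by_source(DETECTIONS, FLEET_SIZE)
    for source in sorted(by_source):
        print(f"{source:16s} unique computers: {by_source[source]:5.2f}%  "
              f"sum of categories: {by_sum[source]:5.2f}%")
```

In the constructed sample the internet source reaches 15% of the fleet by unique computers, while its two categories add up to 20%, which is exactly the effect the report's note describes.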

Threat categories

Typical attacks blocked within an OT network are multi-step sequences of malicious activities, where each subsequent step of the attackers is aimed at increasing privileges and/or gaining access to other systems by exploiting the security problems of industrial enterprises, including technological infrastructures.

Malicious objects used for initial infection

In Q3 2025, the percentage of ICS computers on which denylisted internet resources were blocked decreased to 4.01%. This is the lowest quarterly figure since the beginning of 2022.

Figure: Percentage of ICS computers on which denylisted internet resources were blocked, Q3 2022–Q3 2025

Regionally, the percentage of ICS computers on which denylisted internet resources were blocked ranged from 2.35% in Australia and New Zealand to 4.96% in Africa. Southeast Asia and South Asia were also among the top three regions for this indicator.

The percentage of ICS computers on which malicious documents were blocked has grown for three consecutive quarters, following a decline at the end of 2024. In Q3 2025, it reached 1.98%.

Figure: Percentage of ICS computers on which malicious documents were blocked, Q3 2022–Q3 2025

The indicator increased in four regions: South America, East Asia, Southeast Asia, and Australia and New Zealand. South America saw the largest increase as a result of a large-scale phishing campaign in which attackers used new exploits for an old vulnerability (CVE-2017-11882) in Microsoft Office Equation Editor to deliver various spyware to victims’ computers. It is noteworthy that the attackers in this phishing campaign used localized Spanish-language emails disguised as business correspondence.

In Q3 2025, the percentage of ICS computers on which malicious scripts and phishing pages were blocked increased to 6.79%. This category led the rankings of threat categories in terms of the percentage of ICS computers on which they were blocked.

Figure: Percentage of ICS computers on which malicious scripts and phishing pages were blocked, Q3 2022–Q3 2025

Regionally, the percentage of ICS computers on which malicious scripts and phishing pages were blocked ranged from 2.57% in Northern Europe to 9.41% in Africa. The top three regions for this indicator were Africa, East Asia, and South America. The indicator increased the most in East Asia (by a dramatic 5.23 pp) as a result of the local spread of malicious spyware scripts loaded into the memory of popular torrent clients including MediaGet.

Next-stage malware

Malicious objects used to initially infect computers deliver next-stage malware — spyware, ransomware, and miners — to victims’ computers. As a rule, the higher the percentage of ICS computers on which the initial infection malware is blocked, the higher the percentage for next-stage malware.

In Q3 2025, the percentage of ICS computers on which spyware and ransomware were blocked increased. The rates were:

  • spyware: 4.04% (up 0.20 pp);
  • ransomware: 0.17% (up 0.03 pp).

The percentage of ICS computers on which miners of both categories were blocked decreased. The rates were:

  • miners in the form of executable files for Windows: 0.57% (down 0.06 pp). This is the lowest level since Q3 2022;
  • web miners: 0.25% (down 0.05 pp). This is also the lowest level since Q3 2022.

Self-propagating malware

Self-propagating malware (worms and viruses) is a category unto itself. Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.

To spread across ICS networks, viruses and worms rely on removable media and network folders in the form of infected files, such as archives with backups, office documents, pirated games and hacked applications. In rarer and more dangerous cases, web pages with network equipment settings, as well as files stored in internal document management systems, product lifecycle management (PLM) systems, resource management (ERP) systems and other web services are infected.

In Q3 2025, the percentage of ICS computers on which worms and viruses were blocked increased to 1.26% (by 0.04 pp) and 1.40% (by 0.11 pp), respectively.

AutoCAD malware

This category of malware can spread in a variety of ways, so it does not belong to a specific group.

In Q3 2025, the percentage of ICS computers on which AutoCAD malware was blocked slightly increased to 0.30% (by 0.01 pp).

For more information on industrial threats see the full version of the report.

From Linear to Complex: An Upgrade in RansomHouse Encryption

17 December 2025 at 12:00

Operators behind RansomHouse, a ransomware-as-a-service (RaaS) group, have upgraded their encryption methods from single-phase to complex and layered.

The post From Linear to Complex: An Upgrade in RansomHouse Encryption appeared first on Unit 42.

01flip: Multi-Platform Ransomware Written in Rust

10 December 2025 at 12:00

01flip is a new ransomware family fully written in Rust. Activity linked to 01flip points to alleged dark web data leaks.

The post 01flip: Multi-Platform Ransomware Written in Rust appeared first on Unit 42.

Flashpoint’s Top 5 Predictions for the 2026 Threat Landscape


Flashpoint’s forward-looking threat insights for security and executive teams provide the strategic foresight needed to prepare for the convergence of AI, identity, and physical security threats in 2026.

December 2, 2025

As the global threat landscape accelerates its transformation, 2026 marks an inflection point requiring defensive strategies to fundamentally shift. The volatility observed in 2025 has paved the way for an era soon to be defined by AI-weaponized autonomy, information-stealing malware, systemic instability of public vulnerability systems, and the complete convergence of digital and physical risk.

Flashpoint offers a unique window into these complexities, providing organizations with the foresight needed to navigate what lies ahead. Drawing from Flashpoint’s leading intelligence and primary source collections, we highlight five key trends shaping the 2026 threat landscape. These insights aim to help organizations not only understand what’s next but also build the resilience needed to withstand and adapt to emerging challenges.

Prediction 1: Agentic AI Threats Will Weaponize Autonomy, Forcing a New Defensive Standard

2026 will see the continued evolution of AI threats, with future attacks centering on autonomy and integration. Across the deep and dark web, Flashpoint is observing threat actors move past experimentation and into operational use of illicit AI tooling.

As attackers train custom fraud-tuned LLMs (Large Language Models) and multilingual phishing tools directly on illicit data, these AI models will become more capable. The criminal intent shaping their misuse will also become more sophisticated. Additionally, 2026 will see a greater marketplace for paid jailbreaking communities and synthetic media kits for KYC (Know Your Customer) bypass.

These advancements are enabling criminals to move beyond simple tools and engage in scaled, autonomous fraud operations, leading to two major shifts:

  1. Agentic AI is becoming the true flashpoint: Threat actors will be using agentic systems to automate reconnaissance, generate synthetic identities, and iterate on fraud playbooks in near real-time. In this SaaS ecosystem, AI will help attackers leverage subscription tiers and customer feedback loops at scale.
  2. The attack surface will shift to focus on AI Integrations: Organizations are increasingly plugging LLMs into live data streams, internal tools, identity systems, and autonomous agents. This practice often lacks the same security vetting, access controls, and monitoring applied to other enterprise systems. As such, attackers will heavily target these integrations, such as APIs, plugins, and system connections, rather than the models themselves.

The ubiquity of automation has dramatically increased attack tempo, leaving many security teams behind the curve. While automation can replace repetitive tasks across the enterprise, organizations must not make the critical mistake of substituting human judgement for AI at the intelligence level.

This is paramount because a critical threat in 2026 is Agentic AI autonomy weaponized against soft targets—API integrations and identity systems. The only winning defense will be human-led and AI-scaled, prioritizing purposeful use to keep organizations ahead of this exponential risk.

Josh Lefkowitz, CEO at Flashpoint

These evolving AI threats will force a fundamental shift in defensive strategies. Defenders will have to build their controls and oversight around AI rather than trusting it to operate on its own.

Prediction 2: Identity Compromise via Infostealers Will Become the Foundation of Every Attack

Infostealers will become the entry point, the data broker, the reconnaissance layer, and the fuel for everything that follows in a cyberattack. This shift is already in motion and accelerating rapidly: in just the first half of 2025, infostealers were responsible for 1.8 billion stolen credentials, an 800% spike from the start of the year. In 2026, however, the malware’s role will be redefined: its most valuable output will be access, rather than disruption.

Infostealers will become the upstream event that powers the rest of the attack chain. Identity and session data will be increasingly targeted, since it gives attackers immediate access into victim environments. Ransomware, fraud, data theft, and extortion will simply be downstream ways to monetize.

This upstream approach defines the new reality of the attack chain, which is already operational. Nearly every major stealer strain Flashpoint observes now exfiltrates the following:

  • Autofill PII (personally identifiable information)
  • Saved addresses
  • Phone numbers
  • Internal URLs
  • Browsing history
  • Cloud app tokens

An organization’s attack surface is no longer composed only of its own networks; it is the entire digital identity of its employees and partners. This new reality requires security teams to take a new approach. Instead of only attempting to block attacks, they must proactively detect compromised credentials before they are weaponized. This will be the difference between reacting to a data breach and preventing one.

The infostealer economy has fully industrialized the attack chain, making initial compromise a low-cost commodity. Multiple security incidents in 2025 tie back to credentials found in infostealer logs. This reality has underscored the critical importance of digital trust—specifically, verifying who can access what resources. For 2026, identity is the perimeter to watch, and security teams must proactively hunt for compromised credentials before they’re weaponized.

Ian Gray, Vice President of Intelligence at Flashpoint
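To make the “hunt for compromised credentials before they are weaponized” advice concrete, here is an added example (not Flashpoint’s code or any product’s API) that triages a constructed stealer-log sample in the common “url | username | password” layout: it keeps only records tied to domains the defender owns, stores a short hash instead of the plaintext password, and groups records by password fingerprint to surface the same password reused across sites. The domains, accounts and passwords in SAMPLE_LOG are made up, and the three-column record layout is an assumption about the dump format.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in the "url | username | password" layout that many
# stealer-log dumps use. Every host, account and password here is made up.
SAMPLE_LOG = """\
https://mail.example-bank.test/owa/ | j.doe@example-bank.test | Winter2024!
https://vpn.example-bank.test/remote/login | jdoe | Winter2024!
https://www.shopping.test/account | j.doe@example-bank.test | Winter2024!
https://portal.supplier.test/login | ops@supplier.test | hunter2
android://com.bank.app/ | j.doe | Spring2023
https://intranet.example-bank.test/ | a.smith | correct-horse
not a record at all
"""

# Domains the defender owns (assumed); anything under them is a corporate login.
ORG_DOMAINS = {"example-bank.test"}


@dataclass(frozen=True)
class Exposure:
    host: str
    username: str
    fingerprint: str  # short SHA-256 of "user:password"; plaintext is never retained
    reason: str


def in_org(name, org_domains=ORG_DOMAINS):
    """True if name is one of the org's domains or a subdomain of one."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in org_domains)


def parse_line(line):
    """Split one 'url | user | password' record; return None for junk lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 3 or not all(parts):
        return None
    return parts


def fingerprint(username, password):
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()[:16]


def triage(log_text, org_domains=ORG_DOMAINS):
    """Return the records that matter to the org, deduplicated per (host, user)."""
    seen, findings = set(), []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        url, user, password = rec
        host = (urlsplit(url).hostname or "").lower()
        user_domain = user.rsplit("@", 1)[-1] if "@" in user else ""
        if in_org(host, org_domains):
            reason = "corporate login captured"
        elif in_org(user_domain, org_domains):
            reason = "corporate identity used on a third-party site"
        else:
            continue  # someone else's exposure; not ours to act on
        key = (host, user.lower())
        if key in seen:
            continue
        seen.add(key)
        findings.append(Exposure(host, user, fingerprint(user.lower(), password), reason))
    return findings


def reuse_clusters(log_text):
    """Map a password fingerprint to the hosts it was captured on (repeats only)."""
    hosts_by_pw = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        url, _user, password = rec
        host = (urlsplit(url).hostname or "").lower()
        hosts_by_pw[hashlib.sha256(password.encode()).hexdigest()[:16]].add(host)
    return {fp: hosts for fp, hosts in hosts_by_pw.items() if len(hosts) > 1}


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.reason:45} {e.username:28} {e.host}")
    for fp, hosts in reuse_clusters(SAMPLE_LOG).items():
        print(f"password {fp} reused on {sorted(hosts)}")
```

The hashes are grouping keys for this run only; a real workflow would feed the (host, username) pairs into a forced password reset and session revocation rather than keep any credential material, and the third-party hits matter because a corporate identity reused on a shopping site is exactly the credential an attacker will try against the corporate mail or VPN login.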

Prediction 3: CVE Volatility Will Force Redundancy in Vulnerability Intelligence

The temporary funding crisis at CVE in April 2025 and the subsequent CISA stopgap extension through March 2026 exposed the systemic fragility of a centralized vulnerability intelligence model. With the future of the CVE/NVD system hanging in the balance, 2026 will be defined by the urgent need for redundancy and diversification in vulnerability intelligence.

In today’s vulnerability intelligence ecosystem, nearly every organization’s vulnerability management framework relies on CVE and NVD—including its “alternatives” such as the EUVD (European Union Vulnerability Database). The CVE system has grown into a critical global cybersecurity utility, relied upon by nearly all vulnerability scanners, SIEM platforms, patch management tools, threat intelligence feeds, and compliance reports. A complete shutdown of CVE would result in a widespread loss of institutional infrastructure.

The next generation of security needs to be built on practices that are resilient, diversified, and intelligence-driven. It should focus on actionable insights such as threat actor behavior, likelihood of exploitation in the wild, relevance to ransomware campaigns, and business context. Security teams will need to leverage a comprehensive source of vulnerability intelligence such as Flashpoint’s VulnDB that provides full coverage for CVE, while also cataloging more than 100,000 vulnerabilities missed by CVE and NVD.

Prediction 4: Executive Protection Will Remain a Critical Challenge as Cyber-Physical Threats Converge

The continued blurring of lines between cyber, physical, and geopolitical threats will elevate the risk to organizational leadership, turning executive protection into a holistic intelligence function in 2026. The rise of information warfare combined with physical world convergence means the threat to key personnel is no longer purely digital.

In the aftermath of the tragic December 2024 assassination of United Healthcare’s CEO, Flashpoint has seen the continued circulation and glorification of “wanted-style posters” of executives in extremist communities. Additionally, Flashpoint has seen nation-state actors participate, using espionage and influence to target high-value individuals.

Organizations must adopt an integrated approach that connects insights from threat actor chatter and a wealth of other OSINT sources. This fusion of intelligence is essential for applying frameworks to ensure the safety of leadership and key personnel.

Prediction 5: Extortion Shifts to Identity-Based Supply Chain Risk

2025 was marked by several large-scale extortion campaigns, demonstrating how the threat landscape is rapidly evolving. Ransomware operations have shifted into a straight extortion play. Flashpoint has observed a surge in new entrants to the ransomware market, accompanied by a decline in the quality and decorum of ransomware groups.

Furthermore, vishing campaigns attributed to “Scattered Spider” have highlighted weaknesses in identity, trust, and verification. Campaigns from “Scattered LAPSUS$ Hunters” have also exposed vulnerabilities in third-party integrations. These attacks culminated in extortion, showing that modern attacks will target trusted users and trusted applications for initial access, and will forgo ransomware in favor of data access.

As this shift continues into 2026, threat actors will increasingly focus their efforts on exploiting human behavior and identity systems. Instead of spending resources on breaching network perimeters, attackers will socially engineer employees to gain access to corporate systems at scale. This change in TTPs will greatly increase supply chain risk, especially for third parties.

Charting a Path Through an Evolving Threat Landscape with Flashpoint Intelligence

These five predictions highlight the transformative trends shaping the future of cybersecurity and threat intelligence. Staying ahead of these challenges demands more than just reactive measures—it requires actionable intelligence, strategic foresight, and cross-sector collaboration. By embracing these principles and investing in proactive security strategies, organizations can not only mitigate risks but also seize opportunities to enhance their resilience.

As the threat landscape continues to rapidly evolve, staying informed and prepared are critical components of risk mitigation. With the right tools, insights, and partnerships, security teams can navigate the complexities ahead and safeguard what matters most.


Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’

26 November 2025 at 18:22

A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father.

Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters. Members of these gangs hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.

In May 2025, SLSH members launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. The group later launched a data leak portal that threatened to publish the internal data of three dozen companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS.

The new extortion website tied to ShinyHunters, which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.

Last week, the SLSH Telegram channel featured an offer to recruit and reward “insiders,” employees at large companies who agree to share internal access to their employer’s network for a share of whatever ransom payment is ultimately paid by the victim company.

SLSH has solicited insider access previously, but their latest call for disgruntled employees started making the rounds on social media at the same time news broke that the cybersecurity firm Crowdstrike had fired an employee for allegedly sharing screenshots of internal systems with the hacker group (Crowdstrike said their systems were never compromised and that it has turned the matter over to law enforcement agencies).

The Telegram server for the Scattered LAPSUS$ Hunters has been attempting to recruit insiders at large companies.

Members of SLSH have traditionally used other ransomware gangs’ encryptors in attacks, including malware from ransomware affiliate programs like ALPHV/BlackCat, Qilin, RansomHub, and DragonForce. But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.

The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel. Previously, Rey was an administrator of the data leak website for Hellcat, a ransomware group that surfaced in late 2024 and was involved in attacks on companies including Schneider Electric, Telefonica, and Orange Romania.

A recent, slightly redacted screenshot of the Scattered LAPSUS$ Hunters Telegram channel description, showing Rey as one of three administrators.

Also in 2024, Rey would take over as administrator of the most recent incarnation of BreachForums, an English-language cybercrime forum whose domain names have been seized on multiple occasions by the FBI and/or by international authorities. In April 2025, Rey posted on Twitter/X about another FBI seizure of BreachForums.

On October 5, 2025, the FBI announced it had once again seized the domains associated with BreachForums, which it described as a major criminal marketplace used by ShinyHunters and others to traffic in stolen data and facilitate extortion.

“This takedown removes access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors,” the FBI said.

Incredibly, Rey would make a series of critical operational security mistakes last year that provided multiple avenues to ascertain and confirm his real-life identity and location. Read on to learn how it all unraveled for Rey.

WHO IS REY?

According to the cyber intelligence firm Intel 471, Rey was an active user on various BreachForums reincarnations over the past two years, authoring more than 200 posts between February 2024 and July 2025. Intel 471 says Rey previously used the handle “Hikki-Chan” on BreachForums, where their first post shared data allegedly stolen from the U.S. Centers for Disease Control and Prevention (CDC).

In that February 2024 post about the CDC, Hikki-Chan says they could be reached at the Telegram username @wristmug. In May 2024, @wristmug posted in a Telegram group chat called “Pantifan” a copy of an extortion email they said they received that included their email address and password.

The message that @wristmug cut and pasted appears to have been part of an automated email scam that claims it was sent by a hacker who has compromised your computer and used your webcam to record a video of you while you were watching porn. These missives threaten to release the video to all your contacts unless you pay a Bitcoin ransom, and they typically reference a real password the recipient has used previously.

“Noooooo,” the @wristmug account wrote in mock horror after posting a screenshot of the scam message. “I must be done guys.”

A message posted to Telegram by Rey/@wristmug.

In posting their screenshot, @wristmug redacted the username portion of the email address referenced in the body of the scam message. However, they did not redact their previously-used password, and they left the domain portion of their email address (@proton.me) visible in the screenshot.

O5TDEV

Searching on @wristmug’s rather unique 15-character password in the breach tracking service Spycloud finds it is known to have been used by just one email address: cybero5tdev@proton.me. According to Spycloud, those credentials were exposed at least twice in early 2024 when this user’s device was infected with an infostealer trojan that siphoned all of its stored usernames, passwords and authentication cookies (a finding that was initially revealed in March 2025 by the cyber intelligence firm KELA).

Intel 471 shows the email address cybero5tdev@proton.me belonged to a BreachForums member who went by the username o5tdev. Searching on this nickname in Google brings up at least two website defacement archives showing that a user named o5tdev was previously involved in defacing sites with pro-Palestinian messages. The screenshot below, for example, shows that 05tdev was part of a group called Cyb3r Drag0nz Team.

Rey/o5tdev’s defacement pages. Image: archive.org.

A 2023 report from SentinelOne described Cyb3r Drag0nz Team as a hacktivist group with a history of launching DDoS attacks and cyber defacements as well as engaging in data leak activity.

“Cyb3r Drag0nz Team claims to have leaked data on over a million of Israeli citizens spread across multiple leaks,” SentinelOne reported. “To date, the group has released multiple .RAR archives of purported personal information on citizens across Israel.”

The cyber intelligence firm Flashpoint finds the Telegram user @05tdev was active in 2023 and early 2024, posting in Arabic on anti-Israel channels like “Ghost of Palestine” [full disclosure: Flashpoint is currently an advertiser on this blog].

‘I’M A GINTY’

Flashpoint shows that Rey’s Telegram account (ID 7047194296) was particularly active in a cybercrime-focused channel called Jacuzzi, where this user shared several personal details, including that their father was an airline pilot. Rey claimed in 2024 to be 15 years old, and to have family connections to Ireland.

Specifically, Rey mentioned in several Telegram chats that he had Irish heritage, even posting a graphic that shows the prevalence of the surname “Ginty.”

Rey, on Telegram claiming to have association to the surname “Ginty.” Image: Flashpoint.

Spycloud indexed hundreds of credentials stolen from cybero5dev@proton.me, and those details indicate that Rey’s computer is a shared Microsoft Windows device located in Amman, Jordan. The credential data stolen from Rey in early 2024 show there are multiple users of the infected PC, but that all shared the same last name of Khader and an address in Amman, Jordan.

The “autofill” data lifted from Rey’s family PC contains an entry for a 46-year-old Zaid Khader that says his mother’s maiden name was Ginty. The infostealer data also shows Zaid Khader frequently accessed internal websites for employees of Royal Jordanian Airlines.

MEET SAIF

The infostealer data makes clear that Rey’s full name is Saif Al-Din Khader. Having no luck contacting Saif directly, KrebsOnSecurity sent an email to his father Zaid. The message invited the father to respond via email, phone or Signal, explaining that his son appeared to be deeply enmeshed in a serious cybercrime conspiracy.

Less than two hours later, I received a Signal message from Saif, who said his dad suspected the email was a scam and had forwarded it to him.

“I saw your email, unfortunately I don’t think my dad would respond to this because they think its some ‘scam email,'” said Saif, who told me he turns 16 years old next month. “So I decided to talk to you directly.”

Saif explained that he’d already heard from European law enforcement officials, and had been trying to extricate himself from SLSH. When asked why then he was involved in releasing SLSH’s new ShinySp1d3r ransomware-as-a-service offering, Saif said he couldn’t just suddenly quit the group.

“Well I cant just dip like that, I’m trying to clean up everything I’m associated with and move on,” he said.

The former Hellcat ransomware site. Image: Kelacyber.com

He also shared that ShinySp1d3r is just a rehash of Hellcat ransomware, except modified with AI tools. “I gave the source code of Hellcat ransomware out basically.”

Saif claims he reached out on his own recently to the Telegram account for Operation Endgame, the codename for an ongoing law enforcement operation targeting cybercrime services, vendors and their customers.

“I’m already cooperating with law enforcement,” Saif said. “In fact, I have been talking to them since at least June. I have told them nearly everything. I haven’t really done anything like breaching into a corp or extortion related since September.”

Saif suggested that a story about him right now could endanger any further cooperation he may be able to provide. He also said he wasn’t sure if the U.S. or European authorities had been in contact with the Jordanian government about his involvement with the hacking group.

“A story would bring so much unwanted heat and would make things very difficult if I’m going to cooperate,” Saif said. “I’m unsure whats going to happen they said they’re in contact with multiple countries regarding my request but its been like an entire week and I got no updates from them.”

Saif shared a screenshot that indicated he’d contacted Europol authorities late last month. But he couldn’t name any law enforcement officials he said were responding to his inquiries, and KrebsOnSecurity was unable to verify his claims.

“I don’t really care I just want to move on from all this stuff even if its going to be prison time or whatever they gonna say,” Saif said.

The Dual-Use Dilemma of AI: Malicious LLMs

25 November 2025 at 12:00

The line between research tool and threat creation engine is thin. We examine the capabilities of WormGPT 4 and KawaiiGPT, two malicious LLMs.


Tips to make your summer travels cyber safe

17 June 2025 at 15:51

Ready, set, pack! Summer travel season is here and that means family road trips, beach vacations, international adventures and more. While summertime is prime time for getaways, did you know it’s also prime time for online fraud? Scammers are targeting the travel industry, putting millions of travelers at increased risk. Research shows that the travel and tourism sector ranked third in cyberattacks, with nearly 31% of hospitality organizations experiencing a data breach and a record 340 million people affected by cybercrimes. According to Mastercard, travel-related fraud in 2024 increased by 18% during the summer peak season and 28% in the winter peak season. 

Why travelers are prime targets

Being in an unfamiliar environment can put your personal information at risk if you’re relying on public Wi-Fi networks, using shared devices, and carrying valuable personal and business data on mobile devices. Let’s be honest, when you go into “vacation mode” and start relaxing, it’s only natural that you might also start letting your guard down. Even the best trips can have stressful moments, and when you miss a flight or get lost in a new destination, it’s easy to become less vigilant about protecting your cybersecurity. This is especially true when you travel to foreign countries. In fact, 90% of international travelers admit to risky tech practices while abroad. Fewer than 1 in 3 travelers (31%) protect their data with a virtual private network (VPN) when traveling internationally.

What to know before you go

Believe it or not, the risks to your data security start long before your vacation begins. As soon as you start booking your trip, the cybercriminals start circling. Fraud rates in sectors associated with the early stages of trip planning increased more than 12% between 2023 and 2024. At a time when inflation and economic pressures are on the rise, people are looking for deep discounts, and scammers are seizing the opportunity to steal your private data and your money.

  • Fake travel websites and rental listings: When you find a killer price on a luxury cruise, a European tour or an oceanfront Airbnb, take another look before you book! Scammers use phony offers, manipulated destination photos, and fake confirmation links to lure victims into “purchasing” great travel deals. Always double check and confirm you’re dealing with a legitimate website or listing before you hand over any credit card information.
  • Phishing scams: Phishing scams that target travel-related platforms are on the rise. Cybercriminals pose as legitimate organizations and use fake emails, text messages and phone calls to lure you into giving up financial information. These messages often ask you to click on links that embed malicious software onto your device and steal your sensitive data. In 2024, the travel website booking.com reported a 500%-900% increase in travel-related phishing scams. This rise was attributed to the large number of scams using AI, making it easier for criminals to mimic trusted sources. If you get a suspicious message, call the company or go to their website and log in directly before clicking on any links.
  • Loyalty fraud: Loyalty fraud, also known as points fraud, happens when scammers steal points or personal information from a loyalty program. The travel industry is especially vulnerable to this type of attack because so many travel-related companies, including travel agents, cruise lines, airlines and hotels, offer points programs for frequent travelers. Thieves often access loyalty accounts with credentials stolen in a data breach. Be sure to create strong passwords for your accounts and check your balances regularly.

Pre-trip security

Before you hit the road, help protect your digital data and devices with a few simple security practices.

  • Alert your financial institutions: Only about half of travelers (52%) alert their financial institutions before traveling abroad, but it’s a powerful way to fight cybercrime. When banks and credit card companies know your travel plans, it’s much easier for them to flag any suspicious transactions.
  • Turn off your Bluetooth: Bluetooth technology automatically creates wireless connections and can give cybercriminals the ability to see what apps and websites you’re logged into. Only 44% of travelers say they make sure to turn off their Bluetooth signal, but it’s a simple way to thwart hackers. It’s also a good idea to turn off device sharing features and update your passwords before a trip.
  • Update your Wi-Fi setting: Joining unknown Wi-Fi networks is very risky and can open up your personal data to hackers. Since public Wi-Fi often has weak security, it’s important that your phone doesn’t connect to unsecured networks automatically. Make sure to go into your phone settings and disable auto-join for unknown Wi-Fi networks. It’s a simple way to add a layer of protection when you travel.
  • Use “Find My Device” features: Enable the tracking features on your devices that can locate them if they’re lost or stolen – Find My device for iOS and Find Hub for Android.

Cybersecurity travel risks

  • Rental cars: Did you know that the simple act of syncing your phone to your rental car’s infotainment system can expose your sensitive information to cybercrime? Your phone contains all kinds of information that hackers can use, including contacts, text messages, passwords and more. Infotainment systems store your information each time you connect, and it stays there unless you manually delete it. Security experts say while 57% of people sync their phones to rental cars, only half of them take steps to remove their information. Always remember to delete your profile and data from your rental car before returning it!
  • Screen snoopers: Be cautious of screen snoopers (aka shoulder surfers) who try to see the activity on your laptop or phone in public places like planes, airports, and restaurants. To prevent hackers from stealing your passwords and other private information, use privacy screen protectors to shield your screens from prying eyes and always stay aware of your surroundings.
  • Airport and hotel Wi-Fi: Always be wary of public Wi-Fi networks when you’re on the road. They’re often unprotected and can make it easy for cybercriminals to intercept your data. Poor Wi-Fi security at airports and hotels can allow hackers to swipe your credentials, lock you out of accounts, and even demand a ransom for your stolen data. To stay safe online on public Wi-Fi, purchase a VPN for your devices, like Webroot’s Secure VPN.
  • Fake hotspot attacks: Fraudsters often set up fake hotspots to steal your information. Sometimes they alter the name of a genuine hotspot slightly (Starbucks-Coffee instead of StarbucksCoffee) to trick you into connecting. Always double-check the full network name before logging on to a public hotspot. Also, check to see if the site is using encryption. Legitimate sites that begin with “https” protect your information and make it unreadable to hackers.
  • Charging stations: Public charging stations are super convenient when you’re running low on battery, but they can also pose security risks. Cybercriminals can install malicious software on these stations to steal your device’s data, a tactic known as juice jacking. Always avoid plugging directly into public charging stations and play it safe by packing your own wall chargers, car chargers and external batteries when you travel.
  • Business centers and airport lounges: Business centers and lounges typically provide desktop computers for simple tasks like checking emails or printing boarding passes. While convenient, these public computers may be risky, as attackers can plant malware or install hardware that records your keystrokes. When traveling, use your personal devices whenever possible.
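The lookalike-hotspot point above (Starbucks-Coffee versus StarbucksCoffee) is easy to check mechanically before you tap “connect”. The following is an added example, not part of the Webroot post, that normalizes network names the way a spoofed name exploits them (case, punctuation, spacing, digit-for-letter swaps) and flags any scanned name that matches a trusted network only after normalization or only approximately. TRUSTED_SSIDS, the confusable-character map and the 0.8 similarity threshold are assumptions made for the example.

```python
import difflib
import unicodedata

# Networks the traveller has deliberately chosen to trust (constructed names).
TRUSTED_SSIDS = {"StarbucksCoffee", "Airport_Free_WiFi", "HotelGuest"}

# Characters a spoofer swaps in because they look alike on a phone screen (assumed map).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})

# Similarity above which a non-identical name is treated as a lookalike (assumed threshold).
LOOKALIKE_RATIO = 0.8


def canonical(ssid):
    """Collapse case, punctuation, whitespace and digit-for-letter swaps."""
    s = unicodedata.normalize("NFKC", ssid).casefold().translate(CONFUSABLES)
    return "".join(ch for ch in s if ch.isalnum())


def classify(ssid, trusted=TRUSTED_SSIDS):
    """Return 'trusted', 'lookalike' or 'unknown' for one scanned network name."""
    if ssid in trusted:
        return "trusted"
    c = canonical(ssid)
    for t in trusted:
        tc = canonical(t)
        # Identical after normalization, or merely close: either way not the real name.
        if c == tc or difflib.SequenceMatcher(None, c, tc).ratio() >= LOOKALIKE_RATIO:
            return "lookalike"
    return "unknown"


def review_scan(scanned, trusted=TRUSTED_SSIDS):
    """Return the (ssid, verdict) pairs from a scan that deserve a second look."""
    verdicts = [(s, classify(s, trusted)) for s in scanned]
    return [v for v in verdicts if v[1] == "lookalike"]


if __name__ == "__main__":
    # Constructed scan result standing in for what a Wi-Fi picker would list.
    scan = ["StarbucksCoffee", "Starbucks-Coffee", "STARBUCKS C0FFEE", "HomeNetwork"]
    for name, verdict in review_scan(scan):
        print(f"{verdict:10} {name}")
```

A check like this only catches names that differ from the real one; a rogue access point can advertise the exact same SSID, which is why the post’s advice to confirm HTTPS and use a VPN still applies even on a network whose name looks right.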

Travel safety best practices

  • Use Wi-Fi networks safely: Always mark the connection as a public network in your device settings, and do not enable auto-reconnect. Always confirm an HTTPS connection when browsing the internet. Avoid accessing websites that require you to supply personal data, such as social security numbers.
  • Avoid financial sites: Refrain from checking your personal banking apps or financial information over public Wi-Fi.
  • Use VPN protection: A VPN encrypts your internet connection, providing a secure channel for your data. Webroot Secure VPN gives you security and peace of mind by protecting your personal information when you’re on public Wi-Fi.
  • Enable two-factor authentication: Use two-factor authentication (TFA) on your accounts and devices. Adding an extra layer of security to your accounts can prevent unauthorized access.
  • Limit public posts about your location: Avoid sharing specific details about your location and travel plans on social media to prevent potential targeting by scammers.
  • Check mobile device settings: Adjust the screen settings on your devices to allow for a shorter automatic sleep feature. Implement screen locks, biometric security, and privacy settings for location services.
  • Bring portable chargers: Avoid using public charging stations by bringing your own power sources.
  • Install comprehensive security software: Use antivirus solutions to safeguard you from online threats, including bank fraud and identity theft. Webroot Total Protection offers comprehensive security, including real-time threat detection and response, automatic updates, and cloud backup. Other features include Wi-Fi security monitoring, secure browsing, and password management.

No matter what your summer destination, make cybersecurity part of your travel plans. From securing your Wi-Fi connection and turning off Bluetooth to enabling two-factor authentication, small steps can make a big difference. Let Webroot keep all your digital data safe while you’re on the go. Then all you have to worry about is remembering to turn on your out-of-office reply!


Build strong digital defenses for your entire family

28 May 2025 at 20:37

The month of June is a time for fun in the sun and a break from the school year, but did you know it’s also the perfect time to step up your family’s online security? June is Internet Safety Month, a yearly reminder to strengthen your defenses against online threats. In today’s hyper-connected world, we use the internet for just about everything, from shopping to banking to streaming and work. That goes for your kids as well. Many of their favorite activities, including gaming and connecting with friends on social media, are connected to the internet. While all this access means added convenience, it also means constant threats to your family’s online safety.

From phishing scams to malware, hackers are constantly looking for ways to exploit weaknesses in cybersecurity systems and software. Their goal is always the same: to get access to personal data and use it for profit. The rising numbers tell the story. In 2024, the FBI’s Internet Crime Complaint Center (IC3) received more than 850,000 cybercrime complaints, with reported losses exceeding $10.3 billion. This is partly due to the increase in data breaches. Studies show that 51% of Americans report they’ve been victims of a data breach, and 64% say they’ve changed their online behavior for fear of escalating online threats like ransomware and identity theft.

Keep summer screen time safe

It’s not just adults getting targeted online. Children and teens are increasingly exposed to scams (even extortion scams), cyberbullying, and inappropriate content—especially during summer when screen time surges. A recent Pew Research study found that 45% of teens are online almost constantly. So how do you let your kids enjoy their screens safely? Webroot Total Protection and Webroot Essentials offer parental controls that make it easy to manage your children’s online activity and content access. You can block specific websites, filter out inappropriate content and set daily limits on computer time. You can also monitor what sites your kids visit and interact with, and even tailor different levels of protection for each child. Whether your kids are watching YouTube, chatting on Discord, or gaming with friends, it’s a simple way to keep them safe without having to hover over them every time they’re online. 

Protect every device

As we spend more time on our mobile devices, cybercriminals are following suit. A recent security report shows that 70% of fraud is now carried out through mobile channels. From phones and tablets to laptops, the mobile devices your family relies on daily are brimming with personal data. Now more than ever, we need to take steps to protect ourselves and our family. Webroot Essentials provides multi-device protection with real-time threat intelligence. Whether you’re on Android, iOS, Windows or Mac, all the devices in your household are constantly safeguarded against the latest online threats.

Strengthen your password security

Are you still using passwords like your dog’s name and 123? And what about your kids? Chances are their Roblox passwords aren’t as tough to hack as they should be. If there’s one weak link in most people’s security, it’s their passwords. Cybercriminals know that, and they’re taking full advantage. In fact, the 2025 Verizon Data Breach Investigations Report found 81% of data breaches were caused by compromised passwords. Here are some tips to keep all your family’s passwords secure.

  • Make it complicated: It’s important to create long and complex passwords and avoid using anything that’s easy to guess. That means no “Password” or “123456”. It also means no pet names or kid’s names, since hackers can often find those details on social media.
  •  Don’t recycle: Never use the same login for more than one account. It may be easier to remember, but if your username and password for one account are exposed in a data breach, hackers can use them to try and break into all your other accounts.
  • Use a password manager: Let a password manager save you some headaches by doing the hard work for you. Webroot solutions include password managers that store credentials and credit card information and automatically fill in login information, so the whole family can stay secure without having to remember every login. Be careful storing your credit card information on shared devices. You don’t want a shipment of 70,000 lollipops at your door.

Defend against social engineering scams

It’s important to stay aware of the latest online threats. Social engineering scams are designed to gain your trust and then trick you into sharing sensitive details by clicking on fake links or downloading malicious software. The most common type of social engineering is phishing. In a phishing attack, hackers pretend to be someone you trust and use fraudulent emails, texts and websites to try and steal personal information.

Scammers often use phishing to target children. They pose as friends, influencers, or game platforms to trick them into clicking fake links and handing over details like credit card numbers. These scams often start with an offer of an exciting reward or a prize. Take some time to talk with your kids about these common scams.

  • Fake game reward scams: Kids are offered free in-game currency on a popular platform like Fortnite, then asked to click phony links and provide sensitive details. It’s important to remind your children to redeem rewards through official game platforms only and never enter login or payment information into random pop-ups or suspicious links.
  • Social media impersonation scams: Scammers create fake social media profiles to pose as a friend, classmate, or influencer, and use stolen photos or AI-generated content to build seemingly legitimate profiles. The goal is to trick kids into clicking dangerous links or downloading malware. Make sure your children know that even if someone looks familiar, they may not be who they say they are.
  • Friendship and romance scams: A scammer builds an emotional connection with a child, then starts asking for sensitive info like Social Security numbers, photos, or money. Remind your kids that if someone won’t use video chat or meet in person, they’re probably not legitimate. Also remind your children, adding people to your social media friends group
  • Influencer giveaway scams: Fake influencer accounts host phony contests and message “winners” asking for a fee or bank account details. Remind your kids that they should only follow verified social media accounts, and that a real contest won’t ask them to pay to redeem a prize.

Secure your home network

Home security means more than just deadbolts and alarms. With smart TVs, video doorbells, and wireless thermostats, our homes are more connected than ever. While all these Internet of Things (IoT) devices make our lives more convenient, each one is a potential entry point for hackers. Webroot Secure VPN provides encrypted connections for safe browsing at home. When your family is on the go, it protects your online privacy on unsecured networks and shields your personal information from cyberthieves.

Internet safety checklist

  • Update all your operating systems and applications to the latest versions – make sure to do the same for your kids.
  • Enable automatic updates for software and security for the entire family.
  • Run a full system scan to detect any existing malware on all devices in your household.
  • Enable multi-factor authentication on all critical accounts.
  • Create unique passwords for each online account.
  • Change passwords for your family’s most important accounts often, such as banking, email, and social media.
  • Review settings on all social media accounts and make sure all kids’ profiles are private.
  • Check app permissions, especially on your kids’ devices.
  • Clear all browser cookies and caches monthly.
  • Be cautious with suspicious links or unknown senders. Be sure the whole family knows to verify sender addresses before responding to requests for information or clicking any links.
  • Consider comprehensive online security with Webroot Total Protection, which includes antivirus and identity protection, unlimited cloud backup, and up to $1 million in identity theft expense reimbursement. Get protection for up to ten devices and peace of mind that your family’s digital lives are secure.

Cybercriminals never take a break and neither should you. Internet Safety Month is the perfect opportunity to step up the digital safety of your entire household. And remember – online security isn’t just an annual event. Your sensitive data deserves year-round protection, and you can get it with family-friendly solutions from Webroot. Don’t wait for a data breach or other disaster to take action. Keep your kids safe and your data secure by strengthening your digital defenses today!

Looking for more information?

Avoiding Scams that Target Kids and Teens

Protecting Young Online Gamers

How Americans View Data Privacy

Social Security Numbers and Identity Theft

Protect Yourself from AI-Enabled Phishing

Common Types of Phishing Attacks

Why Use a Password Manager?

Defending Your Digital Identity from Evolving Threats

The post Build strong digital defenses for your entire family appeared first on Webroot Blog.

The danger of data breaches — what you really need to know

22 April 2025 at 17:09

In today’s digital world, your personal data is like cold hard cash, and that’s why cyberthieves are always looking for ways to steal it. Whether it’s an email address, a credit card number, or even medical records, your personal information is incredibly valuable in the wrong hands.

For hackers, breaking into a company database is like hitting the mother lode, giving them access to millions of personal records. Why? Because whether you know it or not, many companies are collecting and storing your private data. Think about all the information you hand over when you order something online, like your full name, your credit card number, your home address, and maybe even your birthdate just to snag an extra discount. If a company you do business with becomes part of a data breach, cybercriminals may have full access to your confidential information.

Unfortunately, data breaches are on the rise and affecting more companies and consumers than ever. In 2024, more than 1.3 billion people received notices that their information was exposed in a data breach. Chances are you’ve received at least one of these letters, which means you have been put at risk for identity theft and major financial losses.

What are data breaches and how do they happen?

Data breaches occur when sensitive, protected, or confidential data is hacked or leaked from a company or organization. Sometimes businesses are targeted because they have outdated or weak security. While no industry is immune, some sectors are more likely to become victims of breaches because of the sensitive nature of the data they handle. Here are some of the most likely targets for access to consumer data:

  • Healthcare organizations: Healthcare companies are a prime target for cybercrime due to the large amounts of sensitive data they store, which includes personal information and medical records. In 2024, there were 14 data breaches involving 1 million or more healthcare records. The largest breach affected an estimated 190 million people and a ransom of 22 million dollars was collected by the hackers.
  • Financial services industry: Banks, insurance companies and other financial organizations offer a wealth of opportunity for hackers who can use stolen bank account and credit card information for their own financial gain. In 2024, mortgage lender LoanDepot was the victim of a cyberattack that compromised the information of more than 16 million individuals.
  • Retail and e-commerce: Retail and ecommerce businesses are vulnerable to breaches because they handle and store vast amounts of customer payment information, including addresses, credit card numbers and more. Many retailers operate both brick-and-mortar stores and ecommerce platforms and rely on a variety of mobile apps, PoS (point-of-sale) systems, and cloud-based platforms, which creates more entry points for hackers to exploit.
  • Tech companies: With access to user data, software systems and intellectual property, tech firms are frequent targets. Apple, Twitter and Meta have all reportedly been victims of cyberattacks.
  • Government agencies: Because government organizations store highly sensitive information, such as Social Security numbers, they are considered especially high-value targets for cyberattacks.

The most-wanted data

The type of information stolen in data breaches varies depending on the organization, but here’s a list of the kind of data cybercriminals are seeking:

  • Emails and passwords
  • Payment and credit card information
  • Medical records and health data
  • Social Security numbers
  • Driver’s license numbers
  • Banking details and account numbers

What hackers do with your data

Once data is exposed in a breach, cybercriminals will test your usernames and password combinations across thousands of sites, knowing that most people recycle their emails and passwords. Here are just some of the ways hackers exploit your stolen information:

  • Identity theft: Hackers use your personal info to impersonate you. They can open accounts in your name, apply for loans, and even file false tax returns.
  • Selling it on the dark web: Stolen data is frequently sold to the highest bidder on dark web marketplaces. This makes it accessible to a worldwide network of criminals.
  • Phishing and social engineering: Using your personal information, scammers can craft more convincing phishing emails or messages to trick you into giving up even more sensitive details, like passwords and PIN numbers.
  • Financial exploitation: When your credit card numbers or bank account details are compromised, cyber thieves can use that information to make financial transactions in your name. They can rack up charges on your credit cards and even drain your bank accounts.
  • Data reuse and repurposing: It’s important to remember that your stolen information can be used for fraud and theft even years after a data breach, so it’s crucial to stop using recycled usernames and passwords on both old and new accounts or systems.
  • Hijacking online accounts: If your login credentials (usernames and passwords) are leaked, all your online accounts are put at risk. Besides your financial accounts, cyber thieves can also access your social media accounts and other platforms, leading to a major loss of privacy in addition to monetary losses.
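The credential testing described above, where one source tries a stolen username and password list across many accounts, has a recognizable shape in authentication logs: one IP, many distinct usernames, a very high failure rate, and the occasional success. The following detector is an added example, not code from Webroot or from the original post; the log format, thresholds and sample lines are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not real data), one per line:
# "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>"
# 203.0.113.7 tries a dozen different accounts in a few seconds (credential stuffing);
# 198.51.100.5 is one user mistyping their own password twice; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2025-04-22T10:00:01 203.0.113.7 alice FAIL
2025-04-22T10:00:02 203.0.113.7 bob FAIL
2025-04-22T10:00:02 203.0.113.7 carol FAIL
2025-04-22T10:00:03 203.0.113.7 dave FAIL
2025-04-22T10:00:03 203.0.113.7 erin SUCCESS
2025-04-22T10:00:04 203.0.113.7 frank FAIL
2025-04-22T10:00:04 203.0.113.7 grace FAIL
2025-04-22T10:00:05 203.0.113.7 heidi FAIL
2025-04-22T10:00:05 203.0.113.7 ivan FAIL
2025-04-22T10:00:06 203.0.113.7 judy FAIL
2025-04-22T10:00:06 203.0.113.7 mallory FAIL
2025-04-22T10:00:07 203.0.113.7 niaj FAIL
2025-04-22T10:01:00 198.51.100.5 alice FAIL
2025-04-22T10:01:10 198.51.100.5 alice FAIL
2025-04-22T10:01:20 198.51.100.5 alice SUCCESS
2025-04-22T10:02:00 192.0.2.9 bob SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_auth_log(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of crashing the detector
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=10, min_fail_ratio=0.8):
    """Flag source IPs that try many *different* usernames with a high failure rate
    inside a sliding time window. A single user retrying their own password has one
    distinct username and is not flagged, which keeps false positives down."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the window start so that evs[start..end] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            fails = sum(1 for e in chunk if not e[3])
            fail_ratio = fails / len(chunk)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                candidate = {
                    "source_ip": ip,
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "fail_ratio": round(fail_ratio, 3),
                    # accounts the attacker got into: these need a forced password reset
                    "compromised_accounts": sorted({e[2] for e in chunk if e[3]}),
                }
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

The distinct-username count is what separates credential stuffing from an ordinary forgotten password, and the `compromised_accounts` list is the actionable output: those are the accounts whose reused password worked and should be reset and told about it.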

How to minimize the risks

  • Stay alert: Be on the lookout for any signs of fraud and use an identity protection plan to guard against suspicious activity. Webroot Total Protection monitors the dark web for you and sends alerts if your email or personal information has been found in a breach.
  • Use strong, unique passwords: Strong, unique passwords are a simple, yet powerful security tool. Webroot Essentials plans offer password managers that do the hard work for you, keeping all your passwords safe and encrypted while you remember just one password for a quick and seamless login on every site and app.
  • Enable two-factor authentication (2FA): Turn on two-factor authentication wherever possible, especially for financial accounts and email. This adds an extra step to your login process and makes it much harder for hackers to gain access. Also, remember to update and reset your passwords on a regular basis and always delete any old, unused online accounts.
  • Keep your devices protected: Always keep your device software updated and use antivirus and internet security software. Webroot Premium protects your devices from malware, viruses and phishing attempts and provides identity protection so you’re immediately alerted if your information is leaked in a data breach or found on the dark web. If you do become a victim of identity theft, you’ll have 24/7 U.S.-based customer support and up to $1 million in expense reimbursement.
  • Update your identity protection plan: Remember to keep your identity protection plan updated, so your personal details like birthdate, Social Security number and driver’s license number are current. Make sure all your family members are onboarded, especially children and older relatives. Also, get real time fraud detection by setting up threshold alerts on your financial accounts so you’re notified of any suspicious transactions as soon as they occur.
  • Monitor constantly: It’s important to remember that even if your personal data was exposed years ago, it can still resurface and cause problems at any time. Especially when it comes to children and the elderly, suspicious financial activity can happen without their knowledge and go undetected. For example, it’s not uncommon for a young student to find out they have a poor credit score only when they try to open their first credit card account. The student, who had no idea that a cybercriminal used their information for fraudulent purposes, is then forced to go through a difficult and costly process to restore their good credit. Most identity protection plans include monitoring and remediation, even if the fraud happened years ago and is affecting you or your family today.

Data breaches are a fact of life in the digital world we live in, but you can protect yourself with some smart security measures. By using strong passwords, password managers, antivirus software, and identity protection plans, you can reduce your risk of becoming a victim of cybercrime, and even get help to restore your identity, your financial losses and your reputation.

It’s like putting a lock on your personal data. When it comes to your sensitive information, it’s always better to be safe than sorry.

Looking for more information and solutions?

Top cyberthreats of 2025

Keeping educational systems secure

How to keep your personal data safe

Protect yourself from identity theft

Safeguarding your devices from malware

The post The danger of data breaches — what you really need to know appeared first on Webroot Blog.

The Seven Phases of a Ransomware Attack: A Step-by-Step Breakdown of the Attack Lifecycle


Understanding the anatomy of a ransomware attack empowers security teams to strengthen defenses, reduce the risk of successful attacks, and protect organizations from the serious consequences of a ransomware incident

July 10, 2023

Ransomware attacks are pervasive and devastating, targeting organizations and causing havoc on operations, finances, and reputation. To defend against these threats, security teams must understand the ransomware attack lifecycle.

As reliance on digital systems and networks increases, the risk of ransomware attacks grows exponentially. These attacks can cripple businesses, disrupt services, compromise data, and lead to significant financial losses. Cybercriminals continually evolve their tactics, demanding constant adaptation from security teams.

In this blog, we will explore the intricacies of ransomware, breaking down the attack lifecycle. Understanding this anatomy empowers security teams to strengthen defenses, reduce the risk of successful attacks, and protect organizations from the serious consequences of a ransomware incident.

Phase 1: Reconnaissance and target selection

Phase 1 of a ransomware attack involves the threat actor researching and selecting organizations to attack. During this phase, threat actors identify potential targets and gather critical information about them.

Identifying potential targets

Threat actors engage in reconnaissance to identify organizations that are more likely to yield a high return on their malicious activities. They carefully assess factors such as the industry, size, financial stability, and the value of the data held by the potential targets. Organizations that heavily rely on their digital infrastructure and are more likely to pay a ransom to regain access to critical systems and data are prime targets.

Techniques used for reconnaissance

Threat actors employ various techniques to gather information during the reconnaissance phase. These techniques may include passive reconnaissance, where they collect publicly available data from websites, social media platforms, and professional networking sites. They may also utilize active reconnaissance, such as scanning for open ports and vulnerabilities, conducting phishing campaigns to gather employee information, or leveraging third-party sources like leaked databases and dark web forums.

Vulnerability factors

Several factors can make organizations more vulnerable to targeting during the reconnaissance phase: 

  • Lack of Security Awareness: Organizations that do not prioritize cybersecurity awareness and training for their employees may inadvertently provide attackers with valuable information through social engineering tactics.
  • Inadequate Patch Management: Failure to promptly apply software patches and updates leaves systems vulnerable to known vulnerabilities that threat actors can exploit.
  • Weak Access Controls: Poorly managed user accounts, weak passwords, and insufficient access controls increase the likelihood of unauthorized access to sensitive systems and data.
  • Absence of Network Segmentation: If an organization’s network lacks proper segmentation, a successful initial access point can provide attackers with the opportunity to move laterally within the network and escalate privileges.
  • Lack of Monitoring and Detection: Organizations that lack robust monitoring and detection capabilities may not notice the initial signs of a reconnaissance attempt, allowing threat actors to proceed undetected.

Phase 2: Initial access

Phase 2 of a ransomware attack is the critical stage where threat actors strive to gain initial access to an organization’s network and systems.

During this stage, threat actors employ a range of techniques to achieve initial access, including:

  • Phishing Emails: One of the most common and successful methods, threat actors craft convincing emails designed to deceive recipients into clicking on malicious links or opening infected attachments.
  • Exploit Kits: These toolkits contain prepackaged exploits that target vulnerabilities in software, commonly used web browsers, or plugins. By visiting compromised websites, unsuspecting users can unwittingly trigger the exploit kit and grant the attacker initial access.
  • Vulnerable Software: Exploiting weaknesses in software, particularly outdated or unpatched applications, is another avenue threat actors may exploit to gain a foothold within an organization’s network. This was recently observed through CLOP’s use of the MOVEit and GoAnywhere MFT vulnerabilities to attack over 100 organizations globally.
VulnDB’s vulnerability intelligence record highlighting the severity and importance of the MOVEit vulnerability.

Social engineering tactics play a significant role in the success of initial access attempts. Threat actors exploit human psychology to deceive individuals and gain access to sensitive information or systems.

Pretexting, where a false scenario or pretext is created to gain the target’s trust, and baiting, which offers enticing rewards or incentives, are common social engineering tactics used to manipulate individuals. Moreover, tailgating—or taking advantage of individuals holding doors open for others—can be used to gain unauthorized physical access to secure areas within an organization.

Phase 3: Lateral movement and privilege escalation

Once threat actors have gained initial access to an organization’s network and systems, they proceed to Phase 3 of a ransomware attack: lateral movement and privilege escalation. 

This stage involves the navigation and expansion of their reach within the compromised network. Threat actors explore the compromised network to locate valuable data, critical systems, and potential targets for encryption.

They employ lateral movement, traversing through the network to gain control over multiple machines, servers, or devices, which increases the likelihood of finding and encrypting valuable information while making it challenging for defenders to contain the attack.

Threat actors may use several techniques to achieve lateral movement.

  • Exploiting Misconfigurations: They take advantage of misconfigured network shares, weak or shared passwords, and unsecured remote desktop protocols (RDP) to gain unauthorized access to other systems within the network.
  • Credential Theft and Reuse: They employ various tactics to steal or acquire legitimate user credentials, such as using keyloggers, credential harvesting, or compromising administrative accounts. These stolen credentials are then reused to move laterally within the network.
  • Pass-the-Hash: This technique involves stealing hashed credentials from compromised systems and using them to authenticate and gain access to other systems without needing to know the plaintext passwords.

Once within the network, threat actors seek to escalate their privileges. By elevating their access rights, they gain increased control over critical systems and can maneuver more freely within the network. Privilege escalation techniques may include:

  • Exploiting Vulnerabilities: They identify vulnerabilities in software, operating systems, or network configurations that can be leveraged to elevate their privileges. This may involve exploiting unpatched systems or misconfigured permissions.
  • Leveraging Stolen Credentials: If threat actors have successfully stolen credentials during the initial access phase, they can use these credentials to escalate their privileges within the network, gaining administrative or higher-level access.
  • Abusing Trusted Applications or Services: They manipulate trusted applications or services that have higher privileges or access rights to gain elevated permissions within the network.

It is important to note that lateral movement and privilege escalation are not necessarily linear processes. Threat actors adapt their tactics based on the network’s topology, security measures, and available targets, maneuvering opportunistically within the network.
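From the defender's side, the lateral movement described in this phase leaves a characteristic footprint in logon telemetry: one account, launched from one source host, authenticating to many different machines in a short span, often from a host that account never normally uses. The detector below is an added example, not Flashpoint's code; the event tuples are constructed and only loosely modelled on the fields of a Windows successful-logon record, and the baseline of known source hosts is an assumption for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events (not real telemetry):
# (timestamp, account, source_host, target_host, logon_type)
# Logon type 3 = network (file shares, remote admin tools), 10 = RemoteInteractive (RDP).
SAMPLE_LOGONS = [
    ("2023-07-10T09:00:00", "svc_backup", "WS-17", "FS-01", 3),
    ("2023-07-10T09:00:05", "svc_backup", "WS-17", "FS-02", 3),
    ("2023-07-10T09:00:09", "svc_backup", "WS-17", "DB-01", 3),
    ("2023-07-10T09:00:14", "svc_backup", "WS-17", "APP-03", 10),
    ("2023-07-10T09:00:20", "svc_backup", "WS-17", "DC-01", 3),
    ("2023-07-10T09:00:25", "svc_backup", "WS-17", "HR-01", 3),
    ("2023-07-10T08:30:00", "jsmith", "WS-04", "FS-01", 3),
    ("2023-07-10T08:45:00", "jsmith", "WS-04", "MAIL-01", 3),
    ("2023-07-10T11:00:00", "jsmith", "WS-04", "FS-01", 3),
    ("2023-07-10T09:10:00", "svc_backup", "BACKUP-01", "FS-01", 3),
]

# Assumed baseline of where each account normally logs on from (constructed for the demo).
KNOWN_SOURCES = {
    "svc_backup": {"BACKUP-01"},
    "jsmith": {"WS-04"},
}


def detect_lateral_fanout(events, known_sources, window=timedelta(minutes=10), min_hosts=5):
    """Flag (account, source_host) pairs that reach at least `min_hosts` distinct
    target hosts inside `window`, and note when the source host is outside the
    account's baseline. A user touching a file server and a mail server is not flagged."""
    grouped = defaultdict(list)
    for ts, account, src, dst, ltype in events:
        grouped[(account, src)].append((datetime.fromisoformat(ts), dst, ltype))

    alerts = []
    for (account, src), evs in grouped.items():
        evs.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(evs)):
            # keep evs[start..end] within the time window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            targets = {e[1] for e in chunk}
            if len(targets) >= min_hosts:
                candidate = {
                    "account": account,
                    "source_host": src,
                    "targets": sorted(targets),
                    "logon_types": sorted({e[2] for e in chunk}),
                    "first_seen": chunk[0][0].isoformat(),
                    "last_seen": chunk[-1][0].isoformat(),
                    # a service account used from a workstation is itself a strong signal
                    "new_source_host": src not in known_sources.get(account, set()),
                }
                if best is None or len(targets) > len(best["targets"]):
                    best = candidate
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_fanout(SAMPLE_LOGONS, KNOWN_SOURCES):
        print(alert)
```

Keying on the (account, source host) pair rather than the account alone matters: the same service account legitimately reaching one file server from its own backup host does not pollute the score for its abuse from a workstation, and the `new_source_host` flag gives the analyst the reason to escalate rather than just a count.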

Phase 4: Deployment of ransomware payload

In Phase 4 of a ransomware attack, threat actors execute their ultimate objective: deploying the ransomware payload. This phase involves the encryption of the victim’s files and the subsequent demand for a ransom payment.

Ransomware comes in various forms, each with its own characteristics and objectives. Some common types include:

  • Encryption Ransomware: This type of ransomware encrypts the victim’s files, rendering them inaccessible until a decryption key is obtained by paying the ransom. Examples include notorious strains like WannaCry and Ryuk.
  • Locker Ransomware: Locker ransomware locks the victim out of their system or specific applications, denying access to the device or critical functionalities. It often displays a ransom message directly on the victim’s screen, demanding payment to regain access.
  • Hybrid Ransomware: Hybrid ransomware combines elements of both encrypting and locker ransomware. It encrypts files while simultaneously locking the victim out of the system, amplifying the impact and urgency of the attack.

To deploy the ransomware payload effectively, threat actors may leverage various techniques including:

  • Email Attachments and Links: Malicious attachments or links embedded within phishing emails are a common delivery method for ransomware. Opening the attachment or clicking on the link initiates the download and execution of the ransomware payload.
  • Drive-by Downloads: By visiting compromised or malicious websites, victims unknowingly trigger the download and execution of ransomware through vulnerabilities in their web browsers or plugins.
  • Exploit Kits: Exploit kits can exploit vulnerabilities in software or operating systems to deliver ransomware onto the victim’s system. The kits automatically detect and target vulnerabilities, enabling threat actors to distribute the ransomware payload more efficiently.

Ransomware-as-a-Service (RaaS) and its role in the attack lifecycle

Ransomware-as-a-Service (RaaS) has emerged as a significant contributor to the proliferation of ransomware attacks. RaaS allows less technically skilled threat actors to access ransomware tools and infrastructure developed by more sophisticated actors. It operates on a profit-sharing model, where the developers take a percentage of the ransom payments. RaaS lowers the barrier to entry for cybercriminals, enabling the widespread distribution and execution of ransomware attacks.

Recommended Reading: The History and Evolution of Ransomware Attacks

RaaS platforms provide aspiring threat actors with user-friendly interfaces, technical support, and even customer service. They often offer customization options, allowing attackers to tailor the ransomware to their specific targets. The availability of RaaS has led to a surge in ransomware attacks globally, as it empowers a wider range of cybercriminals to participate in these lucrative campaigns.

Flashpoint’s monthly ransomware infographic highlighting the most prevalent groups, industries, and nations involved in ransomware events.

Phase 5: Encryption and impact

The true consequences of the attack begin to unfold during the encryption and impact phase. During this phase, threat actors encrypt the victim’s files and inflict significant damage on their systems. 

Ransomware employs sophisticated encryption algorithms to lock the victim’s files, rendering them inaccessible without the decryption key. The encryption process typically targets a wide range of file types, including documents, images, videos, databases, and more. Threat actors often use strong encryption algorithms like RSA or AES to ensure the victim cannot decrypt the files without the decryption key.

As the encryption process unfolds, the victim’s files become unusable, with each file typically receiving a unique encryption key. The ransomware may also overwrite or modify the original file, making recovery without the decryption key even more challenging. The impact on the victim’s systems can be severe, leading to operational disruption, data loss, financial consequences, and reputational damage.
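The encryption run described above is visible from the endpoint side before the ransom note appears: in a short span, many files on one host are rewritten with contents that have near-maximal byte entropy (the signature of ciphertext) under extensions where that is not expected, often with a new extension appended. The following detector is an added example and not Flashpoint's code; the file-write observations, host names, paths and thresholds are constructed for the demo, and the high-entropy filler is a hash chain standing in for ciphertext, not an encryption routine.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Extensions where high entropy is normal (already compressed or encrypted formats),
# so a user saving a photo or an archive is not mistaken for mass encryption.
COMPRESSED_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(seed: str, size: int) -> bytes:
    """Deterministic high-entropy filler used only to build the sample data
    (constructed for the demo; a SHA-256 hash chain, not a cipher)."""
    out = bytearray()
    block = seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


PLAINTEXT = b"Quarterly report: revenue grew 4% while costs held flat. " * 80

# Constructed file-write observations (not real telemetry): (timestamp, host, path, contents).
# WS-04 is a user saving a note and a photo; WS-17 rewrites eight spreadsheets in eight seconds.
SAMPLE_WRITES = [
    ("2023-07-10T14:00:00", "WS-04", "C:/Users/jsmith/notes.txt", PLAINTEXT),
    ("2023-07-10T14:00:30", "WS-04", "C:/Users/jsmith/photo.jpg", pseudo_random_bytes("jpg", 4096)),
] + [
    (f"2023-07-10T14:05:{i:02d}", "WS-17", f"D:/Finance/report{i}.xlsx.locked",
     pseudo_random_bytes(f"file{i}", 4096))
    for i in range(8)
]


def detect_mass_encryption(writes, window=timedelta(minutes=2), min_files=5,
                           entropy_threshold=7.5):
    """Per host, flag bursts of at least `min_files` writes within `window` whose
    contents are high-entropy under an extension where that is unexpected."""
    per_host = defaultdict(list)
    for ts, host, path, data in writes:
        ext = os.path.splitext(path)[1].lower()
        if ext in COMPRESSED_OK:
            continue
        if shannon_entropy(data) >= entropy_threshold:
            per_host[host].append((datetime.fromisoformat(ts), path))

    alerts = []
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(evs)):
            # keep evs[start..end] within the time window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            if len(chunk) >= min_files:
                candidate = {
                    "host": host,
                    "suspicious_files": len(chunk),
                    # a single unfamiliar extension across all hits is typical of a ransomware run
                    "extensions": sorted({os.path.splitext(p)[1] for _, p in chunk}),
                    "first_seen": chunk[0][0].isoformat(),
                    "sample_paths": [p for _, p in chunk[:3]],
                }
                if best is None or candidate["suspicious_files"] > best["suspicious_files"]:
                    best = candidate
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_encryption(SAMPLE_WRITES):
        print(alert)
```

Entropy alone is a weak signal (compressed media and archives score just as high), which is why the extension allowlist and the per-host burst rate are combined with it; in a real deployment the `first_seen` timestamp is the point to isolate the host, since files written after it are the ones to prioritize in restoration from backup.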

The consequences of a successful ransomware attack can be devastating for both organizations and individuals, and often entail many of the following:

  • Operational Disruption: Ransomware attacks can cripple an organization’s operations, causing significant disruptions and downtime. Critical systems may become inaccessible, leading to productivity losses, delayed services, and financial repercussions.
  • Data Loss and Corruption: If proper backups are not in place, victims may lose access to their valuable data permanently. Ransomware may also corrupt files during the encryption process, making recovery even more challenging.
  • Financial Losses: Organizations may face substantial financial losses due to ransom payments, costs associated with recovery and remediation efforts, and potential regulatory penalties. Moreover, there may be indirect financial impacts stemming from reputational damage and customer loss.
  • Reputational Damage: Publicly disclosed ransomware attacks can tarnish an organization’s reputation. Clients, partners, and stakeholders may lose trust in the organization’s ability to protect sensitive information, leading to a loss of business opportunities and customer confidence.
  • Legal and Regulatory Ramifications: Depending on the nature of the compromised data, organizations may face legal and regulatory consequences, especially if personal or sensitive information is involved. Violations of data protection regulations can result in significant fines and legal liabilities.

Phase 6: Extortion and communication

In Phase 6 of a ransomware attack, threat actors establish communication with their victims and begin the process of extortion. At this time, they’ll demand ransom payments in exchange for providing the decryption keys or access to the victim’s systems. 

During this phase, threat actors initiate contact with the victim to convey their demands and establish a line of communication. They often use anonymizing technologies, such as the Tor network, to mask their identities and make it difficult to trace their activities. Communication can occur through various channels, including email, instant messaging platforms, or even dedicated ransom negotiation portals set up by the attackers.

Threat actors employ different methods to demand ransom payments from their victims. These may include:

  • Bitcoin or Cryptocurrency Payments: Threat actors typically demand ransom payments in cryptocurrencies, such as Bitcoin, due to the pseudonymous and decentralized nature of these currencies, which makes them difficult to trace.
  • Payment Deadlines and Threats: Threat actors often impose strict deadlines for payment, accompanied by threats of permanently deleting the decryption keys or increasing the ransom amount if the deadline is not met. These tactics aim to pressure victims into complying with their demands.
  • Proof of Data Exfiltration: In some cases, threat actors may claim to have exfiltrated sensitive data from the victim’s systems and threaten to publicly release it unless the ransom is paid. This adds an additional layer of pressure and urgency for victims to comply.

Engaging or not engaging with threat actors during the extortion phase raises legal and ethical considerations. Organizations must carefully evaluate their options:

  • Legal Considerations: Paying the ransom may be illegal in some jurisdictions or against organizational policies. Additionally, organizations may have legal obligations to report the incident, particularly if personal or sensitive data has been compromised.
  • Funding Criminal Activities: Paying the ransom may contribute to funding further criminal activities, as the money can be used to finance future attacks. Supporting cybercriminals through ransom payments perpetuates the ransomware ecosystem.
  • No Guarantee of Decryption: There is no guarantee that threat actors will provide the decryption keys or restore access to the victim’s systems even after the ransom is paid. Organizations must consider the risk of paying the ransom and not receiving the promised outcome.
  • Cyber Insurance Coverage: Organizations with cyber insurance policies should consult with their insurance providers regarding their coverage and the implications of paying the ransom.

It is crucial for organizations to consult legal counsel, law enforcement agencies, and experienced incident response professionals before making any decisions regarding ransom payment. Each situation is unique, and a thorough evaluation of the risks, legal obligations, and ethical considerations is necessary.

Phase 7: Recovery and mitigation

The recovery and mitigation phase of an attack is where organizations focus on restoring systems, recovering encrypted data, and implementing measures to prevent future attacks.

Recovering from a ransomware attack requires a systematic approach. Key strategies for recovering encrypted data and restoring systems include:

  • Isolate and Contain: Immediately isolate the affected systems to prevent further spread of the ransomware. Disconnect compromised devices from the network and shut them down to mitigate the risk of re-infection.
  • Incident Analysis: Conduct a thorough analysis of the incident to identify the ransomware variant, its impact, and the compromised systems. This analysis can help determine the appropriate recovery strategy.
  • Data Restoration: If backups are available, restore data from clean and secure backups. It is crucial to ensure backups are offline or properly protected to prevent them from being compromised by the ransomware.
  • Decrypting Data: In some cases, decryption tools may be available from trusted sources, such as law enforcement agencies or security companies. These tools can help decrypt files without paying the ransom. However, this is not always possible, depending on the specific ransomware variant.
  • System Rebuilding: In situations where data restoration is not feasible or backups are unavailable, organizations may need to rebuild affected systems from scratch using known good configurations and software.

Effectively responding to ransomware incidents requires a well-defined incident response plan, and may include some of these best practices:

  • Incident Response Plan: Develop a comprehensive incident response plan that outlines the steps to be taken in the event of a ransomware attack. This plan should include roles and responsibilities, communication protocols, and predefined actions for different scenarios.
  • Rapid Response: Ensure you have the alerting capabilities to act swiftly and decisively to contain the attack, isolate affected systems, and initiate the recovery process. Promptly engage internal IT teams, incident response experts, and relevant stakeholders.
  • Communication and Notification: Establish clear lines of communication both internally and externally. Notify appropriate personnel, such as legal, PR, and executive teams, and consider legal and regulatory obligations for disclosing incidents involving compromised data.
  • Forensic Investigation: Conduct a thorough forensic investigation to understand the root cause, identify the attack vector, and collect evidence for potential legal actions or future prevention measures.
  • Employee Awareness and Training: Continuously educate employees about the risks of ransomware, phishing, and social engineering. Regularly train staff on cybersecurity best practices, including strong password management, recognizing suspicious emails, and reporting incidents promptly.

Prevention is key in mitigating future ransomware attacks. Implementing proactive security measures can significantly reduce the risk and impact of such incidents. Consider these important measures:

  • Patch Management: Regularly apply security patches and updates to operating systems, software, and firmware to address known vulnerabilities that threat actors often exploit.
  • Endpoint Protection: Deploy robust antivirus and anti-malware solutions, along with advanced endpoint detection and response (EDR) tools to detect and block malicious activities.
  • Network Segmentation: Implement network segmentation to restrict lateral movement and contain the impact of an attack. Separating critical systems from the rest of the network helps prevent the rapid spread of ransomware.
  • Least Privilege Access: Enforce the principle of least privilege, granting users only the necessary access rights required to perform their duties. This minimizes the potential damage that can be caused by compromised accounts.
  • Regular Data Backups: Maintain regular, encrypted, and secure offline backups of critical data. Regularly test the restoration process so that you know the backups are viable for recovery in the event of a ransomware incident, before you need them.
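The last item above, testing that a backup is actually restorable, is the one most often skipped. The script below is an added example (not Flashpoint's code): it records a SHA-256 manifest when a backup is taken and then verifies a restored tree against that manifest, separating untouched files from modified, missing and unexpected ones. The directory layout and file contents are constructed in a temporary directory, and the `.locked` suffix used to simulate a ransomware-encrypted file is an assumption for the demo, not any specific family's extension.

```python
"""Backup integrity check: build a SHA-256 manifest at backup time, then verify a
restored tree against it before trusting the restore (added example, not
Flashpoint's code; all sample files below are constructed)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree to the manifest taken at backup time.

    Returns sorted lists under 'ok', 'modified', 'missing' and 'unexpected'.
    'unexpected' catches files the backup never had, such as renamed or
    ransom-note files that would indicate the backup itself was touched."""
    current = build_manifest(restored)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Construct a backup and a tampered restore, and return the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup"
        (src / "db").mkdir(parents=True)
        (src / "db" / "ledger.csv").write_text("acct,balance\n1,100\n")
        (src / "config.yaml").write_text("mode: prod\n")
        (src / "readme.txt").write_text("constructed sample\n")
        manifest = build_manifest(src)

        # Simulated restore from media that ransomware reached after the manifest
        # was taken: one file overwritten, one renamed with an assumed '.locked'
        # suffix, one left intact.
        restored = Path(tmp) / "restored"
        (restored / "db").mkdir(parents=True)
        (restored / "db" / "ledger.csv").write_text("ENCRYPTED")
        (restored / "config.yaml.locked").write_bytes(b"\x00\x01")
        (restored / "readme.txt").write_text("constructed sample\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

Run this against a scheduled test restore and treat any non-empty `modified`, `missing` or `unexpected` list as a failed restore test; the manifest itself should live with the offline copy, not on the systems being backed up.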

Know your enemy

Ransomware attacks continue to evolve, becoming more sophisticated and widespread. Threat actors adapt their tactics, techniques, and tools to exploit vulnerabilities and maximize their financial gain. As such, ongoing vigilance and adaptation are essential.

But at each stage of a ransomware attack, robust threat intelligence can stop an emerging risk in its tracks and minimize—or even prevent—damage to your organization.

An effective threat intelligence program enables you to understand threat actors and their TTPs each step of the way. Critical capabilities for your threat intelligence program include:

  • Vulnerability intelligence that gives practitioners access to real-time, comprehensive information so that they can understand the scope of the incident and develop effective response strategies to make faster, informed decisions and mitigate the attack. 
  • A robust alerting system that allows security practitioners to set up customizable, automated ransomware alerts of leaked assets as a result of an extortion incident, and gain insight into the extent of exposure and damage.
  • Real-time and continuous data collection that includes background and assessments of the vulnerability, status updates with timelines, known victims, change logs, and intelligence that contributes to a more holistic understanding of a risk and informs decision-making.
  • A managed attribution solution that allows intelligence teams to shift from defense to offense by enabling security teams to safely and anonymously conduct investigations.
  • Robust risk management practices and incident response plans in place in order to respond effectively and recover from security breaches.

Flashpoint’s ransomware dashboard provides an up-to-date, easy-to-consume view of global ransomware trends, victims, as well as the ransomware groups themselves.

To learn more about how Flashpoint empowers security teams to prevent and respond to ransomware attacks, begin a free trial, or watch this video to discover the top ways to prevent an attack at your organization.

Request a demo today.

Lessons From Clop: Combating Ransomware and Cyber Extortion Events


Lessons From Clop: Combating Ransomware and Cyber Extortion Events

Recent attacks from Clop emphasize the importance of implementing an organization-wide ransomware and cyber extortion strategy, from preparedness to detection and isolation

June 27, 2023

Lessons from Clop

It’s been one month since the Clop ransomware group began exploiting the MOVEit vulnerability (CVE-2023-34362; VulnDB ID: 322555) to claim nearly 100 victims across the globe, many of which have been made public. This attack comes on the heels of Clop leveraging the GoAnywhere MFT vulnerability (CVE-2023-0669), which led them to claim they’d illegally obtained information for more than 100 companies.

When a ransomware or cyber extortion event occurs, security teams are racing against the clock:

  • What do we know about the cybercriminal group that’s claiming responsibility for an attack or double extortion?
  • Is our organization affected? If so, what is the extent of the breach and its impact on our systems, networks, people, and data?
  • How do we respond to and mitigate the situation?

Flashpoint Ignite’s finished intelligence is readily available to all teams to help mitigate risk across the entire organization.

These questions are of vital importance to organizations across the public and private sectors. And the recent Clop attacks—which affected organizations across the globe in nearly every vertical—are yet another example of why it’s vital to have proactive defense measures in place.

Targeting upstream data providers

First, it’s vital to have a deep understanding of the adversary, such as a RaaS (ransomware-as-a-service) group like Clop. Here are five ways that ransomware groups like Clop attack targets, as well as the threat vectors they have been seen to exploit:

  1. Supply chain attacks. As illustrated through MOVEit, Clop often targets upstream software vendors or service providers so that it can cast a wide net. A number of the known Clop victims are companies who were attacked via a third-party vendor. Attackers like Clop may exploit vulnerabilities in the communication or data exchange between these companies, or compromise the software or hardware components supplied by third-party providers to inject malicious code or backdoors.
  2. Cloud Service Providers (CSP). If a cloud service provider experiences a security breach, it can potentially impact third parties that utilize their cloud services in several ways. Clop successfully breached a cloud service provider, giving them potential access to highly sensitive information.
  3. Managed Service Providers (MSPs), who inherently have access to clients’ IT infrastructure, are also a lucrative target for ransomware groups like Clop as they service a multitude of businesses. 
  4. Software vulnerabilities are common, as ransomware groups often exploit known vulnerabilities in widely used software. Here, Clop exploited MOVEit, a file transfer software used by organizations globally, to install a malicious web shell called LEMURLOOT.
  5. Zero-days. Ransomware groups may also exploit zero-day vulnerabilities, or previously unknown security flaws, in software leveraged by a wide range of organizations.  

Putting vulnerabilities into context

VulnDB’s vulnerability intelligence record highlighting the severity and importance of the MOVEit vulnerability.

Clop’s use of the MOVEit and GoAnywhere MFT vulnerabilities provides us with two recent high-profile examples of the power and impact of the group’s attacks—as well as the damage they can have on victims.

It also shines a bright light onto the level of information and context that CTI analysts and vulnerability management teams require in order to better prioritize and take action on the vulnerabilities likely to be used in ransomware and other attacks. 

Tools such as Flashpoint’s VulnDB can unpack vulnerabilities like MOVEit in order to provide practitioners with access to real-time, comprehensive information so that they can understand the scope of the incident and develop effective response strategies to make faster, informed decisions and mitigate the attack. 

This includes information about 300,000 vulnerabilities, including thousands not listed in the public source, as well as robust metadata and numerous prioritization and prediction metrics, including:

  • a CVSS score
  • social risk score
  • EPSS score
  • ransomware likelihood score
  • supplemental information on which versions of software may be affected

Furthermore, when equipped with this context, vulnerability practitioners should be able to gain an active understanding of how the software, services, and other third-party assets they use are affected.

Alerting for faster awareness and remediation

Speed is crucial when responding to or setting up defenses for a ransomware or cyber extortion event. In order to stay current on known exploits and better understand potential organization risks, vulnerability managers, analysts, and researchers should be able to set up customizable, automated ransomware alerts of leaked assets as a result of an extortion incident, and gain insight into the extent of exposure and damage. 

The combination of threat intelligence and vulnerability intelligence is a powerful weapon against adversaries. For instance, when a ransomware event occurs, vulnerability practitioners should be able to easily raise their awareness levels by using a robust alerting system. From there, they can quickly drill down into supplemental information to identify if exploits are being shared, see which threat actors are discussing the vulnerability across all illicit and open-source communities (e.g., forums, chats, ransomware sites, paste sites, blogs, and social media), and better assess the risk.

Flashpoint’s ransomware dashboard provides an up-to-date, easy-to-consume view of global ransomware trends, victims, as well as the ransomware groups themselves.
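The automated "leaked asset" alerting described above comes down to matching new leak-site listings against what the organization cares about: its own domains and names, and the third parties that hold its data. The block below is an added example and not Flashpoint's alerting code. The victim listings, the organization's watchlist and every name and domain in them are constructed sample data (fictitious, using reserved `.example` domains); the watchlist fields are an assumption about what a team would configure.

```python
"""Match ransomware leak-site listings against an organization's watchlist and
raise alerts (added example, not Flashpoint's code; all records are constructed)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Listing:
    group: str    # ransomware group that posted the claim
    victim: str   # victim name exactly as it appears on the leak site
    domain: str   # domain claimed by the group ("" if none is given)
    posted: str   # date of the listing, ISO 8601


@dataclass
class Watchlist:
    own_domains: Set[str]
    own_names: Set[str]
    # vendor domain -> what data that third party holds on our behalf (assumed field)
    vendors: Dict[str, str] = field(default_factory=dict)


def normalize(name: str) -> str:
    """Collapse case, punctuation and whitespace so 'Example-Bank PLC' matches 'example bank plc'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _strip_www(domain: str) -> str:
    d = domain.lower().strip()
    return d[4:] if d.startswith("www.") else d


def match_listings(listings: List[Listing], wl: Watchlist) -> List[dict]:
    """Return one alert per listing that names the organization or a watched vendor.

    A listing for the organization itself is 'critical'; a listing for a vendor
    that holds its data is 'high', since exposure has to be confirmed with the
    vendor. Subdomains of a watched domain count as hits."""
    own_names = {normalize(n) for n in wl.own_names}
    alerts = []
    for item in listings:
        d = _strip_www(item.domain)
        own_hit = d in wl.own_domains or any(d.endswith("." + o) for o in wl.own_domains)
        vendor_hit = next((v for v in wl.vendors if d == v or d.endswith("." + v)), None)
        if own_hit or normalize(item.victim) in own_names:
            alerts.append({"severity": "critical", "reason": "own organization listed",
                           "group": item.group, "victim": item.victim, "posted": item.posted})
        elif vendor_hit:
            alerts.append({"severity": "high",
                           "reason": f"third party {vendor_hit} listed (holds: {wl.vendors[vendor_hit]})",
                           "group": item.group, "victim": item.victim, "posted": item.posted})
    return alerts


def demo() -> List[dict]:
    """Constructed watchlist and leak-site feed; returns the alerts they produce."""
    wl = Watchlist(own_domains={"examplebank.example"},
                   own_names={"Example Bank", "Example Bank PLC"},
                   vendors={"transfer-vendor.example": "customer statements via managed file transfer"})
    feed = [
        Listing("Clop", "Example-Bank PLC", "", "2023-06-15"),           # name only, no domain
        Listing("Clop", "Transfer Vendor Inc", "files.transfer-vendor.example", "2023-06-16"),
        Listing("LockBit", "Unrelated Co", "unrelated.example", "2023-06-16"),
        Listing("Clop", "Some Other Bank", "WWW.examplebank.example", "2023-06-17"),  # domain match
    ]
    return match_listings(feed, wl)


if __name__ == "__main__":
    for a in demo():
        print(a["severity"], a["group"], a["victim"], "-", a["reason"])
```

The vendor branch is what turns a leak-site feed into third-party risk monitoring: a hit on a file-transfer or payroll provider is an early signal that the organization's own data may be in the listing even though its name never appears.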

Understanding incidents as they unfold

Gaining continuous intelligence and context on ransomware attacks is vital throughout an attack, which often extends for weeks in the public sphere (and undoubtedly longer behind closed doors). It is therefore important to ensure that your organization is being provided with an active understanding of the situation as it unfolds in real-time—beyond vulnerability intelligence.

Flashpoint’s Intelligence Team, for example, delivers to customers incident pages and regular updates that communicate the most important details of an extortion event in progress. This includes background and assessments of the vulnerability, status updates with timelines, known victims, change logs, and intelligence that contributes to a more holistic understanding of a risk and informs decision-making.

Managed attribution for investigations

A managed attribution solution allows intelligence teams to shift from defense to offense by enabling security teams to safely and anonymously conduct investigations. Analysts will often access or download files from a ransomware blog to verify if their organization was impacted in the incident. While doing so, it’s vital to protect and keep your organization safe via a secure research environment that is isolated from analyst browsers, computers and network infrastructure. Flashpoint’s Managed Attribution solution allows security teams to interact with files, conduct online investigations, and browse safely without risk to their organization.   

Ransomware response and readiness

To quickly assess, contain, and mitigate the impact of such incidents, it is crucial for organizations to have robust risk management practices in place. This includes conducting thorough due diligence when selecting third-party vendors, assessing their security practices, actively monitoring their security posture, and implementing contractual obligations and security controls to protect the company’s interests. 

Additionally, it’s crucial to have incident response plans in place in order to respond effectively and recover from security breaches. In the event that an organization is impacted by ransomware, having a well-practiced incident response plan can greatly minimize damages. This includes:

  • Creating an Incident Response playbook
  • Holding mandatory training sessions for employees
  • Enabling staff members to proactively thwart attacks

Ransomware and cyber extortion events are undoubtedly stressful and challenging, but there are practical and proven ways to lessen that burden to reduce risk across your organization. To learn more about how Flashpoint empowers security teams to prevent and respond to ransomware attacks, contact us, sign up for a free trial, or watch this video to understand the top ways to prevent a ransomware attack at your organization.


Risk Intelligence Index: Cyber Threat Landscape by the Numbers


Risk Intelligence Index: Cyber Threat Landscape by the Numbers

Flashpoint’s monthly look at the cyber risk ecosystem affecting organizations around the world, including intelligence, news, data, and analysis about ransomware, vulnerabilities, insider threats, and takedowns of illicit forums and shops.

April 13, 2023

Ransomware

Flashpoint’s latest ransomware infographic paints a sobering picture of the evolving threat landscape, as cybercriminals employ increasingly sophisticated—and effective—tactics. Last month, our analysts observed a total of 397 ransomware attacks.

Key takeaways for the state of ransomware

  • Organizations in the United States bore the brunt of ransomware attacks, accounting for a staggering 211 incidents—a 66 percent increase compared to last month.
  • The top three industries targeted by ransomware were Professional Services, Internet Software & Services, and Construction & Engineering.
  • Clop ransomware has emerged as one of the most active ransomware groups, securing the second spot in March’s top 10 ranking. Last month, Clop garnered attention by exploiting a remote code execution vulnerability—allegedly enabling them to acquire data from over 100 organizations, although they only disclosed a few victim names on their blog.

Vulnerabilities

According to our intelligence, 2,245 new vulnerabilities were reported in March, with 379 of them being missed by the Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD).

Key takeaways for the state of vulnerability intelligence

  • Approximately 34 percent of March’s disclosed vulnerabilities are rated as high-to-critical in severity, which if exploited, could pose a significant risk to an organization’s security posture.
  • Over 78 percent of March’s vulnerabilities are remotely exploitable, meaning that if threat actors are able to leverage these issues, they can execute malicious code no matter where the device is located.
  • Nearly 29 percent of March’s vulnerabilities already have a documented public exploit, which drastically lessens the difficulty to exploit.
  • Vulnerability Management teams can potentially lessen workloads by nearly 88 percent by first focusing on actionable, high severity vulnerabilities—i.e., vulnerabilities that are remotely exploitable, have a public exploit, and have a viable solution; 253 of March’s vulnerabilities meet these criteria.
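The filter in the last bullet (remotely exploitable, public exploit, viable solution, high severity) and the prioritization metrics listed in the Clop post above (CVSS, social risk, EPSS, ransomware likelihood, affected versions) fit together as a simple triage pass. The block below is an added example, not VulnDB's scoring or code: it applies that filter to a constructed feed, ranks what survives by the exploitation-likelihood signals, and reports how much of the feed the filter removed. The record identifiers are placeholders, not real CVEs, and the 0-1 scale assumed for the social risk and ransomware likelihood scores is an assumption, since the text names the metrics but not their ranges.

```python
"""Triage a vulnerability feed with the 'actionable, high severity' filter from the
text and rank the shortlist (added example, not VulnDB's scoring; all records
are constructed placeholders, not real CVEs)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Vuln:
    vid: str                      # feed identifier (placeholder)
    cvss: float                   # CVSS base score, 0-10
    epss: float                   # EPSS probability, 0-1
    social_risk: float            # assumed 0-1: level of illicit-community discussion
    ransomware_likelihood: float  # assumed 0-1: likelihood of use in ransomware
    remote: bool                  # remotely exploitable
    public_exploit: bool          # a public exploit is documented
    solution_available: bool      # a vendor fix or viable solution exists
    affected_versions: str        # supplemental version information


def actionable(v: Vuln, min_cvss: float = 7.0) -> bool:
    """The text's filter: remote, public exploit, viable solution, high severity."""
    return v.remote and v.public_exploit and v.solution_available and v.cvss >= min_cvss


def awaiting_fix(feed: List[Vuln]) -> List[Vuln]:
    """Remote with a public exploit but no fix yet: not patchable, so these need
    compensating controls (segmentation, exposure reduction) rather than a ticket."""
    return [v for v in feed if v.remote and v.public_exploit and not v.solution_available]


def prioritize(feed: List[Vuln]) -> Tuple[List[Vuln], float]:
    """Return the ranked actionable shortlist and the fraction of the feed removed."""
    shortlist = [v for v in feed if actionable(v)]
    # Likelihood-of-exploitation signals first, raw severity as the tie-breaker.
    shortlist.sort(key=lambda v: (v.ransomware_likelihood, v.epss, v.cvss), reverse=True)
    reduction = 1.0 - len(shortlist) / len(feed) if feed else 0.0
    return shortlist, reduction


def sample_feed() -> List[Vuln]:
    """Constructed feed: eight placeholder records, three of which pass the filter."""
    return [
        Vuln("VULN-0001", 9.8, 0.92, 0.9, 0.8, True,  True,  True,  "<= 2.1.3"),
        Vuln("VULN-0002", 7.5, 0.40, 0.3, 0.9, True,  True,  True,  "5.0 - 5.4"),
        Vuln("VULN-0003", 9.1, 0.85, 0.7, 0.6, True,  True,  False, "all"),       # no fix yet
        Vuln("VULN-0004", 5.3, 0.10, 0.1, 0.1, True,  True,  True,  "< 1.0"),     # below threshold
        Vuln("VULN-0005", 7.8, 0.05, 0.0, 0.2, False, True,  True,  "3.x"),       # local only
        Vuln("VULN-0006", 8.8, 0.30, 0.2, 0.3, True,  False, True,  "< 4.2"),     # no public exploit
        Vuln("VULN-0007", 6.5, 0.02, 0.0, 0.0, True,  False, False, "unknown"),
        Vuln("VULN-0008", 10.0, 0.97, 0.8, 0.5, True,  True,  True,  "<= 12.1"),
    ]


if __name__ == "__main__":
    short, cut = prioritize(sample_feed())
    print(f"filter removed {cut:.0%} of the feed")
    for v in short:
        print(v.vid, v.cvss, v.epss, v.ransomware_likelihood, v.affected_versions)
```

Note that the highest CVSS record is not first: ranking by ransomware likelihood and EPSS before severity is what moves the issues actually being used in ransomware to the top of the queue.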

Insider Threat

The tactic of recruiting insiders has become immensely popular amongst threat actors aiming to breach systems and/or commit ransomware attacks.

In March, our analysts collected 5,586 posts advertising insider services—both from threat actors seeking insiders and malicious employees offering their services. Of those, 1,127 were unique posts from individuals in illicit and underground communities.

Key takeaways for the state of insider threat intelligence

  • In March, Flashpoint tracked 5,586 posts related to insider threats activity—both from threat actors attempting to solicit insider-facilitated access and from disgruntled employees offering their services. Of the total, 1,127 were unique postings.
  • At this time, the Telecom industry is the most targeted sector, followed by Financial and Retail.
  • Looking into the state of insider threats further, Flashpoint found that the majority of insider threat related postings originated from inside the organization with malicious insiders offering their services. Most of this activity came from the Telecom sector. 

Takedowns

In March 2023, there were numerous takedowns, voluntary shutdowns, and arrests affecting ransomware, markets, account shops, card shops, and individual cybercriminals. Here are the high-profile takedowns.

Breach Forums

On March 21, 2023, mid-tier hacking forum Breach Forums was shut down following the arrest of its administrator, Conor Brian Fitzpatrick (aka “pompompurin”), six days prior.


Worldwiredlabs

On March 3, a US Magistrate Judge issued a seizure warrant for Worldwiredlabs[.]com, a domain used by cybercriminals to sell malware, including remote access trojan (RAT) “NetWire,” which is capable of targeting and infecting major computer operating systems.

On March 7, an international law enforcement effort led to the seizure of Worldwiredlabs. The FBI had begun its investigation in 2020, and uncovered that it was the only known online distributor of NetWire.


Get best-in-class intel

The following data is derived from the Flashpoint Intelligence Platform and VulnDB, the most comprehensive and timely source of vulnerability intelligence available. Sign up for a free trial today.


EvilNominatus Ransomware

As part of our monitoring of malicious files in current use, we detected a malicious BAT file that was uploaded to VirusTotal from Iran. This file executes ransomware that we associate with the EvilNominatus ransomware, initially exposed at the end of 2021. It seems that the ransomware’s developer is a young Iranian, who bragged about its development on Twitter.

At this point, we have no details regarding any victims of this ransomware. We publish this research due to the malware’s unique method of operation, and the low number of AV engines capable of detecting it.

The original BAT file the research is based on was only detected by two AV engines on VirusTotal. Another BAT file that was discovered later, which shares characteristics with the first one, wasn’t detected by any AV engines. Other files that were either generated by the BAT files or communicated with them to carry out attacks were detected by multiple AV engines. Therefore, we assess that the tool’s general level of risk is low at this point.
