Category: ransomware
In the coming weeks, criminals using ransomware may target businesses within the Food & Agriculture sectors, with the severity of these cyberattacks likely to escalate, according to a report from the Food and Agriculture Information Sharing and Analysis Center (ISAC).
The report, titled “Farm to Table Ransomware Realities,” highlights that ransomware attacks surged by 27% in 2024, with 212 incidents reported, compared to 164 in 2023.
These malware attacks have put both customers and partners of affected companies at significant risk, severely impacting the agriculture industry. If the gap between supply and demand continues to widen, the United States could face shortages of consumables, potentially leading to an artificial famine due to the slowdown in supply chains caused by attack-related downtime.
Unpredictable weather patterns across the country are already disrupting the food supply chain, and digital attacks could exacerbate these issues.
Security experts note that a new ransomware group, RansomHub, emerged in 2024 and is targeting the food sector most aggressively. Linked to the notorious LockBit gang, RansomHub could cause serious damage if the IT infrastructure within the Food and Agriculture sectors isn’t properly upgraded.
ISAC also reported that the Akira ransomware group is targeting IT assets in the nation’s consumables sector, exploiting vulnerabilities or flaws in software-based management systems.
Additionally, research from cybersecurity firm Huntress found that ransomware attackers typically take an average of 17 hours to encrypt systems after infiltrating IT networks. Some groups, however, can encrypt databases in just 4-6 hours. The timing of these attacks often depends on the criminals’ primary goal of making money with minimal effort.
With the aid of advanced AI tools, criminals are becoming more sophisticated. Huntress researchers warn that these technologies could leave security teams with less time to detect and respond, making it even more challenging to combat ransomware threats effectively.
The post Ransomware attacks on Food and Agriculture sector could intensify appeared first on Cybersecurity Insiders.
In a disturbing yet intriguing development, cyber criminals have once again demonstrated their capacity to target organizations with the sole aim of extracting valuable data. Historically, ransomware groups have been known to target active businesses, steal critical data, and encrypt it in an effort to extort a ransom from the company, usually with the expectation that the business head will pay to restore the stolen information. However, in a shocking twist, the infamous Akira Ransomware gang has recently exposed a surprising case on the dark web—one that has raised more questions than answers.
The gang has disclosed that it has obtained sensitive information from an Australian media company, Regency Media. What’s truly odd, however, is that the company, which had once been a key player in the industry, has been defunct since 2023.
Yes, you read that correctly: Regency Media has not been operational for over two years, and yet, its data has found its way onto the dark web. This raises an important question—why would cyber criminals go after a business that is no longer active, especially when there is no realistic chance of receiving any ransom?
Upon investigation, it appears that the criminals gained access to a trove of valuable data, which they have now leaked onto the dark web. This data dump includes non-disclosure agreements, sensitive personal information such as driver’s licenses, passport details, email addresses, and even contact information of staff and employees. Additionally, they have exposed financial records, including customer audit reports and other confidential financial data. The sheer volume of the stolen data is striking—approximately 16GB of sensitive information was obtained in the breach.
What makes this case even more puzzling is that Regency Media, the company in question, has not been operational for nearly two years. The business, once involved in the manufacturing of VCDs, cassettes, and tapes, ceased to exist as a functioning entity by July 2023. Given that the company has no operational capacity to pay a ransom, one might wonder what motivated the Akira gang to target them in the first place.
Initial investigations suggest that Regency Media may still be in possession of some older, proprietary data archives. These legacy servers, although no longer part of the company’s active infrastructure, may have been retained as archival repositories. However, it’s important to note that these servers likely have no connection to any ongoing business operations, making the breach even more unusual. Moreover, because Regency Media is no longer operational, the criminals’ chances of extorting money from the company are virtually nonexistent.
Some cybersecurity experts speculate that the breach may have occurred in 2023, around the time when Regency Media officially ceased operations. This would suggest that the hackers may have sat on the stolen data for a period of time before choosing to disclose it publicly. It’s not uncommon for sensitive or valuable data to circulate on the dark web for a while before being sold or released—often because there’s always demand for such data, even if the original business is no longer functioning.
The fact that Akira Ransomware leaked the data despite Regency Media being defunct demonstrates a crucial point: cyber criminals are primarily motivated by financial gain, and the identity or current operational status of the victimized company is irrelevant. Whether a business is active or no longer operational, the goal of these attackers remains the same—to profit from the stolen data, regardless of the collateral damage caused.
In the end, this incident serves as a stark reminder of the persistent and ever-evolving nature of cyber threats. Even companies that have long since shut their doors are not safe from data breaches, and the criminals responsible for these attacks will stop at nothing to exploit whatever sensitive information they can get their hands on.
The post Akira Ransomware is now targeting legacy servers of defunct companies appeared first on Cybersecurity Insiders.
For years, cyber threat actors have been launching attacks to spread malware and deploy tools for intelligence gathering, often driven by financial motives. However, a recent development has caught the attention of cybersecurity researchers—state-sponsored hackers assigned to espionage operations are now moonlighting as ransomware operators.
Moonlighting, in workplace terms, refers to employees using official resources for a second job without their primary employer’s knowledge. This practice results in losses for the primary employer, as time, software, and computing resources are diverted elsewhere. Now, this phenomenon is emerging in the cybercrime world, with espionage actors engaging in ransomware attacks for personal gain.
One such case involves a China-based threat group known as Emperor Dragonfly. Originally tasked with intelligence gathering, this group has now been caught spreading RA World Ransomware. What remains unclear is whether Emperor Dragonfly has shifted its objectives entirely or if its members are engaging in ransomware attacks as a side hustle.
Researchers from Symantec’s Threat Hunter Team, who have been tracking these developments since June 2024, have concluded that some state actors are now engaging in financially motivated cybercrime. This could be due to personal financial incentives or increased law enforcement pressure worldwide, which has disrupted many state-backed cyber operations.
Adding to this perspective, security experts from Palo Alto Networks’ Unit 42 have observed a similar trend. They suggest that the shift may be linked to inconsistent government funding for cyber operations, leading some hackers to seek alternative income sources.
Traditionally, moonlighting has been associated with employees in software and IT sectors. However, this latest trend shows that even hackers are engaging in side gigs, leading to unusual and rare developments in the cyber threat landscape.
Interestingly, ransomware groups have evolved significantly since 2020. Many have transitioned into launching Distributed Denial of Service (DDoS) attacks and vice versa. This shift coincided with the global economic slowdown caused by COVID-19 lockdowns, prompting cybercriminals to explore new avenues to sustain their operations.
Conclusion
This is an interesting shift in the cyber threat landscape! The idea of state-sponsored hackers moonlighting as ransomware operators adds a whole new layer of complexity to cyber defense strategies. It makes attribution even trickier—were these attacks sanctioned, or just rogue elements looking for extra income?
The financial angle makes sense too. If government funding for cyber operations is inconsistent or reduced, these actors might turn to cybercrime to fill the gap. This also aligns with how ransomware gangs adapted post-2020, switching tactics based on global events and law enforcement crackdowns.
It raises a bigger question: If nation-state actors are moonlighting as financially motivated cybercriminals, how does this impact global cyber warfare policies? Would governments hold other nations accountable for ransomware attacks carried out by their own operatives, even if those operatives weren’t acting under direct orders?
What’s your take—do you think this trend will continue, or is it just a phase?
The post Chinese Threat Group conducting espionage found moonlighting with ransomware appeared first on Cybersecurity Insiders.
In most cases, thieves disappear after successfully stealing money, goods, or valuable data. However, in the world of cybercrime, particularly with ransomware attacks, the scenario is quite different.
Unlike traditional theft where the criminal takes the stolen items and vanishes, ransomware attacks typically involve a two-step process: first, data is stolen, and then it is encrypted, making it inaccessible unless a ransom is paid. This method not only disrupts operations but also places intense pressure on victims, as the criminals often use the stolen data as leverage for further exploitation.
One of the more infamous ransomware groups is Clop, which has been active since 2019. The Clop ransomware group follows a distinct pattern. They infiltrate a victim’s network, steal sensitive data, and then encrypt it, demanding payment in exchange for decryption. The criminals make it clear that if the ransom isn’t paid, the victim’s sensitive information will be sold or shared with third parties, often resulting in disastrous consequences for the victim’s reputation and business operations.
In response to this threat, many victims opt to pay the ransom, often in the form of cryptocurrencies like Bitcoin, as it is harder to trace. However, this action does not guarantee safety. Payment may provide temporary relief, but it doesn’t erase the possibility of further exploitation or attacks.
A disturbing new tactic has emerged with the Clop ransomware group, as uncovered by cybersecurity researchers at CYFIRMA. Rather than attacking a victim once and moving on, the group has begun a strategy of lurking in the victim’s network undetected for months. During this period, they remain inactive while the ransomware’s presence in the system goes unnoticed by threat monitoring solutions. After several weeks or even months, they spring into action again, relaunching the attack and demanding ransom payments multiple times over an extended period. This method effectively turns the infected network into a long-term money-making tool for the cybercriminals, continuously generating profit from the same victim.
Typically, these groups gain access to a network through phishing campaigns or by exploiting vulnerabilities within the system, often through malicious software (malware) that enters the network undetected. The infected networks then serve as a launchpad for further attacks, as the ransomware’s code remains hidden from detection tools, allowing the attackers to continue exploiting the victim’s system.
Industries that are especially vulnerable to these types of ransomware attacks include manufacturing, retail, transportation, and healthcare. These sectors often deal with highly sensitive data and rely heavily on their networks for day-to-day operations, making them prime targets for Clop and similar state-funded or organized cybercrime groups. As these industries are integral to the global economy, the potential impact of a successful ransomware attack can be catastrophic, not only in terms of financial loss but also in terms of trust and legal repercussions.
To protect against such attacks, it is crucial to implement a robust cybersecurity strategy. The first line of defense is to install anti-malware solutions across all server environments. Regular updates and patches must be applied to prevent vulnerabilities from being exploited. Additionally, regular backups of critical data and applications should be made to ensure that victims can restore their systems quickly without giving in to ransom demands. It is also important to deploy automated solutions that can detect and block phishing attempts and other forms of social engineering that are commonly used to gain initial access to networks.
Perhaps one of the most essential components of defense is employee awareness. Since many ransomware attacks start with human error, such as clicking on a malicious email attachment or link, training employees to recognize the signs of phishing and other suspicious activities can significantly reduce the risk of a breach. Organizations must regularly remind employees about the importance of cybersecurity practices and encourage vigilance in protecting both company and personal information.
In conclusion, ransomware attacks, particularly those perpetrated by sophisticated groups like Clop, are a growing threat that requires comprehensive, multi-layered defenses. By taking proactive steps, from implementing anti-malware solutions to fostering a culture of cybersecurity awareness, businesses can mitigate the risk of falling victim to such devastating attacks.
The post Clop Ransomware lurks within the network, exploiting it for extended periods appeared first on Cybersecurity Insiders.
In a major joint operation, the FBI, in collaboration with the UK’s National Crime Agency (NCA), Europol, and law enforcement agencies from France, Germany, Japan, Romania, Switzerland, Thailand, Spain, and Bavaria, has officially announced the arrest of four European nationals linked to ransomware operations. These cybercriminals are believed to have orchestrated attacks resulting in approximately $16 million in global financial losses.
Operation PHOBOS AETOR: A Coordinated Cybercrime Takedown
Codenamed “Operation PHOBOS AETOR,” this extensive investigation led to the arrest of two men and two women across four different locations. Authorities also seized 40 digital devices, including computers, hard drives, and high-end mobile phones containing cryptocurrency wallets suspected to be linked to ransom payments.
According to media updates, international law enforcement agencies highlighted that all four arrested individuals were Russian nationals. These individuals were allegedly responsible for deploying the Phobos ransomware, a strain of malware used to target both public and private entities across Europe. Their attacks were facilitated by 8Base ransomware’s IT infrastructure, a notorious platform commonly used for cyber extortion.
Ransomware Tactics and Legal Consequences
During interrogations, all four suspects admitted to participating in double extortion attacks. This method involves encrypting victims’ data while simultaneously threatening to leak stolen information online if ransom demands are not met. Such tactics have proven effective in pressuring victims—ranging from corporations to government institutions—to pay hefty sums in cryptocurrency.
Given the international nature of their crimes, the arrested individuals are expected to be extradited to the countries where their cyber offenses were committed. Once extradited, they will face prosecution under local cybercrime laws, which could lead to lengthy prison sentences and substantial financial penalties.
The Bigger Picture: Can Law Enforcement Stop Ransomware?
While such arrests represent a significant victory against cybercriminals, they do not completely eliminate the ransomware threat. Instead, they may temporarily disrupt criminal networks until new actors emerge or existing groups reorganize. A notable example of this is LockBit 2.0, which, despite law enforcement efforts, evolved into LockBit 3.0 in August this year, demonstrating how ransomware groups continuously adapt to evade crackdowns.
The 2025 Cyber Threat Landscape
Meanwhile, the 2025 Cyber Threat Report, published by Huntress, has shed light on the evolving ransomware landscape. The report reveals that cybercriminal groups spreading ransomware in 2024 have shifted their focus to high-profile targets. These groups employ tactics that involve large-scale, high-speed attacks, maximizing financial gains before law enforcement can intervene.
Among the most active ransomware groups this past year were:
Lynx
Akira
RansomHub
These groups, despite their relatively new presence in the cybercrime ecosystem, have been remarkably successful in executing attacks that resulted in substantial financial extortion. Their aggressive strategies and ability to adapt indicate that ransomware remains one of the most pressing cybersecurity threats in 2025.
Conclusion
The arrests under Operation PHOBOS AETOR mark an important step in the ongoing fight against cybercrime. However, as history has shown, ransomware groups are highly resilient, constantly evolving their methods to bypass security measures. While law enforcement continues to dismantle these criminal networks, organizations must remain vigilant, invest in robust cybersecurity measures, and collaborate with authorities to mitigate future ransomware threats.
The post Phobos and 8Base Ransomware criminals arrest by FBI appeared first on Cybersecurity Insiders.
Cisco, a global leader in networking equipment, has recently fallen victim to a sophisticated cyberattack, where sensitive data from its Active Directory environments was stolen, posted on the dark web, and potentially sold to interested parties. The attack has raised serious concerns about the security of the company’s operations and the potential long-term impact on its reputation.
The notorious Kraken ransomware gang has taken responsibility for the breach, claiming they had access to Cisco’s sensitive environments for several months. During this period, the hackers reportedly accessed critical data, including passwords, research and development information, and other proprietary details.
According to information provided by Cybersecurity Insiders, the stolen data included usernames, security identifiers, password hashes, financial information, and even some employee-related data. A dataset containing a mixture of these types of data was available on the dark web until the previous Friday, further heightening the severity of the incident.
However, Cisco’s internal security team, Cisco Talos, has since clarified that the leaked data is actually a result of an older cyber incident dating back to May 2022. They confirmed that their current networks are safe, with no evidence of any ongoing network infiltration. While this disclosure has provided some reassurance, the incident still highlights the persistent risks that organizations face in the ever-evolving landscape of cyber threats.
The news of the breach surfaced at a particularly sensitive time for Cisco, as the company had just announced its acquisition of SnapAttack, a threat detection platform aimed at enhancing Cisco’s security capabilities. This acquisition is expected to strengthen the Cisco Splunk business, accelerating its organic threat detection capabilities. However, the timing of the attack raises concerns about the company’s ability to maintain customer trust and the potential impact on future deals.
In the wake of such an attack, companies risk significant damage to their reputation. Cybersecurity breaches can erode trust among customers, partners, and other stakeholders, while also providing competitors with an opportunity to capitalize on the situation. This breach serves as a reminder of how vulnerable even the most established companies can be to cyber threats, and how the repercussions of such incidents can extend far beyond the immediate damage to the organization’s security.
The post Kraken Ransomware strikes Cisco servers to steal data appeared first on Cybersecurity Insiders.