#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
AWS EKS Security Best Practices

LockBit Ransomware | Breaking Cybersecurity News | The Hacker News

Category — LockBit Ransomware
Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises

Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises

Jun 10, 2025 Cryptocurrency / Malware
The threat actor known as Rare Werewolf (formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries. "A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries," Kaspersky said . "The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts." The intent of the attacks is to establish remote access to compromised hosts, and siphon credentials, and deploy the XMRig cryptocurrency miner. The activity impacted hundreds of Russian users spanning industrial enterprises and engineering schools, with a smaller number of infections also recorded in Belarus and Kazakhstan. Rare Werewolf , also known by the names Librarian Ghouls and Rezet, is the moniker assigned to an advanced persistent threat (APT) group that has a track record of...
LockBit Ransomware Group Resurfaces After Law Enforcement Takedown

LockBit Ransomware Group Resurfaces After Law Enforcement Takedown

Feb 26, 2024 Dark Web / Threat Intelligence
The threat actors behind the LockBit ransomware operation have resurfaced on the dark web using new infrastructure, days after an international law enforcement exercise  seized control  of its servers. To that end, the notorious group has moved its data leak portal to a new .onion address on the TOR network, listing 12 new victims as of writing. The administrator behind LockBit, in a  lengthy follow-up message , said some of their websites were confiscated by most likely exploiting a critical PHP flaw tracked as CVE-2023-3824, acknowledging that they didn't update PHP due to "personal negligence and irresponsibility." "I realize that it may not have been this CVE, but something else like 0-day for PHP, but I can't be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and the blog server were accessed," they noted. They also cla...
Expert Insights Articles Videos
Cybersecurity Resources