#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
AWS EKS Security Best Practices

ransomware | Breaking Cybersecurity News | The Hacker News

Category — ransomware
New FileFix Method Emerges as a Threat Following 517% Rise in ClickFix Attacks

New FileFix Method Emerges as a Threat Following 517% Rise in ClickFix Attacks

Jun 26, 2025 Cyber Attack / Malware Analysis
The ClickFix social engineering tactic as an initial access vector using fake CAPTCHA verifications increased by 517% between the second half of 2024 and the first half of this year, according to data from ESET. "The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors," Jiří Kropáč, Director of Threat Prevention Labs at ESET, said . ClickFix has become a widely popular and deceptive method that employs bogus error messages or CAPTCHA verification checks to entice victims into copying and pasting a malicious script into either the Windows Run dialog or the Apple macOS Terminal app, and running it. The Slovak cybersecurity company said the highest volume of ClickFix detections are concentrated around Japan, Peru, Poland, Spain, and Slovakia. The prevalence and effectiveness of this attack meth...
The Hidden Risks of SaaS: Why Built-In Protections Aren't Enough for Modern Data Resilience

The Hidden Risks of SaaS: Why Built-In Protections Aren't Enough for Modern Data Resilience

Jun 26, 2025 Data Protection / Compliance
SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...
Cyber Criminals Exploit Open-Source Tools to Compromise Financial Institutions Across Africa

Cyber Criminals Exploit Open-Source Tools to Compromise Financial Institutions Across Africa

Jun 26, 2025 Threat Intelligence / Ransomware
Cybersecurity researchers are calling attention to a series of cyber attacks targeting financial organizations across Africa since at least July 2023 using a mix of open-source and publicly available tools to maintain access. Palo Alto Networks Unit 42 is tracking the activity under the moniker CL-CRI-1014 , where "CL" refers to "cluster" and "CRI" stands for "criminal motivation." It's suspected that the end goal of the attacks is to obtain initial access and then sell it to other criminal actors on underground forums, making the threat actor an initial access broker (IAB). "The threat actor copies signatures from legitimate applications to forge file signatures , to disguise their toolset and mask their malicious activities," researchers Tom Fakterman and Guy Levi said . "Threat actors often spoof legitimate products for malicious purposes." The attacks are characterized by the deployment of tools like PoshC2 fo...
cyber security

How 100+ Security Leaders Are Tackling AI Risk

websiteWizAI Security / Cloud Security
AI adoption is accelerating— but most security programs are still working to catch up. See how real teams are securing AI in the cloud.
cyber security

Why organizations need to protect their Microsoft 365 data

websiteVeeamEnterprise Security / Data Protection
This 5-minute read will explain what your organization is responsible for within Microsoft 365 and how to identify security gaps.
CISA Adds 3 Flaws to KEV Catalog, Impacting AMI MegaRAC, D-Link, Fortinet

CISA Adds 3 Flaws to KEV Catalog, Impacting AMI MegaRAC, D-Link, Fortinet

Jun 26, 2025 Vulnerability / Firmware Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added three security flaws, each impacting AMI MegaRAC, D-Link DIR-859 router, and Fortinet FortiOS, to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2024-54085 (CVSS score: 10.0) - An authentication bypass by spoofing vulnerability in the Redfish Host Interface of AMI MegaRAC SPx that could allow a remote attacker to take control CVE-2024-0769 (CVSS score: 5.3) - A path traversal vulnerability in D-Link DIR-859 routers that allows for privilege escalation and unauthorized control (Unpatched) CVE-2019-6693 (CVSS score: 4.2) - A hard-coded cryptographic key vulnerability in FortiOS, FortiManager and FortiAnalyzer that's used to encrypt password data in CLI configuration, potentially allowing an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data Firmwar...
Hackers Target Over 70 Microsoft Exchange Servers to Steal Credentials via Keyloggers

Hackers Target Over 70 Microsoft Exchange Servers to Steal Credentials via Keyloggers

Jun 24, 2025 Vulnerability / Malware
Unidentified threat actors have been observed targeting publicly exposed Microsoft Exchange servers to inject malicious code into the login pages that harvest their credentials. Positive Technologies, in a new analysis published last week, said it identified two different kinds of keylogger code written in JavaScript on the Outlook login page - Those that save collected data to a local file accessible over the internet Those that immediately send the collected data to an external server The Russian cybersecurity vendor said the attacks have targeted 65 victims in 26 countries worldwide, and marks a continuation of a campaign that was first documented in May 2024 as targeting entities in Africa and the Middle East. At that time, the company said it had detected no less than 30 victims spanning government agencies, banks, IT companies, and educational institutions, with evidence of the first compromise dating back to 2021. The attack chains involve exploiting known flaws in M...
XDigo Malware Exploits Windows LNK Flaw in Eastern European Government Attacks

XDigo Malware Exploits Windows LNK Flaw in Eastern European Government Attacks

Jun 23, 2025 Cyber Espionage / Vulnerability
Cybersecurity researchers have uncovered a Go-based malware called XDigo that has been used in attacks targeting Eastern European governmental entities in March 2025. The attack chains are said to have leveraged a collection of Windows shortcut ( LNK ) files as part of a multi-stage procedure to deploy the malware, French cybersecurity company HarfangLab said . XDSpy is the name assigned to a cyber espionage that's known to target government agencies in Eastern Europe and the Balkans since 2011. It was first documented by the Belarusian CERT in early 2020.  In recent years, companies in Russia and Moldova have been targeted by various campaigns to deliver malware families like UTask, XDDown, and DSDownloader that can download additional payloads and steal sensitive information from compromised hosts. HarfangLab said it observed the threat actor leveraging a remote code execution flaw in Microsoft Windows that's triggered when processing specially crafted LNK files. The v...
Scattered Spider Behind Cyberattacks on M&S and Co-op, Causing Up to $592M in Damages

Scattered Spider Behind Cyberattacks on M&S and Co-op, Causing Up to $592M in Damages

Jun 21, 2025 Cyber Attack / Critical Infrastructure
The April 2025 cyber attacks targeting U.K. retailers Marks & Spencer and Co-op have been classified as a "single combined cyber event." That's according to an assessment from the Cyber Monitoring Centre (CMC), a U.K.-based independent, non-profit body set up by the insurance industry to categorize major cyber events. "Given that one threat actor claimed responsibility for both M&S and Co-op, the close timing, and the similar tactics, techniques, and procedures (TTPs), CMC has assessed the incidents as a single combined cyber event," the CMC said . The organization has categorized the disruption of the retailers as a "Category 2 systemic event." It's estimated that the security breaches will have a total financial impact of £270 million ($363 million) to £440 million ($592 million). However, the cyber attack on Harrods around the same time has not been included at this stage, citing a lack of adequate information about the cause and...
Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms

Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms

Jun 20, 2025 Ransomware / Cybercrime
The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the cybercrime group intensifies its activity and tries to fill the void left by its rivals. The new feature takes the form of a "Call Lawyer" feature on the affiliate panel, per Israeli cybersecurity company Cybereason. The development represents a newfound resurgence of the e-crime group as once-popular ransomware groups like LockBit, Black Cat, RansomHub, Everest, and BlackLock have suffered abrupt cessations, operational failures, and defacements. The group, also tracked as Gold Feather and Water Galura, has been active since October 2022. Data compiled from the dark web leak sites run by ransomware groups shows that Qilin led with 72 victims in April 2025. In May, it is estimated to be behind 55 attacks , putting it behind Safepay (72) and Luna Moth (67). It's also the third most active group after...
Google Warns of Scattered Spider Attacks Targeting IT Support Teams at U.S. Insurance Firms

Google Warns of Scattered Spider Attacks Targeting IT Support Teams at U.S. Insurance Firms

Jun 17, 2025 Threat Intelligence / Identity Security
The notorious cybercrime group known as Scattered Spider (aka UNC3944) that recently targeted various U.K. and U.S. retailers has begun to target major insurance companies, according to Google Threat Intelligence Group (GTIG). "Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity," John Hultquist, chief analyst at GTIG, said in an email Monday. "We are now seeing incidents in the insurance industry. Given this actor's history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers." Scattered Spider is the name assigned to an amorphous collective that's known for its use of advanced social engineering tactics to breach organizations. In recent months, the threat actors are believed to have forged an alliance with the DragonForce ransomware cartel in the ...
Backups Are Under Attack: How to Protect Your Backups

Backups Are Under Attack: How to Protect Your Backups

Jun 17, 2025 Cyber Threat / Business Continuity
Ransomware has become a highly coordinated and pervasive threat, and traditional defenses are increasingly struggling to neutralize it. Today's ransomware attacks initially target your last line of defense — your backup infrastructure. Before locking up your production environment, cybercriminals go after your backups to cripple your ability to recover, increasing the odds of a ransom payout. Notably, these attacks are carefully engineered takedowns of your defenses. The threat actors disable backup agents, delete snapshots, modify retention policies, encrypt backup volumes (especially those that are network accessible) and exploit vulnerabilities in integrated backup platforms. They are no longer trying just to deny your access but erase the very means of recovery. If your backup environment isn't built with this evolving threat landscape in mind, it's at high risk of getting compromised. How can IT pros defend against this? In this guide, we'll uncover the weak strategies that lea...
Anubis Ransomware Encrypts and Wipes Files, Making Recovery Impossible Even After Payment

Anubis Ransomware Encrypts and Wipes Files, Making Recovery Impossible Even After Payment

Jun 16, 2025 Malware / Ransomware
An emerging ransomware strain has been discovered incorporating capabilities to encrypt files as well as permanently erase them, a development that has been described as a "rare dual-threat." "The ransomware features a 'wipe mode,' which permanently erases files, rendering recovery impossible even if the ransom is paid," Trend Micro researchers Maristel Policarpio, Sarah Pearl Camiling, and Sophia Nilette Robles said in a report published last week. The ransomware-as-a-service (RaaS) operation in question is named Anubis, which became active in December 2024, claiming victims across healthcare, hospitality, and construction sectors in Australia, Canada, Peru, and the U.S. Analysis of early, trial samples of the ransomware suggests that the developers initially named it Sphinx, before tweaking the brand name in the final version. It's worth noting that the e-crime crew has no ties to an Android banking trojan and a Python-based backdoor of the s...
Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion

Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion

Jun 13, 2025 Vulnerability / Ransomware
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers of an unnamed utility billing software provider. "This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025," the agency said in an advisory. Earlier this year, SimpleHelp disclosed a set of flaws (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that could result in information disclosure, privilege escalation, and remote code execution. The vulnerabilities have since come under repeated exploitation in the wild, including by ransomware groups like DragonForce, to breach targets of interest. Last month, Sophos revealed that a Managed Service Provider's SimpleHelp deployed was accessed by the threat actor using these flaws, and then leveraged it to pivot t...
Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks

Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks

Jun 11, 2025 Ransomware / Cybercrime
Former members tied to the Black Basta ransomware operation have been observed sticking to their tried-and-tested approach of email bombing and Microsoft Teams phishing to establish persistent access to target networks. "Recently, attackers have introduced Python script execution alongside these techniques, using cURL requests to fetch and deploy malicious payloads," ReliaQuest said in a report shared with The Hacker News. The development is a sign that the threat actors are continuing to pivot and regroup, despite the Black Basta brand suffering a huge blow and a decline after the public leak of its internal chat logs earlier this February. The cybersecurity company said half of the Teams phishing attacks that were observed between February and May 2025 originated from onmicrosoft[.]com domains, and that breached domains accounted for 42% of the attacks during the same period. The latter is a lot more stealthy and allows threat actors to impersonate legitimate traffi...
Expert Insights Articles Videos
Cybersecurity Resources