ransomware | Breaking Cybersecurity News | The Hacker News

Cyber threats today don't just evolve—they mutate rapidly, testing the resilience of everything from global financial systems to critical infrastructure. As cybersecurity confronts new battlegrounds—ranging from nation-state espionage and ransomware to manipulated AI chatbots—the landscape becomes increasingly complex, prompting vital questions: How secure are our cloud environments? Can our IoT devices be weaponized unnoticed? What happens when cybercriminals leverage traditional mail for digital ransom? This week's events reveal a sobering reality: state-sponsored groups are infiltrating IT supply chains, new ransomware connections are emerging, and attackers are creatively targeting industries previously untouched. Moreover, global law enforcement actions highlight both progress and persistent challenges in countering cybercrime networks. Dive into this edition to understand the deeper context behind these developments and stay informed about threats that continue reshap...

Threat hunters have shed light on a "sophisticated and evolving malware toolkit" called Ragnar Loader that's used by various cybercrime and ransomware groups like Ragnar Locker (aka Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (ex-REvil). "Ragnar Loader plays a key role in keeping access to compromised systems, helping attackers stay in networks for long-term operations," Swiss cybersecurity company PRODAFT said in a statement shared with The Hacker News. "While it's linked to the Ragnar Locker group, it's unclear if they own it or just rent it out to others. What we do know is that its developers are constantly adding new features, making it more modular and harder to detect." Ragnar Loader, also referred to as Sardonic, was first documented by Bitdefender in August 2021 in connection with an unsuccessful attack carried out by FIN8 aimed at an unnamed financial institution located in the U.S. It's said to have been put to use ...

A coalition of international law enforcement agencies has seized the website associated with the cryptocurrency exchange Garantex ("garantex[.]org"), nearly three years after the service was sanctioned by the U.S. Treasury Department in April 2022. "The domain for Garantex has been seized by the United States Secret Service pursuant to a seizure warrant obtained by the United States Attorney's Office for the Eastern District of Virginia under the authority of 18 U.S.C. §§ 981 and 982," reads a seizure banner on the website. The operation was carried out in coordination with the U.S. Department of Justice's Criminal Division, the Federal Bureau of Investigation, Europol, the Dutch National Police, the German Federal Criminal Police Office (Bundeskriminalamt aka BKA), the Frankfurt General Prosecutor's Office, the Finnish National Bureau of Investigation, and the Estonian National Criminal Police. Founded in 2019, Garantex was previously subject to U....

The financially motivated threat actor known as EncryptHub has been observed orchestrating sophisticated phishing campaigns to deploy information stealers and ransomware, while also working on a new product called EncryptRAT . "EncryptHub has been observed targeting users of popular applications, by distributing trojanized versions," Outpost24 KrakenLabs said in a new report shared with The Hacker News. "Furthermore, the threat actor has also made use of third-party Pay-Per-Install (PPI) distribution services." The cybersecurity company described the threat actor as a hacking group that makes operational security errors and as someone who incorporates exploits for popular security flaws into their attack campaigns. EncryptHub, also tracked by Swiss cybersecurity company PRODAFT as LARVA-208, is assessed to have become active towards the end of June 2024, relying on a variety of approaches ranging from SMS phishing (smishing) to voice phishing (vishing) in an at...

The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated attacks witnessing a 42% increase between 2023 and 2024. In the first two months of 2025 alone, the group has claimed over 40 attacks, according to data from the Symantec Threat Hunter Team shared with The Hacker News. The cybersecurity company is tracking the cluster under the name Spearwing. "Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims' data before encrypting networks in order to increase the pressure on victims to pay a ransom," Symantec noted . "If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site." While other ransomware-as-a-service (RaaS) players like RansomHub (aka Greenbottle and Cyclops), Play (aka Balloonfly), and Qilin (aka Agenda, Stinkbug, and Water Galura) have benefite...

Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining persistent control over infected hosts, a sign that affiliates previously associated with Black Basta may have transitioned to CACTUS. "Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine," Trend Micro said in a Monday analysis. "This enables them to steal sensitive data, such as login credentials, financial information, and personal files." It's worth noting that details of the BC module, which the cybersecurity company is tracking as QBACKCONNECT owing to overlaps with the QakBot loader, was first documented in late January 2025 by both Walmart's Cyber Intelligence team and Sophos, the latter of which has designated the cluster the name STAC5777.  Over the past year, Black Basta attack chains have increasingly leve...

Internet service providers (ISPs) in China and the West Coast of the United States have become the target of a mass exploitation campaign that deploys information stealers and cryptocurrency miners on compromised hosts. The findings come from the Splunk Threat Research Team, which said the activity also led to the delivery of various binaries that facilitate data exfiltration as well as offer ways to establish persistence on the systems. The unidentified threat actors performed "minimal intrusive operations to avoid detection, with the exception of artifacts created by accounts already compromised," the Cisco-owned company said in a technical report published last week. "This actor also moves and pivots primarily by using tools that depend and run on scripting languages (e.g., Python and Powershell), allowing the actor to perform under restricted environments and use API calls (e.g., Telegram) for C2 [command-and-control] operations." The attacks have been ob...

Threat actors have been exploiting a security vulnerability in Paragon Partition Manager's BioNTdrv.sys driver in ransomware attacks to escalate privileges and execute arbitrary code. The zero-day flaw (CVE-2025-0289) is part of a set of five vulnerabilities that was discovered by Microsoft, according to the CERT Coordination Center (CERT/CC). "These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability," CERT/CC said . In a hypothetical attack scenario, an adversary with local access to a Windows machine can exploit these shortcomings to escalate privileges or cause a denial-of-service (DoS) condition by taking advantage of the fact that "BioNTdrv.sys" is signed by Microsoft. This could also pave the way for what's called a Bring Your Own Vulnerable Driver ( BYOVD ) attack on systems where the driver is not installed, thereby allowing t...

In 2024, global ransomware attacks hit 5,414, an 11% increase from 2023.  After a slow start, attacks spiked in Q2 and surged in Q4, with 1,827 incidents (33% of the year's total). Law enforcement actions against major groups like LockBit caused fragmentation, leading to more competition and a rise in smaller gangs. The number of active ransomware groups jumped 40%, from 68 in 2023 to 95 in 2024. New Ransomware Groups to Watch In 2023 there were just 27 new groups. 2024 saw a dramatic rise with 46 new groups detected. As the year went on the number of groups accelerated with Q4 2024 having 48 groups active.  Of the 46 new ransomware groups in 2024, RansomHub became dominant, exceeding LockBit's activity. At Cyberint, now a Check Point Company, the research team is constantly researching the latest ransomware groups and analyzing them for potential impact. This blog will look at 3 new players, the aforementioned RansomHub, Fog and Lynx and examine their impact in 202...

Remote Desktop Protocol (RDP) is an amazing technology developed by Microsoft that lets you access and control another computer over a network. It's like having your office computer with you wherever you go. For businesses, this means IT staff can manage systems remotely, and employees can work from home or anywhere, making RDP a true game-changer in today's work environment. But here's the catch: because RDP is accessible over the internet, it's also a prime target for unethical hackers. If someone gains unauthorized access, they could potentially take over your system. That's why it's so important to secure RDP properly. Why IT Teams Depend on RDP, Despite the Risks More than 50 percent of Kaseya's small and medium-sized businesses (SMBs) and Managed Service Providers (MSPs) customers use RDP for daily operations due to its efficiency and flexibility: Reduces Costs and Downtime – IT teams can resolve technical issues remotely, eliminating travel expenses and delays. Supports B...

More than a year's worth of internal chat logs from a ransomware gang known as Black Basta have been published online in a leak that provides unprecedented visibility into their tactics and internal conflicts among its members. The Russian-language chats on the Matrix messaging platform between September 18, 2023, and September 28, 2024, were initially leaked on February 11, 2025, by an individual who goes by the handle ExploitWhispers , who claimed that they released the data because the group was targeting Russian banks. The identity of the leaker remains a mystery. Black Basta first came under the spotlight in April 2022, using the now-largely-defunct QakBot (aka QBot) as a delivery vehicle. According to an advisory published by the U.S. government in May 2024, the double extortion crew is estimated to have targeted more than 500 private industry and critical infrastructure entities in North America, Europe, and Australia. Per Elliptic and Corvus Insurance, the prolific r...

The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday warned of renewed activity from an organized criminal group it tracks as UAC-0173 that involves infecting computers with a remote access trojan named DCRat (aka DarkCrystal RAT). The Ukrainian cybersecurity authority said it observed the latest attack wave starting in mid-January 2025. The activity is designed to target the Notary of Ukraine. The infection chain leverages phishing emails that claim to be sent on behalf of the Ministry of Justice of Ukraine, urging recipients to download an executable, which, when launched, leads to the deployment of the DCRat malware. The binary is hosted in Cloudflare's R2 cloud storage service. "Having thus provided primary access to the notary's automated workplace, the attackers take measures to install additional tools, in particular, RDPWRAPPER, which implements the functionality of parallel RDP sessions, which, in combination with the use of the BORE utility...

The first quarter of 2025 has been a battlefield in the world of cybersecurity. Cybercriminals continued launching aggressive new campaigns and refining their attack methods. Below is an overview of five notable malware families, accompanied by analyses conducted in controlled environments. NetSupport RAT Exploiting the ClickFix Technique In early 2025, threat actors began exploiting a technique known as ClickFix to distribute the NetSupport Remote Access Trojan (RAT).  This method involves injecting fake CAPTCHA pages into compromised websites, prompting users to execute malicious PowerShell commands that download and run the NetSupport RAT.  Once installed, this RAT grants attackers full control over the victim's system, allowing activities such as real-time screen monitoring, file manipulation, and execution of arbitrary commands. Main technical characteristics of NetSupport RAT Attackers can view and control the victim's screen in real time. Uploads, downloads, m...