Showing posts with the label Ransomware

Beware: Anubis Ransomware Now Hitting Android and Windows Devices

A sophisticated new ransomware threat has emerged from the cybercriminal underground, presenting a serious challenge to both enterprise and personal security. Dubbed Anubis, this malware not only encrypts files but also steals login credentials, targeting Android and Windows platforms alike. First identified in November 2024, Anubis represents a concerning evolution in malware design: it merges the destructive power of traditional ransomware with the stealthy credential-theft techniques usually associated with banking trojans. This dual-function approach has helped Anubis gain traction quickly among cybercriminals and establish itself as a significant threat in the wild.

A Rising Threat Amid a Surge in Ransomware Activity

Anubis has appeared during a global rise in ransomware incidents. Recent threat intelligence shows a 25% increase in publicly listed ransomware victims and a 53% rise in leak sites operated by ransomware gangs. Th...

Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery

Cybersecurity researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated with a Russian bulletproof hosting provider named Proton66. The activity, detected since January 8, 2025, targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs last week. "Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute-force attempts," security researchers Pawel Knapczyk and Dawid Nesterowicz said. "Several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years." The Russian autonomous system Proton66 is assessed to be linked to another autonomous system named PROSPERO. Last year, French security firm Intrinsec detailed their connections to bulletproof services marketed on Russian cybercrime forums under the ...

Infosecurity Europe 2024: Ransomware and AI threats drive surge in cybersecurity investments

Infosecurity Europe, the premier information security event, will take place at ExCeL London from 4-6 June 2024. The event has unveiled further insights from its 2024 Cybersecurity Trends, Obstacles and Opportunities report, emphasising the growing concern among cybersecurity leaders regarding ransomware and AI-generated attacks. Nearly 40% of respondents indicated that these threats are driving increased investment in cyber defences.

Rising threats prompt increased cybersecurity investment

The latest findings highlight the urgency for organisations to stay ahead of evolving cyber threats. With attacks becoming more frequent, complex, and damaging, businesses are ramping up their resources to bolster defences and enhance resilience. This heightened investment underscores the critical role of cybersecurity in protecting sensitive data, preserving customer trust, and ensuring business continuity.

Ransomware: A persistent threat

Ransomware remains a significant concern, an...

CISA ransomware warning program will launch this year

The Cybersecurity and Infrastructure Security Agency (CISA), an arm of the Department of Homeland Security, is rolling out a program that warns organizations about potential ransomware attacks, CyberScoop reports. The program is currently running as a pilot and will be fully operational by the end of 2024. About 7,000 organizations have signed up for the pilot, and CISA has issued 2,049 warnings since the pilot launched in January 2023. "The warning pilot is focused on reducing the prevalence of ransomware by using our vulnerability scanning tools to let businesses know if they have vulnerabilities that need to be patched," CISA Director Jen Easterly told CyberScoop. To receive alerts, organizations need to sign up for CISA's Cyber Hygiene scanning service. According to CISA's FAQ page for the program, the service "[e]valuates external network presence by executing continuous scans of public, static IPv4s for accessible services and vulnerabilities. This service provides weekly vulnerability r...

Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure

U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the tactics and techniques the threat actors have adopted to deploy the file-encrypting malware. "Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars," the government said. The advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Phobos has been active since May 2019, and multiple variants have been identified to date, namely Eking, Eight, Elbie, Devos, Faust, and Backmydata. Late last year, Cisco Talos revealed that the threat ...

Hello Kitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker that could result in remote code execution. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7 disclosed in a report published Wednesday. "Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October." The intrusions are said to involve exploitation of CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands. The vulnerability carries a CVSS score of 10.0, the maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.1...

Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld. Cybersecurity firm Securonix, which has dubbed the campaign DB#JAMMER, said it stands out for the way the toolset and infrastructure are employed. "Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity. "The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld." Initial access to the victim host is achieved by brute-forcing the MS SQL server, using it to enumerate the database, and leveraging the xp_cmdshell configuration option to run shell commands and conduct reconnaissance. The next stage entails taking steps to impair the system firewall and establish persistence by c...
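The xp_cmdshell abuse described in this excerpt comes down to two things a defender can check directly on the instance: whether the option is enabled, and which logins could turn it back on after a successful brute force. The T-SQL below is an added example, not code from the Securonix report or from the DB#JAMMER toolset. It shows the configuration state the attackers rely on, the commands that re-disable it, a narrowing of the brute-force surface, and a read of the SQL Server error log for the failed-login events (error 18456) that a password-guessing run leaves behind. The login name [app_user] is a hypothetical placeholder.

```sql
-- Added example (not from the Securonix write-up or the DB#JAMMER toolset).
-- Run as a sysadmin on the instance under review.

-- 1. Exposure check: is xp_cmdshell enabled? value_in_use = 1 means a login
--    holding sysadmin can run OS commands through the SQL Server service account.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. What a brute-forced sysadmin login gives the attacker (shown, not executed):
--    EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
--    EXEC sp_configure 'xp_cmdshell', 1;          RECONFIGURE;
--    EXEC xp_cmdshell 'whoami /all';

-- 3. Hardening: turn xp_cmdshell off and hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Shrink the brute-force surface: disable 'sa' (use a differently named
--    sysadmin login instead) and make SQL logins inherit the Windows password
--    policy, including account lockout. [app_user] is a hypothetical login name.
ALTER LOGIN [sa] DISABLE;
ALTER LOGIN [app_user] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 5. Detection: failed logins (error 18456) in the current error log. Each entry
--    names the login and the client address, so a spray against 'sa' from one IP
--    stands out. Requires login auditing of failed logins (the default setting).
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed', N'18456';

-- 6. Step 3 is only as good as the set of logins that can undo it: list every
--    SQL login, Windows login and Windows group currently in the sysadmin role.
SELECT sp.name, sp.type_desc
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND sp.type IN ('S', 'U', 'G');
```

Disabling xp_cmdshell alone does not close the door, because any sysadmin login can re-enable it with sp_configure; that is why the example pairs the hardening step with an inventory of sysadmin members and a look at who has been failing to authenticate.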