#CyberExtortion

Latest posts tagged with #CyberExtortion on Bluesky


Posts tagged #CyberExtortion

Post image

Hive0163 Uses AI Malware For Ransomware
Read More: buff.ly/BMLssgq

#Hive0163 #Slopoly #AIgeneratedMalware #RansomwareThreat #LLMAbuse #CyberExtortion #ThreatIntel #Infosec

0 1 0 0
Preview
The Middle-Aged Face of Cybercrime: New Data Shatters the Hoodie Hacker Myth

New Orange Cyberdefense data shows 35-to-44 year olds account for 37% of cybercrime arrests, shattering the teenage hacker stereotype.

The Middle-Aged Face of Cybercrime: New Data Shatters the Hoodie Hacker Myth

#Cybercrime #CyberSecurity #Ransomware #CyberExtortion #AusNews #Tech

thedailyperspective.org/article/2026-03-03-the-m...

0 0 0 0
Preview
Researchers Identify Previously Undocumented Malware Used in World Leaks Intrusions

Cybersecurity researchers have identified a newly developed malicious software tool being used by the extortion-focused cybercrime group World Leaks, marking a notable development in the group's technical capabilities. According to findings published by the cybersecurity research division of Accenture, the malware has not been observed in prior investigations and appears to be custom-built for covert operations within victim networks. The researchers have designated the tool "RustyRocket" to distinguish it from previously documented malware families.

Analysts explain that RustyRocket functions as a long-term persistence mechanism. Instead of triggering immediate disruption, the malware is designed to quietly embed itself within compromised systems, allowing attackers to remain present for extended periods without raising alarms. This hidden presence enables threat actors to move through internal networks, quietly extract sensitive information, and route network traffic through compromised machines. Security experts involved in the research noted that the tool had operated unnoticed until its recent discovery, underscoring the challenges organizations face in detecting advanced covert threats.

Although World Leaks is commonly categorized as a ransomware group, its operations differ from traditional ransomware campaigns that encrypt files and demand payment for decryption keys. Rather than denying access to data, the group prioritizes unauthorized data collection. Victims are pressured with the threat of having confidential corporate and personal information publicly disclosed if payment demands are not met. This model places reputational damage, regulatory penalties, and legal exposure at the center of the extortion strategy.

The group has publicly claimed responsibility for attacks against large international corporations. In one widely reported incident, World Leaks alleged that a major global sportswear company declined to comply with extortion demands, after which a substantial volume of internal documents was released. As with many threat actor statements, independent verification of the full scope of such claims remains limited, underlining the importance of cautious attribution in cyber incident reporting.

From a technical perspective, RustyRocket is written in the Rust programming language and engineered to operate across both Microsoft Windows and Linux environments. This cross-platform design allows the malware to function in mixed enterprise infrastructures, increasing its usefulness to attackers. Researchers describe the tool as a combined data extraction and network proxy utility, capable of transferring stolen information through multiple layers of encrypted communication. By masking malicious traffic within normal network activity, the malware makes detection by conventional security tools comparatively more difficult.

The tool also incorporates an execution safeguard that requires attackers to supply a pre-encrypted configuration file at runtime. Without this configuration, the malware remains dormant. This feature complicates forensic analysis and reduces the likelihood that automated security systems will successfully analyze or neutralize the tool.

Investigators assess that World Leaks has been active since early 2025 and typically gains initial access through social engineering techniques, misuse of compromised credentials, or exploitation of externally exposed systems. Once inside a network, tools like RustyRocket enable attackers to quietly maintain their presence while systematically collecting data for later extortion. Security specialists warn that RustyRocket reflects a broader turn in cybercriminal operations toward stealth-based, intelligence-gathering intrusions rather than overtly disruptive attacks.

To reduce exposure, organizations are advised to closely monitor unusual outbound data transfers and enforce strict network segmentation. These measures can limit an attacker's ability to move across systems and reduce the volume of data that can be silently extracted. The rise of RustyRocket illustrates how extortion groups are increasingly investing in custom malware designed to evade traditional defenses, reinforcing the need for continuous security testing, proactive threat monitoring, and workforce preparedness to counter evolving attack methods.

Researchers Identify Previously Undocumented Malware Used in World Leaks Intrusions #CyberExtortion #DataLeaks #malware

0 0 0 0
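The advice in the post above to monitor unusual outbound data transfers, and the relay behaviour it attributes to RustyRocket, as an added example that is not part of the original post or of Accenture's research: a small Go program that aggregates flow records, flags internal hosts whose outbound volume to external addresses far exceeds the fleet median, and flags internal hosts that receive a large volume from another internal host and push a comparable volume outward, the proxy pattern described. The address-space check (`isInternal`), the thresholds, and the flow records themselves are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Flow is one summarised connection record: bytes sent from Src to Dst.
type Flow struct {
	Src, Dst string
	Bytes    int64
}

// SampleFlows is constructed for this example; it is not traffic from any real incident.
// 10.0.0.20 receives ~3 MB from 10.0.0.9 and pushes a similar amount out (relay pattern);
// 10.0.0.30 sends 2.5 MB straight out; the rest is ordinary web-sized traffic.
var SampleFlows = []Flow{
	{"10.0.0.5", "203.0.113.10", 120_000},
	{"10.0.0.6", "203.0.113.10", 90_000},
	{"10.0.0.7", "203.0.113.10", 110_000},
	{"10.0.0.8", "203.0.113.10", 100_000},
	{"10.0.0.9", "10.0.0.20", 3_000_000},
	{"10.0.0.20", "198.51.100.7", 3_100_000},
	{"10.0.0.12", "10.0.0.13", 5_000_000}, // internal-only copy: must not be flagged
	{"10.0.0.30", "198.51.100.8", 2_500_000},
}

// isInternal is an assumed stand-in for the reader's own address-space check.
func isInternal(host string) bool { return strings.HasPrefix(host, "10.") }

// OutboundByHost sums bytes each internal host sends to non-internal destinations.
func OutboundByHost(flows []Flow) map[string]int64 {
	out := map[string]int64{}
	for _, f := range flows {
		if isInternal(f.Src) && !isInternal(f.Dst) {
			out[f.Src] += f.Bytes
		}
	}
	return out
}

// median is the fleet baseline: unlike a mean it is not dragged up by the hosts we hunt.
func median(v []int64) int64 {
	if len(v) == 0 {
		return 0
	}
	s := append([]int64(nil), v...)
	sort.Slice(s, func(i, j int) bool { return s[i] < s[j] })
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

// FlagOutliers returns internal hosts whose outbound volume exceeds factor x the fleet
// median, but never less than floor bytes, so an idle fleet does not flag itself.
func FlagOutliers(flows []Flow, factor float64, floor int64) []string {
	out := OutboundByHost(flows)
	totals := make([]int64, 0, len(out))
	for _, b := range out {
		totals = append(totals, b)
	}
	threshold := int64(factor * float64(median(totals)))
	if threshold < floor {
		threshold = floor
	}
	var flagged []string
	for h, b := range out {
		if b > threshold {
			flagged = append(flagged, h)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// FlagRelays returns internal hosts that look like proxies: they receive traffic from
// another internal host and send a comparable volume (within tolerance) to the outside.
func FlagRelays(flows []Flow, tolerance float64) []string {
	out := OutboundByHost(flows)
	in := map[string]int64{}
	for _, f := range flows {
		if isInternal(f.Src) && isInternal(f.Dst) {
			in[f.Dst] += f.Bytes
		}
	}
	var flagged []string
	for h, recv := range in {
		sent := out[h]
		if recv == 0 || sent == 0 {
			continue
		}
		ratio := float64(sent) / float64(recv)
		if ratio >= 1-tolerance && ratio <= 1+tolerance {
			flagged = append(flagged, h)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	fmt.Println("volume outliers:", FlagOutliers(SampleFlows, 5, 1_000_000))
	fmt.Println("relay candidates:", FlagRelays(SampleFlows, 0.2))
}
```

The relay check deliberately ignores internal-to-internal copies with no external leg (10.0.0.12 to 10.0.0.13 above), which is exactly the traffic that segmentation alerts on volume alone would misfire on; in production the flow source would be NetFlow, Zeek conn logs or a cloud flow log, and the median would be computed per peer group rather than across the whole fleet.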
Preview
Please Don’t Feed the Scattered Lapsus ShinyHunters

A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even…

🔗 read more: krebsonsecurity.com/2026/02/plea...

#ransomNews #SLSH #CyberExtortion

1 0 0 0
Post image

🔎 Scattered Lapsus ShinyHunters ramp up extortion chaos

SLSH terrorizes victim firms with harassment, threats, swatting and media manipulation to force payouts, and experts warn that negotiating only fuels more malicious pressure without guaranteed data return.

#ransomNews #SLSH #CyberExtortion

1 1 1 0
Post image

Cl0p Targets Australian IT Providers
Read More: buff.ly/KtJN8Nz

#Cl0p #CyberExtortion #AustraliaCyber #DarknetLeaks #SupplyChainRisk #RansomwareThreat #ThreatActors #CyberCrime

0 0 0 0
Post image

Mandiant Finds Vishing Attacks Stealing MFA
Read More: buff.ly/z5IK3us

#Vishing #MFABypass #ShinyHunters #SocialEngineering #CloudSecurity #IdentityAttack #ThreatResearch #CyberExtortion

0 0 0 0
Video

The Nike data leak is a masterclass in modern cyber extortion. 1.4 terabytes of internal files were exposed before being yanked offline. 📁

Full details and sources: s.vp.net/KbYNf

#Nike #DataLeak #WorldLeaks #CyberSecurity #CyberExtortion

0 0 1 0
Post image

Key Apple Nvidia Tesla Supplier Breached
Read More: buff.ly/1vQqIfe

#Ransomware #SupplyChainSecurity #ManufacturingCyber #IPTheft #RansomHub #CyberExtortion #Infosec

0 0 0 0
Preview
Black Basta Under Pressure After Ukraine Germany Enforcement Operation

Investigators say the Black Basta ransomware campaign left a trail of disruption that extended across Europe and beyond, impacting everything from hospital wards to industrial production lines that were abruptly halted, in some cases resulting in a temporary ban on internet and phone use. Prosecutors from the German Federal Ministry of Justice, along with international law enforcement partners, now believe that the trail of this extortion, the most damaging in recent years, can be traced back to one individual whom they describe as the driving force behind the operation.

There has been an investigation into whether Oleg Nefedov was the architect and operational leader of the Black Basta group. Authorities have identified him as a Russian national and accuse him of coordinating a massive ransomware campaign against companies and public institutions across multiple continents by forming and leading an overseas criminal organization. Investigators suspect that Nefedov was responsible for leading the organization's core activities, including selecting targets, recruiting affiliates, orchestrating intrusions, and negotiating ransoms, while the proceeds were laundered via cryptocurrency wallets and distributed among all participants in the scheme. Investigators also analyzed Black Basta's online aliases and its suspected ties to a now-defunct ransomware collective named Conti, reinforcing the assessment that Black Basta arose from an advanced and interconnected cybercrime ecosystem that has matured over many years.

Officials from the Federal Republic of Germany have confirmed that Nefedov still resides in Russia and that he has been placed on Interpol's international wanted list, an indication that European authorities have intensified their efforts to identify and pursue the individuals behind cyber extortion committed on an industrial scale. The Federal Criminal Police Office of Germany has confirmed that Oleg Nefedov, a 36-year-old Russian national, is suspected of being one of the leaders of the Black Basta ransomware group. He is charged with forming criminal organizations abroad, orchestrating large-scale extortion crimes, and committing related cyber crimes.

Investigators allege that Nefedov was the group's central coordinator. During his time with the group, according to the investigation, Nefedov selected targets, recruited and managed members, assigned operational roles, negotiated ransom demands, and distributed extorted proceeds, which were usually paid in cryptocurrency. He operated under several aliases on the internet (including tramp, tr, gg, kurva, AA, Washingt0n, and S.Jimmi), and authorities say he may have maintained a connection to the now-defunct Conti ransomware group. According to German authorities, Nefedov is believed to be in Russia at the moment, though his exact location remains unclear. Interpol has also added him to a global wanted list.

In recent months, the investigation has been further strengthened by numerous disclosures and enforcement actions. A leaked internal chat log attributed to Black Basta gave rare insight into the group's organization, operations, and communications, and exposed identifying information about the individuals involved, providing a view of the organization's inner workings and daily operations.

According to cybersecurity researchers, many Black Basta members previously operated within criminal networks closely linked to the Conti and Ryuk ransomware strains, as well as the TrickBot banking trojan, operations that have led Western governments to identify and sanction more than a dozen individuals for their involvement in such attacks. According to researchers and investigators, Black Basta is the result of the collapse of Conti, a ransomware operation which fragmented into smaller, semi-autonomous cells after it shut down. In a recent study published by the International Security Agency, Black Basta has been widely interpreted as a rebranding of the former Conti infrastructure, with many of those splinter groups either embedding themselves into existing ransomware schemes or controlling existing operations.

This view has been reinforced by a review of leaked internal communications by Trellix researchers. According to those who reviewed the Black Basta chat logs, GG and Chuck exchanged emails about a purported $10 million reward for information about an individual referred to as "tr" or "-amp," which researchers believe corresponds to a bounty offered by the U.S. Government for information leading to the identification of key Conti figures, including the hacker known as Tramp. Additionally, Trellix researchers found that within the leaked conversations, GG was identified as Tramp, who had for some time been regarded as Conti's leader, by a participant called "bio," sometimes known as "pumba," a figure previously connected to the Conti organization. These findings echo those released in February 2022, when a researcher revealed Conti's internal chats in the aftermath of the Russian invasion of Ukraine, revealing internal dynamics and explicitly referring to Tramp as leader of the group.

It is well known that such leaks have long been a source of attribution efforts within the cybersecurity industry, but German authorities say that their current case rests on evidence gathered through intelligence and investigation on the German side. Oleg Nefedov has been formally identified as the head of the Black Basta ransomware group by Europol, and the Interpol red notice database has been updated with his name. This is a crucial step in the international effort to investigate the group's activities, marking a decisive step toward accountability for the group.

The damage is the result of attacks on more than 500 organizations across North America, Europe, and Australia by means of Black Basta's ransomware-as-a-service model, which was active since April 2022 and caused hundreds of millions of dollars in damage in the process. German authorities also announced two suspects in western Ukraine who were allegedly acting as hash crackers in order to help facilitate network intrusions, data theft, and ransomware deployment. Police seized digital devices and cryptocurrency during raids related to the case and are currently conducting forensic analysis of the evidence.

Official figures underscore the scale of the damage attributed to the group. An official press release from the German authorities stated that documented Black Basta attacks have caused prolonged operational disruptions at over 100 companies in Germany, as well as over 700 organizations worldwide, including hospitals, public institutions, and government agencies. In Germany, losses are estimated to exceed 20 million euros in the next few years.

Research conducted in December 2023 by blockchain analytics firm Elliptic and Corvus Insurance found that over the course of the preceding four years, the group accumulated at least $107 million in Bitcoin ransom payments, paid by over 329 victims in 31 countries. A detailed analysis of blockchain transactions also revealed a clear financial and operational link between Black Basta and Conti, which supported the conclusion of law enforcement that this syndicate grew out of a well-established, interconnected cybercrime ecosystem.

In light of the scope and selectivity of Black Basta's operations, it is evident why it has been a top priority for law enforcement and security researchers. A number of victims have been confirmed, including German defense contractor Rheinmetall, Hyundai's European division, BT Group, United States healthcare provider Ascension, ABB, the American Dental Association, U.K.-based outsourcing company Capita, the Toronto Public Library, Yellow Pages Canada, and others. According to the researchers, the group did not operate in an indiscriminate manner, but applied a targeted strategy based on geography, industry, and organizational revenue, while also closely tracking geopolitical developments in order to reduce the likelihood of retaliation from law enforcement agencies. Black Basta was known for targeting large, high-revenue organizations with the ability to pay large ransoms. Based on internal communications, it appears that entities in both the United States and Germany were the most likely to pay a ransom.

Accordingly, that assessment is reflected in activity observed on the group's leak site: 57 percent of victims listed between April 2022 and January 2025 were in the United States, with Germany accounting for 12 percent, while additional victims were observed throughout Europe, Asia Pacific, and the Americas. Several leaks of the group's internal chats have offered rare insight into its internal structure, financial management, and extortion practices, which has strengthened efforts to identify key actors and disrupt their operations by exposing real-world names and financial transactions.

Although Black Basta's data leak site is currently offline, analysts warn that the group still has the resources and incentives to re-emerge, either by adopting a new name or partnering with other ransomware crews, illustrating how authorities continue to face challenges in dismantling entrenched cybercrime networks rather than simply disrupting them.

Together, these findings present a detailed portrayal of a ransomware operation that developed out of a fractured but resilient cybercrime ecosystem into a global enterprise with far-reaching consequences. Having identified an alleged leader, along with financial tracing, leaked internal communications, and coordinated international enforcement, German authorities state that the investigation has matured, with an emphasis not only on disruption but also on attribution and accountability for ransomware. It should be noted that while law enforcement actions have slowed Black Basta's visible activities, experts and officials agree that dismantling such networks will take years, especially when key figures are believed to be operating in jurisdictions beyond the reach of law enforcement officials.

In addition to demonstrating the extent of the harm caused by ransomware campaigns, the case also highlights the growing determination of governments to pursue those responsible, even as the broader cybercrime landscape continues to evolve, fragment, and resurface.

Black Basta Under Pressure After Ukraine Germany Enforcement Operation #BlackBasta #ContiRansomware #CyberExtortion

0 0 0 0
Post image

Brightspeed Probes Possible Cyberattack
Read More: buff.ly/ev4uDzv

#Brightspeed #DataBreachInvestigation #ISPsecurity #CustomerData #CyberExtortion #ThreatActors #BreachAlert

0 0 0 0
Preview
Ransomware Profits Shrink Forcing Criminal Gangs to Innovate

Ransomware networks are increasingly using unconventional channels to recruit new operators. Using blatant job-style announcements online, these networks are enlisting young, inexperienced operators with all sorts of job experience in order to increase their payouts. A Telegram post from a channel connected to an underground collective emphasizes the importance of female applicants, dismisses nationality barriers, and explicitly welcomes people with no previous experience, promising to train recruits "from scratch" while emphasizing the expectation that they will learn rapidly. The position was advertised as being available on weekdays between 12 p.m. and 6 p.m. Eastern Time and compensated at $300 per successful call, paid out exclusively in cryptocurrency. It was far from a legitimate job offer, but it served as a gateway into a thriving criminal ecosystem known as The Community or The Com, a loosely connected group of about 1,000 individuals, many of whom are children in middle and high school.

In order to operate, the network relies on fluid, short-lived alliances, constantly reshaping its structure in what cybersecurity researcher Allison Nixon calls an "infernal soup" of overlapping partnerships, which recur continuously. Since 2022, the collective and its evolving offshoots have carried out sustained intrusion campaigns against large corporations across the United States and the United Kingdom under names including Scattered Spider, ShinyHunters, Lapsus$, SLSH, and many others. It is estimated that these attacks, which include data breaches, credential theft, account takeovers, spear phishing, and digital extortion, may have compromised companies with a combined market value of more than $1 trillion.

In the coming weeks, Silent Push will unveil a new research report based on its cyber intelligence research. Legal documents indicate that at least 120 organizations and brands have been targeted, including Chick-fil-A, Instacart, Louis Vuitton, Morningstar, News Corporation, Nike, Tinder, T-Mobile, and Vodafone, among others.

This indicates that modern ransomware crime rings have undergone a major shift in both their operational strategy and the talent pool they utilize. In a world where profit margins are tightening, ransomware operations are changing, forcing threat actors to choose their victims with greater deliberateness and design attack models that are increasingly engineered. According to Coveware, the analysis division within Veeam, ransomware campaigns are no longer driven by broad, opportunistic targeting, but rather by pressure to extract leverage through precision and psychological manipulation in order to gain a competitive edge. There was a stark shift in corporate behavior during the third quarter that signaled a dramatic change in the ransomware industry. The proportion of victims paying ransoms fell below 25 percent for the first time in the history of ransomware tracking. When payments were made, they reflected an unprecedented contraction: an average of $376,941 with a median payout of $140,000, a two-thirds decline from the previous quarter.

Trust among major enterprises has declined as a result of the downturn, particularly around the claim that stolen data would be permanently deleted after payment. This skepticism has had a material negative impact on exfiltration-only extortion, where ransom compliance has fallen by 19 percent. According to industry researchers, the financial strain has fractured the ransomware economy, with 81 unique data-leak sites recorded in Q3, the highest number to date, as emerging groups fill the void left by larger syndicates exiting the arena with their own ransomware campaigns.

In spite of this dispersion, groups have developed erratic targeting behavior, drawing in markets previously considered peripheral, including Southeast Asia and Thailand in particular. Recently, Russian-speaking crews such as Akira and Qilin have targeted midsize organizations that lack the financial resilience to weather sustained disruption, even if those organizations cannot meet multimillion-dollar demands. It is not only about victim realignment; operators are also exploring a broad range of revenue-enhancement strategies, including insider recruitment and bribery, social engineering of the helpdesk, supply chain compromise, and callback phishing, a tactic first developed in 2021 by the Ryuk group to destabilize defenses by causing victims to contact attackers directly. Cisco Talos research highlights the role of live negotiation, noting that attackers have been using real-time phone interaction to weaponize emotional pressure and adaptive social engineering to increase the effectiveness of attacks. Although raw economic incentives have failed to deliver historical returns, modern ransomware groups have evolved new ways of leveraging influence, as evidenced by recent research.

It has become apparent over the past few months that cybercriminal groups are increasingly embracing high-profile consumer brands in their strategic entanglements, alongside a marked shift in how these brands are defending themselves against such attacks. During the late spring and early summer of 2018, Scattered Spider, a decentralized cybercrime collective known for targeting retail and supply chain organizations, targeted major retailers including Victoria's Secret, United Natural Foods, and Belk, among others. As the incidents unfolded, and the industry as a whole mobilized to defend itself, the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) was established, an intelligence-sharing organization that coordinates the collective cybersecurity defense of retail enterprises.

While RH-ISAC confronted escalating digital threats and tightening security budgets in the retail and hospitality industries, industry intelligence releases indicate a parallel increase in executive alignment and organizational preparedness across the two sectors. A recent RH-ISAC study reflects an increase in the number of chief information security officers reporting directly to senior business leaders, a 12-point increase from the previous year, signaling that cybersecurity has become more integrated into corporate strategy rather than being siloed within IT. Sector leaders have noted that, as a result of this structural shift, security chiefs have become an increasingly important part of commercial decision-making, with their influence extending beyond breach prevention to risk governance, vendor evaluation, and business continuity planning.

The same report showed that operational resilience has emerged as a major priority in the boardroom, ranking at the top for approximately half of the organizations surveyed. During the conference, RH-ISAC's leadership highlighted the industry's need to focus on recovery readiness, incident response coordination, and cross-company intelligence exchange, all of which are now considered essential to maintaining customer trust and continuous supply chains in an environment where reputational damage can often outweigh technical damage. Although some retail and hospitality enterprises still face the challenge of tight security functions and the friction between deploying them rapidly and ensuring that security remains airtight, many enterprises have demonstrated an improved capacity for absorbing and responding to sustained adversarial pressure.

Analysts observe that recent high-profile compromises have not derailed the industry but have instead tested its defenses and, in several cases, validated them. In this regard, the growing emphasis on cyber resilience is moving from aspiration to reality as a result of coordinated response strategies, shared threat intelligence, mitigation frameworks, and incident guidelines that help organizations avoid becoming successive targets. During the center's response, European retail partners were able to share their insights quickly, since they had faced Scattered Spider operations only weeks earlier. As early as April, the same group had breached a number of U.K. retail organizations including Harrods, Marks & Spencer, and the Co-op, prompting emergency advisories to the public from British law enforcement and national cyber agencies.

RH-ISAC held a cross-border intelligence dialogue in light of those developments to gain an in-depth understanding of the group's evolving tactics. Shortly after the U.K. attacks, the organization held a members-only threat briefing with researchers from Mandiant, Google's cyber intelligence division, to review operational patterns, attacker behavior, and defensive weaknesses. RH-ISAC's intelligence coordination with British retailers enabled members to refine attribution signals and enhance their early-warning models before the group escalated operations in North America.

This series of breaches revealed that the collective was heavily dependent on young, loosely affiliated operators, but also that the retail industry was making a marked departure from historically isolated incident management models toward collaborative defenses, intelligence reciprocity, and coordinated response planning. The significant evolution of ransomware in recent years marks the beginning of a new era of cyber defense for consumer-facing industries in which economics, psychology, and collaboration are coming together as critical forces.

In the age of fragmented threat groups, a growing number of recruits, and more manipulative attack models, resilience cannot be based solely on perimeter security. Experts in the field emphasize the importance of pairing rapid threat detection with institutional memory, so that organizations preserve information from every incident, regardless of how quickly attacker infrastructure or affiliations erode. A growing number of organizations are implementing protocols for verifying helpdesk requests, monitoring insider threats, performing supply chain risk audits, and sharing cross-border intelligence. In an era in which human weaknesses are exploited as aggressively as software flaws, these protocols are emerging as non-negotiable defenses.

Meanwhile, the shift toward executive security ownership in retail and hospitality is a blueprint for other sectors as well, since cybersecurity influence needs to be integrated with business strategy rather than buried beneath it. Recommendations for organizations include continuous employee awareness conditioning, stricter playbooks for recovering access, simulated social engineering drills, and incident response alliances that move as fast as an attacker can. Essentially, resilience does not mean never being compromised; it means being able to recover more rapidly, coordinate more effectively, and think quicker than the opposition.

Ransomware Profits Shrink Forcing Criminal Gangs to Innovate #CryptoFundedCrime #CyberExtortion #cyberthreat

0 0 0 0
Preview
CyberVolk Ransomware Fails to Gain Traction After Encryption Misstep   CyberVolk, a pro-Russian hacktivist collective, has intensified its campaign of ransomware-driven intimidation against entities perceived as hostile to Moscow over the past year, marking a notable shift in both the scale and the presentation of its operations. Alongside its attacks, the group has become increasingly adept at carefully constructed visual branding, including the release of stylized ransomware imagery to publicize successful intrusions. These visuals, reinforced by deliberately inflammatory language and a threatening tone, appear intended not simply to announce breaches but to amplify psychological pressure on victims and broader audiences alike. In October 2024, CyberVolk appeared to pursue a clear strategy in ransoming several Japanese organizations, including the Japan Oceanographic Data Center and the Japan Meteorological Agency, for which it claimed responsibility. CyberVolk has reportedly altered the desktop wallpapers of several victims before starting the encryption process, using the act itself as a signal of control and coercion. CyberVolk's plans to venture into the ransomware-as-a-service ecosystem, however, seem to have been undermined by fundamental technical lapses. As part of its strategy to attract affiliates, the group recently launched a new ransomware strain called VolkLocker, positioning it as a RaaS offering designed to expand its operational reach. A SentinelOne research team has found that the malware has severe cryptographic and implementation weaknesses that greatly reduce its effectiveness.
Notably, the encryption key is hardcoded directly into the ransomware binary and also written in plaintext to a hidden file on compromised systems, compounding the error. The ability to extract and reuse the exposed key severely undermines VolkLocker's credibility and viability within the cybercrime market; as a consequence, affected organizations could potentially recover their data without paying a ransom. CyberVolk first caught the attention of the security community last year, when the Infosec Shop and other researchers began documenting its activities and its pro-Russian alignment became known. CyberVolk appears to operate in the same ideological space as outfits such as CyberArmyofRussia_Reborn and NoName057(16), both of which have been linked to the Russian military intelligence apparatus and President Vladimir Putin by US authorities. However, CyberVolk has not been shown to maintain direct ties to the Russian government. CyberVolk also differs operationally from many of its peers: where comparable hacktivist teams tend to focus on disruptive but low-impact distributed denial-of-service attacks, CyberVolk has consistently used ransomware in its campaigns. Researchers note that after repeated bans from Telegram, the group almost disappeared from public view for the first half of 2025, only to resurface in August with a revamped ransomware service based on VolkLocker. The operation shows signs of uneven scaling, combining fairly polished Telegram automation with malware payloads that retain signs of testing and incomplete hardening. VolkLocker is written in Go and designed to work across both Windows and Linux environments.
Its Telegram-based command-and-control functionality handles user communication, system reconnaissance, decryption requests, and the decryption of sensitive data. To configure new payloads, affiliates must provide operational details such as Bitcoin payment addresses, Telegram bot credentials, encryption deadlines, file extensions, and self-destruct parameters. Telegram is one of the backbones of this ecosystem, providing communication, tool distribution, and customer support services. Some operators have reportedly extended the default C2 framework to include keylogging and remote access capabilities. As of November, the group was advertising standalone remote access trojans and keyloggers in addition to its RaaS offerings, with tiered pricing options. The ransomware is capable of escalating privileges, bypassing Windows User Account Control, selectively encrypting files based on pre-defined exclusion rules, and applying AES-256 encryption in GCM mode. The offering underscores CyberVolk's ongoing attempt to mix ideological messaging with the increasingly commercialized nature of cybercrime. Further technical analysis of VolkLocker reveals that the ransomware is shaped by aggressive design choices and critical implementation errors. One of its most notable features is a timer function written in Go that can be configured to initiate a destructive wipe when the countdown expires or when an incorrect password is entered into the HTML ransom note. Upon activation, the routine targets common user directories such as Documents, Downloads, Pictures, and the Desktop, exposing users to permanent data loss.
Access to CyberVolk's ransomware-as-a-service platform costs approximately $800 to $1,100 for a build that supports a single operating system, or $1,600 to $2,200 for a build that supports both Windows and Linux. In the group's early days, affiliates obtained the malware through Telegram-based builder bots that could customize encryption parameters and generate tailored payloads, indicating heavy reliance on Telegram as a delivery and coordination platform. As of November 2025, the same operators have expanded their commercial offerings, advertising standalone remote access trojans and keyloggers for $500 each, further signaling a desire to diversify beyond ransomware into a broader range of tooling. Nevertheless, a serious cryptographic weakness sits at the core of VolkLocker's operation and undermines its effectiveness. During encryption, AES-256 is employed in Galois/Counter Mode with a random 12-byte nonce generated for each file; the original file is then deleted and an extension such as .locked or .cvolk is appended to the encrypted copy. Although the scheme appears strong on paper, researchers found that all files on a victim's system are encrypted with a single master key derived from a 64-character hexadecimal string embedded directly in the binary. Additionally, the same key is written in plaintext to a file named system_backup.key, which is never removed, compounding the problem. This backup appears to be a testing artifact inadvertently left in production builds, and SentinelOne suggests it may help victims recover their data without paying a ransom.
While the flaw offers a rare advantage to those already affected, it is expected that once it is publicly disclosed, the threat actors will take immediate steps to remedy the issue. Most security experts advise that, in general, such weaknesses are best shared with law enforcement and ransomware response specialists through private channels while an operation is ongoing, in order to maximize victim assistance without accelerating adversary adaptation. The modern cyber-extortion economy is sustained by networks of hackers, affiliates, and facilitators that work together to run these campaigns. To understand this landscape, open-source intelligence was gathered from social media activity and media reporting, which highlighted the broad range of actors operating within it. One such group is the Ukrainian-linked UA25 collective, whose retaliatory actions against Russian infrastructure are often accompanied by substantial financial and operational damage and by public claims of responsibility in the media. Such cases underscore the asymmetrical nature of contemporary cyber conflict, in which loosely organized non-state actors can cause outsized damage to much larger adversaries. In this climate, Russian cybercriminal groups often blur the line between ideological alignment and financial opportunism, pushing profit-driven schemes under the banner of political activism. CyberVolk is an example of this hybrid model: it seeks legitimacy through hacktivist rhetoric while monetizing its ransomware activity through extortion and tool sales.
Continuous scrutiny by security firms and independent researchers has, over the past few years, exposed internal operational weaknesses, including flawed cryptographic practices and insecure key handling, which can be leveraged to disrupt campaigns and, in some cases, aid broader law enforcement and takedown efforts. This has also been reported by publications such as The Register. In the near term, analysts warn that ransomware operations will likely become more sophisticated and destructive, with future strains increasingly incorporating elements commonly associated with wiper malware, which encrypts data rather than issuing ransoms. Several regulatory actions, sanctions, and government advisories issued throughout 2025 have laid the foundation for a more coordinated international response to these threats. However, experts warn that meaningful progress will depend on sustained cooperation between governments, technology companies, and private sector firms. In the case of CyberVolk, technical ambition often outweighs execution, yet even faulty operations demonstrate a persistent threat from Russian-linked actors, who continue to adapt despite mounting pressure from the West. Recent sanctions targeting key enablers have disrupted parts of this ecosystem; however, new infrastructure and service providers are likely to fill these gaps over time. Defenders should take note: continued vigilance, proactive threat hunting, and advanced detection and response capabilities remain essential for preventing ransomware from spreading, as the broader contest against ransomware increasingly depends on converting adversaries' mistakes into durable security advantages.
The rise and subsequent missteps of CyberVolk are a timely reminder that the ransomware landscape is evolving in multiple ways: not only in technical sophistication but also in narrative strategy and operational ambition. Although groups may work to increase their impact through political messaging, branding, and commercialized service models, long-term success remains dependent on disciplined engineering and operational security, areas in which even ideologically motivated actors continue to fail. Organizations should take this episode as a reminder of the importance of multilayered defenses that go beyond perimeter security to include credential hygiene, behavioral monitoring, and rapid incident response planning, alongside regular patching, offline backups, and tabletop exercises. It also emphasizes how vital it is to engage with threat intelligence providers in order to identify emerging patterns before they turn into operational disruptions. For policymakers and industry leaders, the case highlights the benefits of coordinated disclosure practices and cross-border collaboration as means of weakening ransomware ecosystems without inadvertently making them more refined. How ransomware groups iterate and rebrand can be as instructive as how they iterate their malware, giving defenders valuable opportunities to anticipate next moves and close gaps before they are exploited. Survival in an environment where both sides adapt will increasingly depend on turning visibility into action and learning from every flaw that is exposed.

CyberVolk Ransomware Fails to Gain Traction After Encryption Misstep #CryptographicVulnerability #CyberAttacks #CyberExtortion

0 0 0 0
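The single-static-key flaw described in the post above, as an added example that is not part of the original post, the linked article, or SentinelOne's analysis: a small Go model of the encrypt-and-recover cycle. It keeps what the post states (AES-256-GCM, a fresh random 12-byte nonce per file, one master key derived from a 64-character hex string, the same key dropped in plaintext as system_backup.key, encrypted copies renamed with .locked) and assumes the rest: the directory is an in-memory map rather than a real filesystem, the key value is made up, and the on-disk layout nonce||ciphertext||tag is a guess the article does not specify. Against a real sample, the key and the layout would have to be carved from the binary or the key file first.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Hypothetical stand-in for the 64-hex-character master key the analysis says is
// embedded in every build; the value is made up for this example.
const embeddedMasterKeyHex = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"

const backupKeyFile = "system_backup.key" // plaintext key file the analysis says is left on disk
const lockedExt = ".locked"               // one of the extensions the article lists

// gcmFor parses the 64-hex-char key and returns an AES-256-GCM AEAD.
func gcmFor(hexKey string) (cipher.AEAD, error) {
	key, err := hex.DecodeString(strings.TrimSpace(hexKey))
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("need a 32-byte hex key (err=%v, len=%d)", err, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal mimics the described per-file scheme: fresh random 12-byte nonce, AES-256-GCM.
// The layout nonce||ciphertext||tag is an assumption of this example.
func seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; GCM's tag check fails loudly on a wrong key or tampering.
func unseal(aead cipher.AEAD, blob []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob shorter than a %d-byte nonce", n)
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// lockAll plays the malware's role on an in-memory directory (name -> contents):
// each file is encrypted under the one static key and renamed with lockedExt,
// and the key is dropped in plaintext as system_backup.key, as the analysis describes.
func lockAll(files map[string][]byte, hexKey string) (map[string][]byte, error) {
	aead, err := gcmFor(hexKey)
	if err != nil {
		return nil, err
	}
	out := map[string][]byte{backupKeyFile: []byte(hexKey)}
	for name, pt := range files {
		blob, err := seal(aead, pt)
		if err != nil {
			return nil, err
		}
		out[name+lockedExt] = blob
	}
	return out, nil
}

// recoverAll plays the responder's role: take the key from system_backup.key if the
// sample left it behind, otherwise the value carved out of the binary, then restore
// every *.locked file. One key covers every file, so nothing per-victim is needed.
func recoverAll(files map[string][]byte) (map[string][]byte, error) {
	hexKey := embeddedMasterKeyHex
	if raw, ok := files[backupKeyFile]; ok {
		hexKey = string(raw)
	}
	aead, err := gcmFor(hexKey)
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte)
	for name, blob := range files {
		if !strings.HasSuffix(name, lockedExt) {
			continue
		}
		pt, err := unseal(aead, blob)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err) // wrong key or corrupted blob
		}
		out[strings.TrimSuffix(name, lockedExt)] = pt
	}
	return out, nil
}

func main() {
	victim := map[string][]byte{"report.txt": []byte("quarterly figures")} // constructed sample
	locked, err := lockAll(victim, embeddedMasterKeyHex)
	if err != nil {
		panic(err)
	}
	restored, err := recoverAll(locked)
	fmt.Printf("recovered %d file(s), err=%v, report.txt=%q\n", len(restored), err, restored["report.txt"])
}
```

The useful property for a responder is the GCM tag check: decrypting one .locked file with a candidate key either succeeds or fails with an authentication error, so a key carved from system_backup.key or from the binary can be validated against a single file before any bulk recovery is attempted, and a build whose operators have since rotated the key is detected immediately rather than producing garbage.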
Preview
Standing Up to Extortion: Lessons from the Checkout.com Breach and the Rise of Vishing Attacks Description This week on Upwardly Mobile, we dive deep into the tactics of the prolific criminal group ShinyHunters and explore how global enterprises are responding to sophisticated cyber extortion attempts in 2025. We analyze two major security incidents that highlight critical vulnerabilities in legacy systems and modern OAuth ecosystems. The Extortion Dilemma: Checkout.com Stands Firm We detail the incident where Checkout.com (https://www.checkout.com/blog/protecting-our-merchants-standing-up-to-extortion) was contacted by ShinyHunters, who demanded a ransom after gaining unauthorized access to a legacy, third-party cloud file storage system. This system was used in 2020 and prior years for internal operational documents and merchant onboarding materials, affecting less than 25% of their current merchant base. Critically, the threat actors did not access merchant funds or card numbers, and the live payment processing platform was not impacted. Checkout.com publicly stated they would not be extorted and refused to pay the ransom. Instead, they are turning this attack into an investment for the entire security industry by donating the ransom amount to Carnegie Mellon University (https://www.cmu.edu/) and the Global Cyber Security Capacity Centre at the University of Oxford (https://gcscc.ox.ac.uk/home-page) to fund cybercrime research. The company accepted full responsibility for the legacy system not being properly decommissioned. The 2025 OAuth and Vishing Wave The episode also examines ShinyHunters' 2025 campaign targeting mobile and web-based enterprise applications, particularly those connected to Salesforce and integrated platforms like Salesloft and Drift. 
These attacks were characterized by sophisticated social engineering and voice phishing ("vishing"), where attackers impersonated IT staff (sometimes using AI-generated voices) to persuade employees to authorize malicious versions of Salesforce tools via mobile or web apps. By exploiting OAuth tokens, ShinyHunters compromised sensitive internal APIs and data from high-profile victims, including Google, Cloudflare, Qantas, Allianz Life, and Adidas. Analysts noted that these techniques bypassed technical controls by abusing human trust, enabling the theft of over 1.5 billion Salesforce records from approximately 760 organizations. These incidents underscore that modern mobile application security is deeply dependent on robust cloud and OAuth ecosystem safeguards. Sponsor This episode of Upwardly Mobile is brought to you by approov.io, helping protect your mobile API access and application endpoints from sophisticated attacks like those utilizing stolen OAuth tokens. Sponsor Link: https://notebooklm.google.com/notebook/approov.io Keywords: ShinyHunters, Cyber Extortion, Ransomware, Legacy System Vulnerability, OAuth Exploitation, Vishing, Voice Phishing, Salesforce Security, Checkout.com, Cybercrime Research, Cloud Security, Supply Chain Attack, Mobile Application Security, Digital Economy Security, Data Breach. Relevant Source Materials and Links https://www.checkout.com/blog/protecting-our-merchants-standing-up-to-extortion ShinyHunters Salesforce Cyberattacks via Vishing and OAuth Exploitation - The Hackernews: Why the ShinyHunters Data Breach vs. 
SaaS highlights vulnerabilities - TrueSec: Cyber extortion group ShinyHunters targets Salesforce customers - CM Alliance: Reports on major cyberattacks and data breaches in September 2025 - EclecticIQ: Analysis of ShinyHunters' financially motivated data extortion group targeting enterprise cloud applications - ReSecurity: Examining the alliance of threat actors and their global cybercrime spree - Obsidian Security: The merger of chaos between ShinyHunters and Scattered Spider in the 2025 Salesforce attacks - Cysecurity News: Coverage of ShinyHunters’ voice phishing attacks - ReliaQuest: Threat spotlight on ShinyHunters targeting Salesforce amid collaboration with Scattered Spider - CloudProtection: Reporting on Salesforce attacks in 2025 - PKWARE: Recent Data Breaches

📣 New Podcast! "Standing Up to Extortion: Lessons from the Checkout.com Breach" on @Spreaker #cloudsecurity #cyberextortion #cybersecurity #databreach #mobilesecurity #oauth #shinyhunters #vishing

0 0 0 0
Preview
What Makes Ransomware Groups Successful? New research revealed successful ransomware groups exhibit three key elements. Spoiler alert: It doesn't all revolve around artificial intelligence.

High profits stem from business-like structure and resilience.

🔗 read more: www.darkreading.com/cyberattacks...

#ransomNews #ransomwareEconomy #cyberextortion

2 0 0 0
Preview
Microsoft Warns: Over Half of Cyberattacks Driven by Extortion and Ransomware, Legacy Security Failing to Keep Up   More than 50% of cyberattacks are now motivated by extortion and ransomware, according to Microsoft’s latest Digital Defense Report. The tech giant revealed that outdated security systems are no longer capable of defending against today’s evolving cyber threats. In its sixth annual report, Microsoft highlighted that around 80% of the cyber incidents its security teams investigated last year were financially motivated. "That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%," said Amy Hogan-Burney, CVP for Customer Security and Trust at Microsoft. She added, "Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit." The report noted that critical public sectors, including hospitals and local governments, are prime targets. These institutions often handle highly sensitive information but operate with limited cybersecurity resources and response capabilities. In many cases, healthcare and other essential services are more likely to pay ransoms due to the critical nature of their operations. Although nation-state-driven attacks account for a smaller share of total incidents, their volume is steadily increasing. Microsoft’s findings show that China continues its aggressive campaigns across industries to steal sensitive data, using covert systems and exploiting internet vulnerabilities to avoid detection. Iran has widened its scope, targeting sectors from the Middle East to North America, including shipping and logistics companies in Europe and the Persian Gulf to gain access to valuable commercial data. 
Meanwhile, Russia has extended its operations beyond Ukraine, focusing on small businesses in pro-Ukraine countries, perceiving them as softer targets compared to larger corporations. Microsoft also identified North Korea as a major concern for both espionage and revenue-driven cyber operations. Thousands of North Korean IT workers are reportedly employed remotely by global companies, funneling their salaries back to the regime. When exposed, some of these operatives have shifted to extortion tactics. "The cyber threats posed by nation-states are becoming more expansive and unpredictable," Hogan-Burney warned. "In addition, the shift by at least some nation-state actors to further leveraging the cybercriminal ecosystem will make attribution even more complicated." She stressed the importance of collaboration: "This underscores the need for organizations to stay abreast of the threats to their industries and work with both industry peers and governments to confront the threats posed by nation-state actors." Microsoft’s report also underscored how artificial intelligence and automation have empowered cybercriminals, even those with minimal expertise, to execute more complex attacks. AI tools are being used to develop malware faster, generate convincing fake content, and enhance phishing and ransomware campaigns. More than 97% of identity attacks are now password-related, with a 32% surge in the first half of 2025 alone. Attackers commonly exploit leaked credentials and use large-scale password guessing. "However, credential leaks aren’t the only place where attackers can obtain credentials," Hogan-Burney explained. "This year, we saw a surge in the use of infostealer malware by cyber criminals. Infostealers can secretly gather credentials and information about your online accounts, like browser session tokens, at scale." 
She added, "Cyber criminals can then buy this stolen information on cyber crime forums, making it easy for anyone to access accounts for purposes such as the delivery of ransomware." The report concludes by urging governments to establish stronger frameworks to ensure credible consequences for cyber activities that breach international laws and norms.

Microsoft Warns: Over Half of Cyberattacks Driven by Extortion and Ransomware, Legacy Security Failing to Keep Up #AIincybersecurity #CyberAttacks #CyberExtortion

0 0 0 0
Preview
Red Hat Data Breach Deepens as Extortion Attempts Surface   The cybersecurity breach at enterprise software provider Red Hat has intensified after the hacking collective known as ShinyHunters joined an ongoing extortion attempt initially launched by another group called Crimson Collective. Last week, Crimson Collective claimed responsibility for infiltrating Red Hat’s internal GitLab environment, alleging the theft of nearly 570GB of compressed data from around 28,000 repositories. The stolen files reportedly include over 800 Customer Engagement Reports (CERs), which often contain detailed insights into client systems, networks, and infrastructures. Red Hat later confirmed that the affected system was a GitLab instance used exclusively by Red Hat Consulting for managing client engagements. The company stated that the breach did not impact its broader product or enterprise environments and that it has isolated the compromised system while continuing its investigation. The situation escalated when the ShinyHunters group appeared to collaborate with Crimson Collective. A new listing targeting Red Hat was published on the recently launched ShinyHunters data leak portal, threatening to publicly release the stolen data if the company failed to negotiate a ransom by October 10. As part of their extortion campaign, the attackers published samples of the stolen CERs that allegedly reference organizations such as banks, technology firms, and government agencies. However, these claims remain unverified, and Red Hat has not yet issued a response regarding this new development. Cybersecurity researchers note that ShinyHunters has increasingly been linked to what they describe as an extortion-as-a-service model. In such operations, the group partners with other cybercriminals to manage extortion campaigns in exchange for a percentage of the ransom. 
The same tactic has reportedly been seen in recent incidents involving multiple corporations, where different attackers used the ShinyHunters name to pressure victims. Experts warn that if the leaked CERs are genuine, they could expose critical technical data, potentially increasing risks for Red Hat’s clients. Organizations mentioned in the samples are advised to review their system configurations, reset credentials, and closely monitor for unusual activity until further confirmation is available. This incident underscores the growing trend of collaborative cyber extortion, where data brokers, ransomware operators, and leak-site administrators coordinate efforts to maximize pressure on corporate victims. Investigations into the Red Hat breach remain ongoing, and updates will depend on official statements from the company and law enforcement agencies.

Red Hat Data Breach Deepens as Extortion Attempts Surface #CyberExtortion #CyberSecurity #Ransomware

0 0 0 0
Salesforce Refuses to Pay Extortion Demand Over 1 Billion Records

Salesforce Refuses to Pay Extortion Demand Over 1 Billion Records

Salesforce said it will not pay the ransom demanded by Scattered LAPSUS$ Hunters, who claim to have stolen about 989.45 million records and set a deadline for Friday. Read more: getnews.me/salesforce-refuses-to-pa... #salesforce #cyberextortion

0 0 0 0

🚨 UPDATE Salesforce

Scattered Lapsus$ Hunters claim fresh victims via new leak site.

The merged cybercrime collective (LAPSUS$, ShinyHunters, Scattered Spider) has launched a new website to announce recent breaches and data dumps.

#ransomNews #ScatteredLapsus #CyberExtortion

2 0 1 1
Post image Post image Post image

Entrapment, extortion, and religious fear—blasphemy accusations in Pakistan are entering the digital age, dangerously.
By Dr. Noreen Saher

Read more: thefridaytimes.com/05-Aug-2025/...

#BlasphemyLaws #DigitalSecurity #HumanRights #PakistanJustice #CyberExtortion #Religious

0 0 1 0
Preview
The 12 Hottest Topics of Digital Evidence and the Changing Legal Landscape In this article, we’re looking at 12 of the latest and hottest activities in the legal landscape regarding digital evidence and open source intelligence (OSINT) such as ransomware, cybercrime, deep fak...

divineintel.com/the-12-hotte...

#CybercrimeTakedowns #PhobosRansomware #HiveRansomware #InternationalCybercrime #DigitalEvidence #LawEnforcement #Cybersecurity #CyberExtortion #CybercrimeInvestigations #ExtraditionCases #DigitalForensics #CriminalNetworks #CyberLaw #DataPrivacy #CybersecurityPolicy

2 0 0 0
Preview
FBI Warns of Luna Moth Extortion Attacks Targeting U.S. Law Firms U.S. law firms are under siege from a stealthy and persistent cyber extortion group known as the Silent Ransom Group.

🚨FBI Warns of Luna Moth Extortion Attacks Targeting U.S. Law Firms🚨 Contact for Security: support@wiretor.com

wiretor.com/srg-attacks-...

#FBIwarning #LunaMoth #SilentRansomGroup #SRG #CyberExtortion #LawFirmCybersecurity #LegalSectorAttack #RansomwareGroup #SocialEngineering #PhishingScam

1 0 0 0
Post image

🚨 PowerSchool Hacker Now Targeting Individual School Districts in Ongoing Extortion Campaign 🚨

wiretor.com/%f0%9f%9a%a8...

#PowerSchool #DataBreach #CyberSecurity #RansomwareAttack #StudentDataLeak #SchoolHack #InfoSec #DataPrivacy #TDSB #CyberExtortion #EdTechSecurity

0 0 0 0

🧵 The Ransom Situation

The attacker is demanding $200M total, with "removal fees" for individual companies.

Two companies have reportedly already paid to have their data excluded from the dataset being sold.

This is now an active extortion campaign.
#CyberExtortion #RansomAttacks

0 0 1 0
Preview
FBI Warns: North Korean IT Workers Extorting U.S. Companies in 2025 North Korean IT workers are stealing source code and extorting employers by exploiting remote work vulnerabilities, the FBI warns.

FBI Warns: North Korean IT Workers Extorting U.S. Companies
#CyberExtortion #RemoteWorkSecurity #FBIWarning #CyberCrime
www.squaredtech.co/fbi-warns-no...

0 0 0 0
Preview
Orange Cyberdefense warns of prolific pro-Russian hacktivist group and releases cybergang mapping tool Orange’s cybersecurity division has uncovered a prolific pro-Russian hacktivist group which is targeting almost exclusively European organisations

DYK, a pro-Russian #hacktivist group is targeting European entities to disrupt public opinion.

Orange’s Cyberdefense report reveals over 6,600 DDoS attacks since March 2022. The #US faces more #cyberextortion, with a 25% YOY rise.

0 0 0 0
Preview
Top Types Of Cyber Extortion Scams And 7 Ways To Stay Safe Protect yourself from rising cyber extortion scams. Learn the top tactics scammers use and seven actionable ways to stay safe from threats, demands and online fraud.

Protect yourself from rising #cyberextortion scams! Here is a way to learn the top tactics scammers use and 7 actionable ways to stay safe from threats, demands, and online fraud.

0 0 0 0
Preview
$75M Ransomware Payment Exposed in New Zscaler Report One of the largest ransomware payouts that’s become public was reported Tuesday by cloud security firm Zscaler. more

One of the largest ransomware payouts that’s become public was reported Tuesday by cloud security firm Zscaler. #Ransomware #Zscaler #DarkAngels #ZeroTrust #CyberExtortion #ITOTConvergence
jpmellojr.blogspot.com/2024/07/75m-...

1 0 0 1