ALL POSTS

Key Findings Polish authorities have arrested a 47-year-old man accused of being an affiliate for the Phobos ransomware group. The suspect faces up to five years in prison for producing, obtaining, and sharing computer programs used to conduct cyberattacks. The arrest was part of a larger Europol-led operation called "Phobos Aetor" that targeted individuals involved with Phobos ransomware attacks. Background Phobos ransomware has claimed over 1,000 victims globally and receiv

Key Findings North Korean IT operatives are applying to remote positions using real LinkedIn accounts of individuals they are impersonating The goal is to secure jobs at Western companies and conduct espionage, data theft, and ransomware attacks The threat is tracked by the cybersecurity community as Jasper Sleet, PurpleDelta, and Wagemole The impersonated LinkedIn profiles often have verified workplace emails and identity badges to appear legitimate Once employed, the DPRK w

Key Findings Exploitation of public-facing applications remained the top method of initial access, though it declined from 62% to about 40% of engagements. Phishing was the second-most common tactic, notably targeting Native American tribal organizations, and credential harvesting often led to further internal attacks. Ransomware incidents continued to fall, making up only 13% of cases, with Qilin ransomware still dominant. Background Cisco Talos Incident Response's report fo

Key Findings Symantec and VMware Carbon Black researchers have uncovered a new ransomware strain called Osiris, used in a November 2025 attack against a major Southeast Asian food service franchise operator. Osiris leverages the POORTRY driver in a bring-your-own-vulnerable-driver (BYOVD) attack to disable security software on targeted systems. The new ransomware has full-featured capabilities, including the ability to stop services and processes, select files and folders to

Key Findings GootLoader malware uses malformed ZIP files made of hundreds of concatenated archives to evade detection. GootLoader is used by ransomware actors for initial access, then handed off to others. GootLoader runs on an access-as-a-service model and has been known to deliver threats like SunCrypt, REvil, Kronos, and Cobalt Strike. The ZIP file is intentionally broken so many security and analysis tools can't open it, but Windows can, helping the malware avoid detectio

Key Findings Ukrainian and German police raided homes linked to alleged Black Basta ransomware members, identifying two Ukrainian suspects. Law enforcement issued an international wanted notice for the group's alleged Russian ringleader, Oleg Nefedov. Black Basta ransomware-as-a-service (RaaS) has been active since April 2022, impacting over 500 organizations worldwide and causing hundreds of millions of dollars in damage. The cybercrime group has infected over 329 victims, i

Key Findings Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta. The group's alleged leader, a 35-year-old Russian national named Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been added to the European Union's Most Wanted and INTERPOL's Red Notice lists. The accused individuals specialized in technical hacking, including credential theft and "has

Key Findings A new ransomware family called DeadLock was discovered in July 2025, distinguished by its innovative abuse of Polygon smart contracts to manage its command-and-control (C2) infrastructure. DeadLock embeds the proxy URL directly into the blockchain via a `setProxy` function, creating an immutable and resilient communication channel that is difficult for law enforcement to take down. This "EtherHiding" technique echoes methods previously observed with North Korean

Key Findings Everest ransomware group claims to have breached Chrysler systems and stolen over 1TB of data Stolen data includes extensive customer, dealer, and internal records spanning 2021-2025 Over 105GB of Salesforce-related information is reportedly part of the stolen data Screenshots show customer interaction logs, agent work logs, and potential HR/identity records Everest has threatened to publish the full dataset and audio recordings if demands are not met Chrysler ha

Key Findings: Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, pleaded guilty to multiple crimes stemming from his involvement in a string of ransomware attacks targeting U.S. and Europe-based organizations from mid 2018 to late 2021. Stryzhak faces up to 10 years in jail for conspiracy to commit fraud, including extortion. Authorities are still looking for Stryzhak's alleged co-conspirator Volodymyr Tymoshchuk and announced a $11 million reward for informatio

Key Findings Ransomware payments reported to FinCEN exceeded $4.5 billion by 2024 2023 marked a record year with $1.1 billion in ransomware payments across 1,512 incidents From 2022 to 2024, organizations reported 4,194 ransomware incidents and over $2.1 billion in payments In comparison, from 2013 to 2021, FinCEN logged 3,075 reports totaling about $2.4 billion Background FinCEN analyzed ransomware trends using Bank Secrecy Act (BSA) reports filed from January 2022 to Februa

Key Findings: A new packer-as-a-service offering called "Shanya" has been gaining popularity among ransomware groups. Shanya offers features like AMSI bypass, UAC bypass, runtime protection, and anti-VM/sandbox evasion. Early samples of the Shanya crypter contained revealing information about its purpose and development. The Shanya packer has been detected in a wide geographic distribution, with higher prevalence in certain countries like Tunisia and the UAE. The packed execu

Key Findings The U.S. Treasury Department, along with officials from the U.K. and Australia, imposed sanctions on two Russian bulletproof hosting providers and their key personnel. The targeted providers, Media Land and its subsidiaries, are accused of supporting ransomware operations and other cybercrime activities. The sanctions also targeted individuals and companies that helped the previously sanctioned Aeza Group evade sanctions and reconstitute their operations. Cybercr

Background Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities. The extension, named "susvsex," was uploaded on November 5, 2025, by a user named "suspublisher18." The extension was designed to automatically activate itself on any event, including installing or when launching VS Code, and invoke a function named "zipUploadAndEncrypt." Extension Functionality The "zipUploadAndEncrypt" function creates a Z

Background Google's Threat Intelligence Group (GTIG) has identified a new generation of malware that is using AI during execution to mutate, adapt, and collect data in real-time, helping it evade detection more effectively. Cybercriminals are increasingly using AI to build malware, plan attacks, and craft phishing lures. Recent research shows AI-driven ransomware like PromptLock can adapt during execution. Malware with Novel AI Capabilities GTIG has identified malware familie