The Symantec and Carbon Black Threat Hunter Team recently released its Ransomware 2026 report, which contains helpful intelligence on the state of ransomware attacks and insight into how they are evolving, despite law enforcement’s success in taking down some of the largest ransomware gangs in 2025.

The very first statement is a sobering reality: “Ransomware activity reached record-high levels in 2025 as criminal actors continued to view extortion as one of the most lucrative forms of attack.”

The report notes that even though RansomHub (the number one ransomware operation) collapsed, there was “only a brief drop in ransomware attacks.” The statistics show that there were 6,182 extortion attacks in 2025, a 23% increase from 2024.

The report outlines the ambitious activities of the various ransomware groups in 2025. It highlights that, although new ransomware groups emerged, they all use similar tactics to achieve a solitary objective: “accessing the victim’s network, obtaining privileges to move laterally across the entire network before exfiltrating data, and delivering an encrypting payload to the maximum number of machines.” The threat actors are able to do this by using legitimate software to evade security measures put in place. “An awareness of the TTPs used by attackers will help organizations prepare their defenses and identify malicious behaviors on their networks.”

The report provides a detailed analysis of the TTPs that should be reviewed by security professionals, and the legitimate software used by threat actors to attack victims.

Finally, the report provides mitigation techniques that organizations can deploy to protect against targeted attacks; these are well worth the read.

The statistics listed in the Quarterly Threat Report: Third Quarter, 2025, issued by Beazley Security are eye-popping. They include:

  • August and September showed a sharp increase in ransomware activity, with those months accounting for 26% and 18% of reported ransomware incidents in the last half year, respectively.
  • Akira, Qilin, and INC Ransomware represented 65% of all ransomware cases, demonstrating a significant increase in attack activity by the largest ransomware operators.
  • Known Exploited Vulnerabilities tracked by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) fell by 26%, yet attackers executed several high-impact exploitation campaigns.
  • Critical vulnerabilities in Cisco and NetScaler remote-access devices increasingly drew attention from attackers.
  • Attacks on SonicWall devices by the Akira ransomware group accelerated in Q3, followed by a prominent MySonicWall data breach impacting all organizations leveraging the backup cloud service.

According to the report, business services were hit the most, followed by professional services and associations, manufacturing & distribution, healthcare, other, education, government, financial institutions, retail, and construction.

Significantly, the report notes that “the most common entry point was the use of valid, compromised credentials to access VPN infrastructure, which continued to grow in distribution this quarter. This trend underscores the importance of ensuring that multifactor authentication (MFA) is configured and protecting remote access solutions and that security teams maintain awareness and compensating controls for any accounts where MFA exceptions have been put in place.” The next category was the exploitation of internet-facing systems and services. A smaller subset included “search engine optimization (SEO) poisoning attacks and malicious advertisements, observed as a method used for initial access in some Rhysida ransomware investigations. This technique places threat actor-controlled websites at the top of otherwise trusted search results, tricking users into downloading fake productivity and administrative tools such as PDF editors.”

The report notes how effective the SonicWall vulnerability has been for threat actors. It concludes that there is an “overlapping threat to customers using SonicWall’s network appliance product line. Going forward, Beazley Security expects threat actors in possession of the stolen configurations will leverage the compromised backup files to launch future, targeted attacks.”

On November 13, 2025, a Cybersecurity Advisory warned that new activity by the Akira ransomware variant “presents an imminent threat to critical infrastructure.” The Advisory was jointly issued by four U.S. agencies, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency, the Department of Defense Cyber Crime Center, and the Department of Health and Human Services, and five international agencies, Europol’s European Cybercrime Centre, France’s Office Anti-Cybercriminalite – French Cybercrime Central Office, Germany’s Generalstaatsanwaltschaft Karlsruhe – Cybercrime-Zentrum Baden-Württemberg and Landeskriminalamt Baden-Württemberg, and the Netherlands’ National Cyber Security Centre.

Akira has been attacking organizations since March 2023, and the most recent Advisory updates an initial alert published in April 2024 warning organizations about Akira, including information about observed tactics, techniques, and procedures (TTPs) that organizations can use to protect themselves against an attack.

Since its inception in approximately March 2023, Akira is reported to have “pocketed $244 million as of late September.” The FBI calls Akira one of the top five ransomware variants currently attacking companies.

According to the Advisory, Akira is primarily targeting “small- and medium-sized businesses, but have also impacted larger organizations across various sectors, with a notable preference for organizations in the manufacturing, educational institutions, information technology, healthcare and public health, financial services, and food and agriculture sectors.”

The Joint Advisory recommends that organizations:

  1. Prioritize remediating known exploited vulnerabilities;
  2. Enable and enforce phishing-resistant multifactor authentication (MFA); and
  3. Maintain regular backups of critical data, ensure backups are stored offline, and regularly test the restoration process.

The Advisory provides useful information, worth your consideration, about measures to take to harden defenses against an attack.

The SafePay ransomware group has been active since fall 2024 and has increased its activity this spring and summer. According to NCC Group, SafePay hit the most victims of any threat actor in May 2025—it is linked to 248 victims to date, according to Ransomware.live and RansomFeed.

The group uses common tactics, including social engineering with telephone calls and spam. One of SafePay’s particular techniques worth informing employees about is sending “a ton of spam, and at the same time, when they are panicking and raising concerns, a call comes from ‘the company’s IT department’ via Microsoft teams.” Posing as a third-party IT department, the threat actors request remote access, then “drop a PowerShell script and often live on the network for up to a week to investigate and another week to slowly move towards exploitation.”

SafePay employs a double extortion model—exfiltrating files that they threaten to leak, and then deploying the ransomware to affect operations and pressure victims to pay. They are targeting private companies in the financial, legal, insurance, health care, and critical services sectors, as well as pivoting to the public sector.

On March 12, 2025, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center to advise companies of the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) of Medusa ransomware so they can protect themselves against it.

According to the advisory:

Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing. The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation.

The advisory provides technical details on how Medusa gains access to systems, including phishing campaigns as the primary method for stealing credentials. The group also exploits unpatched software vulnerabilities, which reinforces the importance of timely patching.

The threat actors exfiltrate the victim’s data and then deploy the encryptor, gaze.exe, against files while disabling Windows Defender and other antivirus tools. The encrypted files use the .medusa file extension. They then contact the victim within 48 hours and use the .onion data leak site for communication.

The advisory lists the IOCs and TTPs used in the attacks. IT professionals may wish to review them and apply mitigation tactics. The mitigations listed in the advisory are lengthy and worth consulting.
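As an added illustration of how the Medusa indicators described above can be turned into a simple detection (this is example code written for this post, not material from the advisory), the following Python script scans constructed endpoint telemetry for three of the behaviors named in the advisory: execution of the gaze.exe encryptor, Windows Defender being disabled, and a burst of files renamed with the .medusa extension. The key=value log format, the field names, the host names and the rename threshold are all assumptions made up for this example; only the gaze.exe name and the .medusa extension come from the advisory as summarized here.

```python
import ntpath
import re
from collections import Counter

# Constructed sample telemetry (not from the advisory). Each line is a simplified
# key=value record; the field names (event, image, dst, ...) are assumptions.
SAMPLE_LOG = """\
ts=2025-03-01T10:00:01 host=ws01 event=process_start image=C:\\Windows\\System32\\svchost.exe user=SYSTEM
ts=2025-03-01T10:02:11 host=ws01 event=defender_config realtime_protection=disabled user=jdoe
ts=2025-03-01T10:02:40 host=ws01 event=process_start image=C:\\Users\\Public\\gaze.exe user=jdoe
ts=2025-03-01T10:03:05 host=ws01 event=file_rename src=C:\\Shares\\finance\\q1.xlsx dst=C:\\Shares\\finance\\q1.xlsx.medusa
ts=2025-03-01T10:03:06 host=ws01 event=file_rename src=C:\\Shares\\finance\\q2.xlsx dst=C:\\Shares\\finance\\q2.xlsx.medusa
ts=2025-03-01T10:03:07 host=ws01 event=file_rename src=C:\\Shares\\hr\\staff.docx dst=C:\\Shares\\hr\\staff.docx.medusa
ts=2025-03-01T10:03:08 host=ws02 event=file_rename src=C:\\Users\\bob\\old.txt dst=C:\\Users\\bob\\old.txt.bak
ts=2025-03-01T10:04:00 host=ws02 event=process_start image=C:\\Apps\\app.exe user=bob
"""

# Indicators taken from the advisory summary above.
MEDUSA_ENCRYPTOR = "gaze.exe"
MEDUSA_EXTENSION = ".medusa"
# Assumed tuning value: how many .medusa renames on one host count as an encryption burst.
RENAME_THRESHOLD = 3

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value record into a dict (values contain no spaces in this format)."""
    return dict(FIELD_RE.findall(line))


def detect_medusa_indicators(log_text, rename_threshold=RENAME_THRESHOLD):
    """Return (host, severity, description) findings for Medusa-like activity."""
    findings = []
    renames = Counter()  # per-host count of files renamed to the .medusa extension
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        host = rec.get("host", "?")
        event = rec.get("event")
        if event == "process_start":
            # ntpath handles Windows paths regardless of the analysis platform.
            exe = ntpath.basename(rec.get("image", "")).lower()
            if exe == MEDUSA_ENCRYPTOR:
                findings.append((host, "high", f"execution of known Medusa encryptor {exe}"))
        elif event == "defender_config" and rec.get("realtime_protection") == "disabled":
            findings.append((host, "medium", "Windows Defender real-time protection disabled"))
        elif event == "file_rename" and rec.get("dst", "").lower().endswith(MEDUSA_EXTENSION):
            renames[host] += 1
    # Emit one aggregated finding per host that crossed the rename threshold.
    for host, count in renames.items():
        if count >= rename_threshold:
            findings.append((host, "high", f"{count} files renamed to {MEDUSA_EXTENSION} extension"))
    return findings


if __name__ == "__main__":
    for host, severity, description in detect_medusa_indicators(SAMPLE_LOG):
        print(f"[{severity.upper():6}] {host}: {description}")
```

In practice the Defender-disabled finding is the most useful early signal, because it precedes the encryptor and the mass renames; correlating it with a subsequent unknown executable on the same host is what turns a medium-severity event into a response trigger.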

The Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center released an advisory on February 19, 2025, providing information on Ghost ransomware activity.

According to the advisory, “Ghost actors conduct these widespread attacks targeting and compromising organizations with outdated versions of software and firmware on their internet facing services.” They use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) that have not been patched. The CVEs used by Ghost include CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

The advisory urges organizations to:

  1. Maintain regular system backups stored separately from the source systems, which cannot be altered or encrypted by potentially compromised network devices [CPG 2.R].
  2. Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 2.F].
  3. Segment networks to restrict lateral movement between initially infected devices and other devices in the same organization [CPG 2.F].
  4. Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.

The advisory details how Ghost (Cring) is gaining initial access, executing applications, escalating privileges, obtaining credentials, evading defenses, moving laterally, and exfiltrating data. It also provides indicators of compromise and email addresses used by the threat actors.

Patching continues to be a crucial block-and-tackle technique, and timely patching is critical for mitigating exploitation. Blocking known malicious emails is a proven tactic to mitigate initial access. Review the advisory to ensure the applicable patches have been applied and the malicious emails associated with Ghost have been blocked.

Unfortunately, I’ve had unpleasant dealings with the Phobos ransomware group. My interactions with Phobos have been fodder for a good story when I educate client employees on recent cyber-attacks to prevent them from becoming victims. The story highlights how these ransomware groups, including Phobos, are sophisticated criminal organizations with managerial hierarchy. They use common slang in their communications and have to get “authority” to negotiate a ransom. It’s a strange world.

Because of my unpleasant dealings with Phobos, I was particularly pleased to see that the Department of Justice (DOJ) recently announced the arrest and extradition of Russian national Evgenii Ptitsyn on charges that he administered the Phobos ransomware variant.

This week, the DOJ unsealed charges against two more Russian nationals, Roman Berezhnoy and Egor Nikolaevich Glebov, who “operated a cybercrime group using the Phobos ransomware that victimized more than 1,000 public and private entities in the United States and around the world and received over $16 million in ransom payments.” They were arrested “as part of a coordinated international disruption of their organization, which includes additional arrests and the technical disruption of the group’s computer infrastructure.” I’m thrilled about this win. People always ask me whether these cyber criminals get caught. Yes, they do. This is proof of how important the Federal Bureau of Investigation (FBI) is in assisting with international cybercrime, and how effective its partnership with international law enforcement is in catching these pernicious criminals. This is why I firmly believe that we must continue to share information with the FBI to assist with investigations, and why the FBI must be allowed to continue its important work to protect U.S. businesses from cybercrime.

The city of Columbus, Ohio, announced on May 29, 2024, that a ransomware attack forced its systems offline. According to its notice, the attack was perpetrated by “an established, sophisticated threat actor operating overseas,” and the city was working with law enforcement to investigate the incident. The culprit behind the ransomware attack is reported to be Rhysida.

According to Security Week, the ransomware group posted the city’s data on the dark web, including individuals’ names, addresses, dates of birth, bank account information, driver’s license information, Social Security numbers, and other identifying information. Columbus reported to the Maine Attorney General that it is notifying 500,000 individuals that their personal information was affected by the incident, and is offering those who are affected 24 months of credit monitoring and dark web monitoring.

Unit 42 recently reported that it has identified “Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People’s Army, as a key player in a recent ransomware incident.” Its investigation indicates “with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group (Fiddling Scorpius).” Jumpy Pisces has previously engaged in cyberespionage, financial crime, and ransomware attacks and was behind the ransomware known as Maui.

Unit 42 states that this is the “first observed instance” of Jumpy Pisces using an existing ransomware infrastructure that “signals deeper involvement in the broader ransomware threat landscape.”

According to Unit 42, “We expect their attacks will increasingly target a wide range of victims globally. Network defenders should view Jumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance.”

Unit 42 provides the attack methods, timeline of events, threat actor tooling, collaborations with Play ransomware, indicators of compromise, and resources for organizations to use to protect against these threats.

The Office for Civil Rights of the Department of Health and Human Services (OCR) announced on September 26, 2024, that it had entered a settlement with Cascade Eye and Skin Centers (together, Cascade) for $250,000 following an investigation of a ransomware attack against them.

This is the fourth settlement against a victim of a ransomware attack. According to the OCR’s press release, “Ransomware and hacking are the primary cyber-threats in health care. Since 2018, there has been a 264% increase in large breaches reported to OCR involving ransomware attacks.”

The OCR’s investigation found that 291,000 files were affected by the attack. Based on its investigation, OCR alleges that Cascade potentially violated HIPAA by failing to conduct a risk analysis and by failing to have sufficient monitoring of its systems to prevent a cyber-attack.

The settlement is a stark reminder to covered entities and business associates that even if you are a victim of a criminal attack, you are still required to follow HIPAA. Having a robust HIPAA compliance program in place is essential to protecting against threats and possible enforcement actions. Many HIPAA-regulated entities are reviewing their HIPAA compliance programs at this time to address the recent amendment to HIPAA regarding reproductive health information. For instance, Notices of Privacy Practices are required to be updated by December 2024. Now is the time to review and update your HIPAA compliance program.