Tag

Ransomware

All articles tagged with #ransomware

GodDamn Ransomware Uses Microsoft-Signed Kernel Driver to Blind EDR on 10 Hosts
technology1 day ago

GodDamn Ransomware Uses Microsoft-Signed Kernel Driver to Blind EDR on 10 Hosts

Security researchers report Hyadina’s GodDamn ransomware escalated with PoisonX, a purpose-built, Microsoft-signed kernel driver that terminates kernel callbacks to disable endpoint detection and response across at least 10 Windows hosts before encryption begins. The attack involved AnyDesk for initial access, credential harvesting, and PsExec for lateral movement, reflecting a Bring Your Own Vulnerable Driver (BYOVD) approach that leverages signing trust without behavioral review. Mitigations include enabling Hypervisor-Protected Code Integrity (HVCI), enforcing WDAC policies, applying driver block rules, and using behavioral detection (Sysmon Event ID 6, Code Integrity logs) alongside offline backups to recover from such incidents.

JadePuffer: First Ransomware Run Entirely by an AI Agent
cybersecurity5 days ago

JadePuffer: First Ransomware Run Entirely by an AI Agent

Researchers say JadePuffer used an autonomous AI agent to carry out an end-to-end ransomware operation: exploiting Langflow CVE-2025-3248 for initial access, then dumping data, stealing credentials, moving laterally, establishing persistence, escalating privileges, and encrypting 1,342 Nacos service configurations. The agent adapted in real time, even correcting a failed login within 31 seconds, and left a ransom note claiming AES-256 encryption (though researchers believe AES-128-ECB is more likely) with a randomly generated key not transmitted to the attacker. The attack also involved rogue Nacos admin accounts via CVE-2021-29441 and cron-based beaconing. This case marks the emergence of agentic threat actors and highlights both new risks and detection opportunities for security tooling.

Apple supply chain leak exposes iPhone 18 Pro components in Tata hack
technology11 days ago

Apple supply chain leak exposes iPhone 18 Pro components in Tata hack

Hackers from World Leaks dumped over 630 GB of Tata Electronics data, revealing detailed iPhone 18 Pro components and supplier information, highlighting how Apple’s global supply chain operates and where it may be vulnerable. Apple is investigating; Tata says it has restricted access and is conducting a forensic review. Analysts say the breach underscores the risk that supply-chain weaknesses pose to corporate secrecy and manufacturing, especially as Apple expands production in India; there is no indication yet that consumer data was stolen.

DragonForce Hides C2 Traffic in Microsoft Teams Relays with Backdoor.Turn
technology23 days ago

DragonForce Hides C2 Traffic in Microsoft Teams Relays with Backdoor.Turn

DragonForce-linked Backdoor.Turn uses Microsoft Teams’ TURN relay to hide its command-and-control traffic, obtaining an anonymous Teams token and establishing a QUIC connection to the attacker’s C2 server. The intrusion into a major U.S. services firm began with a BYOVD/DLL side-loading chain and included injection into DbgView64.exe for persistence, with initial access likely via an SQL/MS-SQL flaw or an initial access broker. The actors remained on the network for 1–2 months, illustrating a shift toward sophisticated, cartel-like ransomware operations.

ShadowBytes Threatens to Leak Nintendo Employee Data Over $2 Million Ransom
technology24 days ago

ShadowBytes Threatens to Leak Nintendo Employee Data Over $2 Million Ransom

A ransomware group calling itself ShadowBytes claims to have breached Nintendo, stealing about 859 MB of private employee data—including names, emails, bank statements, and private messages—and is demanding $2 million. Nintendo says only internal TinyPulse survey data was involved, no customer or financial data was accessed, and it is working with the provider to address the issue; a second threat reportedly targeted TinyPulse after Nintendo declined to pay.

Nintendo says employee data breach limited to HR survey data, not customer info
technology24 days ago

Nintendo says employee data breach limited to HR survey data, not customer info

A hacking group calling itself ShadowByt3$ claimed to have accessed about 859MB of Nintendo employee data via the TinyPulse HR platform and demanded a $2 million ransom. Nintendo of America responded that no systems were compromised and that the data involved is limited to internal survey content for a small number of employees, with most information dating back several years and no customer or financial data affected. The update emphasizes risks from third‑party HR tools and that the breach, if true, may be more about privacy of internal feedback than gaming data, with NOA working with TinyPulse to address the issue.

Ransomware hides C2 traffic in Teams relays to evade detection
technology25 days ago

Ransomware hides C2 traffic in Teams relays to evade detection

Symantec reports DragonForce’s Go-based Backdoor.Turn ransomware is the first in-the-wild malware to abuse Microsoft Teams TURN relays to conceal its command-and-control traffic. After initial access via an SQL server vulnerability, the group used BYOVD drivers for kernel privileges, established persistence, exfiltrated data, and then deployed DragonForce ransomware, leveraging sophisticated tradecraft and publishing IoCs for defenders.

Chrome 0-Day in the Wild Dominates a Week of Exploits, Phishing, and Malware
cybersecurity26 days ago

Chrome 0-Day in the Wild Dominates a Week of Exploits, Phishing, and Malware

Chrome’s active exploitation of CVE-2026-11645 headlines a week of widespread security news, from UniFi OS flaws and an Oracle PeopleSoft compromise to a large Arch Linux AUR package taint, npm/PyPI malware campaigns, and phishing kits. The roundup also covers the Outsider phishing-as-a-service takedown, VPN/auth-bypass flaws, cloud-logging abuse, and ransomware campaigns (Gentlemen, Akira), illustrating attackers’ reliance on old code, weak defaults, and misconfigurations. Patch quickly, watch for unusual login activity, and strengthen defense-in-depth.

European Police Dismantles First VPN, Unmasks Thousands of Criminals
technology1 month ago

European Police Dismantles First VPN, Unmasks Thousands of Criminals

European authorities led by France and the Netherlands, with Europol and Eurojust, dismantled the First VPN service used by cybercriminals for ransomware and data theft. Investigators infiltrated the service, seized 33 servers, and arrested its administrator, identifying about 506 users and producing 83 intelligence packages that supported 21 Europol-facilitated investigations. The operation underscored how VPNs marketed as ‘no-logs’ can mislead users who believe they are safe, even as criminal activity relies on such infrastructure.

Global raid shuts down ransomware-linked VPN First VPN and seizes its infrastructure
cybersecurity1 month ago

Global raid shuts down ransomware-linked VPN First VPN and seizes its infrastructure

An international operation led by France and the Netherlands, with Europol/Eurojust support, dismantled the ‘First VPN’ service used by ransomware and data-theft actors. Authorities seized 33 servers across 27 countries, shut down key domains, disrupted infrastructure, and arrested the administrator in Ukraine. Investigators infiltrated the VPN to recover data, with Europol reporting 506 identified users and 83 intelligence packages shared to aid ongoing investigations into ransomware and related crimes. While VPNs have legitimate uses, criminals leveraged this service to hide activity; all identified users have been notified and further legal action may follow.

Canvas LMS breaches halted after hackers’ deal, data reportedly returned
technology2 months ago

Canvas LMS breaches halted after hackers’ deal, data reportedly returned

Instructure says it reached an agreement with the ShinyHunters hackers after a breach of the Canvas LMS; the stolen data has reportedly been returned and the company asserts that no customers will be extorted as a result of the incident, though it’s unclear if a ransom was paid. Instructure also says data destruction was verified, most systems are back online, and it will share more details in a forthcoming webinar.

Canvas breach ends as hackers delete stolen data after deal
technology2 months ago

Canvas breach ends as hackers delete stolen data after deal

Instructure, the company behind the Canvas learning platform, says it reached a deal with the hackers (ShinyHunters) responsible for a major breach, secured the stolen data back, and obtained digital proof that remaining copies were destroyed via shred logs. The incident compromised student IDs, email addresses, names and messages for thousands of schools and hundreds of millions of people, though no passwords or financial data were found. Canvas was taken offline during the investigation, and the company is conducting forensic work and hardening its systems while students faced finals-related disruptions.

Instructure Pays Ransom, Restores Canvas Access After Hackers
technology2 months ago

Instructure Pays Ransom, Restores Canvas Access After Hackers

Instructure paid a ransom to the ShinyHunters gang after Canvas was breached twice, returning data for about 275 million users across 8,800 institutions and promising no extortion of customers. The monetary amount wasn’t disclosed, the deal arrived before a May 12 deadline, and Canvas environments are back online as investigators continue forensic work and security hardening.

ShinyHunters hijack Penn Canvas, threaten data dump over ransom
technology2 months ago

ShinyHunters hijack Penn Canvas, threaten data dump over ransom

ShinyHunters took Penn’s Canvas offline, claiming a vulnerability in Instructure and demanding a settlement to prevent a data leak, with a May 12, 2026 deadline; the group says it has access to hundreds of millions of user records, including Penn emails, names, Penn IDs, and course enrollments, and Penn is investigating with Instructure and law enforcement while other institutions are affected.

MuddyWater Uses Teams for Credential Theft in False-Flag Ransomware Operation
technology2 months ago

MuddyWater Uses Teams for Credential Theft in False-Flag Ransomware Operation

Rapid7 links MuddyWater to a 2026 operation that used interactive Teams screen-sharing to harvest credentials and bypass MFA, exfiltrate data, and maintain persistence with tools like DWAgent and AnyDesk, while avoiding file encryption to masquerade as a ransomware attack. Described as a false-flag, state-backed campaign, it leverages a Chaos RaaS framework and off-the-shelf tools to blur attribution, highlighting evolving attacker tradecraft that blends cybercrime with strategic aims.