BYOVD Reloaded: Abusing a New Driver to Kill EDR
The article discusses a sophisticated ransomware attack involving Qilin ransomware, which uses the bring-your-own-vulnerable-driver (BYOVD) technique to bypass traditional Endpoint Detection and Response (EDR) measures. The analysis uncovers the exploitation of a lesser-known driver, TPwSav.sys, in the context of a ransomware-as-a-service model. It emphasizes the vulnerabilities exploited, the attack chain, and the response actions taken by Blackpoint’s Security Operations Center (SOC).…
Read More
A Rebirth of a Cursed Existence? Examining ‘Babuk Locker 2.0’ Ransomware
Ransomware attacks, specifically the so-called Babuk Locker 2.0, have resurfaced in 2025, attributed to groups named Skywave and Bjorka. Investigations reveal that Babuk Locker 2.0 is essentially a rebranding of LockBit 3.0, utilizing similar techniques and targeting high-profile organizations across various sectors. Affected: organizations, government agencies, cybercriminal sectors

Keypoints:

Ransomware threat persists, causing significant organizational disruption.…
Read More
DragonForce Claims to Be Taking Over RansomHub Ransomware Infrastructure
Summary: The DragonForce ransomware group has announced a potential takeover of the infrastructure of RansomHub, a leading ransomware group. Cyble reports that while the specifics are unclear, DragonForce claims to be integrating RansomHub into its operations amid speculation following RansomHub’s site going offline. This shift follows DragonForce’s recent expansion of its ransomware services and infrastructure upgrades.…
Read More

Victim: 🚀, Launch Your Own Ransomware(RAAS) Business with Our Exclusive Ransomware Panel Source Cod… Country : Actor: babuk2 Source: http:/bxwu33iefqfc3rxigynn3ghvq4gdw3gxgxna5m4aa3o4vscdeeqhiqad.onion/blog/e38184cbe95213765772ae7675f2d9b1ef5ceedf9117e7c91a0f980136d7a3ab/ Discovered: 2025-03-28 23:52:06.313928 Published: 2025-03-28 23:50:52.557037 Description : Introducing an exclusive opportunity to launch your own Ransomware as a Service (RaaS) business with our state-of-the-art ransomware panel source code, brought to you by the notorious actor Babuk2.…
Read More
BlackLock Ransomware Operation Disrupted by Cybersecurity Firm
Summary: Resecurity has uncovered a Local File Inclusion (LFI) vulnerability in the Data Leak Site (DLS) used by BlackLock Ransomware, enabling the exposure of sensitive operational data and IP addresses. This finding assists in the investigation and disruption of the ransomware activity, which has grown rapidly and become increasingly aggressive, with a significant rise in data leak incidents.…
Read More
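The summary above names the bug class (LFI) but not how it arises. The following is an added illustration, not code from the BlackLock DLS or from Resecurity’s report: a classic vulnerable path resolver beside a hardened one. The document root `BASE`, the function names and the request paths are constructed for the example.

```python
"""Added example: the path-handling bug behind a Local File Inclusion (LFI),
shown beside a hardened resolver. Not the BlackLock DLS code; BASE and the
request paths below are constructed."""
import os
from urllib.parse import unquote

BASE = "/srv/dls/public"  # constructed document root


def resolve_vulnerable(base: str, requested: str) -> str:
    """Classic LFI: joins the request path onto the root and trusts the result.
    os.path.join drops `base` entirely when `requested` is absolute, and
    '..' segments walk out of the root."""
    return os.path.join(base, requested)


def resolve_safe(base: str, requested: str) -> str:
    """Decode once (as the web server would), reject NUL bytes and absolute
    paths, canonicalise, and require the result to stay under the root."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    if decoded.startswith(("/", "\\")):
        raise ValueError("absolute path rejected")
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, decoded))
    # commonpath avoids the prefix trap: /srv/dls/public_old would pass a
    # plain startswith() check against /srv/dls/public.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes document root: {requested!r}")
    return target


def is_allowed(base: str, requested: str) -> bool:
    """True only when resolve_safe accepts the request path."""
    try:
        resolve_safe(base, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request paths a normal client or an attacker might send.
    for req in ["leaks/acme/index.html", "../../etc/passwd", "/etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "..%2f..%2fetc%2fpasswd",
                "../public_old/x.html", "a%00.html"]:
        print(f"{req:28} vulnerable -> {resolve_vulnerable(BASE, req):32} "
              f"safe -> {is_allowed(BASE, req)}")
```

The hardened resolver decodes exactly once, so a double-encoded `%252e%252e/` becomes a literal directory named `%2e%2e` and stays inside the root; decode as many times as the front-end server does, no more. `realpath` also follows symlinks that exist on disk, so a symlink planted under the root is caught as well.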
Hackers Repurpose RansomHub’s EDRKillShifter in Medusa, BianLian, and Play Attacks
Summary: A recent analysis reveals a connection between RansomHub affiliates and several other ransomware groups through a custom tool called EDRKillShifter, which disables endpoint detection and response software. This tool utilizes a method known as Bring Your Own Vulnerable Driver (BYOVD) to ensure ransomware execution is not flagged by security measures.…
Read More
Shifting the sands of RansomHub’s EDRKillShifter
ESET researchers examine the ransomware landscape in 2024, highlighting the emergence of RansomHub, a prominent ransomware-as-a-service (RaaS) group linked to established gangs like Play, Medusa, and BianLian. The article discusses the rise of EDR killers, particularly EDRKillShifter, developed by RansomHub, and reflects on the shifting dynamics of ransomware payments and victim statistics.…
Read More
The Curious Case of PlayBoy Locker
Cybereason’s Threat Analysis report discusses the emerging PlayBoy Locker Ransomware-as-a-Service (RaaS), detailing how it enables less-skilled cybercriminals to conduct ransomware attacks through a comprehensive toolkit. The platform provides affiliates with customized ransomware capabilities, regular updates, and customer support, thus representing a growing threat. Affected: Ransomware, Cybersecurity, Dark Web, Affiliates

Keypoints:

PlayBoy Locker RaaS is designed for less-skilled attackers with a complete toolkit for launching ransomware attacks.…
Read More
RaaS Evolved: LockBit 3.0 vs LockBit 4.0
LockBit is a prominent ransomware strain operating since 2019, known for its aggressive tactics and Ransomware-as-a-Service model. The evolution of LockBit has seen the transition from version 3.0 to 4.0, introducing enhanced evasion techniques and impacting various organizations worldwide. Affected: organizations, cybersecurity sector

Keypoints:

LockBit ransomware has been operational since 2019, targeting diverse industries.…
Read More
Unveiled the Threat Actors
This article explores various threat actors known for their significant cyber attacks, detailing their origins, techniques, and famous hacks. It categorizes these actors by their affiliations, such as state-sponsored and financially motivated groups, providing insight into their behaviors and methodologies. Affected: Government networks, financial institutions, healthcare, energy sector, retail, hospitality, media, technology, and more.…
Read More
Babuk2 Ransomware Attempts Extortion Based on False Claims
Summary: Investigations reveal that the Babuk2 ransomware group is making false extortion claims, reusing data from previous breaches without evidence of new attacks. Despite the group’s assertions of conducting multiple attacks, independent analyses show no confirmed incidents of ransomware encryption or intrusion. Businesses must exercise due diligence in verifying any extortion claim to mitigate financial and reputational risks.…
Read More
New VanHelsing ransomware targets Windows, ARM, ESXi systems
Summary: A new multi-platform ransomware-as-a-service operation called VanHelsing has emerged, targeting various operating systems, including Windows and Linux. It allows affiliates to keep 80% of ransom payments and employs sophisticated encryption methods and stealth tactics in its operations. The ransomware has already been used in attacks against at least three victims, with ransoms set at 0,000.…
Read More
VanHelsing RaaS Launch: 3 Victims, K Entry Fee, Multi-OS, and Double Extortion Tactics
Summary: The VanHelsing ransomware-as-a-service (RaaS) operation emerged on March 7, 2025, quickly claiming multiple victims through a user-friendly platform that supports a variety of operating systems. The scheme employs double extortion tactics and allows affiliates to profit significantly while only prohibiting attacks on the Commonwealth of Independent States (CIS).…
Read More
⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More
Summary: Recent cyber threats highlight vulnerabilities in open-source tools, escalating ad fraud through mobile apps, and advanced ransomware tactics targeting critical defenses. Notably, attacks have leveraged AI, and a supply chain breach at Coinbase exemplifies these risks. A rise in stolen credentials further underscores the urgent need for improved cybersecurity measures.…
Read More
VanHelsing, new RaaS in Town
VanHelsingRaaS is an emerging ransomware-as-a-service (RaaS) launched in March 2025, allowing affiliates to initiate ransomware attacks with a low deposit. It targets multiple platforms and has already infected several victims demanding significant ransom payments. The program’s rapid growth and sophisticated capabilities highlight the evolving ransomware threat.…
Read More
Dragon RaaS: Pro-Russian Hacktivist Group Walks the Razor’s Edge Between Cybercrime and Propaganda
Summary: A new Ransomware-as-a-Service player, Dragon RaaS, combines political hacktivism with opportunistic cybercrime, targeting organizations with weak security. It emerged as a splinter group from the Stormous ransomware gang and is affiliated with various cybercrime syndicates. Dragon RaaS’s operations focus on defacement attacks and ransomware extortion, utilizing a rebranded version of existing ransomware techniques.…
Read More
New Ransomware Operator Exploits Fortinet Vulnerability Duo
Forescout Research has identified a new ransomware strain, dubbed SuperBlack, linked to the threat actor “Mora_001”, exploiting vulnerabilities in Fortinet devices. This threat actor is connected to the LockBit ransomware ecosystem and demonstrates sophisticated tactics including rapid ransomware deployment, user account creation across victim networks, and the use of modified LockBit tools.…
Read More
Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
Summary: The Medusa ransomware operation employs a malicious driver, ABYSSWORKER, in a BYOVD attack to disable anti-malware tools. The driver is signed with stolen certificates so that it passes as a legitimate system driver, allowing it to load despite security checks and giving the attacker kernel-level control over the host. Separately, a new backdoor called Betruger has been associated with RansomHub, extending that group’s capabilities beyond the traditional encrypting payload.…
Read More
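Several entries on this page (the Qilin/TPwSav.sys case, EDRKillShifter, and Medusa’s ABYSSWORKER above) describe BYOVD EDR killers without showing what a defender would actually look for. The following is an added detection example, not code from any of the articles or vendors cited: it triages Sysmon Event ID 6 (DriverLoad) records against a vulnerable-driver blocklist plus two weaker heuristics. The field names are Sysmon’s; the events, the hash values and the blocklist contents are constructed placeholders, and a real deployment would populate the blocklist from a maintained source such as Microsoft’s vulnerable driver blocklist or the LOLDrivers project.

```python
"""Added example: triage Sysmon Event ID 6 (DriverLoad) records for BYOVD
indicators. Not code from any article summarised on this page. The events
and blocklist entries below are constructed placeholders."""
from __future__ import annotations

# Constructed blocklist: SHA256 -> label. The hash values are placeholders,
# not the real hashes of the drivers named in the articles above.
BLOCKED_SHA256: dict[str, str] = {
    "0" * 64: "placeholder hash for TPwSav.sys",
}
# Name matching is only a weak secondary signal: the file can be renamed.
SUSPECT_NAMES = {"tpwsav.sys"}
# Drivers staged from user-writable locations are a common BYOVD tell.
STAGING_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_hashes(field: str) -> dict[str, str]:
    """Parse Sysmon's 'SHA1=...,MD5=...,SHA256=...' field into a dict."""
    out: dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def evaluate(event: dict) -> list[str]:
    """Return the reasons a DriverLoad event looks like BYOVD (empty if clean)."""
    reasons: list[str] = []
    path = event.get("ImageLoaded", "")
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")

    # Strong signal: the exact vulnerable binary, however it is named.
    if sha256 and sha256 in BLOCKED_SHA256:
        reasons.append(f"blocklisted hash: {BLOCKED_SHA256[sha256]}")
    if name in SUSPECT_NAMES:
        reasons.append(f"known-abused driver name: {name}")
    if low.startswith(STAGING_PREFIXES):
        reasons.append(f"driver loaded from user-writable path: {path}")
    # A driver that claims to be signed but whose status is not Valid
    # (e.g. Revoked or Expired) fits the stolen-certificate pattern.
    if (event.get("Signed", "").lower() == "true"
            and event.get("SignatureStatus", "").lower() != "valid"):
        reasons.append(f"signed driver with status {event.get('SignatureStatus')!r}")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Evaluate a batch; return (ImageLoaded, reasons) for every flagged event."""
    hits: list[tuple[str, list[str]]] = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits.append((ev.get("ImageLoaded", ""), reasons))
    return hits


# Constructed sample events using Sysmon Event ID 6 field names.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # The BYOVD case: a validly signed vendor driver dropped in a user path.
    {"ImageLoaded": "C:\\Users\\Public\\TPwSav.sys",
     "Hashes": "SHA256=" + "0" * 64, "Signed": "true",
     "Signature": "Placeholder OEM", "SignatureStatus": "Valid"},
    # The stolen/revoked certificate case.
    {"ImageLoaded": "C:\\Windows\\Temp\\svc.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true",
     "Signature": "Placeholder Vendor", "SignatureStatus": "Revoked"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

Note that the second sample event has a perfectly valid signature: that is the point of BYOVD, so the hash match is the signal that matters, and the name and path checks only add context. Detection is the fallback; the preventive control is Windows’ vulnerable driver blocklist enforced under HVCI or WDAC, which refuses the load in the first place.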