Summary: The notorious Scattered Spider cybercrime group has become an affiliate of the RansomHub ransomware-as-a-service (RaaS) operator, leading to the emergence of a new RaaS model in the cybercrime landscape.

Threat Actor: Scattered Spider | Victim: Change Healthcare

Key Point:

The Scattered Spider cybercrime group, formerly an ALPHV/BlackCat affiliate, is now conducting ransomware operations with RansomHub, according to analysis by GuidePoint Security.…

This blog investigates Medusa ransomware, a Ransomware-as-a-Service (RaaS) variant that is known to use living off the land techniques to infect target networks and move towards its ultimate goals, data encryption and exfiltration.

What is a Living off the Land attack?

In the face of increasingly vigilant security teams and adept defense tools, attackers are continually looking for new ways to circumvent network security and gain access to their target environments.…


Qilin, also known as Agenda ransomware, represents a formidable threat in cybercrime. This ransomware, one of the known Ransomware-as-a-Service (RaaS) groups, is designed with adaptability in mind, allowing it to customize attacks based on its victims’ specific environments. Originating from a sophisticated background, Qilin leverages advanced tactics to extort organizations.…


Summary: This content discusses the RansomHub ransomware-as-a-service, which is believed to have evolved from the now-defunct Knight ransomware project. RansomHub operates as a data theft and extortion group that sells stolen files to the highest bidder.

Threat Actor: RansomHub | Victim: United Health subsidiary Change Healthcare

Key Point:

RansomHub is a relatively new ransomware-as-a-service that has evolved from the now-defunct Knight ransomware project.…

Summary: A threat actor known as “phant0m” is promoting a new Ransomware-as-a-Service (RaaS) called “SpiderX,” which is designed to be more advanced and harder to detect than its predecessor, Diablo ransomware.

Threat Actor: phant0m | Victim: N/A

Key Point:

A threat actor named phant0m is advertising a new Ransomware-as-a-Service (RaaS) called SpiderX on the dark web forum OnniForums.…

Summary: This article discusses a recent ransomware attack by the Ransomhub group on the Industrial Control Systems (ICS) of a Spanish bioenergy plant, highlighting the dangers of cyberattacks on ICS.

Threat Actor: Ransomhub | Victim: Spanish bioenergy plant

Key Point:

The recent ransomware attack by the Ransomhub group targeted the Supervisory Control and Data Acquisition (SCADA) system of a Spanish bioenergy plant, highlighting the vulnerability of Industrial Control Systems (ICS) to cyberattacks.…

As organizations prepare for the challenges and opportunities of 2024, the critical importance of cybersecurity preparedness is increasingly apparent. In an era characterized by rapid digital transformation and continuous innovation, cyber threats are becoming more sophisticated and frequent, presenting substantial risks to businesses across all sectors.…


Published On: 2024-05-24

EXECUTIVE SUMMARY

At CYFIRMA, our commitment is to provide timely insights into prevalent threats and malicious tactics affecting both organizations and individuals. Synapse ransomware has emerged as a new threat in the cyber landscape, appearing in the wild since February 2024. This ransomware is distributed under the Ransomware-as-a-Service (RaaS) model to affiliates via dark web or onion web pages, with its payload, SynapseCrypter.exe.…


On February 22, 2025, the Critical Infrastructure and Security Agency (CISA) issued a #StopRansomware: ALPHV Blackcat ransomware alert. This alert builds upon earlier Federal Bureau of Investigation (FBI) work and contributions from other agencies and OSINT sources in 2022, 2023, and early 2024. This alert released new Indicators of Compromise (IoC), including several command and control (C&C) server domains essential to the Kill Chain currently used by the Blackcat threat actors.…


On May 10, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.…


Dispossessor has recently emerged in the ransomware landscape, and it is especially notable for its similarities to the notorious LockBit group. Following an extensive crackdown by global law enforcement agencies, which led to the seizure of LockBit’s primary domains, Dispossessor quickly surfaced, mimicking the structure and content of LockBit.

Dispossessor’s logo

Who is Dispossessor Ransomware?

The name “Dispossessor” could be linked to Ursula K.…


NOTE: I started this story before Operation Cronos. Hence you can see tiny details unfolding before the FBI/Europol compromise and afterwards. This article mainly focuses on the mighty comeback of LockBit Group and their approach after Operation Cronos and does NOT attribute the identity of LockBitSupp.…


Summary: A cybercriminal named “salfetka” is claiming to sell the source code of INC Ransom, a ransomware-as-a-service operation that has targeted various organizations including Xerox Business Solutions, Yamaha Motor Philippines, and the National Health Service in Scotland.

Threat Actor: salfetka | Victim: INC Ransom

Key Point:

A cybercriminal named “salfetka” is selling the source code of INC Ransom, a ransomware-as-a-service operation.…

This report was originally published for our customers on 2 May 2024.

As part of our critical vulnerabilities monitoring routine, Sekoia’s Threat & Detection Research (TDR) team deploys and supervises honeypots in different locations around the world to identify potential exploitations.

Introduction

Recently, our team observed an incident involving our MS-SQL (Microsoft SQL) honeypot.…

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…


Summary: Law enforcement has seized the Tor website of the Lockbit ransomware group and plans to reveal the identities of its members, but the group claims that they are still active and will continue their operations.

Threat Actor: Lockbit ransomware group | Victim: N/A

Key Point:

Law enforcement has seized the Tor website of the Lockbit ransomware group and plans to reveal the identities of its members on May 7, 2024.…