ransomware

LockBit Ransomware Gang Hacked, Victim Negotiations Exposed

The LockBit ransomware gang was hacked and its admin panels defaced, exposing a database containing over 59,000 bitcoin addresses and 4,442 victim negotiation messages. Plaintext passwords for 75 affiliates were also exposed. The breach occurred on April 29, 2025; the perpetrators are unknown. This incident follows previous law enforcement disruptions and further damages LockBit's reputation.

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/

DragonForce Expands Ransomware Model With White-label Branding Scheme

DragonForce expands ransomware model by forming a cartel structure, allowing affiliates to use its malware and branding without managing infrastructure. Affiliates pay a 20% fee on ransoms and must adhere to specific rules. The group, claiming to avoid targeting certain healthcare entities, aims to attract less technical actors and increase profits through flexibility in deploying ransomware under various brands.

https://www.bleepingcomputer.com/news/security/dragonforce-expands-ransomware-model-with-white-label-branding-scheme/

Ransomware Now Plays a Role in Nearly Half of All Breaches, New Research Finds

Ransomware involved in 44% of data breaches in 2024, per Verizon's report, showing a rise from one-third in 2023. Victims refusing to pay ransoms grew to 64%, and median ransom decreased to $115,000. Small businesses are hit hardest, facing ransomware in 88% of breaches. Overall, ransomware attacks are increasing across sectors, including finance and government.

https://therecord.media/ransomware-in-half-of-all-data-breaches-verizon

Ransomware Groups Test New Business Models to Hit More Victims, Increase Profits

Ransomware groups like DragonForce and Anubis are adopting new business models to attract affiliates and boost profits. DragonForce has rebranded as a “cartel,” allowing affiliates to create their own brands while using shared infrastructure, increasing potential risks. Anubis offers varied monetization schemes for affiliates and employs aggressive tactics to pressure victims into paying, including threats to publish data. The evolution of these models follows disruptions in the ransomware landscape, highlighting ongoing experimentation that could reshape the ecosystem. Despite a decrease in extortion payments, experts warn that the threat remains high with evolving vulnerabilities.

https://therecord.media/ransomware-groups-test-new-business-models-dragonforce-anubis

“The Girl Should Be Calling Men.” Leak Exposes Black Basta’s Influence Tactics.

Leak reveals Black Basta ransomware group's tactics, including social engineering strategies where women call men and men call women to exploit trust biases. The messages expose organization dynamics, workflows, and methods for exploiting vulnerabilities, showcasing a structured and efficient operation. The leak offers cybersecurity insights to defend against such tactics.

https://arstechnica.com/security/2025/04/leaked-messages-expose-trade-secrets-of-prolific-black-basta-ransomware-group/

US, Australia, Canada Warn of ‘Fast Flux’ Scheme Used by Ransomware Gangs

The US, Australia and Canada warn that ransomware gangs use ‘fast flux’ to obscure cyberattack infrastructure. The technique rapidly changes DNS records, making detection harder and complicating law enforcement efforts. Two variants exist: single flux (multiple IPs for one domain) and double flux (the authoritative DNS servers change as well). Used for over a decade, its resurgence among nation-state actors raises alarms. Ransomware groups like Hive use it for resilience and anonymity, thwarting takedowns and infrastructure assessments.

https://therecord.media/us-australia-canada-warn-of-fast-flux-ransomware-rusia

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

Black Basta and Cactus ransomware groups are now using BackConnect malware to maintain control of compromised systems and exfiltrate sensitive data. Attackers utilize social engineering, particularly via Microsoft Teams and remote access tools, to gain initial access. They abuse legitimate software like OneDrive to sideload malicious DLLs, allowing for persistent control. The BackConnect malware shows links to QakBot and has been associated with numerous breaches, mainly in North America. Organizations should restrict remote access tools, train employees on social engineering, and implement security best practices to mitigate risks associated with such attacks.

https://www.trendmicro.com/de_de/research/25/b/black-basta-cactus-ransomware-backconnect.html

Exposing CVEs From Black Basta’s Chats

Black Basta chat logs revealed 62 unique CVEs, with 85.5% exploited and 70.9% listed in the CISA KEV catalog. They exploit known vulnerabilities in widely used enterprise technologies. Their discussions show a preference for targeting high-revenue firms in sensitive sectors and quickly discuss new CVEs post-advisory. They employ known exploits and consider developing new ones, reinforcing the need for rapid vulnerability remediation. Notably, a rejected CVE was mentioned that had evidence of exploitation.

https://vulncheck.com/blog/black-basta-chats

FBI Says Backup Now—Advisory Warns Of Dangerous Ransomware Attacks

FBI warns of dangerous ransomware attacks by the Ghost group, exploiting unpatched vulnerabilities in software across 70+ countries. Organizations are urged to backup systems, apply patches, segment networks, and enforce MFA for privileged accounts. Ghost uses public code to infiltrate networks, undermining security via outdated vulnerabilities. The FBI emphasizes proactive risk management and discourages ransom payments, stressing the urgency for security improvements.

https://www.forbes.com/sites/daveywinder/2025/02/22/new-fbi-warning-backup-today-as-dangerous-attacks-ongoing/

The Current State of Ransomware: Weaponizing Disclosure Rules and More

Ransomware threats are evolving, leveraging AI for sophisticated phishing and social engineering attacks, adopting “living-off-the-land” techniques to avoid detection, and exploiting legal disclosure regulations to pressure victims. Cybercriminals also use ransomware as a geopolitical weapon, targeting critical sectors like healthcare and public administration. Attack rates and recovery costs are rising significantly, with overall cybersecurity defenses needing to adapt to these complex challenges. Proactive measures, such as vulnerability management and incident response, are essential to counter these threats.

https://securityintelligence.com/articles/the-current-state-of-ransomware-weaponizing-disclosure-rules/

5 Key Cyber Security Trends for 2025

TLDR: In 2025, key cyber security trends include: 1) AI's role in cyber warfare and disinformation, 2) ransomware evolving into data exfiltration, 3) increased threats from infostealers targeting sensitive data, 4) vulnerabilities in edge devices as entry points for attacks, and 5) cloud security challenges due to misconfigurations. Organizations must adopt proactive risk management and unified security strategies to combat advanced threats.

https://blog.checkpoint.com/research/5-key-cyber-security-trends-for-2025/

Tracking Ransomware: December 2024

Ransomware activity in December 2024 fell by 12.38% from November, with notable groups like Cl0p and Funksec emerging. The manufacturing sector faced the most attacks, while the U.S. was the top target. New tactics, including exploiting vulnerabilities and advanced social engineering, underline the evolving threat landscape. Organizations are urged to enhance cybersecurity measures, employee training, incident response planning, and patch management to combat these risks effectively. Ransomware attacks continue to significantly impact businesses, necessitating proactive defense strategies.

https://www.cyfirma.com/research/tracking-ransomware-december-2024/

Ransomware on ESXi: The Mechanization of Virtualized Attacks

Ransomware targeting VMware ESXi servers surged in 2024, with average demands hitting $5 million, exploiting around 8,000 internet-exposed hosts. Attackers use Babuk variants, circumventing security through accessible entry points. They target critical file types, employing hybrid encryption to complicate recovery. Key strategies for risk mitigation include updating vCenter, implementing MFA, deploying detection tools, and network segmentation. Regular security assessments are vital to safeguard against ransomware threats that can jeopardize organizations reliant on ESXi servers.

https://thehackernews.com/2025/01/ransomware-on-esxi-mechanization-of.html

Ransomware Abuses Amazon AWS Feature to Encrypt S3 Buckets

Ransomware called “Codefinger” is exploiting AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt Amazon S3 buckets, demanding ransoms for decryption keys. Victims lose access to data since AWS doesn't store encryption keys. Attackers use compromised credentials to encrypt data and threaten deletion if victims alter files. Amazon advises customers to implement strict security measures, including disabling unnecessary SSE-C, rotating keys, and minimizing account permissions.

https://www.bleepingcomputer.com/news/security/ransomware-abuses-amazon-aws-feature-to-encrypt-s3-buckets/

The Drop in Ransomware Attacks in 2024 and What It Means

Ransomware attacks decreased by 22% in Q1 2024 after a 55.5% surge in 2023. Key factors for this drop include enhanced law enforcement actions against major groups like LockBit and ALPHV, leading to significant arrests and infrastructure takedowns. Additionally, a historic low in ransom payments and emerging new groups suggest changes in the landscape of cybercrime, with new entrants struggling to fill the void left by established ransomware operations.
