ransomware

Europe Evolves Into Ransomware’s Favorite Region

Ransomware attacks in Europe surged by 55% in early 2026 compared to the previous year, with 684 incidents recorded by Black Kite across the continent, particularly targeting major economies like the UK, Germany, France, Italy, and Spain. Attackers are focusing on manufacturing and digital services sectors to exploit supply chain vulnerabilities, and growing reliance on third- and multi-tier vendors increases organizational risk, highlighting the need for enhanced visibility and risk management across entire vendor ecosystems.

https://www.darkreading.com/cybersecurity-analytics/europe-evolves-ransomware-favorite-region

GTA 6 Developer Rockstar Reportedly Hacked, Data Being Ransomed

Hacker group ShinyHunters claims to have breached Rockstar Games' secured cloud servers via a security flaw in a third-party service, Anodot, demanding a ransom by April 14 or threatening to leak corporate data. Rockstar confirmed a data breach occurred but stated that only a limited amount of non-material company information was accessed, with no impact on their organization or players.

https://kotaku.com/rockstar-games-reportedly-hacked-massive-data-leak-ransom-gta-6-shinyhunters-2000686858

Mass Mobilization on the Dark Web: 300K Users Get Access to Ransomware Tools After LiteLLM Hack

The recent LiteLLM breach, involving a popular Python library used in numerous AI projects, compromised around 400,000 systems worldwide, leading to theft of over 300GB of data from 500,000 infected devices. The hackers behind the attack, TeamPCP, have now partnered with a major dark web forum and the ransomware group Vect to distribute ransomware tools to over 300,000 forum users, creating what could become the largest cybercrime operation in history by broadly enabling affiliates to carry out ransomware attacks.

https://cybernews.com/security/litellm-hack-spawning-massive-cybercrime-alliance/

Linux Ransomware Pay2Key Attacking Servers, Virtualization Platforms, and Cloud Environments

The Pay2Key ransomware group, linked to Iranian threat actors, has developed a Linux-targeted ransomware variant that actively attacks organizational servers, virtualization hosts, and cloud environments. This Linux-specific malware requires root privileges, disables key Linux security frameworks, and uses the ChaCha20 encryption algorithm to cause significant disruption to critical infrastructure, signaling a major shift in ransomware targeting strategy.

https://cybersecuritynews.com/linux-ransomware-pay2key-attacking-organizations-ervers/

LeakNet Ransomware Uses ClickFix Via Hacked Sites, Deploys Deno In-Memory Loader

LeakNet ransomware uses the ClickFix social engineering tactic to trick users into running malicious commands via compromised websites as an initial access method. This approach allows LeakNet to bypass traditional methods and reduce costs. The ransomware also employs a Deno-based loader to execute payloads in memory, minimizing detection.

https://thehackernews.com/2026/03/leaknet-ransomware-uses-clickfix-via.html

Naming and Shaming: How Ransomware Groups Tighten the Screws on Victims

Ransomware tactics have evolved from simple file encryption to combining data theft with threats of public exposure via dedicated leak sites (DLSs). These sites, emerging in 2019, amplify pressure on victims by publicly showcasing stolen data and demanding payment. This approach increases risks including reputational damage, regulatory fines, and follow-on cybercrimes. Victims face urgency and fear as they navigate decisions under pressure, often leading to repeated attacks even after ransom payment. Effective defenses require advanced security measures, access controls, regular software updates, resilient backups, and employee training to mitigate risks associated with ransomware threats.

https://www.welivesecurity.com/en/ransomware/naming-shaming-ransomware-groups-tighten-screws-victims/

As Ransomware Recedes, a New More Dangerous Digital Parasite Rises

Ransomware declines as “sleeperware” ascends: Picus Labs' report shows a shift from ransomware to stealthy malware that remains dormant until opportune moments, focusing on data theft rather than system disruption. This change reflects a significant drop in ransomware incidents, prompting new cybersecurity strategies.

https://www.zdnet.com/article/sleeperware-malware-sneaks-waits-ransomware-decline/

The Cyberattack That Exposed The Fragility Of Digital Heritage

Ransomware attacked the British Library on October 28, 2023, compromising servers, encrypting systems, and exfiltrating about 600 GB of data. The attack exploited vulnerabilities, including lack of multi-factor authentication on an entry point. This incident highlighted systemic issues in cultural institutions: outdated infrastructure, insufficient funding for tech upgrades, and complex network security challenges. In response, the Library initiated a significant overhaul, implementing better network segmentation, robust backup strategies, mandatory cybersecurity training, and elevating cybersecurity to a strategic priority. The incident underscores the risks faced by cultural heritage institutions in a digital age and the need for proactive cyber defense to protect knowledge access.

https://informationsecuritybuzz.com/the-cyberattack-that-exposed-the-fragility-of-digital-heritage/

The Latest Wave of Ransomware Attacks: As Widespread as Possible

Ransomware attack on BridgePay disrupts U.S. payment systems, forcing businesses, like restaurants, to go cash-only. The company is working with law enforcement but has found no evidence of compromised payment card data. This incident highlights vulnerabilities in centralized payment systems, emphasizing the need for improved cyber resiliency among service providers.

https://www.paymentsjournal.com/the-latest-wave-of-ransomware-attacks-as-widespread-as-possible/

Nitrogen Can’t Unlock Its Own Ransomware After Coding Error

Nitrogen ransomware is ineffective due to a programming error that prevents even the attackers from decrypting victims' files, rendering ransom payments useless. The malware corrupts the public key during encryption, leading to irreversible data loss. Despite its origins in 2023, Nitrogen has evolved from initial access malware to a ransomware threat that has caused significant damage without providing any means for recovery.

https://www.theregister.com/2026/02/04/nitrogen_ransomware_broken_decryptor/

FBI Seizes RAMP Cybercrime Forum Used by Ransomware Gangs

FBI seized RAMP, a cybercrime forum used by ransomware gangs, displaying a seizure notice on its Tor and clearnet sites. The action, coordinated with the Justice Department, provides access to user data, potentially identifying criminals. The forum, launched in 2021 after restrictions on ransomware promotion elsewhere, was managed by Mikhail Matveev, linked to multiple ransomware operations. Forum operators lamented the loss, and this seizure reflects ongoing law enforcement efforts against cybercrime.

https://www.bleepingcomputer.com/news/security/fbi-seizes-ramp-cybercrime-forum-used-by-ransomware-gangs/

2 Cyber Pros Admit to Being BlackCat Ransomware Affiliates

Two cybersecurity professionals, Ryan Goldberg and Kevin Martin, pleaded guilty to being affiliates of the BlackCat ransomware gang. They extorted at least five U.S. companies, including a medical device maker, earning $1 million. Both men, along with a third unnamed co-conspirator, used their expertise to commit these attacks while employed at cybersecurity firms.

https://www.databreachtoday.com/2-cyber-pros-admit-to-being-blackcat-ransomware-affiliates-a-30415

Interpol-led Action Decrypts 6 Ransomware Strains, Arrests Hundreds

Operation Sentinel, led by Interpol, arrested 574 individuals and recovered $3 million tied to cybercrimes across 19 countries, deactivating over 6,000 malicious links and decrypting six ransomware strains. The initiative highlights increasing cyber threats, with significant cases in Senegal, Ghana, Benin, and Cameroon reflecting joint international law enforcement efforts.

https://www.bleepingcomputer.com/news/security/interpol-led-action-decrypts-6-ransomware-strains-arrests-hundreds/

CISA Loses Key Employee Behind Early Ransomware Warnings

CISA's ransomware warning program, crucial in preventing $9 billion in damages, is jeopardized after its lead, David Stern, resigned rather than accept a reassignment. His departure raises concerns about the program's future and relationships with stakeholders, as it heavily depended on his connections and expertise. CISA asserts that the program continues, but its effectiveness may diminish without Stern's leadership.

https://www.cybersecuritydive.com/news/cisa-ransomware-warning-program-key-employee-left/808589/

From Linear to Complex: An Upgrade in RansomHouse Encryption

RansomHouse, a ransomware-as-a-service (RaaS) by Jolly Scorpius, has upgraded its encryption methods from simple to complex strategies, affecting at least 123 victims across critical sectors. The operation employs a double extortion tactic, combining data theft with ransom demands. Its attack chain involves four key phases: Develop, Infiltrate, Exfiltrate & Deploy, and Extort. Tools used include MrAgent, for managing systems, and Mario, the encryptor, which targets VMware environments. The upgraded Mario encryption method is significantly more sophisticated, enhancing operational disruption for victims.

https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/

Scroll to Top