X-Industry

Between April and June 2024, the NullBulge group emerged, targeting users in AI-centric applications and gaming communities.  The NullBulge persona has showcased creative methods of distributing malware targeting said tools and platforms.  Though the group projects an image of activism claiming to be “protecting artists around the world” and claims to be motivated by a pro-art, anti-AI cause rather than profit, other activities tied to this threat actor may indicate otherwise.

NullBulge’s servic

On 26 June, Evolve Bank and Trust, a financial institution that’s popular with fintech startups, announced that it had been victim of a cyberattack and data breach that could have affected its partner companies as well.  The incident, according to the company’s statement, involved “the data and personal information of some Evolve retail bank customers and financial technology partners’ customers.”

Evolve’s communications chief Thomas Holmes said that the incident involves “a known cybercriminal

The notorious Russia-based ransomware gang Lockbit 3.0 has claimed responsibility for a cyber-attack on the US Federal Reserve.  The attack, which was announced on 23 June via a post on a site associated with the ransomware gang, allegedly saw the gang infiltrate the systems of the US Federal Reserve and exfiltrate 33 TB of sensitive banking information.

In the post, which was entitled 'federalreserve.gov', the gang explained how the Federal Reserve is structured, and its role in distributing mo

The LockBit ransomware group has claimed a significant increase in attack volume in May 2024, which would once again make it the most active ransomware gang, a new report from NCC Group shows.  The LockBit ransomware operation was disrupted in February when law enforcement agencies in North America, Europe, and Asia seized 34 servers, took over the gang’s Tor-based leak site, froze its cryptocurrency wallets, and collected technical information on the group’s infrastructure.

The US government ha

In April of this year, a cyberattack on a large telecommunications company has been claimed by a ransomware gang that is gaining momentum as a cybercriminal operation.  On 1 June, the RansomHub operation posted Frontier Communications to its leak site claiming to have sensitive information of more than 2 million people.  The group claimed it spent more than two months attempting to extort the company but never got a response.  Frontier did not respond to requests for comment but reported a cyber

LockbitSupp, the pseudonymous leader of the LockBit ransomware group, was identified as a Russian national called Dmitry Khoroshev on 7 May as the United States, United Kingdom and Australia imposed financial sanctions against him.

A 26-count indictment has been unsealed in the US charging Khoroshev, with developing and operating the LockBit ransomware service.  He is accused of growing LockBit “into a massive criminal organization that has, at times, ranked as the most prolific and destructive

Despite the LockBit Ransomware-as-a-Service (RaaS) gang claiming to be back after a high-profile takedown in mid-February 2024, an analysis reveals significant, ongoing disruption to the group's activities, along with ripple effects throughout the cybercrime underground, with implications for business risk.  LockBit was responsible for 25% to 33% of all ransomware attacks in 2023, according to investigators, easily making it the biggest financial threat actor group of the last year. Since it eme

An international law enforcement operation has led to the seizure of multiple darknet domains operated by LockBit, one of the most prolific ransomware groups, marking the latest in a long list of digital takedowns.  While the full extent of the effort, codenamed Operation Cronos, is presently unknown, visiting the group's ‘.onion’ website displays a seizure banner containing the message "The site is now under the control of law enforcement." Authorities from 11 countries, Australia, Canada, Finl

The banking malware known as Carbanak has been observed to be used in ransomware attacks with updated tactics.  The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness.  Carbanak returned in November 2023 through new distribution chains and has been distributed through compromised websites to impersonate various business-related software.

See:  https://redskyalliance.org/Finance/never-take-malware-from-strangers

Some impersonated tools include popular

Note: this Recorded Future Ransomware Tracker is updated on the second Sunday of each month to stay current.  The number of victims posted on ransomware extortion sites increased in May, with ransomware gangs publicly claiming more than 400 attacks in a month for the second time this year. 

The uptick was fueled in large part by the Russia-linked LockBit ransomware group, which posted 74 victims to its extortion site in May.  The group has become far and away the most active ransomware gang, wit

Many people have wondered what the YKK labeled zipper on their jeans and jackets really meant.  Well, hackers sure knew what YKK stood for: lots of ransom money. Japanese zipper giant YKK confirmed that its US operations were targeted by hackers in recent weeks but said it was able to contain the threat before damage was caused.

The Tokyo-based corporation would not say if it was hit with ransomware, but a spokesperson reported that once YKK discovered that its US-based networks were targeted, t

A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to nefarious use by the now-defunct Conti ransomware gang members, indicating collaboration between the two crews.  The malware, named Domino, is primarily designed to facilitate follow-on exploitation of compromised systems, including delivering a lesser-known information stealer that has been advertised for sale on the dark web since December 2021.

Former TrickBot/Conti syndicate me

A ransomware attack that hit ION Trading UK could take days to fix, leaving scores of brokers unable to process derivatives trades.  ION Group, the financial data firm's parent company, said in a statement on its website that the attack began last week.  "The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing," ION Group said.  Ransomware is a form of malicious software deployed by criminal gangs which works by encry

Activity Summary - Week Ending on 6 January 2023:

• Red Sky Alliance identified 32,773 connections from new IP’s checking in with our Sinkholes
• Amazon in Singapore hit 32x
• Analysts identified 492 new IP addresses participating in various Botnets
• Red Sky Dark Web Collection for 2022
• LockBit seen twice in Top 5 Malware
• Indian Job Seeker data stolen (IR-23-005-001)
• The Meta Eire Fine
• Five Guys Burgers

Red Sky Alliance Compromised (C2) IP’s 

Activity Summary - Week Ending on 16 December 2022:

• Red Sky Alliance identified 31,927 connections from new IP’s checking in with our Sinkholes
• Frantech[.]ca In Las Vegas hit 14x
• Analysts identified 730 new IP addresses participating in various Botnets
• Cuba Ransomware
• ZeroBot
• Heliconia Exploit
• Sam’s Busted
• Metropolitan Opera
• CA Finance LockBit
• India Fighting on many Fronts
• e-Car Buyers

Link to full report: IR-22-350-001_weekly350.pdf

Activity Summary - Week Ending on 26 August 2022:

• Red Sky Alliance identified 30,967 connections from new IP’s checking in with our Sinkholes
• Microsoft hit
• Analysts identified 2,019 new IP addresses participating in various Botnets
• DarkyLock, Gwisin, vvyu, Kriptor
• Cuba Ransomware
• DiDi Chinese Ride Share
• India hit Hard
• Psychology and Cyber Security
• LockBit in France
• Center Hospital Sud Francilien & La Poste Mobile Hit

Link to full report: IR-22-238-001_weekly238.pdf

A member of the Conti ransomware group, believed to be Ukrainian of origin, has leaked the gang’s internal chats after the group’s leaders posted an aggressive pro-Russian message on their official site, on February 25^th, in the aftermath of Russia’s invasion of Ukraine.  The message appears to have rubbed Conti’s Ukrainian members the wrong way, and one of them has hacked the gang’s internal Jabber/XMPP server. Internal logs were leaked earlier today via an email sent to multiple journalists an

What happens when your expert consultant team that has been advising your organization about what you need to do to protect your firm from cyber threats becomes “front page news?” The consultancy Accenture, which offers cybersecurity services, confirmed Wednesday it had been hit by a cyber incident. The ransomware gang LockBit took credit for the attack.  Dublin, Ireland-based Accenture declined to give details on when the incident occurred, its duration or the attack type.

See for more informat

Remember the Dark Side comics?  Well, the DarkSide criminal hacking group is no laughing matter.  The DarkSide Ransomware gang claims they are creating a distributed storage system in Iran to store and leak data stolen from victims.  DarkSide is operated as a Ransomware-as-a-Service (RaaS) where developers control programming the ransomware software and payment site, and affiliates are recruited to hack businesses and encrypt their devices.

DarkSide is the latest ransomware criminal gang to anno

Like any profitable business model, ransomware gangs continue to innovate and increase their business.  Recently, reports have emerged of a collaboration between the Maze and Lockbit gangs, as well as the REvil, aka Sodinokibi, operators not leaking stolen data for free when victims do not pay, but instead auctioning it off to the highest bidder.

Here are some of the latest ransomware trends noted by cyber analysts: IR-20-164-002_Ransomware Trends.pdf