lockbit (23)

Despite current law enforcement action to take down ransomware gangs, Secureworks has observed a 30% year-on-year rise in active ransomware groups.  In the eighth edition of the Secureworks annual State of The Threat Report[1], the firm identified 31 new groups that had entered the ransomware ecosystem in the last 12 months.  The report noted that while a few big players had previously dominated the threat landscape, it is now home to a broader set of emerging entities.[2]

The top four most

In February 2024, researchers at SentinelOne posted a write-up on Kryptina Ransomware-as-a-Service (RaaS), a free and open-source RaaS platform written for Linux.  At the time, Kryptina provided all the components required to host a fully functional RaaS platform.  These included automating payloads, managing multiple groups and the campaigns nested within them, and configuring the ransom payment requirements, such as the amount and type of payment.  Despite such functionality, the offering struggled

A recent Chainalysis report indicates that 2024 is set to be the highest-grossing year for ransomware payments.  2023 is the current record holder in that regard, surpassing the $1 billion mark, which was a notable development given the significant decline in ransomware payments that occurred in 2022.  The chart below shows a clear trendline of increasing payments since 2019.  In hindsight, it may be more useful to view 2022 as an anomaly.  The mid-year total

Between April and June 2024, the NullBulge group emerged, targeting users in AI-centric applications and gaming communities.  The NullBulge persona has showcased creative methods of distributing malware targeting said tools and platforms.  Though the group projects an image of activism claiming to be “protecting artists around the world” and claims to be motivated by a pro-art, anti-AI cause rather than profit, other activities tied to this threat actor may indicate otherwise.

NullBulge’s servic

On 26 June, Evolve Bank and Trust, a financial institution that’s popular with fintech startups, announced that it had been the victim of a cyberattack and data breach that could have affected its partner companies as well.  The incident, according to the company’s statement, involved “the data and personal information of some Evolve retail bank customers and financial technology partners’ customers.”

Evolve’s communications chief Thomas Holmes said that the incident involves “a known cybercriminal

The notorious Russia-based ransomware gang Lockbit 3.0 has claimed responsibility for a cyber-attack on the US Federal Reserve.  The attack, which was announced on 23 June via a post on a site associated with the ransomware gang, allegedly saw the gang infiltrate the systems of the US Federal Reserve and exfiltrate 33 TB of sensitive banking information.

In the post, which was entitled 'federalreserve.gov', the gang explained how the Federal Reserve is structured, and its role in distributing mo

The LockBit ransomware group has claimed a significant increase in attack volume in May 2024, which would once again make it the most active ransomware gang, a new report from NCC Group shows.  The LockBit ransomware operation was disrupted in February when law enforcement agencies in North America, Europe, and Asia seized 34 servers, took over the gang’s Tor-based leak site, froze its cryptocurrency wallets, and collected technical information on the group’s infrastructure.

The US government ha

In April of this year, a cyberattack on a large telecommunications company was claimed by a ransomware gang that is gaining momentum as a cybercriminal operation.  On 1 June, the RansomHub operation posted Frontier Communications to its leak site, claiming to have sensitive information of more than 2 million people.  The group claimed it spent more than two months attempting to extort the company but never got a response.  Frontier did not respond to requests for comment but reported a cyber

LockbitSupp, the pseudonymous leader of the LockBit ransomware group, was identified as a Russian national called Dmitry Khoroshev on 7 May as the United States, United Kingdom and Australia imposed financial sanctions against him.

A 26-count indictment has been unsealed in the US charging Khoroshev with developing and operating the LockBit ransomware service.  He is accused of growing LockBit “into a massive criminal organization that has, at times, ranked as the most prolific and destructive

Despite the LockBit Ransomware-as-a-Service (RaaS) gang claiming to be back after a high-profile takedown in mid-February 2024, an analysis reveals significant, ongoing disruption to the group's activities, along with ripple effects throughout the cybercrime underground, with implications for business risk.  LockBit was responsible for 25% to 33% of all ransomware attacks in 2023, according to investigators, easily making it the biggest financial threat actor group of the last year.  Since it eme

An international law enforcement operation has led to the seizure of multiple darknet domains operated by LockBit, one of the most prolific ransomware groups, marking the latest in a long list of digital takedowns.  While the full extent of the effort, codenamed Operation Cronos, is presently unknown, visiting the group's ‘.onion’ website displays a seizure banner containing the message "The site is now under the control of law enforcement."  Authorities from 11 countries, Australia, Canada, Finl

The banking malware known as Carbanak has been observed in ransomware attacks with updated tactics.  The malware has adapted to incorporate new attack vectors and techniques to diversify its effectiveness.  Carbanak returned in November 2023 through new distribution chains and has been distributed through compromised websites impersonating various business-related software.

See:  https://redskyalliance.org/Finance/never-take-malware-from-strangers

Some impersonated tools include popular

Note: this Recorded Future Ransomware Tracker is updated on the second Sunday of each month to stay current.  The number of victims posted on ransomware extortion sites increased in May, with ransomware gangs publicly claiming more than 400 attacks in a month for the second time this year.

The uptick was fueled in large part by the Russia-linked LockBit ransomware group, which posted 74 victims to its extortion site in May.  The group has become far and away the most active ransomware gang, wit

Many people have wondered what the YKK labeled zipper on their jeans and jackets really meant.  Well, hackers sure knew what YKK stood for: lots of ransom money.  Japanese zipper giant YKK confirmed that its US operations were targeted by hackers in recent weeks but said it was able to contain the threat before damage was caused.

The Tokyo-based corporation would not say if it was hit with ransomware, but a spokesperson reported that once YKK discovered that its US-based networks were targeted, t

A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to nefarious use by the now-defunct Conti ransomware gang members, indicating collaboration between the two crews.  The malware, named Domino, is primarily designed to facilitate follow-on exploitation of compromised systems, including delivering a lesser-known information stealer that has been advertised for sale on the dark web since December 2021.

Former TrickBot/Conti syndicate me

A ransomware attack that hit ION Trading UK could take days to fix, leaving scores of brokers unable to process derivatives trades.  ION Group, the financial data firm's parent company, said in a statement on its website that the attack began last week.  "The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing," ION Group said.  Ransomware is a form of malicious software deployed by criminal gangs which works by encry

Activity Summary - Week Ending on 6 January 2023:

  • Red Sky Alliance identified 32,773 connections from new IPs checking in with our Sinkholes
  • Amazon in Singapore hit 32x
  • Analysts identified 492 new IP addresses participating in various Botnets
  • Red Sky Dark Web Collection for 2022
  • LockBit seen twice in Top 5 Malware
  • Indian Job Seeker data stolen (IR-23-005-001)
  • The Meta Eire Fine
  • Five Guys Burgers


Red Sky Alliance Compromised (C2) IPs

IP              Contacts
18.142.112.98   238
89.117.58

Activity Summary - Week Ending on 16 December 2022:

  • Red Sky Alliance identified 31,927 connections from new IPs checking in with our Sinkholes
  • Frantech[.]ca in Las Vegas hit 14x
  • Analysts identified 730 new IP addresses participating in various Botnets
  • Cuba Ransomware
  • ZeroBot
  • Heliconia Exploit
  • Sam’s Busted
  • Metropolitan Opera
  • CA Finance LockBit
  • India Fighting on many Fronts
  • e-Car Buyers

Link to full report: IR-22-350-001_weekly350.pdf

Activity Summary - Week Ending on 26 August 2022:

  • Red Sky Alliance identified 30,967 connections from new IPs checking in with our Sinkholes
  • Microsoft hit
  • Analysts identified 2,019 new IP addresses participating in various Botnets
  • DarkyLock, Gwisin, vvyu, Kriptor
  • Cuba Ransomware
  • DiDi Chinese Ride Share
  • India hit Hard
  • Psychology and Cyber Security
  • LockBit in France
  • Center Hospital Sud Francilien & La Poste Mobile Hit

Link to full report: IR-22-238-001_weekly238.pdf

A member of the Conti ransomware group, believed to be of Ukrainian origin, has leaked the gang’s internal chats after the group’s leaders posted an aggressive pro-Russian message on their official site on February 25th, in the aftermath of Russia’s invasion of Ukraine.  The message appears to have rubbed Conti’s Ukrainian members the wrong way, and one of them has hacked the gang’s internal Jabber/XMPP server.  Internal logs were leaked earlier today via an email sent to multiple journalists an