
Latest news with #RansomHub

Q2 2025 ransomware trends analysis: Boom and bust

Techday NZ

24-07-2025

  • Business
  • Techday NZ

Q2 2025 ransomware trends analysis: Boom and bust

"Tumultuous times" would be an accurate summary of Q2 2025 where ransomware threat actors are concerned. Rapid7's analysis of internal and publicly available data reveals a dynamic environment in which major players come and go, newer groups work their way up the heavy-hitters ladder, and threat actors jostle for top-dog status, with law enforcement action thrown in for good measure. In this article we highlight the key changes represented in the data: shifting alliances, the disappearing act of a dominant force, and how that vanishing trick has led to a major redistribution of ransomware operations.

At a glance

Q2 2025 features many of the threat actors Rapid7 observed in Q1, with the top four groups by leak site posts well out in front of the rest. Qilin leads the pack by some distance, with SafePay and Akira in second place and Play in third. Lynx and INC Ransom lead the lower half of the chart, with DragonForce making its first appearance of the year alongside top 10 newcomers such as the double extortionists NightSpire.

In Q1 2025, there were 76 active ransomware groups. Of those, 17 became inactive in Q2 2025, meaning they had no recorded leak posts in April, May, or June. These include (but are not limited to) 8base, BianLian, BlackBasta, Cactus, RansomExx, DarkVault, Zerolockersec, and CrazyHunter Team. There were 65 ransomware groups actively attacking in Q2 2025. While this is a 14.47% decrease from the previous quarter, the data for the first half of 2025 shows 96 unique groups overall, a 41.18% increase over the 68 seen in 1H 2024. New ransomware groups active since the start of Q2 include (but are not limited to) KaWa4096, Warlock, Devman, Nova, and Dire Wolf, with 11 net-new groups in Q2 2025 in total.

Notably, power player RansomHub, the most prolific operator observed in 2024 and the leader of the Q1 2025 top 10, ceased operations completely at the beginning of April, with the group's infrastructure dropping offline. Affiliates primarily moved to other Ransomware-as-a-Service (RaaS) offerings such as DragonForce and LockBit. Given that RansomHub affiliates are known for exploiting vulnerabilities to gain initial access, followed by double extortion, this could mean a significant ripple of ransomware distributors moving elsewhere.

Popular targets in Q2

Services, healthcare, technology, legal, and finance were the most targeted industries in Q2 2025. The frontrunner this quarter is services, with 44.4% of posts containing these victims' data. Healthcare is a distant second (10.6%), followed by technology (10.0%). Top regional targets were the United States (66.0%), followed by the UK with just 6.7%, Canada (6.6%), Germany (4.2%), and Italy (3.2%).

Notable trends

Q2 saw plenty of infighting between prominent and up-and-coming threat actors, claims of rivals uniting, and major players hit by arrests. It makes sense, then, that affiliates would be in a state of flux, moving from one RaaS group to another, or even holding off altogether until the dust settles. With so many rebrands and launches of newer, more nimble ransomware groups to choose from, expect to see more affiliates striking out in bold new directions.

Infighting sits uneasily next to cooperation in Q2, with some groups trying to offer bigger and better infrastructure, leak sites, and features to potential affiliates. DragonForce is a prime example, pairing its ransomware with other threat actors who take care of the initial access side of things. As we'll highlight later, DragonForce may have a shaky alliance with what remains of RansomHub, or perhaps it's something else altogether.

In Q1, we took extra care to highlight that our top 10 included two sets of data: groups posting net-new leaks (completely original, never-before-seen leak posts) and those posting reused or repurposed leaks. Well-known threat actors such as FunkSec and LockBit were found to be using old leak data, or mixing old data with faked attacks. Adopting new identities and reusing stale data for a quick promotional boost is something to be wary of when covering ransomware groups and supposed leaks. For Q2, we have removed threat actors posting old or fake data from the top 10 entirely. Q3 will no doubt require the same care and attention in presenting the most accurate description of ransomware group activity possible.

Ones to watch

For Q2, our ones to watch are a mix of new and established names. Threat actor arrests, hostile inter-group takeovers, innovative affiliate services, and potentially dangerous ransomware outbreaks in healthcare organisations define a frantic few months.

First observed in 2022, Scattered Spider is a threat actor that often combines nation-state-level tradecraft with aggressive social engineering. It continues to take the spotlight in high-profile incidents, even in the midst of arrests potentially tied to the collective. The group specialises in weaponising corporate environments and behaviours, paying careful attention to the human side of a target when sizing up a potential infiltration. Its initial access is closely tied to social engineering: phishing, SIM swapping, and help desk social engineering are what Scattered Spider excels at, which can make early detection difficult. Large enterprises in industries such as gaming, telecommunications, and cloud computing are known to be attractive targets, but the group has also branched out into retail, finance, and the aviation sector. It has been speculated that Scattered Spider is behind the June 30 cyber attack impacting 5.7 million Qantas customers.

Scattered Spider often partners with RaaS group DragonForce, with the former handling initial access and the latter providing the ransomware. Together they can be a devastating tag team of intrusion and extortion, and one which can blur which group was responsible for a specific attack. We can't currently say how much impact recent arrests related to several retailer compromises will have on the threat actor. Suspicion of Computer Misuse Act offences, blackmail, money laundering, and participating in organised crime are not easy charges to shrug off. The "sink or swim" moment for Scattered Spider may already have passed by the time Q3 comes around.

A new entry to our top 10, DragonForce (also known as "The DragonForce Ransomware Cartel") first came to light with a 2023 attack on the Ohio Lottery, impacting roughly 500,000 individuals with claims of stolen employee and customer data. More recently, a UK retailer, itself the victim of a major attack in April of this year, attributed the compromise to DragonForce. According to the company's chair, the attack, which is expected to reduce this year's profits by around $400m, felt like it was intended to "destroy the business." DragonForce is media-savvy and has its own AI-generated calling card, occasionally sent directly to BBC journalists to announce what may be new breaches.

To add to the drama surrounding this threat actor, shortly after RansomHub's leak site went offline in late March, it was defaced with a prominent "R.I.P. 3/3/25" message. In April, DragonForce published a "new projects" portal on its own leak site linking back to that message, and explicitly invited RansomHub to join its newly branded "Ransomware Cartel." Analysts widely interpret this as a hostile takeover; DragonForce also publicly declared on the RAMP dark web forum that RansomHub had "decided to move to our infrastructure." The result is a tangled and dramatic subplot that seems to reflect DragonForce's strategic push to absorb affiliates and expand its footprint: a messy, convoluted tale with no clear narrative, but perhaps that's exactly what an up-and-coming threat actor with a view to expansion wants.

In our Q1 2025 ransomware blog, Qilin came fourth in our top 10 once non-net-new leak posts were excluded. We said this threat actor was one to watch, and sure enough, Qilin tops the list once the same exclusions are applied. Qilin, working its way through healthcare, financial, and manufacturing businesses since 2022, has had a dramatic few months since we last covered its activities. Once more we return to the now-defunct RansomHub, because, though absent, the shadow of its presence looms large: even with the increase in leak posts from Qilin in Q2, it would likely have remained in second place behind RansomHub's prolific output. With the behemoth out of the way, this is now Qilin's time to shine.

In June, it was revealed that Qilin had added a "call a lawyer" feature to its affiliate panel. Said lawyer is supposed to assist with ransom negotiations, assessment of stolen data, and potential law-breaking by victims post-compromise. Doubt has been cast on how useful this service would actually be, and an argument could be made that it is largely designed to attract more affiliates. New, flashy services and features help to put a RaaS offering a cut above the rest, which is surely something Qilin's operators have considered. By the same token, publicity and making headlines can sometimes have the opposite effect where attracting affiliates is concerned. It was recently confirmed that a large-scale ransomware attack on one of the NHS's suppliers in 2024 was a contributory factor, among several others, in the death of a patient. In total, 170 patients suffered "low harm" as a result of the Qilin-attributed attack on Synnovis. With Qilin responsible for other attacks in the healthcare industry, it remains to be seen whether the threat actor's "we don't care" attitude proves a little too rich for would-be affiliates.

As with Q1, RaaS and double extortion are overwhelmingly favoured by the majority of threat actors in our top 10. The volume of leak posts over Q2 is high, with both never-before-seen leaks and rehashed data adding to the total. Additionally, some groups are making use of stealer logs and Initial Access Broker (IAB) forums, which provide credentials for the first point of entry into a compromised network. The risk-reward line in the sand is perhaps making some groups a little greedy in the rush to snap up new and potentially floating affiliates. Relaxing entry requirements for affiliate schemes, as DragonForce and Cicada3301 have done, may well lower the barrier to entry for wannabes. Considering how quickly rival groups go to war with one another over actual or perceived slights, it seems risky to simply hope that new affiliates will play by the rules, or not get themselves caught and expose the inner workings of an operation. In the worst case, a new affiliate not subject to stringent checks could turn out to be a security researcher, law enforcement, or someone from a rival threat actor. As we said: risk-reward.

Recommendations

In our Q1 2025 post, we highlighted "Five things you can do now" to secure your organisation against the ever-present threat of ransomware-centric compromise. Effective multi-factor authentication (MFA) deployment, continuous patch management, and attack surface investigation are all great ways to set about tackling the ransomware scourge.
But what can you do when your attacker is a specific threat actor, such as Scattered Spider?

Lock down the help desk: Help desk scams are an important part of Scattered Spider's intrusion techniques. Employee data scraped from LinkedIn profiles, combined with a lack of security precautions on the employer's side, often hands Scattered Spider its first rung on the compromise ladder. Train help desk staff to recognise common social engineering techniques, especially quick "emergency" resets, and enforce strict verification for password and MFA resets. High-privilege accounts may require multi-factor or even multi-person approval, especially for out-of-band or urgent-sounding reset requests. Limit how many support staff can reset admin-level accounts, and ensure all such actions are logged and reviewed by management.

Deploy and secure your MFA: Phishing-resistant MFA is crucial for users, and for administrators in particular. Administrators should not be using SMS for authentication codes; SMS is notorious for being hijacked through SIM swaps and fake help desk calls. Authenticator-app push with number matching is better, and FIDO2 security keys are the strongest option. Since Scattered Spider is known to use MFA fatigue (push bombing), limiting push attempts and requiring number matching should be viewed as important, if not essential, defences. Whatever form your MFA takes, quick detection of newly enrolled devices or unusual IP activity can help a security team stop the attacker from pivoting further.

Revisit your identity hygiene and least privilege: With compromised credentials being such an important part of Scattered Spider's tactics, it makes sense to keep business-critical accounts separate from everyday activities. High-privilege tasks should be performed from dedicated accounts, with just-in-time elevation applied so that even a compromise cannot lead to immediate escalation without an approval request.

Tighten cloud security and monitoring: Scattered Spider's deep understanding of cloud environments, using Amazon Web Services (AWS) Systems Manager Session Manager, the EC2 Serial Console, and Identity and Access Management (IAM) role enumeration to pivot and persist within cloud infrastructure, spells trouble for organisations with insecure cloud environments. Lock down cloud management pathways: in AWS, restrict Systems Manager Session Manager and the EC2 Serial Console to authorised admin users only, and alert when these features are used by new users or from unusual IP addresses. Monitor cloud audit logs (AWS CloudTrail, Microsoft Entra ID audit and sign-in logs) for any sign of intrusion, such as IAM role enumeration calls or unexpected creation of new IAM users. Behaviour analytics can help pinpoint when a low-privilege user suddenly begins performing admin-level actions. Apply least privilege so that a single compromised Okta/SSO user cannot by itself administer the entire cloud environment.

Enact a backup and response plan: Offline and encrypted backups of critical data, alongside regular testing of restoration plans, will ensure there is no eleventh-hour panic should the worst happen. As Scattered Spider wastes no time moving from initial compromise to full domain/admin takeover, an incident response plan is crucial to quickly and safely contain an attack. Rapid invalidation of active sessions and tokens, forced enterprise-wide password resets, and locking down help desk password resets will work wonders here, as will deploying your incident response teams.
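To make the CloudTrail monitoring advice concrete (and to answer the tabletop question of how you would know a rogue account had been created), here is an added example, written for this page rather than taken from Rapid7, that runs three detections over a constructed CloudTrail log: use of Systems Manager Session Manager or the EC2 Serial Console by a principal outside an admin allow-list or from an IP outside trusted networks, IAM calls that create a user or attach privileges to one, and a burst of IAM List*/Get* enumeration by a single principal. The account ID 123456789012, the ops-admin and jdoe principals, the 198.51.100.0/24 trusted range, the threshold of 10 calls in 5 minutes, and every event in the sample log are assumptions made up for the example.

```python
"""Flag Scattered Spider-style control-plane activity in AWS CloudTrail records.

Three detections, matching the cloud recommendations above:
  console-pathway       ssm:StartSession or EC2 Serial Console key push by a principal
                        outside the admin allow-list, or from an IP outside trusted networks
  iam-persistence       IAM calls that create a principal or attach privileges to one
  iam-enumeration-burst many IAM List*/Get* calls by one principal in a short window
Allow-list values and the sample events below are constructed for this example.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"                                             # CloudTrail eventTime
ALLOWED_CONSOLE_ADMINS = {"arn:aws:iam::123456789012:user/ops-admin"}  # hypothetical
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]           # hypothetical egress
ENUM_THRESHOLD, ENUM_WINDOW = 10, timedelta(minutes=5)                 # tune to your baseline

CONSOLE_PATHWAYS = {("ssm.amazonaws.com", "StartSession"),
                    ("ec2-instance-connect.amazonaws.com", "SendSerialConsoleSSHPublicKey")}
IAM_PERSISTENCE = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
                   "AttachRolePolicy", "PutUserPolicy", "AddUserToGroup", "UpdateAssumeRolePolicy"}


def load_cloudtrail(text):
    """Parse one CloudTrail log file body ({"Records": [...]}) into a list of records."""
    return json.loads(text)["Records"]


def _trusted_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:              # "AWS Internal", a service principal, or empty
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect(records):
    """Return finding dicts: one per suspicious event, plus one per principal whose
    IAM read calls reach ENUM_THRESHOLD inside any ENUM_WINDOW-sized window."""
    findings, reads = [], defaultdict(list)
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        who = rec.get("userIdentity", {}).get("arn", "<unknown>")
        src, name, ip = rec["eventSource"], rec["eventName"], rec.get("sourceIPAddress", "")
        base = {"principal": who, "ip": ip, "event": name, "time": rec["eventTime"]}
        if (src, name) in CONSOLE_PATHWAYS:
            if who not in ALLOWED_CONSOLE_ADMINS or not _trusted_ip(ip):
                findings.append({"rule": "console-pathway", **base})
        elif src == "iam.amazonaws.com":
            if name in IAM_PERSISTENCE:
                target = rec.get("requestParameters", {}).get("userName")
                findings.append({"rule": "iam-persistence", "target": target, **base})
            elif name.startswith(("List", "Get")):
                reads[who].append(datetime.strptime(rec["eventTime"], FMT))
    for who, times in reads.items():    # sliding window over time-sorted read calls
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > ENUM_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= ENUM_THRESHOLD:
            findings.append({"rule": "iam-enumeration-burst", "principal": who,
                             "calls_in_window": best})
    return findings


# ---- constructed sample log (not real telemetry) ----------------------------
_ARN = "arn:aws:iam::123456789012:user/"
_T0 = datetime(2025, 6, 10, 9, 0, 0)


def _rec(offset, source, name, user, ip, params=None):
    return {"eventTime": (_T0 + offset).strftime(FMT), "eventSource": source,
            "eventName": name, "userIdentity": {"type": "IAMUser", "arn": _ARN + user},
            "sourceIPAddress": ip, "requestParameters": params or {}}


_ENUM_CALLS = ["ListUsers", "ListRoles", "ListGroups", "ListPolicies", "GetAccountSummary",
               "GetAccountAuthorizationDetails", "ListAttachedRolePolicies", "ListRolePolicies",
               "GetRole", "GetUser", "ListAccessKeys", "ListInstanceProfiles"]
SAMPLE_LOG = json.dumps({"Records": [
    # benign: allow-listed admin working from the corporate range
    _rec(timedelta(0), "ssm.amazonaws.com", "StartSession", "ops-admin", "198.51.100.10"),
    _rec(timedelta(minutes=1), "iam.amazonaws.com", "ListUsers", "ops-admin", "198.51.100.10"),
    # admin credentials reused from an unfamiliar address (stolen session or SIM swap)
    _rec(timedelta(minutes=20), "ec2-instance-connect.amazonaws.com",
         "SendSerialConsoleSSHPublicKey", "ops-admin", "203.0.113.99"),
    # compromised low-privilege user: enumerate, create a backdoor user, elevate it, get a shell
    _rec(timedelta(minutes=12, seconds=30), "iam.amazonaws.com", "CreateUser", "jdoe",
         "203.0.113.45", {"userName": "svc-backup"}),
    _rec(timedelta(minutes=12, seconds=45), "iam.amazonaws.com", "AttachUserPolicy", "jdoe",
         "203.0.113.45", {"userName": "svc-backup",
                          "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec(timedelta(minutes=13, seconds=10), "ssm.amazonaws.com", "StartSession", "jdoe",
         "203.0.113.45", {"target": "i-0abc123def456789"}),
] + [_rec(timedelta(minutes=10, seconds=10 * i), "iam.amazonaws.com", call, "jdoe",
          "203.0.113.45") for i, call in enumerate(_ENUM_CALLS)]})

if __name__ == "__main__":
    for finding in detect(load_cloudtrail(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Two caveats before relying on this pattern: CloudTrail only records IAM List*/Get* calls if the trail logs read management events, so verify that setting first; and the enumeration threshold must be tuned against your own baseline, because CI pipelines and security scanners enumerate IAM too. In production the allow-list and trusted ranges would be fed from your identity provider and egress configuration rather than hard-coded.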
Take it to the table: Tabletop exercises built on Scattered Spider's playbook of known tactics, techniques, and procedures (TTPs) should be part of any scenario intended to determine how much of a Scattered Spider storm your organisation can weather. Focus on key Scattered Spider techniques, such as a dedicated help desk attack exercise. For example: the attacker has already obtained an employee's phone number from LinkedIn and is attempting a SIM swap by social-engineering the help desk technician. Or the attacker has instead compromised the help desk worker's login via a phishing website and is looking to create hidden privileged accounts. In that scenario, how would you know the rogue account had been created? What data would you look for to indicate unusual activity, and where would it live? We mentioned multi-person approval for new account creation above; what happens if no approval is required?

Conclusion

The rise of groups such as DragonForce, as well as Qilin's newfound dominance in the face of RansomHub's absence, signals a period of what may be prolonged rebalancing of power and affiliate enticement among threat actors. Add to this the uncertain lay of the land with regard to supposed ransomware alliances, and we have a perfect storm of groups working together, yet remaining at odds, while businesses attempt to parse shifting threat actor patterns. The sheer chaos of this environment means it has never been more important for organisations to make use of threat intelligence and explore what makes these groups tick. Their willingness to adopt new strains of ransomware and affiliate models, while also leveraging social engineering, is clear to see. A defence-in-depth approach covering detection and response as well as social engineering training to address the human element is crucial. Maybe it's finally time to dust off that tabletop.

INE Security Alert: $16.6 Billion in Cyber Losses Underscore Critical Need for Advanced Security Training

Yahoo

02-06-2025

  • Business
  • Yahoo

INE Security Alert: $16.6 Billion in Cyber Losses Underscore Critical Need for Advanced Security Training

New FBI Data Reveals Organizations Need Deeper Technical Expertise to Detect, Contain, and Remediate Advanced Attacks

CARY, N.C., June 2, 2025 /PRNewswire/ -- INE Security, a global leader in cybersecurity training and certification, is emphasizing the urgent need for technical cybersecurity professionals who can detect, analyze, and neutralize threats once they've bypassed initial defenses. The FBI's latest Internet Crime Complaint Center (IC3) Annual Report reveals a stark reality: cybercriminals extracted a record $16.6 billion from victims in 2024, a 33% increase over the previous year. While these losses include both individual and organizational victims, the enterprise-focused attacks highlighted in the report underscore a critical skills gap.

The Technical Challenge Behind the Numbers

While the FBI report captures the financial damage, the underlying technical reality is more complex:

Ransomware Evolution: The 18% surge in critical infrastructure attacks, led by sophisticated variants like Akira, LockBit, and RansomHub, demonstrates that modern ransomware operators are using advanced techniques, including lateral movement, privilege escalation, and data exfiltration, that require specialized detection and response skills.

Post-Compromise Detection: The $2.77 billion in Business Email Compromise losses, which primarily target organizations, represent successful attacks that evaded initial security controls. Organizations need security professionals trained in forensic analysis, network traffic analysis, and incident response to identify and contain these threats after they've gained initial access.

Cryptocurrency Attack Complexity: The 66% spike in cryptocurrency fraud ($9.3 billion total) includes attacks on both individual and organizational victims, but reflects increasingly sophisticated blockchain analysis requirements and the need for security teams trained in cryptocurrency forensics and threat hunting methodologies.

INE Security's Technical Training Response

"While the FBI report captures losses across all victim types, the enterprise-focused attacks demonstrate that organizations face increasingly sophisticated threats that require advanced defensive capabilities," said Dara Warn, CEO of INE Security. "Organizations need security professionals with hands-on technical skills to hunt threats, analyze malware, and respond to incidents with deep technical expertise."

INE Security's enterprise training programs address the post-breach reality through:

Advanced Threat Detection Labs: Hands-on training with current CVEs and attack techniques, enabling security teams to recognize and analyze the specific TTPs (Tactics, Techniques, and Procedures) used by ransomware groups and advanced persistent threats.

Incident Response and Forensics Training: Practical skills in malware analysis, memory forensics, and network traffic analysis that enable rapid threat identification and containment once attackers have gained access.

Threat Hunting Methodologies: Proactive detection techniques that help security teams identify compromise indicators before attacks reach their intended objectives.

Industry-Specific Attack Simulation: Customized training environments that replicate the specific threats facing manufacturing, healthcare, government, and financial sectors, the industries most heavily targeted according to the FBI data.

The Skills Gap Reality

The FBI report's emphasis on the successful Operation Level Up, which saved victims $285.6 million through proactive identification, underscores the value of skilled security professionals who can proactively hunt threats and analyze complex attack patterns.

"The difference between a $10,000 security incident and a $10 million breach often comes down to detection speed and response capability," emphasized Warn. "Organizations with certified security professionals trained in advanced technical skills detect threats in hours rather than months."

Enterprise Training That Addresses Real Threats

INE Security's enterprise programs are designed around the technical realities revealed in the FBI report:

Malware Analysis Training: Hands-on experience with current ransomware families and attack techniques
Network Security Monitoring: Advanced skills in detecting lateral movement and data exfiltration
Cryptocurrency Forensics: Specialized training in blockchain analysis and cryptocurrency threat hunting
Custom Threat Simulation: Industry-specific attack scenarios based on actual threat intelligence

For organizations looking to build the technical security capabilities needed to combat the sophisticated threats highlighted in the FBI IC3 report, INE Security offers customized enterprise training solutions. Organizations can request a demo to explore how advanced security training may enhance their detection and response capabilities.

About INE Security

INE Security is the premier provider of online networking and cybersecurity training and certifications. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is trusted by Fortune 500 companies worldwide for their cybersecurity training needs, and by IT professionals looking to advance their careers. INE Security's suite of learning paths offers an incomparable depth of expertise across cybersecurity education and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

Contact: Kathryn Brown, INE Security

SOURCE INE Security

'RansomHub' behind CCSD cybersecurity incident that impacted thousands of student, staff data in July 2024

Yahoo

06-05-2025

  • Yahoo

'RansomHub' behind CCSD cybersecurity incident that impacted thousands of student, staff data in July 2024

CHARLESTON COUNTY, S.C. (WCBD) – The Charleston County School District provided an update Tuesday regarding a cybersecurity incident that occurred in July 2024.

The district said it conducted a 'thorough investigation' with external cybersecurity experts and found that a cybercriminal group known as RansomHub had unauthorized access for roughly four days, July 16-19, affecting 20,653 students and staff, with records dating back to 2005. When the incident was discovered, CCSD said it acted immediately to contain the threat, secure its network, and initiate a detailed forensic review.

'While the district does not publicly disclose specific vulnerabilities or methods used in the breach, we can confirm that the exploited vulnerability has been fully remediated, and our systems have undergone significant security upgrades to prevent future incidents,' the district said in a news release.

The district said it did not pay a ransom or engage in negotiations with the cybercriminals at any point.

Personal information compromised in the breach varied by individual. The district said it completed an exhaustive review to identify and notify those individuals whose information was affected. 'Notifications were recently mailed directly to impacted individuals and included specific details on the types of information involved, along with tailored guidance,' CCSD said.

The district said it is offering complimentary identity protection services, including credit monitoring, identity theft recovery assistance, and a $1,000,000 insurance reimbursement policy to support those affected. District officials said individuals who were confirmed to have been impacted and received a letter are encouraged to take advantage of the protection services and to contact the dedicated call center at 1-877-522-6813 with any questions. Representatives will be available on that line between 9 a.m. and 9 p.m. Monday through Friday.

Copyright 2025 Nexstar Media, Inc.

19 Tech Experts Detail Emerging APT Tactics (And How To Prepare)

Forbes

17-04-2025

  • Business
  • Forbes

19 Tech Experts Detail Emerging APT Tactics (And How To Prepare)

The thought of a successful cyberattack is a sobering one for any business, but even more alarming are advanced persistent threats. Through these sophisticated attacks, a bad actor infiltrates a network and is able to linger for an extended period of time, undetected, accessing sensitive data, disrupting operations or even conducting ongoing surveillance. Carefully planned and often tailored to specific industries and technologies, APTs are evolving and growing in number, with cloud migration, remote workplaces and increased reliance on third-party vendors expanding the attack surface. Below, members of Forbes Technology Council detail emerging APT tactics digital organizations must be ready for and how to prepare.

Browsers have emerged as a significant threat vector. The significant majority of our work time is spent within browsers. As the use of SaaS applications continues to grow, the number of locations where sensitive data is stored expands, making it more challenging to secure data and leaving IT and security teams struggling to keep up. Our inability to mitigate browser-based threats poses critical risk for our organizations. - John Carse, SquareX

Threat actors are weaponizing EDR bypass tools (or 'EDR killers') to launch their attacks, as seen in recent attempts by RansomHub. Threats that evade perimeter controls, however, must still cross the network—which can't be tampered with. Have a layered defense that includes network visibility to identify unusual patterns that could indicate malicious behaviors so attackers have nowhere to hide. - Rob Greer, ExtraHop

AI supports every phase of an attack, including command-and-control (C2) beaconing. If your security mostly relies on machine learning systems based on rules and known indicators, you're exposed. Most enterprises should expect their counterparties to be repeatedly hacked—until we all embrace adaptive deep learning as a defense. - Evan Powell, Deep Tempo

APT groups will weaponize deepfake-driven phishing even further. AI-generated voices and videos will impersonate executives, bypassing traditional identity verification and social engineering defenses. Organizations must implement multifactor biometric authentication, behavioral analytics and AI-driven anomaly detection that can flag even the most subtle inconsistencies. - Aditya Patel, Amazon Web Services (AWS)

Cloud collaboration tools are increasingly being weaponized. Attackers 'live off the land' using trusted platforms like Microsoft 365 to evade detection. To combat this, organizations should implement strong multifactor authentication and behavioral analytics for cloud environments and train employees to recognize suspicious activity in the tools they rely on for daily collaboration. - Gergo Vari, Lensa, Inc.

Advances in generative AI have become sophisticated, making social engineering attacks more convincing and challenging to detect. Identity-driven security, such as phishing-resistant authentication and verification, plays a crucial role in mitigating social engineering attacks by focusing on verifying and validating the identities of users and entities involved in digital interactions. - Venkat Viswanathan, Okta

APTs are increasingly targeting backup and disaster recovery systems to sabotage recovery efforts. Organizations must implement immutable backups, enforce zero-trust access, regularly test recovery plans and use AI-driven threat detection to ensure cyber resilience. - Aliasgar Dohadwala, Visiontech Systems International LLC

APT groups are increasingly leveraging infostealer malware to harvest credentials and session cookies, allowing them to bypass multifactor authentication and maintain stealthy access. To defend against this, organizations must monitor for stolen credentials, detect and invalidate compromised sessions, and enforce adaptive authentication to prevent attackers from exploiting legitimate user identities. - Damon Fleury, SpyCloud

A rising APT tactic is supply chain attacks, where hackers exploit third-party vendors and software dependencies to breach networks. To counter this, organizations must conduct strict vendor assessments, enforce zero-trust security, implement continuous monitoring and strengthen incident response to safeguard critical systems and data. - Sanjoy Sarkar, First Citizens Bank

While open-source AI models are a goldmine for software developers, they are equally attractive to cybercriminals for embedding malware. Organizations need to be able to discover which models are being used within their applications, and how they're being used, to screen them for security risks and enforce policies over which models can and cannot be used. - Varun Badhwar, Endor Labs

Prepare for AI-driven APTs that autonomously adapt to security defenses. These attacks learn from detection attempts and modify their techniques to remain hidden. Prepare by implementing AI-based defense systems, conducting adversarial simulations, developing response playbooks, embracing zero-trust architecture and investing in threat intelligence for early warnings of new attack methods. - Priya Mohan, KPMG

An emerging APT tactic is adversarial AI attacks, where threat actors manipulate machine learning models to evade detection or generate false insights. Organizations should prepare by securing AI training data, implementing robust anomaly detection and continuously stress-testing models against adversarial inputs. Strengthening AI governance and investing in explainable AI will enhance resilience. - Sai Vishnu Vardhan Machapatri, Vernus Technologies

Attackers are deploying zero-click exploits—which require no user interaction—to infiltrate mobile devices, Internet of Things systems and critical infrastructure. Enterprises need continuous endpoint monitoring, hardware-level security enforcement and AI-driven anomaly detection for connected devices. - Vamsi Krishna Dhakshinadhi, GrabAgile Inc.

An emerging APT tactic involves targeting unmanaged digital assets (that is, shadow IT) and poisoning AI training data to manipulate outcomes. Organizations should conduct regular audits to identify and secure shadow IT, enforce strict governance over digital tools, validate AI data pipelines and implement anomaly detection to ensure data integrity before model training. - Mark Mahle, NetActuate, Inc.

A new APT tactic to watch for is adversary-in-the-middle (AiTM) attacks, where threat actors intercept and manipulate real-time communications to bypass authentication and hijack sessions. To prepare, organizations should implement phishing-resistant multifactor authentication, monitor session integrity and deploy AI-driven anomaly detection to flag unauthorized access attempts before they escalate. - Roman Vinogradov, Improvado

APTs will increasingly target data governance gaps rather than technical systems. Organizations should prepare by establishing comprehensive data inventories and clear data lineage. When you know what data you have, who can access it and how it flows through systems, you eliminate the 'dark corners' where threats hide. - Nick Hart, Data Foundation

Organizations must prepare for 'AI poisoning,' where attackers manipulate machine learning models by injecting corrupted data into training sets. This can lead to biased and incorrect results, eventually distorting fraud detection and security defenses. Organizations must implement robust data validation pipelines and regularly and proactively audit AI models for anomalies. - Harini Shankar

Cloud-native attack chains are a rising advanced persistent threat trend. These use cloud services for stealthy, complex attacks that evade traditional defenses. Organizations must implement cloud workload protection (CWP), continuous API monitoring and SIEM that correlates cloud-native logs. Microsegmentation and least-privilege access are also vital to limit lateral movement. - Pradeep Kumar Muthukamatchi, Microsoft

Attackers with long-term footholds in networks performing data exfiltration are a major concern. To combat this, businesses should implement zero-trust architectures to limit lateral movement and use next-generation firewalls that analyze traffic patterns to new or untrusted locations. - Imran Aftab, 10Pearls

Hackers slam Michigan tribe for not negotiating after cyberattack forced casinos to close

Yahoo

26-02-2025



GRAND RAPIDS, Mich. (WOOD) — The showdown between a group of hackers and a Michigan tribe is far from over, even as the tribe prepares to reopen its chain of casinos following an 18-day shutdown.

A group called RansomHub has claimed responsibility for the cyberattack and submitted a letter to the on Feb. 16 to provide its 'side of the events.' The hacker group said it has made 'multiple attempts' to contact the Sault Ste. Marie Tribe of Chippewa Indians and said reports that they are demanding $5 million in ransom are false.

'They have received detailed instructions via phone voicemails, corporate and personal emails and internal network messages,' RansomHub . 'Despite these numerous efforts, no representative from the Sault Tribe has initiated any communication with us. Therefore, the reported $5 million ransom figure is purely speculative, as no negotiations have taken place.'

The attack was first discovered on Feb. 9, forcing the tribe to promptly . The Sault Ste. Marie location is set to open Wednesday. The St. Ignace casino will open at noon Friday. The other three locations, in Manistique, Christmas and Hessel, will open at noon March 3.

RansomHub claims it has possession of more than 100 gigabytes of confidential data. Tribal Chairman Austin Lowes said the tribe is still working to determine the extent of what private data was stolen, but did confirm that his personal information and the private data of his family members were exposed.

'The financial situation of the tribe is sufficient to cover the expenses associated with this cyberattack,' the RansomHub letter read. 'The tribe's failure to act raises serious questions about its leadership's priorities and intentions regarding this matter.'

Lowes has not made any mention of demands from the hackers or whether the two sides have negotiated a possible deal.

The ransomware focused on the tribe's computer networks and internal phone systems. In addition to shutting down the tribe's five casinos, it severely limited all sorts of tribal services, including its health centers. Ransomware is a type of malicious software that locks users out of computer files, systems or networks and 'demands a ransom' to get it back. The FBI says there are several ways to unknowingly download ransomware onto a computer — anything from opening an email attachment, a pop-up ad or even visiting a website that has embedded malware.

Copyright 2025 Nexstar Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
