Huntress Employee Allegedly Tipped Off Ransomware Actor About FBI
Former analyst claims a Huntress threat hunter shared FBI communications with ransomware operator Devman, including agent names. CEO admits 'poor judgment' but denies illegality.
105 articles tagged with "Ransomware"
Former analyst claims a Huntress threat hunter shared FBI communications with ransomware operator Devman, including agent names. CEO admits 'poor judgment' but denies illegality.
Angelo Martino leaked client insurance limits and negotiation strategies to the ransomware gang he was hired to negotiate against. Federal court sentences the double agent to nearly six years.
Symantec exposes GodDamn ransomware's BYOVD attack using Microsoft-signed PoisonX kernel driver to blind EDR tools. Here's how Hyadina's latest variant works and what defenders should watch for.
Technical analysis reveals Everest ransomware wakes sleeping machines via ARP cache parsing before encryption. ConfuserEx obfuscation and deceptive crypto declarations complicate response.
Sophos and FBI warn of new partnership combining supply chain credential theft with ransomware deployment. 500,000 credentials already stolen.
New modular malware framework Avalon combines credential theft, lateral movement, and CrownX ransomware in one package. AI-assisted development suspected.
CISA confirms ransomware groups are exploiting CVE-2026-33825, a Microsoft Defender privilege escalation flaw leaked in April. Patch urgently if you haven't already.
Check Point Research reveals InfernoGrabber, an AI-generated ransomware that encrypts files through Chrome's File System Access API without installing malware or exploiting any vulnerability.
The Blackfield ransomware gang claims a breach at Nidec Corporation, demanding $2 million to prevent data leakage. This marks Nidec's second ransomware incident in two years.
BabaDeda, Lorem Ipsum, and Potemkin loaders emerge from ClickFix social engineering attacks, deploying infostealers and linking to Rhysida ransomware operations.
Two UK teenagers plead guilty to the September 2024 TfL breach that exposed 10 million commuters and forced 28,000 employees to reset passwords in person.
A malicious Edge extension abuses Chrome's Native Messaging protocol to deploy a Python backdoor with full system access, linked to Payouts King ransomware operations.
Symantec links the stealthy Mistic backdoor to KongTuke, an initial access broker supplying corporate network access to major ransomware gangs.
CVE-2026-50751 allows unauthenticated VPN access via IKEv1 certificate validation flaw. CISA gave federal agencies three days to patch after linking attacks to ransomware affiliate.
Prinz Eugen ransomware prioritizes recently modified files for encryption, maximizing business disruption. Learn how this Go-based threat works and who's at risk.
Symantec reveals ransomware group used Teams TURN relay infrastructure to mask command-and-control. First documented abuse of Teams relay for malware C2.
ESET unmasks GentleKiller, an 8-variant EDR killer framework targeting 400+ security processes. The gang ships updates to affiliates like a software vendor.
Ukrainian national Oleksii Lytvynenko admits to developing loader malware for the Conti ransomware gang after extradition from Ireland. Sentencing set for September 2026.
ShinyHunters threatens to leak 26 million customer records from MSG Sports, owner of the Knicks and Rangers, as today's June 15 deadline passes.
Qilin's affiliate network hit healthcare, manufacturing, and critical infrastructure across nine countries in early June. The gang maintains 12-month dominance.
11-nation operation shuts down €336M cryptocurrency laundering service. Two operators arrested in Georgia, 25 domains seized, and over 6,000 money mule accounts exposed.
CVE-2026-44963 in Veeam Backup & Replication enables any authenticated domain user to achieve remote code execution on backup servers. CVSS 9.4 critical severity.
Sophos discovers ransomware framework using Claude Opus 4.5 to automate EDR evasion and Active Directory discovery. Toolkit tested 80+ modules against Sophos, CrowdStrike, and Defender.
7-Eleven confirms data breach after ShinyHunters demanded $250K ransom. Over 600,000 Salesforce records allegedly stolen from franchise application systems.
CVE-2024-12802 lets attackers bypass MFA on SonicWall Gen6 VPNs even after patching. Ransomware operators actively exploiting incomplete fixes. Gen6 reached EOL April 16.
New ransomware group Payload uses Babuk-derived code to target Windows and VMware ESXi systems. 12 victims across 7 countries within hours of launching leak site.
International law enforcement seizes 33 servers and shuts down First VPN, a criminal service used by at least 25 ransomware groups since 2014. 15 nations participated.
Verizon's 2026 Data Breach Investigations Report reveals vulnerability exploitation surpassed credential theft as the leading breach vector for the first time in 19 years. Only 26% of KEV flaws get patched.
Microsoft's Digital Crimes Unit seizes infrastructure behind Fox Tempest, a malware-signing service that helped Rhysida, Akira, and Qilin ransomware gangs disguise malicious code as legitimate software.
Internal database of #2 ransomware group leaked after 4VPS hosting breach exposes chat logs, affiliate rosters, and operational playbooks from 400+ attacks.
Nitrogen ransomware gang claims 8TB of data including Apple, Nvidia, and Intel files from Foxconn's Wisconsin and Texas facilities. Fourth major ransomware incident for the electronics giant.
Pharma supplier West Pharmaceutical Services discloses ransomware attack in SEC filing. Attackers exfiltrated data before encrypting systems. Unit 42 investigating.
A new proof-of-concept tool abuses Windows CreateFileW API to block file access across SMB shares. The technique evades all tested EDR products and requires no elevated privileges.
M-Trends 2026 reveals attackers now outpace patches, with AI accelerating exploitation and ransomware handoffs dropping to 22 seconds. Defenders are losing ground.
Go-based Sorry ransomware exploits cPanel auth bypass CVE-2026-41940, encrypting files with ChaCha20/RSA-2048. 44,000+ IPs compromised as attackers demand Tox ransom.
US Coast Guard Cyber Command issued an alert warning that INC Ransom is actively targeting maritime and logistics networks with double-extortion ransomware.
Former Sygnia and DigitalMint employees Ryan Goldberg and Kevin Martin sentenced for deploying ALPHV BlackCat ransomware while working as incident responders.
Peter Stokes, 19, was detained while boarding a flight to Japan. Federal prosecutors allege he participated in breaches that forced companies to pay millions in ransoms.
New extortion group BlackFile impersonates IT helpdesks via phone calls to steal credentials and demand seven-figure ransoms. Targets include retail chains and hospitality companies.
Check Point researchers gained access to a SystemBC C2 server operated by The Gentlemen ransomware group, uncovering over 1,570 compromised corporate networks that haven't been publicly disclosed.
New Kyber ransomware operation uses NIST-standardized Kyber1024 encryption on Windows while targeting VMware ESXi with a separate variant. Rapid7 analysis reveals the ESXi version's claims are false.
ShinyHunters claims breach of Canada Life Assurance exposing 5.6 million Salesforce records with PII. Ransom deadline passed April 21, 2026—data leak threatened.
New ransomware operation claims Medical Park Hospitals as first victim. 36 Turkish hospitals face data leak threats after 3.3TB exfiltration.
New ransomware operation linked to ex-BlackBasta affiliates runs Alpine Linux VMs on compromised hosts. Endpoint tools can't see inside the VM boundary.
FBI IC3 2025 report reveals record $20.9 billion in cybercrime losses. Investment fraud tops $8.6B, cryptocurrency scams reach $11.4B, and ransomware losses surge 259%.
Ransomware attack on ChipSoft forces 11 Dutch hospitals offline. The vendor manages patient records for most of the Netherlands. Attacker unknown.
Microsoft links China-based Storm-1175 to high-velocity Medusa ransomware attacks exploiting zero-day vulnerabilities. Healthcare, education, and finance sectors hit across Australia, UK, and US.
Sinobi, a suspected Lynx/INC rebrand, has grown from 40 victims to 215 since September 2025. The RaaS operation targets US midmarket companies with hybrid Curve25519/AES encryption.