
182 matches found

Microsoft Secure
added 2026/05/28 3:0 p.m. | 6 views

The Gentlemen ransomware: Dissecting a self-propagating Go encryptor

In this article 1. Pre-encryption 2. File encryption 3. Post-encryption 4. Defending against The Gentlemen ransomware 5. Microsoft Defender detections and hunting guidance 6. Indicators of compromise Ransomware that combines robust encryption with rapid lateral movement significantly increases th...

AI score: 6 | Exploits: 0
Rapid7 Blog
added 2025/11/24 2:21 p.m. | 5 views

From Extortion to E-commerce: How Ransomware Groups Turn Breaches into Bidding Wars

Ransomware has evolved from simple digital extortion into a structured, profit-driven criminal enterprise. Over time, it has led to the development of a complex ecosystem where stolen data is not only leveraged for ransom, but also sold to the highest bidder. This trend first gained traction in...

AI score: 6.7 | Exploits: 0
Talos Blog
added 2025/11/13 11:0 a.m. | 6 views

Unleashing the Kraken ransomware group

In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel. Talos observed in one intrusion that the Kraken actor exploited Server Message Block (SMB)...

AI score: 7.5 | Exploits: 0
The Hacker News
added 2025/11/04 11:6 a.m. | 13 views

Ransomware Defense Using the Wazuh Open Source Platform

Ransomware is malicious software designed to block access to a computer system or encrypt data until a ransom is paid. This cyberattack is one of the most prevalent and damaging threats in the digital landscape, affecting individuals, businesses, and critical infrastructure worldwide. A ransomwar...

AI score: 7.5 | Exploits: 0
Talos Blog
added 2025/10/27 2:0 a.m. | 12 views

Uncovering Qilin attack methods exposed through multiple cases

In the second half of 2025, the ransomware group Qilin has continued to publish victim information on its leak site at a pace of more than 40 cases per month, making it one of the most impactful ransomware groups worldwide. The manufacturing sector has been the most affected, followed by...

AI score: 7.8 | Exploits: 0
Packet Storm News
added 2025/08/12 12:0 a.m. | 2 views

Hypervisor-Based Double Extortion Ransomware Detection Method Using Kitsune Network Features

Double extortion ransomware attacks have become mainstream since many organizations adopt more robust and resilient data backup strategies against conventional crypto-ransomware. This paper presents detailed attack stages, tactics, procedures, and tools used in the double extortion ransomware...

AI score: 6.8 | Exploits: 0
The Hacker News
added 2025/07/29 1:25 p.m. | 3 views

Chaos RaaS Emerges After BlackSuit Takedown, Demanding $300K from U.S. Victims

A newly emerged ransomware-as-a-service (RaaS) gang called Chaos is likely made up of former members of the BlackSuit crew, as the latter's dark web infrastructure has been the subject of a law enforcement seizure. Chaos, which sprang forth in February 2025, is the latest entrant in the ransomware...

AI score: 6.9 | Exploits: 0
HackRead
added 2025/07/23 6:15 p.m. | 2 views

FBI and CISA Warn of Interlock Ransomware Targeting Critical Infrastructure

FBI warns of Interlock ransomware using unique tactics to hit businesses and critical infrastructure with double extortion...

AI score: 7.3 | Exploits: 0
The Hacker News
added 2025/06/13 11:2 a.m. | 18 views

Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers of an unnamed utility billing software provider. "This incident reflects a broader...

CVSS: 9.9 | AI score: 9.5 | EPSS: 0.94049 | Exploits: 2
The Hacker News
added 2025/05/29 10:34 a.m. | 19 views

DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints

The threat actors behind the DragonForce ransomware gained access to an unnamed Managed Service Provider's (MSP) SimpleHelp remote monitoring and management (RMM) tool, and then leveraged it to exfiltrate data and drop the locker on multiple endpoints. It's believed that the attackers exploited a tri...

CVSS: 9.9 | AI score: 7.4 | EPSS: 0.94049 | Exploits: 2
The Hacker News
added 2025/04/26 10:38 a.m. | 32 views

ToyMaker Uses LAGTOY to Sell Access to CACTUS Ransomware Gangs for Double Extortion

Cybersecurity researchers have detailed the activities of an initial access broker (IAB) dubbed ToyMaker that has been observed handing over access to double extortion ransomware gangs like CACTUS. The IAB has been assessed with medium confidence to be a financially motivated threat actor, scanning...

AI score: 7.7 | Exploits: 0
Talos Blog
added 2025/04/23 10:0 a.m. | 26 views

Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs

In 2023, Cisco Talos discovered an extensive compromise in a critical infrastructure enterprise consisting of a combination of threat actors. From initial access to double extortion, these actors slowly and steadily compromised a multitude of hosts in the network using a combination of various...

AI score: 8.1 | Exploits: 0
The Hacker News
added 2025/03/24 2:6 p.m. | 19 views

VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics

A ransomware-as-a-service (RaaS) operation called VanHelsing has already claimed three victims since it launched on March 7, 2025, demanding ransoms as high as $500,000. "The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit...

CVSS: 9.8 | AI score: 7.2 | EPSS: 0.94124 | Exploits: 9
The Hacker News
added 2025/03/06 12:1 p.m. | 30 views

Medusa Ransomware Hits 40+ Victims in 2025, Demands $100K–$15M Ransom

The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated attacks witnessing a 42% increase between 2023 and 2024. In the first two months of 2025 alone, the group has claimed over 40 attacks, according to...

CVSS: 10 | AI score: 9.7 | EPSS: 0.94352 | Exploits: 12
The Hacker News
added 2025/01/29 10:30 a.m. | 13 views

How Interlock Ransomware Infects Healthcare Organizations

Ransomware attacks have reached an unprecedented scale in the healthcare sector, exposing vulnerabilities that put millions at risk. Recently, UnitedHealth revealed that 190 million Americans had their personal and healthcare data stolen during the Change Healthcare ransomware attack, a figure th...

AI score: 7.8 | Exploits: 0
The Hacker News
added 2025/01/10 11:58 a.m. | 8 views

AI-Driven Ransomware FunkSec Targets 85 Victims Using Double Extortion Tactics

Cybersecurity researchers have shed light on a nascent artificial intelligence (AI) assisted ransomware family called FunkSec that sprang forth in late 2024, and has claimed more than 85 victims to date. "The group uses double extortion tactics, combining data theft with encryption to pressure...

AI score: 7.3 | Exploits: 0
Malwarebytes
added 2025/01/06 5:49 p.m. | 13 views

Dental group lied through teeth about data breach, fined $350,000

A US chain of dental offices known as Westend Dental LLC denied a 2020 ransomware attack and its associated data breach, instead telling their customers that data was lost due to an “accidentally formatted hard drive.” Unfortunately for the organization, the truth was found out. Westend Dental...

AI score: 6.8 | Exploits: 0
The Hacker News
added 2024/11/19 9:40 a.m. | 8 views

New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems

Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus. "Helldown deploys Windows ransomware derived from the LockBit 3.0 code," Sekoia said in a report shared with The...

AI score: 7.6 | Exploits: 0
Talos Blog
added 2024/11/07 11:0 a.m. | 15 views

Unwrapping the emerging Interlock ransomware attack

Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game hunting and double extortion attacks using the relatively new Interlock ransomware. Our analysis uncovered that the attacker used multiple components in the delivery chain including a Remote Access Tool (RAT)...

AI score: 7.8 | Exploits: 0
Qualys Blog
added 2024/10/02 5:37 p.m. | 51 views

Threat Brief: Understanding Akira Ransomware

Overview: Akira is a prolific ransomware that has been operating since March 2023 and has targeted multiple industries, primarily in North America, the UK, and Australia. It functions as a Ransomware as a Service (RaaS) and exfiltrates data prior to encryption, achieving double extortion. According ...

CVSS: 9.8 | AI score: 10 | EPSS: 0.94427 | Exploits: 72