MAL-2026-1319 Malicious code in alinet-w (npm)
Package is malware due to ransomware-like behavior: file encryption, key exfiltration, terminal locking, ransom note, and persistence attempts. Source: amazon-inspector 5c18fd7e3ffa16f370fa25fcc489c381958d8200bf01cd8bf3627c91301eb397 The...
Unleashing the Kraken ransomware group
In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel. Talos observed in one intrusion that the Kraken actor exploited Server Message Block (SMB)...
New Qilin Ransomware Attack Uses VPN Credentials, Steals Chrome Data
The threat actors behind a recently observed Qilin ransomware attack have stolen credentials stored in Google Chrome browsers on a small set of compromised endpoints. The use of credential harvesting in connection with a ransomware infection marks an unusual twist, and one that could have cascadi...
Suspected Exploitation of Apache ActiveMQ CVE-2023-46604
Tom Elkins, John Fenninger, Evan McCann, Matthew Smith, and Micah Young contributed attacker behavior insights to this blog. Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer...
Unveiling New Windows Ransomware Named Trash Panda
Summary: Trash Panda is a ransomware that encrypts files on Windows machines, replaces the desktop wallpaper, and drops a ransom note with political messages. It adds a ‘.monochrome’ extension to the encrypted...
What Cisco Talos knows about the Rhysida ransomware
Cisco Talos is aware of the recent advisory published by the U.S. Department of Health and Human Services (HHS) warning the healthcare industry about Rhysida ransomware activity. As we've discussed recently, there has been huge growth in the ransomware and extortion space, potentially linked to the...
New Yashma Ransomware Variant Targets Multiple English-Speaking Countries
An unknown threat actor is using a variant of the Yashma ransomware to target various entities in English-speaking countries, Bulgaria, China, and Vietnam at least since June 4, 2023. Cisco Talos, in a new write-up, attributed the operation with moderate confidence to an adversary of likely...
New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware
Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023. This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry...
Rheinmetall attacked by BlackBasta ransomware
On Friday May 19, 2023, the German arms producer Rheinmetall acknowledged a cyber-incident at one of its subsidiaries in the private sector. The BlackBasta ransomware group has already claimed responsibility for the attack through its leak-site. Entry for Rheinmetall on BlackBasta leak site...
Leaked Babuk ransomware builder code lives on as RA Group
The bones of long gone ransomware group Babuk continue to rattle in the breeze, in the form of reused code. Researchers from Cisco Talos have named this new team the "RA Group", a ransomware collective which may have only been up and running since last month. Babuk famously threatened to leak law...
Read The Manual Locker: A Private RaaS Provider
Read The Manual Locker: A Private RaaS Provider. By Trellix · April 13, 2023. This blog was written by Max Kersten; the underground intelligence was obtained by N074B07. Another day, another ransomware-as-a-service (RaaS) provider, or so it seems. We’ve observed the “Read The Manual” (RTM) Locker gang,...
New ESXiArgs encryption routine outmaneuvers recovery methods
In what seems to be a typical arms race, where one side responds to counter the progress the other side has made, the ransomware group behind the massive attack on ESXi virtual machines (VMs) has come up with a new variant that can no longer be decrypted with the recovery script released by the...
New Agenda Ransomware Variant, Written in Rust, Aiming at Critical Infrastructure
A Rust variant of a ransomware strain known as Agenda has been observed in the wild, making it the latest malware to adopt the cross-platform programming language after BlackCat, Hive, Luna, and RansomExx. Agenda, attributed to an operator named Qilin, is a ransomware-as-a-service (RaaS) group that...
CryWiper Masquerading as Ransomware to Target Russian Courts
By Deeba Ahmed. CryWiper showcases ransomware-like features, such as file modification, adding a .CRY extension to the files, leaving a ransom note, etc....
New RansomExx Ransomware Variant Rewritten in the Rust Programming Language
The operators of the RansomExx ransomware have become the latest to develop a new variant fully rewritten in the Rust programming language, following other strains like BlackCat, Hive, and Luna. The latest version, dubbed RansomExx2 by the threat actor known as Hive0091 aka DefrayX, is primarily...
New “Prestige” ransomware impacts organizations in Ukraine and Poland
The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign targeting organizations in the transportation and related logistics industries in Ukraine and Poland utilizing a previously unidentified ransomware payload. We observed this new ransomware, which...
A first look at the builder for LockBit 3.0 Black
A few months after the LockBit gang released version 3.0 of its ransomware, LockBit 3.0 Black, the builder for it has been leaked by what seems to be a disgruntled developer. LockBit has been by far the most widely used ransomware in 2022, and the appearance of the builder could make things worse...