Cl0p Ransomware, aka Cl0p, is a ransomware group that emerged in February 2019 and targeted most industries worldwide, including retail, transportation, education, manufacturing, automotive, energy, financial, telecommunications and even healthcare. The clop ransomware group is thought to be a successor of the CryptoMix ransomware group.

Read also: Top LockBit dev charged in US, faces extradition from Israel, two scammers charged in $22 million NFT fraud scheme, and more.

As organizations embrace DevOps practices and CI/CD pipelines to accelerate software delivery, their greater dependency on third-party components can introduce security risks. Because malware can infiltrate an environment during development, it’s important to check for it ahead of deployment.

Since December 16, 2024, Arctic Wolf has observed increased activity in a social engineering campaign associated with Black Basta ransomware. In this campaign, threat actors were observed using Microsoft Quick Assist and Teams to impersonate IT personnel and engage in malicious activities upon contacting victims. This is a continuation of the Black Basta campaign we reported on in a security bulletin sent in June 2024.

In a surprising development, Bumblebee Malware (a popular malware downloader) has resurfaced with an approach that was believed to be long gone: VBA macro-enabled documents. This comes just four months after Europol dismantled various trick bots—including Bumblebee, IcedId, Pikabot, TrickBot and systemBC—during a crackdown called Operation Endgame.

Threat actors impersonate HR in seasonal phishing campaign, Zloader receives new features and capabilities, and new details emerge about Secret Blizzard.

Before you prove your humanity to a pop up, make sure you’re not accidentally downloading malware.

Ransomware attacks targeting utilities have surged by 42% over the past year, with spear phishing playing a major role in 81% of cases, according to a ReliaQuest study spanning November 2023 to October 2024. Analyzing data from its GreyMatter platform and dark web activity, ReliaQuest found that utilities like water and energy systems are disproportionately affected. Their critical role in infrastructure makes them prime targets for cybercriminals.

Despite a ransomware payment controversy, some companies still decide to yield to the attacker’s requests. Doing so may seem like the easiest way out, but it comes with its own set of complications, both ethical and legal.

Stealer logs and the infostealers that harvest them form a key part of the threat landscape and cybercriminal ecosystem. Infostealers, which are also referred to as stealer malware, are deployed by threat actors to facilitate data theft from compromised devices. This data typically contains sensitive and valuable personal information including credentials, hardware or software information, IP addresses, browser cookies, and more.

Ransomware continues to be one of the most pervasive and costly cyber threats facing organizations worldwide. More than 40% of organizations surveyed by ESG research experienced a successful ransomware attack in the previous 12 months, and 32% were successfully attacked more than once. The consequences of failing to protect against ransomware can be devastating for any business. Beyond financial loss, victims can suffer operational downtime, reputational damage and potential regulatory fines.

DLL side-loading is a popular technique used by threat actors to execute malicious payloads under the umbrella of a benign, usually legitimate, executable. This allows the threat actor to exploit whitelists in security products that exclude trusted executables from detection. Among others, this technique has been leveraged by APT41 to deploy DUSTTRAP and Daggerfly to deliver Nightdoor backdoor.

In December 2024, Arctic Wolf Labs observed a mass exploitation campaign involving Cleo Managed File Transfer (MFT) products for initial access. The execution chain involved an obfuscated PowerShell stager, a Java loader, and ultimately a Java-based backdoor, which we will refer to as Cleopatra. In this article we will provide insight into the execution chain in this campaign, obfuscated malicious payloads deployed, and surrounding threat intelligence context around these activities.

Did you know that 59% of organizations have been hit by ransomware, with Active Directory (AD) often being the primary target for attackers seeking credential theft and privilege escalation? With AD being basically the heart of enterprise IT from the permissions management and granting view, these ransomware threats automatically go against it and hence protecting them is pretty much important so to keep the organization safe.

MacOS, often regarded for its robust security measures, has increasingly become a target for sophisticated cyber threats. Among the latest examples is Banshee Stealer, a malware engineered to compromise macOS systems by extracting sensitive user information. Developed by Russian cybercriminals and offered at a premium subscription fee of $3,000 per month, this malware underscores the growing attention of threat actors toward macOS platforms.

Another week, another extortion group data-leak site emerges. Cyjax has continued to observe the emergence of data-leak sites (DLSs) for extortion and ransomware groups. New groups FunkSec, ContFR, Argonauts, Kairos, Chort, and Termite appeared in December and November 2024 alone, bringing this year’s total up to 69. On 11 December 2024, Cyjax identified the emergence of a Tor-based DLS belonging to a new data-leak extortion group going by the name ’Bluebox’.

Malware, short for malicious software, refers to any software specifically designed to harm, exploit, or otherwise compromise a device, network, or user data. In today’s digital age, malware attacks have become a persistent threat, targeting individuals, businesses, and even governments.

3AM (also known as ThreeAM) is a ransomware group that first emerged in late 2023. Like other ransomware threats, 3AM exfiltrates victims' data (threatening to release it publicly unless a ransom is paid) and encrypts the copies left on targeted organisations' computer systems.

Every day, threat actors devise new plans for breaking into secure systems. The steps they take, from researching a target to carrying out the attack, are known as the cyber kill chain. Traditionally, that kill chain has targeted devices and networks that lie completely within your organization’s control. For better or worse, mobile and cloud-based work have upended that dynamic.

With the continuing rise of ransomware, malware defenses are more critical than ever before with regard to securing the enterprise. Anti-Malware technologies have become an afterthought in many organizations, a technology that they’ve always had, always used, and never really thought about. This control serves as a reminder that this technology is as critical as it ever was and lays out the minimum requirements for ensuring your malware defenses are up to the task.

Hellcat ransomware emerged in early November 2024 and quickly became a notable threat in the cybersecurity landscape. The group first gained attention on November 6, 2024, when it claimed responsibility for a cyberattack against Schneider Electric. Known for its aggressive tactics and unique ransom demands, Hellcat is already making its mark in the world of ransomware.

A year ago, Bitsight TRACE published a blog post on Socks55Systemz,a proxy malware with minimal mentions in the threat intelligence community at the time. In that post, we correlated a Telegram user to the botnet operation and estimated its size at around 10,000 compromised systems. After a year-long investigation, we are shedding new light on these conclusions.

Cyjax has continued to observe the emergence of data-leak sites (DLSs) for extortion and ransomware groups, with ContFR, Argonauts, Kairos, Chort, and Termite, appearing November 2024 alone. Cyjax has identified the emergence of a Tor-based DLS belonging to a new, self-called “cybercrime group” named ‘Funksec’. This group has claimed 11 victims so far and advertises a free Distributed Denial-of-Service (DDoS) tool.