The Akira ransomware group has been active since March 2023, targeting diverse industries across North America, the UK, and Australia. Operating as a Ransomware-as-a-Service (RaaS) model, Akira employs a double-extortion strategy by stealing sensitive data before encrypting it. According to their leak site, the group claims to have compromised over 350 organizations.

IDATLOADER (aka HIJACKLOADER, GHOSTPULSE) has become prevalent in 2024, using advanced and new techniques such as BPL Sideloading, which Kroll reported on in June. Kroll observes IDATLOADER distributing malware such as ASYNCRAT, PURESTEALER, REMCOS, STEALC and what some might describe as a recent epidemic in LUMMASTEALER infections.

New data shows just how crippling ransomware has been on small businesses that have fallen victim to an attack and needed to pay the ransom. Logic would normally dictate that ransomware gangs are going to go after the “big fishes” – the larger organizations with deep pockets. But with the advent of the “as a service” model of ransomware, threat actors have found a niche, with many of them focusing on businesses with 1 to 50 employees.

ShrinkLocker is a family of ransomware that encrypts an organisation's data and demands a ransom payment in order to restore access to their files. It was first identified by security researchers in May 2024, after attacks were observed in Mexico, Indonesia, and Jordan.

APT36, also known as Transparent Tribe, is a well-known cyber espionage group attributed to Pakistan. Active since 2013, this advanced persistent threat (APT) group has focused its efforts primarily on Indian government sectors, including defense, education, and key infrastructure. APT36 has demonstrated consistent sophistication in their tactics, evolving their methods to target a wide array of platforms and systems.

Read also: A suspect linked to a $235M WazirX crypto heist arrested, Snowflake hackers indicted in the US, and more.

Researchers at IBM X-Force are tracking a phishing campaign by the criminal threat actor “Hive0145” that’s using stolen invoice notifications to trick users into installing malware. Hive0145 acts as an initial access broker, selling access to compromised organizations to other threat actors who then carry out additional cyberattacks.

With a 168% rise in evasive malware, cyber threats have reached a new level of sophistication. This type of malware employs advanced techniques to evade detection by traditional solutions, which often rely on pre-defined signatures to identify threats. These malicious programs pose a major challenge in cybersecurity by camouflaging themselves within legitimate processes and acting stealthily.

A new report from ESET has found that most nation-state threat actors rely on spear phishing as a primary initial access technique. In the second and third quarters of 2024, state-sponsored APTs from China, Russia, Iran, and North Korea used social engineering attacks to compromise their targets. Iranian threat actors continued conducting cyber espionage against countries across the Middle East, Europe, and the US. They also expanded their targeting to hit financial companies in Africa.

The Kroll Security Operations Center (SOC) has recently detected and remediated a trend of incidents that involved socially engineering a victim into pasting a PowerShell script into the “Run” command window to begin a compromise. These incidents have typically begun with the victim user attempting to find “YouTube to mp3” converters, or similar, then being redirected to the malicious webpages.