Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On January 15th, the FSOCIETY ransomware group published on their official DLS (data leak site) that they have begun a partnership with the rising Funksec group. The FunkSec ransomware group first emerged publicly in late 2024 and rapidly gained prominence by publishing over 85 claimed victims—more than any other ransomware group in the month of December.

On January 13, 2025, Halcyon released a research blog about the Codefinger group conducting a ransomware campaign targeting Amazon S3 buckets. The attacks leverage AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data. The threat actors then demand ransom payments for the symmetric AES-256 keys required to decrypt it.

In the world of malware, common ransomware schemes aim to take the data within databases (considered the "gold" in the vault of any organization) and hold them hostage, promising data recovery upon ransom payment. Typically, most of these schemes follow an expected script: encrypting files, requesting payment, and then delivering a decryption key. This model, while damaging, generally allows victims to recover if they pay the ransom.

SenseOn has detected a large increase in the Lumma Stealer malware targeting customers over the past few months. Unlike traditional malware strains, Lumma Stealer has been leveraging a unique, and increasingly effective, access vector of fake CAPTCHA verification prompts. These deceptive prompts trick users into running malicious commands on their device eventually injecting malicious processes into legitimate programs. This attack vector is expected to become even more prevalent throughout 2025.

In 2024, the ransomware landscape recorded 5,414 published attacks on organizations worldwide, representing an 11% increase compared to 2023. While the year began with a decline in ransomware activity during Q1, the frequency of attacks surged in Q2 and continued to rise through the remainder of the year. This culminated in a dramatic spike during Q4, which saw 1,827 incidents—33% of all ransomware attacks for the year—making it the most active quarter.

Advanced cyberattacks by adversaries who maximize the impact using the combination of sophisticated tools and methods are the norm. Some of the most dangerous strategies are integrating supply chain attacks, infostealer malware, and infamous threat actors, including IntelBroker and CyberNiggers. The above-mentioned groups typify the growing landscape of the cyber threat that makes use of collaboration, sophisticated tools, and strategic exploitation of vulnerabilities.