ransomware Archives - Cyber Security News
https://cybersecuritynews.com/tag/ransomware/
World's #1 Premier Cybersecurity and Hacking News Portal
Fri, 21 Nov 2025 06:26:59 +0000

Authorities Sanctioned Russia-based Bulletproof Hosting Provider for Supporting Ransomware Operations
https://cybersecuritynews.com/bulletproof-hosting-provider-sanctioned/
Fri, 21 Nov 2025 06:26:50 +0000

The post Authorities Sanctioned Russia-based Bulletproof Hosting Provider for Supporting Ransomware Operations appeared first on Cyber Security News.

The U.S. Department of the Treasury, Australia, and the United Kingdom have announced coordinated sanctions against Media Land.

This Russia-based bulletproof hosting company provides infrastructure to ransomware and other cybercriminals.

The U.S. Federal Bureau of Investigation also coordinated the action targeting the company’s leadership team and related entities.

Bulletproof hosting providers offer specialized servers designed to help criminals hide their activities and avoid law enforcement.

These services give ransomware gangs, hackers, and other cybercriminals the infrastructure they need to launch attacks against businesses and critical infrastructure.

Media Land’s Criminal Operations

Media Land, headquartered in St. Petersburg, Russia, supplied hosting services to major ransomware groups, including LockBit, BlackSuit, and Play.

The company’s infrastructure was also used for distributed denial-of-service (DDoS) attacks targeting U.S. companies and critical systems. Company leadership played direct roles in the criminal operation.

Aleksandr Volosovik, Media Land’s general director, advertised the company’s services on cybercriminal forums under the alias “Yalishanda” and provided servers to ransomware actors.

Kirill Zatolokin, an employee, collected payments from customers and coordinated with other cyber actors. Yulia Pankova assisted Volosovik with legal matters and financial management.

The Treasury also designated Hypercore Ltd., a UK-registered company created by the Aeza Group after it was sanctioned in July 2025. Aeza attempted to rebrand and hide its connections to avoid sanctions.

Treasury officials designated new companies and individuals involved in the evasion effort, including directors Maksim Makarov and Ilya Zakirov. Related entities in Serbia and Uzbekistan were also targeted.

All property and assets belonging to the designated individuals and companies in the United States are now frozen.

U.S. persons and businesses are prohibited from conducting transactions with these entities. Financial institutions engaging with sanctioned parties risk enforcement actions.

The U.S. Treasury emphasized that these coordinated international actions demonstrate a commitment to preventing ransomware and protecting citizens from cybercrime.

The Cybersecurity and Infrastructure Security Agency released additional guidance on protecting against bulletproof hosting providers.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

Threat Actors Leveraging RDP Credentials to Deploy Cephalus Ransomware
https://cybersecuritynews.com/cephalus-ransomware-rdp-credentials/
Sat, 08 Nov 2025 02:24:18 +0000

The post Threat Actors Leveraging RDP Credentials to Deploy Cephalus Ransomware appeared first on Cyber Security News.

A newly identified ransomware group, Cephalus, has emerged as a significant threat to organizations worldwide, exploiting stolen Remote Desktop Protocol (RDP) credentials to gain access to networks and deploy powerful encryption attacks.

The AhnLab researchers observed in mid-June 2025 that the group poses a persistent, financially motivated threat that exploits security gaps in remote access infrastructure.

Threat Group’s Operation Model

Cephalus operates with a singular focus on financial gain, employing a systematic approach to compromise organizations.

The group primarily targets companies running RDP services without multi-factor authentication (MFA) protection, creating an ideal entry point for credential-based attacks.

The group’s name, taken from the mythological figure who wielded an unerring spear, reflects its confidence in operational success rates.

[Figure: Cephalus leak site (DLS)]

Once inside a network, Cephalus executes a standardized attack sequence: breaching systems, exfiltrating sensitive data, and deploying encryption across the victim’s infrastructure.

The group customizes its ransomware for specific targets, suggesting a high level of operational sophistication.

Whether operating as a Ransomware-as-a-Service (RaaS) platform or collaborating with other threat groups remains unclear, though their coordinated approach indicates established processes.

[Figure: SecureMemory structure and related methods]

Technical Capabilities and Evasion Tactics

The Cephalus ransomware strain, developed in Go, incorporates advanced anti-forensics and evasion mechanisms to maximize encryption success while avoiding detection.

Upon execution, the malware turns off Windows Defender real-time protection, removes volume shadow copies, and terminates critical services, including Veeam and Microsoft SQL Server.

The ransomware employs a sophisticated encryption architecture that combines AES-CTR symmetric encryption with RSA public-key cryptography.

A particularly notable feature involves generating a fake AES key to deceive dynamic analysis tools, obscuring the actual encryption mechanism from AhnLab researchers and endpoint protection systems.

[Figure: The process of XORing the original key]

Cephalus distinguishes itself through aggressive tactics of victim pressure. The group includes proof of data exfiltration in ransom notes by providing direct links to GoFile repositories containing stolen information.

This demonstration strategy significantly increases victim compliance with ransom demands, as organizations face the dual threat of encrypted data and potential public exposure.

Organizations should prioritize implementing multi-factor authentication across all RDP access points, enforce strong credential hygiene, and maintain reliable backup systems isolated from production networks.

Security teams should also monitor for characteristic indicators of Cephalus activity and implement robust endpoint detection capabilities.

Cybersecurity Professionals Charged for Deploying ALPHV BlackCat Ransomware Against US Companies
https://cybersecuritynews.com/cybersecurity-professionals-charged/
Wed, 05 Nov 2025 08:31:00 +0000

The post Cybersecurity Professionals Charged for Deploying ALPHV BlackCat Ransomware Against US Companies appeared first on Cyber Security News.

Two cybersecurity professionals have been federally charged for orchestrating a sophisticated ransomware campaign targeting multiple American businesses.

Ryan Clifford Goldberg, 28, of Watkinsville, Georgia, and Kevin Tyler Martin, 31, of Roanoke, Texas, face serious criminal charges related to their alleged deployment of the notorious ALPHV BlackCat ransomware against healthcare, pharmaceutical, manufacturing, and engineering firms across the United States.

The indictment, filed in the U.S. District Court for the Southern District of Florida on October 2, 2025, reveals an organized criminal operation that generated millions in extortion payments between May 2023 and April 2025.

ALPHV/BlackCat emerged as one of the most destructive ransomware variants in late 2021, attacking hundreds of institutions worldwide and causing tens of millions in cryptocurrency ransom payments, combined with massive operational disruptions.

How the Attack Campaign Worked

According to federal prosecutors, the defendants and an unnamed co-conspirator followed a structured attack methodology that became characteristic of ALPHV BlackCat operations.

The scheme involved gaining unauthorized access to corporate networks, stealing sensitive data, deploying encryption malware, and then demanding substantial ransom payments.

The group exploited fear of financial loss and data exposure to coerce payments from victims who faced impossible choices between losing their data or paying cryptocurrency ransoms.

The defendants allegedly infiltrated five major companies, causing documented damages exceeding $17.5 million in ransom demands.

Their victims included a Tampa-based medical device manufacturer from which they extorted approximately $10 million, a Maryland pharmaceutical company, a California doctor’s office, an engineering firm also in California, and a Virginia-based drone manufacturer.

Over twenty ALPHV BlackCat victims operated in Florida’s Southern District alone, highlighting the campaign’s regional concentration.

The federal indictment charges include conspiracy to interfere with interstate commerce through extortion, interference with interstate commerce by extortion, and intentional damage to protected computers.

Prosecutors also seek compensation of all proceeds derived from the criminal conspiracy, meaning any cryptocurrency or assets purchased with ransom money become subject to government seizure.

The charges underscore how cybersecurity expertise turned toward criminal purposes creates devastating consequences for legitimate businesses and their customers who depend on the continuity of services and data security.

Conti Group Member Responsible for Deploying Ransomware Extradited to USA
https://cybersecuritynews.com/conti-ransomware-member-extradited/
Mon, 03 Nov 2025 13:43:05 +0000

The post Conti Group Member Responsible for Deploying Ransomware Extradited to USA appeared first on Cyber Security News.

A Ukrainian national accused of playing a key role in the notorious Conti ransomware operation has been extradited from Ireland to face federal charges in the United States.

Oleksii Oleksiyovych Lytvynenko, 43, made his first court appearance in the Middle District of Tennessee following his transfer from Irish custody, where he had been held since July 2023.

According to court documents, Lytvynenko allegedly conspired with other cybercriminals between 2020 and June 2022 to deploy Conti ransomware against victims worldwide.

The operation involved hacking into computer networks, encrypting data, and demanding ransom payments in cryptocurrency to restore access and prevent public disclosure of stolen information.

Conti Ransomware Targeting Critical Infrastructure

The Conti ransomware variant proved devastatingly effective, attacking more than 1,000 victims across approximately 47 U.S. states, the District of Columbia, Puerto Rico, and 31 foreign countries.

Federal authorities estimate the conspiracy generated at least $150 million in ransom payments by January 2022. In 2021 alone, Conti was responsible for more attacks on critical infrastructure than any other ransomware variant, making it one of the most dangerous cyber threats facing essential services.

Court filings allege that Lytvynenko controlled stolen data from numerous Conti victims and participated in crafting ransom notes deployed on compromised systems. In Tennessee specifically, the conspirators allegedly extorted more than $500,000 in cryptocurrency from two victims and published stolen information from a third victim in the district.

At the request of U.S. authorities, An Garda Síochána, Ireland’s national police force, arrested Lytvynenko in July 2023. Following detention and extradition proceedings that concluded this month, he was transferred to American custody.

Court documents reveal that Lytvynenko allegedly continued engaging in cybercrime until days before his arrest in Ireland. Lytvynenko faces charges of conspiracy to commit computer fraud and conspiracy to commit wire fraud.

If convicted, he could receive a maximum sentence of five years in prison for computer fraud conspiracy and an additional 20 years for wire fraud conspiracy. His case is being prosecuted by the Justice Department’s Computer Crime and Intellectual Property Section alongside the U.S. Attorney’s Office for the Middle District of Tennessee.

This extradition represents continued efforts by U.S. law enforcement to pursue ransomware operators globally. In September 2023, an indictment charging four other Conti conspirators was unsealed in Tennessee.

Since 2020, the Computer Crime and Intellectual Property Section has secured convictions of over 180 cybercriminals and obtained court orders returning more than $350 million to victims.

AI-Powered Ransomware Is the Emerging Threat That Could Bring Down Your Organization
https://cybersecuritynews.com/ai-powered-ransomware/
Sat, 25 Oct 2025 10:32:18 +0000

The post AI-Powered Ransomware Is the Emerging Threat That Could Bring Down Your Organization appeared first on Cyber Security News.

The cybersecurity landscape has entered an unprecedented era of sophistication with the emergence of AI-powered ransomware attacks.

Recent research from MIT Sloan and Safe Security reveals a shocking statistic: 80% of ransomware attacks now utilize artificial intelligence.

This represents a fundamental shift from traditional malware operations to autonomous, adaptive threats that can evolve in real-time to bypass conventional security measures.

Organizations worldwide are facing a new category of ransomware that doesn’t just encrypt files; it learns, adapts, and maximizes damage through intelligent decision-making processes.

[Figure: AI-Powered Ransomware: Offensive vs Defensive Statistics]

Autonomous Ransomware Operations

The first confirmed AI-powered ransomware, dubbed PromptLock, emerged in August 2025 when researchers at ESET discovered samples on VirusTotal.

Created as a proof-of-concept by New York University’s Tandon School of Engineering, PromptLock demonstrates how large language models can orchestrate complete ransomware campaigns autonomously.

Unlike traditional ransomware that relies on pre-written code, PromptLock uses natural language prompts to generate malicious Lua scripts dynamically, making each attack unique and difficult to detect.

The malware operates by connecting to freely available language models through APIs, allowing it to analyze file systems, determine which data to exfiltrate or encrypt, and even craft personalized ransom notes.

This approach reduces the malware’s footprint while maintaining sophisticated functionality, a technique that could change how cybercriminals develop and deploy attacks.

Beyond academic research, actual threat actors are already weaponizing AI for ransomware operations. FunkSec, a ransomware group that emerged in late 2024, exemplifies this trend.

Despite appearing to lack advanced technical expertise, FunkSec rapidly scaled its operations using AI-assisted malware development, targeting over 120 organizations across government, defense, technology, and education sectors.

FunkSec’s approach demonstrates how AI lowers the barrier to entry for cybercriminals. The group uses artificial intelligence to generate malware code, create detailed code comments, and automate attack processes.

Their ransomware, FunkLocker, exhibits coding patterns consistent with “AI snippet” generation, resulting in inconsistent but rapidly evolving malware variants.

This represents a paradigm shift where technical inexperience no longer prevents groups from launching sophisticated attacks.

The BlackMatter ransomware family also incorporates AI-driven encryption strategies and real-time analysis of victim defenses to evade traditional endpoint detection systems.

These groups demonstrate that AI-powered ransomware has moved beyond theoretical concepts to active deployment in cybercriminal operations.

Capabilities Of AI-Enhanced Attacks

AI fundamentally transforms every phase of ransomware operations through several key capabilities.

Enhanced reconnaissance allows malware to autonomously scan security perimeters, identify vulnerabilities, and select precise exploitation tools. This eliminates the need for human operators during initial phases, enabling attacks to spread rapidly across IT environments.

Adaptive encryption techniques represent another revolutionary advancement. AI-powered ransomware can analyze system resources and data types to modify encryption algorithms dynamically, making decryption more complex.

The malware can prioritize high-value targets by analyzing document content using Natural Language Processing before encryption, ensuring maximum strategic impact.

Evasive tactics powered by machine learning enable ransomware to continuously modify its code and behavior patterns. This polymorphic capability makes signature-based detection methods ineffective, as the malware presents different fingerprints with each execution.

AI also enables malware to track user presence and activate during off-hours to maximize damage while minimizing detection opportunities.

The financial consequences of AI-powered ransomware attacks far exceed traditional threats. The average cost of ransomware attacks has increased by 574% over six years, reaching $5.13 million per incident in 2024. For 2025, experts estimate costs will range between $5.5-6 million per attack, representing a 7-17% increase.

Small businesses face particularly severe consequences, with 60% of attacked companies closing permanently within six months.

The combination of immediate costs, customer abandonment, increased insurance premiums, and regulatory penalties creates a cascade of financial destruction that many organizations cannot survive.

A recent case study of an AI-powered ransomware attack on an Indian healthcare provider illustrates the comprehensive nature of these threats.

The attack used AI-driven network mapping to identify critical systems like Electronic Health Records, employed adaptive encryption techniques that accelerated when defensive measures were detected, and utilized polymorphic code to avoid signature-based detection.

Defense Strategies

Organizations must adopt multi-layered, AI-enhanced defense strategies to combat these evolving threats.

Zero-trust architecture becomes critical, as AI can analyze behavior patterns in real-time to dynamically adjust access permissions based on risk signals. This approach limits lateral movement even when endpoints are compromised.

AI-powered behavioral analysis offers significant defensive advantages, reducing cyberattack success rates by 73% while predicting 85% of data breaches before they occur.

These systems excel at detecting anomalies that indicate ransomware activity, such as unusual file access patterns or network communications.

Deception technologies can trap AI attackers by deploying honeypots and decoy assets that mimic high-value systems.

When AI-driven ransomware probes these environments, defenders can study attack patterns and develop countermeasures without risking production systems.

Implementation of immutable backup systems with air-gapped storage becomes essential, as AI ransomware often searches for and disables backup systems before encryption.

Organizations should also deploy adversarial AI that feeds misleading data to attacker reconnaissance algorithms, increasing the likelihood of model failure.

The emergence of AI-powered ransomware represents an inflection point in cybersecurity. Organizations can no longer rely on traditional defensive measures against threats that learn, adapt, and evolve autonomously.

As demonstrated by current statistics and real-world attacks, the time for proactive preparation is now before AI-powered ransomware brings down your organization’s critical operations.

BlackSuit Ransomware Actors Breached Corporate Environment, Including 60+ VMware ESXi Hosts
https://cybersecuritynews.com/blacksuit-ransomware-vmware-esxi/
Wed, 15 Oct 2025 13:25:12 +0000

The post BlackSuit Ransomware Actors Breached Corporate Environment, Including 60+ VMware ESXi Hosts appeared first on Cyber Security News.

The BlackSuit ransomware group, tracked as Ignoble Scorpius by cybersecurity experts, devastated a prominent manufacturer’s operations.

The attack, detailed in a recent Unit 42 report from Palo Alto Networks, began with something as simple as compromised VPN credentials, escalating into widespread encryption and data theft that could have cost millions.

This incident underscores the escalating sophistication of ransomware actors and the urgent need for layered defenses in today’s threat landscape.

The breach kicked off with a classic voice phishing scam, or vishing. An attacker posed as the company’s IT help desk, convincing an unwitting employee to input their real VPN login on a fake phishing site.

Once inside, the intruder wasted no time. They launched a DCSync attack on a domain controller, siphoning off elite credentials like those of a key service account.

From there, lateral movement was swift: using Remote Desktop Protocol (RDP) and Server Message Block (SMB), the hackers deployed tools such as Advanced IP Scanner to chart the network and SMBExec to exploit vulnerabilities.

Persistence came next, with the attackers installing legitimate remote access software like AnyDesk alongside a custom remote access trojan (RAT) on a domain controller, disguised as a scheduled task to dodge reboots.

They hit a second domain controller hard, dumping the NTDS.dit database full of password hashes. Over 400 GB of sensitive data vanished via a rebranded rclone tool.

60+ VMware ESXi Hosts Breached

To erase their footprints, they ran CCleaner before the knockout punch: BlackSuit ransomware, automated through Ansible playbooks, locked down hundreds of virtual machines across about 60 VMware ESXi hosts.

Unit 42’s post-incident assessment revealed critical gaps, leading to targeted fixes: swapping outdated Cisco ASA firewalls for next-gen models, enforcing network segmentation, and limiting admin access to isolated VLANs.

On the identity front, the responders pushed multifactor authentication (MFA) for all remote logins, disabled NTLM, rotated credentials, and banned service accounts from interactive sessions such as RDP.

The client successfully avoided a $20 million ransom demand, thanks to Unit 42’s expertise, while also gaining enterprise-wide monitoring and ongoing managed detection services.

This story shows a harsh truth: one stolen credential can cause a chain reaction of problems. Groups like Ignoble Scorpius take advantage of such mistakes, using simple tools and ransomware to create maximum disruption.

Organizations need to prioritize multi-factor authentication, proactive assessments, and automated responses to effectively combat ransomware. As this threat evolves, it is essential to enhance defenses before the next vishing call leads to a similar outcome.

LLM-enabled MalTerminal Malware Leverages GPT-4 to Generate Ransomware Code
https://cybersecuritynews.com/llm-enabled-malterminal-malware-gpt-4/
Fri, 10 Oct 2025 08:33:52 +0000

The post LLM-enabled MalTerminal Malware Leverages GPT-4 to Generate Ransomware Code appeared first on Cyber Security News.

Cybersecurity researchers have identified what is believed to be the earliest known instance of malware that leverages a Large Language Model (LLM) to generate malicious code at runtime.

Dubbed ‘MalTerminal’ by SentinelLABS, the malware uses OpenAI’s GPT-4 to dynamically create ransomware code and reverse shells, presenting a new and formidable challenge for detection and threat analysis.

The discovery highlights a significant shift in adversary tradecraft, where the malicious logic is not hardcoded into the malware itself but is generated on-the-fly by an external AI model.

This approach can render traditional security measures, such as static signatures, ineffective, as the code can be unique for each execution. The findings were part of broader research into how threat actors are weaponizing LLMs.

A New Generation Of Adaptable Threats

Unlike other adversarial uses of AI, such as creating convincing phishing emails or using AI software as a lure, LLM-enabled malware embeds the model’s capabilities directly into its payload. This allows the malware to adapt its behavior based on the target environment.

SentinelLABS researchers established a clear definition for this threat, distinguishing it from malware simply created by an LLM, which they note remains immature.

The primary concern with LLM-enabled malware is its unpredictability. By offloading code generation to an LLM, the malware’s actions can vary significantly, making it difficult for security tools to anticipate and block its behavior.

Prior documented cases like PromptLock, a proof-of-concept ransomware, and LameHug (or PROMPTSTEAL), linked to the Russian APT28 group, demonstrated how LLMs could be used to generate system commands and exfiltrate data. These examples paved the way for hunting more advanced threats.

The breakthrough came from a novel threat-hunting methodology developed by SentinelLABS. Instead of searching for malicious code, researchers hunted for the artifacts of LLM integration: embedded API keys and specific prompt structures.

They wrote YARA rules to detect key patterns for major LLM providers like OpenAI and Anthropic. A year-long retrohunt on VirusTotal flagged over 7,000 samples with embedded keys, though most were non-malicious developer errors.

The key to finding MalTerminal was focusing on samples with multiple API keys, a redundancy tactic for malware, and hunting for prompts with malicious intent.

The researchers used an LLM classifier to score the maliciousness of discovered prompts. This strategy led them to a set of Python scripts and a Windows executable named MalTerminal.exe.
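The artifact hunt described above (key patterns for several providers, the multiple-key redundancy signal, and intent scoring of the prompt), as an added Python example that is not SentinelLABS' code. The key prefixes ("sk-", "sk-ant-") and the marker strings are assumptions, and a keyword score stands in for the LLM classifier the researchers used; the sample data is constructed and contains placeholder keys.

```python
import re
from dataclasses import dataclass, field

# Assumed key formats (approximate, not official): OpenAI keys start with
# "sk-", Anthropic keys with "sk-ant-". Treat these as hunting heuristics.
KEY_PATTERNS = {
    "openai": re.compile(rb"sk-(?!ant-)[A-Za-z0-9_\-]{20,}"),
    "anthropic": re.compile(rb"sk-ant-[A-Za-z0-9_\-]{20,}"),
}

# Artifacts of LLM integration: chat-completion message structure and
# provider endpoints, independent of what the prompt asks for.
PROMPT_MARKERS = [
    rb'"role"\s*:\s*"(system|user)"',
    rb"/chat/completions",
    rb"api\.(openai|anthropic)\.com",
]

# Stand-in for the researchers' LLM classifier: keyword markers for prompts
# that ask the model to produce code the caller intends to run offensively.
INTENT_MARKERS = [
    rb"reverse shell",
    rb"ransom",
    rb"encrypt (all|every) files",
    rb"return only (the )?code",
]


@dataclass
class HuntResult:
    keys: dict = field(default_factory=dict)         # provider -> distinct keys
    prompt_hits: list = field(default_factory=list)  # matched structure markers
    intent_hits: list = field(default_factory=list)  # matched intent markers

    @property
    def key_count(self) -> int:
        return sum(len(v) for v in self.keys.values())


def _views(data: bytes):
    """Yield the raw bytes, then a view with UTF-16LE strings collapsed to ASCII
    so the byte-oriented patterns also match wide strings in Windows binaries."""
    yield data
    yield re.sub(rb"(?<=[\x20-\x7e])\x00(?=[\x20-\x7e]|$)", b"", data)


def _collect(patterns, view, hits):
    for pat in patterns:
        name = pat.decode()
        if name not in hits and re.search(pat, view, re.IGNORECASE):
            hits.append(name)


def hunt(data: bytes) -> HuntResult:
    """Extract embedded keys, prompt structure and intent markers from a sample."""
    result = HuntResult()
    for view in _views(data):
        for provider, pat in KEY_PATTERNS.items():
            for m in pat.finditer(view):
                result.keys.setdefault(provider, set()).add(m.group().decode())
        _collect(PROMPT_MARKERS, view, result.prompt_hits)
        _collect(INTENT_MARKERS, view, result.intent_hits)
    return result


def triage(r: HuntResult) -> str:
    """Rank a sample the way the hunt narrows 7,000 hits down to a few leads."""
    if r.key_count == 0:
        return "no-llm-artifacts"
    if r.key_count >= 2 and r.intent_hits:
        return "priority"          # key redundancy plus malicious intent
    if r.key_count >= 2 or r.intent_hits:
        return "review"
    return "likely-dev-leak"       # one key, benign prompt: probable developer error


# Constructed sample resembling a Python-to-EXE string table; the keys are
# placeholders, not real credentials.
SUSPECT_SAMPLE = b"".join([
    b'KEYS = ["sk-CONSTRUCTEDKEY0000000000000001", ',
    b'"sk-ant-CONSTRUCTEDKEY0000000000000002"]\n',
    b'URL = "https://api.openai.com/v1/chat/completions"\n',
    b'MSG = {"role": "user", "content": "Produce a reverse shell; return only code"}\n',
])

# Constructed sample of a benign developer mistake: one key, ordinary prompt.
DEV_LEAK_SAMPLE = (
    b'client = OpenAI(api_key="sk-CONSTRUCTEDKEY0000000000000003")\n'
    b'messages = [{"role": "system", "content": "Summarize this text."}]\n'
)

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_SAMPLE), ("dev-leak", DEV_LEAK_SAMPLE)):
        r = hunt(blob)
        print(label, triage(r), r.key_count, r.prompt_hits, r.intent_hits)
```

Run over a corpus, the same three signals (distinct keys, structure markers, intent markers) give a sortable triage column instead of a flat list of key matches.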

Analysis indicated that it utilized a deprecated OpenAI chat completion API endpoint, which was retired in November 2023. This suggests the malware was developed prior to that date, making it the earliest known sample of its kind.

MalTerminal prompts an operator to choose between deploying ransomware or a reverse shell, then uses GPT-4 to generate the necessary code.

File name        Purpose         Notes
MalTerminal.exe  Malware         Compiled Python2EXE sample: C:\Users\Public\Proj\MalTerminal.py
testAPI.py (1)   Malware         Malware generator Proof-of-Concept (PoC) scripts
testAPI.py (2)   Malware         Malware generator PoC scripts
TestMal2.py      Malware         An early version of MalTerminal
TestMal3.py      Defensive Tool  "FalconShield: A tool to analyze suspicious Python files."
Defe.py (1)      Defensive Tool  "FalconShield: A tool to analyze suspicious Python files."
Defe.py (2)      Defensive Tool  "FalconShield: A tool to analyze suspicious Python files."

Cyber Defense for Threats

The emergence of malware like MalTerminal, PromptLock, and LameHug signals a new frontier in cyber defense. The primary challenge is that detection signatures can no longer rely on static malicious logic.

Furthermore, network traffic to legitimate LLM APIs can be difficult to distinguish from malicious use. However, this new class of malware has its own weaknesses. Its dependency on external APIs and the need to embed API keys and prompts within its code create new opportunities for detection.

If an API key is revoked, the malware can be neutralized. Researchers also discovered other offensive LLM tools, including vulnerability injectors and people search agents, by hunting for these artifacts.

While LLM-enabled malware is still in an experimental stage, its development gives defenders a critical opportunity to adapt their strategies for a future where malicious code is generated on demand.


The post LLM-enabled MalTerminal Malware Leverages GPT-4 to Generate Ransomware Code appeared first on Cyber Security News.

Hackers Use DFIR Tool ‘Velociraptor’ to Attack VMware ESXi and Windows Servers with Ransomware https://cybersecuritynews.com/dfir-tool-velociraptor-exploited/ Thu, 09 Oct 2025 13:45:31 +0000 https://cybersecuritynews.com/?p=129580

Security researchers at Cisco Talos have confirmed that ransomware operators are actively exploiting Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in their attacks.

This marks the first definitive link between a legitimate security tool and a ransomware incident. The campaign, which deployed three separate ransomware strains, is attributed with moderate confidence to the threat actor Storm-2603.

The attack severely impacted the victim’s IT environment, encrypting VMware ESXi virtual machines and Windows servers using Warlock, LockBit, and Babuk ransomware.

Ransom Note

Legitimate Tool Weaponized

Velociraptor is designed for security teams to perform endpoint monitoring and data collection, but in this campaign, it played a key role in helping the attackers maintain stealthy, persistent access.

After gaining initial entry, the threat actors installed an outdated version of Velociraptor (0.73.4.0), which is vulnerable to a privilege escalation flaw tracked as CVE-2025-6264.

This vulnerability can lead to arbitrary command execution and a complete takeover of the affected endpoint. The actors used this foothold to deploy LockBit and Babuk ransomware while remaining undetected.

This abuse of trusted security products aligns with a broader trend observed by Talos, where attackers increasingly leverage commercial and open-source tools to achieve their objectives.

Cisco Talos attributes this activity to Storm-2603, a suspected China-based group first identified in July 2025 exploiting the SharePoint vulnerabilities known as ToolShell. The attribution is based on significant overlaps in tools and tactics.

Storm-2603 is known for deploying both Warlock and LockBit ransomware in the same attack, and while LockBit is common, the use of Warlock is a strong indicator, as it has been heavily used by this group since it appeared in June 2025.

The deployment of three distinct ransomware variants, Warlock, LockBit, and Babuk, in a single engagement is highly unusual and strengthens the connection to Storm-2603. Although the group had not previously been seen using Babuk, the combination of TTPs points in its direction.

A Multi-faceted Attack Chain

The attack, first detected in mid-August 2025, involved a sophisticated chain of events. After gaining initial access, likely through the ToolShell exploit, the actor escalated privileges by creating new admin accounts and syncing them to Entra ID.

They used these accounts to access the VMware vSphere console, ensuring persistent control over the virtual environment.

To impair defenses, the attackers modified Active Directory Group Policy Objects (GPOs) to disable Microsoft Defender’s real-time protection and behavior monitoring.

A fileless PowerShell script carried out the final encryption on Windows machines, while a Linux binary of the Babuk encryptor targeted ESXi servers.

The attack also featured a double-extortion component: the actors used a custom PowerShell script to exfiltrate sensitive data before encryption, suppressing progress indicators and using sleep commands to evade detection and inhibit analysis.



The post Hackers Use DFIR Tool ‘Velociraptor’ to Attack VMware ESXi and Windows Servers with Ransomware appeared first on Cyber Security News.

BlackLock Ransomware Attacking Windows, Linux, and VMware ESXi Environments https://cybersecuritynews.com/blacklock-ransomware/ Mon, 22 Sep 2025 06:12:06 +0000 https://cybersecuritynews.com/?p=127321

A sophisticated new ransomware operation dubbed BlackLock has emerged as a significant threat to organizations worldwide, demonstrating advanced cross-platform capabilities and targeting diverse computing environments.

Originally operating under the name “El Dorado” since March 2024, the group rebranded to BlackLock in September 2024, establishing itself as a formidable player in the ransomware landscape with victims spanning multiple countries and industries.

BlackLock’s technical sophistication lies in its development in the Go programming language, enabling the malware to execute seamlessly across Windows, Linux, and VMware ESXi systems.

This cross-platform approach significantly expands the attack surface, allowing threat actors to compromise entire IT infrastructures simultaneously. 

The ransomware operates under a Ransomware-as-a-Service (RaaS) model, actively recruiting skilled affiliates through Russian-speaking cybercrime forums, particularly RAMP.

BlackLock DLS

Advanced Encryption and Cross-Platform Capabilities

ASEC reports that the ransomware implements robust cryptographic techniques, utilizing Go’s crypto package to perform file encryption through ChaCha20.NewUnauthenticatedCipher() with randomly generated 32-byte FileKeys and 24-byte nonces for each targeted file. 

This approach ensures that every encrypted file receives a unique encryption key, making recovery virtually impossible without the attackers’ decryption tools.

BlackLock’s sophisticated key management system employs Elliptic Curve Diffie-Hellman (ECDH) key exchange to generate shared keys for metadata encryption. 

The ransomware appends encrypted metadata containing the FileKey and victim information to each file, protected by secretbox.Seal() encryption. 

This dual-layer encryption strategy prevents victims from independently recovering their data while ensuring the attackers can decrypt files upon ransom payment.

The malware supports extensive command-line arguments for operational flexibility, including -path for targeted encryption, -delay for timed execution, -threads for performance optimization, and -perc for partial file encryption to accelerate the attack process. 

Notably, the ransomware includes provisions for VMware ESXi environments through the -esxi option, though this feature remains unimplemented in the analyzed samples.

BlackLock demonstrates advanced network propagation capabilities by utilizing open-source projects like go-smb2 to scan and access SMB shared folders across Windows networks. 

The ransomware can authenticate using plaintext passwords or NTLM hashes specified through the -u, -p, and -h parameters, enabling lateral movement across corporate networks and simultaneous encryption of networked storage systems.

To eliminate recovery options, BlackLock employs sophisticated data destruction techniques targeting Volume Shadow Copy Service (VSS) and Recycle Bin contents. 

Rather than executing obvious command-line instructions, the malware constructs COM object instances to execute WMI queries through shellcode loaded directly into memory, making detection significantly more challenging for security solutions.

Ransom note

The ransomware creates ransom notes titled HOW_RETURN_YOUR_DATA.TXT in every encrypted directory, containing threatening language that warns victims of business disruption and data leakage to customers and the public if ransom demands are not met. 

This psychological pressure tactic, combined with the technical impossibility of independent data recovery, creates substantial leverage for the attackers.

Organizations must implement comprehensive security strategies encompassing endpoint protection, network segmentation, and robust backup solutions to defend against this evolving threat landscape.


The post BlackLock Ransomware Attacking Windows, Linux, and VMware ESXi Environments appeared first on Cyber Security News.

Authorities Arrested Admins Of “LockerGoga,” “MegaCortex,” And “Nefilim” Ransomware Gangs https://cybersecuritynews.com/authorities-arrested-admins/ Thu, 11 Sep 2025 02:35:29 +0000 https://cybersecuritynews.com/?p=125650

The U.S. District Court for the Eastern District of New York has unsealed a superseding indictment against a Ukrainian national, charging him with his alleged role as an administrator in the LockerGoga, MegaCortex, and Nefilim ransomware operations.

The schemes reportedly extorted over 250 companies in the United States and hundreds more across the globe, causing millions of dollars in damages.

The defendant, Volodymyr Viktorovich Tymoshchuk, also known by aliases such as “deadforz,” “Boba,” “msfv,” and “farnetwork,” is facing multiple charges for his involvement in these widespread cyberattacks.

“Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world,” stated Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.

He added that the attacks sometimes led to the complete disruption of business operations until the victims could recover or restore their encrypted data.

According to the indictment, between December 2018 and October 2021, Tymoshchuk and his co-conspirators deployed the LockerGoga, MegaCortex, and Nefilim ransomware variants to encrypt computer networks in the U.S., France, Germany, the Netherlands, Norway, and Switzerland.

The attackers customized the ransomware for each victim, ensuring that the decryption key was unique. If a victim paid the ransom, they would receive a tool to unlock their files.

“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said U.S. Attorney Joseph Nocella Jr. for the Eastern District of New York.

From July 2019 to June 2020, the group allegedly compromised the networks of hundreds of companies with LockerGoga and MegaCortex.

However, law enforcement successfully thwarted many of these attacks by notifying victims before the ransomware could be fully deployed.

Following the initial wave of attacks, Tymoshchuk is alleged to have become an administrator for the Nefilim ransomware from July 2020 to October 2021.

He and other administrators provided the ransomware to affiliates, including co-defendant Artem Stryzhak, in exchange for a 20% cut of the ransom proceeds.

Stryzhak was previously extradited from Spain and faces charges in the same district. The charges against Tymoshchuk include conspiracy to commit computer fraud, intentional damage to a protected computer, and transmitting threats to disclose confidential information.

The investigation, led by the FBI, is part of a broader international effort involving authorities in France, the Czech Republic, Germany, Lithuania, Luxembourg, the Netherlands, Norway, Switzerland, and Ukraine, with support from Europol and Eurojust.

In a significant blow to the ransomware groups, decryption keys for LockerGoga and MegaCortex were released to the public in September 2022 through the “No More Ransomware Project,” allowing victims to recover their data without paying a ransom.

Concurrent with the indictment, the U.S. Department of State’s Transnational Organized Crime Rewards Program is offering a reward of up to $11 million for information leading to the arrest, conviction, or location of Tymoshchuk or his conspirators.


The post Authorities Arrested Admins Of “LockerGoga,” “MegaCortex,” And “Nefilim” Ransomware Gangs appeared first on Cyber Security News.
