Tag: LockBit

Microsoft Flags Storm-0501 as a Significant Threat in Hybrid Cloud Ransomware Operations

September 27, 2024
Ransomware / Cloud Security

Microsoft has identified the cyber group Storm-0501 as a noteworthy threat, targeting key sectors such as government, manufacturing, transportation, and law enforcement in the United States. Their sophisticated, multi-stage attack strategy is designed to infiltrate hybrid cloud environments, allowing attackers to move laterally from on-premises systems to the cloud. This approach leads to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. According to Microsoft’s threat intelligence team, Storm-0501 operates as a financially driven cybercriminal organization, utilizing both commodity and open-source tools for their ransomware activities. Active since 2021, they initially focused on educational institutions with the Sabbath ransomware before transitioning to a ransomware-as-a-service (RaaS) model, distributing various ransomware variants including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.


Joint Global Operation Leads to Arrests and Sanctions Against LockBit Ransomware and Evil Corp Members

October 3, 2024
Cybercrime / Ransomware

A coordinated international law enforcement effort has resulted in four arrests and the shutdown of nine servers associated with the LockBit (also known as Bitwise Spider) ransomware operation, targeting a once-prominent financially motivated cybercriminal group. Key developments include the apprehension of a suspected LockBit developer in France while on vacation outside Russia, the arrest of two individuals in the UK linked to an affiliate, and the capture of an administrator of a bulletproof hosting service in Spain used by the gang, according to Europol. Additionally, authorities have identified a Russian national, Aleksandr Ryzhenkov (known by several aliases including Beverley and Corbyn_Dallas), as a high-ranking member of the Evil Corp cybercrime group and a LockBit affiliate. Sanctions have been imposed on seven individuals and two entities connected to the e-crime organization. “The United States, in collaboration with our allies…”


Qilin Ransomware Introduces “Call Lawyer” Feature to Increase Pressure on Victims for Higher Ransoms

June 20, 2025
Ransomware / Cybercrime

The operators of the Qilin ransomware-as-a-service (RaaS) platform have unveiled a new “Call Lawyer” feature intended to pressure victims into paying larger ransoms. This strategic move comes as the group ramps up its activities to capitalize on the decline of competing cybercriminals. According to Israeli cybersecurity firm Cybereason, this feature is integrated into the affiliate panel, allowing affiliates to present legal counsel offers to victims.

This development marks a resurgence in Qilin’s operations at a time when other once-dominant ransomware factions, such as LockBit, Black Cat, and others, have faced sudden shutdowns and operational issues. Active since October 2022 and also known as Gold Feather and Water Galura, Qilin has emerged as a significant player in the ransomware landscape.

Data from dark web leak sites reveals that Qilin was responsible for 72 attacks in April 2025 and an estimated 55 in May, placing it behind only Safepay (72) and Luna Moth (67) in activity.


⚡ THN Weekly Update: Key Cybersecurity Threats, Tools, and Tips

Dec 23, 2024
Cybersecurity / Weekly Update

The digital landscape is relentless, as this week has shown. From the apprehension of ransomware developers to state-sponsored hackers unveiling novel tactics, it’s evident that cybercriminals are continually evolving their methods. They exploit everyday tools for malicious purposes, embed spyware in trusted applications, and uncover new vulnerabilities in outdated security systems. These incidents are not mere coincidences—they highlight the ingenuity and adaptability of cyber threats. In this edition, we’ll explore the most significant cybersecurity events from the past week and provide essential insights to help you stay protected and proactive. Let’s dive in.

⚡ Threat of the Week

Charges Filed Against LockBit Developer Rostislav Panev — Rostislav Panev, a 51-year-old dual Russian and Israeli citizen, has been charged in the U.S. for allegedly serving as a developer for the now-disrupted LockBit ransomware-as-a-service (RaaS) operation, which is believed to have generated approximately $230,000 between June 2022 and February 2024. Panev was…


Storm-2603 Exploits SharePoint Vulnerabilities to Deploy Warlock Ransomware on Unpatched Systems

Jul 24, 2025
Vulnerability / Ransomware

Microsoft has disclosed that a threat actor, identified as Storm-2603, is actively exploiting vulnerabilities in SharePoint to deploy Warlock ransomware on targeted systems. In an update released Wednesday, the company noted that these insights stem from ongoing analysis and threat intelligence regarding Storm-2603’s exploitation activities. This financially motivated actor is suspected to be based in China and has previously been linked to the deployment of both Warlock and LockBit ransomware. The attack chain involves exploiting CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched on-premises SharePoint servers to facilitate the deployment of the spinstall0.aspx web shell. “This initial access enables command execution via the w3wp.exe process that supports SharePoint,” Microsoft stated. “Storm-2603 subsequently initiates a series of discovery commands, including…”


Black Basta Leaks Expose Phishing and Google Account Takeover Vulnerabilities

June 12, 2025
Fraud Management & Cybercrime / Ransomware

Former Ransomware Group’s Fallout Reveals Hackers Targeting Microsoft Teams
Mathew J. Schwartz (euroinfosec)

Recent data leaks from ransomware organizations underscore the evolving tactics used by attackers to compromise and lure in new victims. Notable disclosures include a substantial cache of internal…


LockBit’s New Challenge: Unruly Affiliates

June 12, 2025
Fraud Management & Cybercrime / Ransomware

Data Leak Reveals LockBit Ransomware Group Expanding Targeting Strategies
Akshaya Asokan (asokan_akshaya)

Recent analysis of data leaked from the LockBit ransomware group’s administrator panel indicates a troubling trend: the group’s affiliates have increasingly targeted organizations in China. This…


NC Pathology Practice Alerts 236,000 Patients About Data Breach

May 23, 2025
Fraud Management & Cybercrime / Healthcare / Industry Specific

Did Marlboro-Chesterfield Pathology Pay Ransom to Cybercriminal Group SafePay?
Marianne Kolbasuk McGee (HealthInfoSec)

Marlboro-Chesterfield Pathology, a laboratory in North Carolina, is notifying nearly 236,000 patients about a data breach incident reported in January. A hacking incident involving…


LockBit Leaks Expose Efforts to Recruit Ransomware Newcomers

May 16, 2025
Fraud Management & Cybercrime / Ransomware

‘Lite Panel’ Provides Easy Entry for Ransomware Operators at $777, Reports Researcher
Mathew J. Schwartz (euroinfosec)

Ransomware groups are continually evolving their strategies to extort organizations, both large and small. The introduction of a more accessible “lite” version of LockBit’s ransomware-as-a-service…
