Rise of RansomHub: A Resurgent Threat in Cybercrime The RansomHub ransomware-as-a-service (RaaS) group has emerged as a significant player in the cybercrime landscape, capitalizing on previously patched vulnerabilities in Microsoft Active Directory and the Netlogon protocol to facilitate unauthorized access to victim networks. Recent analyses highlight the group’s ability to…
Emerging Cyber Threat: Collaboration Between Head Mare and Twelve Targets Russian Entities Recent intelligence from Kaspersky has revealed that two threat groups, known as Head Mare and Twelve, appear to have aligned their efforts to launch cyberattacks against Russian organizations. The firm’s analysis indicates that Head Mare has adopted tools…
In 2024, a total of 5,414 ransomware attacks occurred worldwide, representing an 11% increase compared to 2023. Following a gradual start, ransomware incidents surged in the second quarter and peaked in the fourth, accounting for 1,827 incidents—approximately 33% of the total for the year. Notably, law enforcement actions against prominent…
In a rapidly shifting cybersecurity landscape, threat actors are adapting and evolving their tactics, as evidenced by recent attacks targeting various organizations and individuals. Notable this week is the activity of the hacking group UNC3886, which has successfully exploited end-of-life MX Series routers manufactured by Juniper Networks. These devices, due…
Bridgestone has confirmed that a cyberattack has disrupted operations at some of its manufacturing facilities. This article examines the implications for employees, includes expert insights, and highlights the suspected hacking group, Scattered Lapsus$ Hunters. Bridgestone, the leading tire manufacturer globally by output, has launched an investigation into a cyberattack affecting…
RansomHub Disappears on April 1; Affiliates Shift to Qilin as DragonForce Takes Over
April 30, 2025
Cybercrime / Threat Intelligence
Cybersecurity experts have reported that RansomHub’s online operations unexpectedly went offline on April 1, 2025, raising alarm among its affiliates in the ransomware-as-a-service (RaaS) ecosystem. According to Singaporean cybersecurity firm Group-IB, this disruption has likely led to affiliates migrating to Qilin, with evidence showing that disclosures on its data leak site have surged since February. RansomHub, which debuted in February 2024, has reportedly compromised data from over 200 victims. It quickly eclipsed prominent RaaS groups LockBit and BlackCat, attracting affiliates like Scattered Spider and Evil Corp with enticing profit-sharing models. “After potentially acquiring the web application and source code for Knight (formerly Cyclops), RansomHub swiftly gained traction in the ransomware landscape, leveraging a feature-rich multi-platform encryptor and a robust, affiliate-friendly approach…”
RansomHub Disappears from the Cyber Landscape; Affiliates Shift to Qilin While DragonForce Claims Leadership April 30, 2025 In a significant turn of events within the cybercriminal ecosystem, the ransomware-as-a-service (RaaS) operation known as RansomHub has unexpectedly gone offline as of April 1, 2025. This abrupt disappearance has raised alarms among…
RansomHub Disappears on April 1; Affiliates Shift to Qilin as DragonForce Takes Over
April 30, 2025
Cybercrime / Threat Intelligence
Cybersecurity experts have reported that RansomHub’s online operations unexpectedly went offline on April 1, 2025, raising alarm among its affiliates in the ransomware-as-a-service (RaaS) ecosystem. According to Singaporean cybersecurity firm Group-IB, this disruption has likely led to affiliates migrating to Qilin, with evidence showing that disclosures on its data leak site have surged since February. RansomHub, which debuted in February 2024, has reportedly compromised data from over 200 victims. It quickly eclipsed prominent RaaS groups LockBit and BlackCat, attracting affiliates like Scattered Spider and Evil Corp with enticing profit-sharing models. “After potentially acquiring the web application and source code for Knight (formerly Cyclops), RansomHub swiftly gained traction in the ransomware landscape, leveraging a feature-rich multi-platform encryptor and a robust, affiliate-friendly approach…”
Microsoft Flags Storm-0501 as a Significant Threat in Hybrid Cloud Ransomware Operations
September 27, 2024
Ransomware / Cloud Security
Microsoft has identified the cyber group Storm-0501 as a noteworthy threat, targeting key sectors such as government, manufacturing, transportation, and law enforcement in the United States. Their sophisticated, multi-stage attack strategy is designed to infiltrate hybrid cloud environments, allowing attackers to move laterally from on-premises systems to the cloud. This approach leads to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. According to Microsoft’s threat intelligence team, Storm-0501 operates as a financially driven cybercriminal organization, utilizing both commodity and open-source tools for their ransomware activities. Active since 2021, they initially focused on educational institutions with the Sabbath ransomware before transitioning to a ransomware-as-a-service (RaaS) model, distributing various ransomware variants including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.
Microsoft Flags Storm-0501 as Significant Threat in Hybrid Cloud Ransomware Incidents On September 27, 2024, Microsoft announced a notable increase in ransomware attacks orchestrated by the threat actor known as Storm-0501, which has predominantly targeted integral sectors such as government, manufacturing, transportation, and law enforcement across the United States. This…
Microsoft Flags Storm-0501 as a Significant Threat in Hybrid Cloud Ransomware Operations
September 27, 2024
Ransomware / Cloud Security
Microsoft has identified the cyber group Storm-0501 as a noteworthy threat, targeting key sectors such as government, manufacturing, transportation, and law enforcement in the United States. Their sophisticated, multi-stage attack strategy is designed to infiltrate hybrid cloud environments, allowing attackers to move laterally from on-premises systems to the cloud. This approach leads to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. According to Microsoft’s threat intelligence team, Storm-0501 operates as a financially driven cybercriminal organization, utilizing both commodity and open-source tools for their ransomware activities. Active since 2021, they initially focused on educational institutions with the Sabbath ransomware before transitioning to a ransomware-as-a-service (RaaS) model, distributing various ransomware variants including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.
Joint Global Operation Leads to Arrests and Sanctions Against LockBit Ransomware and Evil Corp Members
October 3, 2024
Cybercrime / Ransomware
A coordinated international law enforcement effort has resulted in four arrests and the shutdown of nine servers associated with the LockBit (also known as Bitwise Spider) ransomware operation, targeting a once-prominent financially motivated cybercriminal group. Key developments include the apprehension of a suspected LockBit developer in France while on vacation outside Russia, the arrest of two individuals in the UK linked to an affiliate, and the capture of an administrator of a bulletproof hosting service in Spain used by the gang, according to Europol. Additionally, authorities have identified a Russian national, Aleksandr Ryzhenkov (known by several aliases including Beverley and Corbyn_Dallas), as a high-ranking member of the Evil Corp cybercrime group and a LockBit affiliate. Sanctions have been imposed on seven individuals and two entities connected to the e-crime organization. “The United States, in collaboration with our allies…”
LockBit Ransomware and Evil Corp Members Arrested in Global Law Enforcement Operation On October 3, 2024, a coordinated international law enforcement operation resulted in the arrest of four individuals and the dismantling of nine servers associated with the LockBit ransomware group, also known as Bitwise Spider. This initiative represents a…
Joint Global Operation Leads to Arrests and Sanctions Against LockBit Ransomware and Evil Corp Members
October 3, 2024
Cybercrime / Ransomware
A coordinated international law enforcement effort has resulted in four arrests and the shutdown of nine servers associated with the LockBit (also known as Bitwise Spider) ransomware operation, targeting a once-prominent financially motivated cybercriminal group. Key developments include the apprehension of a suspected LockBit developer in France while on vacation outside Russia, the arrest of two individuals in the UK linked to an affiliate, and the capture of an administrator of a bulletproof hosting service in Spain used by the gang, according to Europol. Additionally, authorities have identified a Russian national, Aleksandr Ryzhenkov (known by several aliases including Beverley and Corbyn_Dallas), as a high-ranking member of the Evil Corp cybercrime group and a LockBit affiliate. Sanctions have been imposed on seven individuals and two entities connected to the e-crime organization. “The United States, in collaboration with our allies…”
Qilin Ransomware Introduces “Call Lawyer” Feature to Increase Pressure on Victims for Higher Ransoms
June 20, 2025
Ransomware / Cybercrime
The operators of the Qilin ransomware-as-a-service (RaaS) platform have unveiled a new “Call Lawyer” feature intended to pressure victims into paying larger ransoms. This strategic move comes as the group ramps up its activities to capitalize on the decline of competing cybercriminals. According to Israeli cybersecurity firm Cybereason, this feature is integrated into the affiliate panel, allowing affiliates to present legal counsel offers to victims.
This development marks a resurgence in Qilin’s operations at a time when other once-dominant ransomware factions, such as LockBit, Black Cat, and others, have faced sudden shutdowns and operational issues. Active since October 2022 and also known as Gold Feather and Water Galura, Qilin has emerged as a significant player in the ransomware landscape.
Data from dark web leak sites reveals that Qilin was responsible for 72 attacks in April 2025 and an estimated 55 in May, placing it behind only Safepay (72) and Luna Moth (67) in activity.
Qilin Ransomware Introduces “Call Lawyer” Feature to Boost Pressure on Victims June 20, 2025 In a notable shift within the landscape of ransomware attacks, the Qilin ransomware-as-a-service (RaaS) group has recently added a new feature aimed at compelling victims to comply with ransom demands. The “Call Lawyer” functionality, as reported…
Qilin Ransomware Introduces “Call Lawyer” Feature to Increase Pressure on Victims for Higher Ransoms
June 20, 2025
Ransomware / Cybercrime
The operators of the Qilin ransomware-as-a-service (RaaS) platform have unveiled a new “Call Lawyer” feature intended to pressure victims into paying larger ransoms. This strategic move comes as the group ramps up its activities to capitalize on the decline of competing cybercriminals. According to Israeli cybersecurity firm Cybereason, this feature is integrated into the affiliate panel, allowing affiliates to present legal counsel offers to victims.
This development marks a resurgence in Qilin’s operations at a time when other once-dominant ransomware factions, such as LockBit, Black Cat, and others, have faced sudden shutdowns and operational issues. Active since October 2022 and also known as Gold Feather and Water Galura, Qilin has emerged as a significant player in the ransomware landscape.
Data from dark web leak sites reveals that Qilin was responsible for 72 attacks in April 2025 and an estimated 55 in May, placing it behind only Safepay (72) and Luna Moth (67) in activity.
