#RAAS

Kiara Taylor @Kiara07
2025-05-22

In this episode, we unpack the evolution of the LockBit ransomware group, focusing on the rise of LockBit 3.0 and its impact on global cybersecurity. From its advanced encryption tactics to ransomware-as-a-service (RaaS) models, discover how this threat continues to adapt—and what organizations must do to stay ahead.

castbox.fm/vi/791816646

2025-05-21

Observed Resurgence of the “Dragon Force” RaaS Operation

The full list of names and names of those who have come forward to describe themselves as "mysterious" or "disgraceful" has been released by the US Department of State.

Pulse ID: 682dbee968b08164c2908731
Pulse Link: otx.alienvault.com/pulse/682db
Pulse Author: cryptocti
Created: 2025-05-21 11:54:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #RCE #RaaS #bot #cryptocti

2025-05-20

SAP Zero – Frostbite: How Russian RaaS Actor Qilin Exploited CVE-2025-31324 Weeks Before its Public Disclosure

CVE-2025-31324 hit the security world like a tsunami – an easily exploitable SAP vulnerability affecting enterprise environments across the globe. But while most assumed its exploitation began post-disclosure, new evidence suggests otherwise.
During an incident response led by OP Innovate for a major global enterprise, we uncovered proof that this vulnerability was actively exploited nearly three weeks before it was made public. While recent articles point the finger towards China-Linked APTs, we identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin, a notorious Russian-speaking Ransomware-as-a-Service group.

Pulse ID: 682cc36c603a5683307d027d
Pulse Link: otx.alienvault.com/pulse/682cc
Pulse Author: AlienVault
Created: 2025-05-20 18:01:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #CobaltStrike #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RaaS #RansomWare #RansomwareAsAService #Russia #Vulnerability #bot #AlienVault

Phillemon CEH | CTH @wardenshield
2025-05-19

🚨 Ransomware-as-a-Service (RaaS) is now 🤖 AI-powered—and more dangerous than ever.

From DIY kits to full-blown cybercrime platforms, here’s how RaaS evolved (and what that means for your security):
🔗 wardenshield.com/the-evolution

cryptax @cryptax
2025-05-16

Very very interesting talk at @NorthSec by Tammy Harper of Flare, on how to infiltrate threat actors.

It's live on youtube just now if you're not at NorthSec: youtube.com/watch?v=9IT659uUXfs

Wonder though how this presentation doesn't blow her cover, at least in part.
+ the video of Van Helsing reminds me of the videos I had found on malware authors advertising the mobile botnets (see VB2022 talk @VirusBulletin )

👾 #VanHelsing #ransomware emerged this March but has already proven dangerous and tricky as a scalable multiplatform #RaaS targeting critical industries and infrastructure.

➡️ Learn more & collect #IOCs for proactive detection: any.run/malware-trends/VanHels

👾 Chaos is a #RaaS that also acts as a #wiper, RAT, or even #DDoS botnet.

🎯 It targets both large companies across different industries and SMEs with weak #cybersecurity posture.

👉 Learn more & collect #IOCs: any.run/malware-trends/chaos/?

Dissent Doe :cupofcoffee: @PogoWasRight@infosec.exchange
2025-04-28

DragonForce has been claiming that it's creating this whole cartel and they're getting a lot of responses/inquiries about it. But does anyone else think it's odd that RansomHub and BianLian just disappeared without any announcement of closing or merger?

And I see Everest Team is back, but with a different leak site and without all of their previous data.

Are things really like DragonForce claims or is there a less friendly explanation?

#ransomware #raas #cartel

2025-04-12

[Translation] VanHelsing, the new RaaS in town

VanHelsing: a new player in the RaaS arena. In March 2025, VanHelsing appeared on the cybercrime scene: a powerful ransomware-as-a-service platform that instantly gained attention. A cross-platform locker, advanced encryption methods, and a simple control panel are all offered for a share of the ransom. But the main thing is the speed of its spread and the ambition with which this new RaaS operates. The article contains a full technical breakdown, including command-line arguments and encryption logic.

habr.com/ru/articles/898928/

#VanHelsing #raas #malware_research #информационная_безопасность #шифровальщик

Kiara Taylor @Kiara07
2025-04-09

Explore the dark underworld of cybercrime with this episode on Ransomware as a Service (RaaS). Learn how cybercriminals are packaging ransomware tools and selling them like software subscriptions—making it easier than ever for attackers to strike.

castbox.fm/vi/791951888

Teddy / Domingo (🇨🇵/🇬🇧) @TeddyTheBest@framapiaf.org
2025-04-05

Medusa Rides Momentum From #Ransomware-as-a-Service Pivot. Shifting to a #RaaS business model has accelerated the group's growth, and targeting critical industries like healthcare, legal, and manufacturing hasn't hurt either.
darkreading.com/threat-intelli

2025-04-04

It's dizzying to see the level of organization of these #RaaS (#ransomware services). Thanks to the people at @ESETresearch for offering us their report on #ransomHub and the #EDR killers: welivesecurity.com/es/investig

2025-04-04

⚠️ Hunters International #RaaS is rebranding to "World Leaks," focusing on data theft and extortion-only attacks. Despite announcing a shutdown in 2024, they launched the new operation on January 1, 2025, using a custom #exfiltration tool ☠️

bleepingcomputer.com/news/secu

Christoffer S. @nopatience@swecyb.com
2025-04-02

(trustwave.com) Babuk2 Bjorka: The Evolution of Ransomware for 'Data Commoditization'

trustwave.com/en-us/resources/

I have long awaited the moment when RaaS-operators and the ecosystem surrounding it would start to really dig through the data and find the juicy bits.

I know that RansomHub have been quite good at making the data browsable but perhaps this "new" group is spearheading a new modus or trend.

Short Summary:
Trustwave SpiderLabs has uncovered a significant evolution in ransomware operations through their investigation of the apparent revival of the Babuk ransomware group. Rather than finding a traditional ransomware operation, they discovered a sophisticated threat actor named Bjorka who has transformed the ransomware model into an industrial-scale data commoditization enterprise. Bjorka is recycling previously leaked data from other ransomware groups and selling it through multiple platforms while impersonating the Babuk brand (as Babuk2).

#Ransomware #RaaS #Babuk #StolenData

2025-03-26

#ESETresearch discovered previously unknown links between the #RansomHub, #Medusa, #BianLian, and #Play ransomware gangs, and leveraged #EDRKillShifter to learn more about RansomHub’s affiliates. @SCrow357 welivesecurity.com/en/eset-res
RansomHub emerged in February 2024 and in just three months reached the top of the ransomware ladder, recruiting affiliates from disrupted #LockBit and #BlackCat. Since then, it dominated the ransomware world, showing similar growth as LockBit once did.
Previously linked to North Korea-aligned group #Andariel, Play strictly denies operating as #RaaS. We found its members utilized RansomHub’s EDR killer EDRKillShifter, multiple times during their intrusions, meaning some members likely became RansomHub affiliates.
BianLian focuses on extortion-only attacks and does not publicly recruit new affiliates. Its access to EDRKillShifter suggests a similar approach as Play – having trusted members, who are not limited to working only with them.
Medusa, same as RansomHub, is a typical RaaS gang, actively recruiting new affiliates. Since it is common knowledge that affiliates of such RaaS groups often work for multiple operators, this connection is to be expected.
Our blogpost also emphasizes the growing threat of EDR killers. We observed an increase in the number of such tools, while the set of abused drivers remains quite small. Gangs such as RansomHub and #Embargo offer their killers as part of the affiliate program.
IoCs available on our GitHub: github.com/eset/malware-ioc/tr

2025-03-26

A new #ransomware-as-a-service crew, VanHelsing, launched on March 7, targets Windows, Linux, and VMware ESXi systems. It has infected three organizations with $500,000 ransom demands, but only Windows machines have been hit so far☝️☠️ #RaaS

go.theregister.com/feed/www.th

2025-03-25

VanHelsing, a new multi-platform #RaaS operation, targets Windows, Linux, BSD, ARM, and ESXi systems. Affiliates keep 80% of ransoms, while operators take 20%. It forbids targeting CIS countries and uses blockchain for payment security☝️☠️ #breach

bleepingcomputer.com/news/secu

2025-03-25

New VanHelsing ransomware-as-a-service (RaaS) platform rapidly expanding in cybercrime market. #Cybersecurity #Ransomware #RaaS

More details: blog.checkpoint.com/research/t - flagthis.com/news/11788

2025-03-24

BlackLock, a #ransomware group rebranded from El Dorado in late 2024, uses a #RaaS model to target Windows, VMware ESXi, and Linux. It's predicted to be a major RaaS operation in 2025, with 48 attacks in early 2024☝️👩‍💻

tripwire.com/state-of-security
