Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ransomware (25 articles)

Case study reveals US county paid $1 million to data-theft extortion group

A Ransom-ISAC case study, built from a leaked negotiation chat and the blockchain trail, reconstructs how a US government entity quietly paid about $1 million to an extortion group called Kairos to keep stolen files from being published. Notably, Kairos never encrypted anything: there was no locker and no decryption key, just theft and the threat to leak, with special pressure applied to a folder of prosecutors' records. The month-long negotiation fell from a $3 million demand to a $1 million payment. The case reflects a broader shift, with roughly half of recent extortion now skipping encryption entirely, since data theft alone provides enough leverage.

Check
Review whether you could detect the signs seen here: password-guessed logins, repeated failed logins, and large outbound transfers to burner file-sharing links, and confirm sensitive record stores are segmented and monitored.
Affected
Organizations holding sensitive records, especially smaller government bodies with limited resources; data-theft extortion needs no ransomware to force a large payment, only stolen files and the threat to publish them.
Fix
Enforce multi-factor authentication and alert on failed logins, segment and monitor sensitive record stores, watch for large outbound transfers, and treat any promise to delete stolen data as worthless.

Avalon malware framework bundles phishing, remote access, and CrownX ransomware

Blackpoint Cyber documented Avalon, a previously undocumented modular malware framework that pulls credential theft, lateral movement, remote access, backup disruption, and ransomware into one toolkit, with its ransomware component named CrownX. The attack starts with a spoofed legal-document email pointing to a password-protected archive on Proton Drive. Inside is an ISO image rather than a direct attachment, which helps it slip past email scanning, and opening a document-themed Windows shortcut inside the mounted image kicks off the infection chain. By combining evasive delivery with a full attack toolkit under one roof, Avalon lets operators run an intrusion from initial access through data theft to encryption.

Check
Alert staff to legal-themed emails that link to password-protected archives on cloud storage, and hunt for mounted ISO images spawning shortcut files and the follow-on scripts that behavior triggers.
Affected
Organizations whose staff can open ISO images and shortcut files delivered through cloud-hosted archives; Avalon then chains credential theft, remote access, and backup disruption into CrownX ransomware deployment.
Fix
Block or restrict automatic mounting of ISO images and execution of shortcut files from downloads, filter links to shared cloud archives, maintain tested offline backups, and train staff on legal-document lures.

AI agent runs an entire ransomware attack after breaking in through Langflow

Security firm Sysdig says it found what it believes is the first ransomware attack carried out from start to finish by an AI agent. The operator, which Sysdig calls JADEPUFFER, used a large language model to handle the whole job: breaking in, stealing credentials, moving through the network, then encrypting and wiping a company's production database. The way in was an old, already-patched flaw in Langflow, an open-source tool for building AI apps that is often left exposed online with cloud keys nearby. Once inside, the agent mapped the machine and swept it for secrets, including API keys for AI services and credentials for major cloud providers, before destroying data.

Check
Find any internet-exposed Langflow or similar AI application servers, confirm they are patched and off the internet, and check whether cloud or AI service credentials sit in environments those tools can read.
Affected
Organizations running exposed, unpatched Langflow servers, especially with cloud and AI service credentials nearby; attackers used the old flaw and an automated agent to steal secrets and ransom production databases.
Fix
Patch Langflow and never expose its code-running endpoints, keep secrets in a proper manager away from web-reachable tools, lock down outbound traffic and database admin access, and watch runtime behavior.

Ransomware crews pose as Interpol to pressure small businesses into paying

Dark Reading reports a ransomware campaign that leans on impersonating Interpol to pressure small businesses, using straightforward social engineering rather than sophisticated tooling. By dressing up their demands as communications from the international police organization, the attackers try to intimidate owners and staff who may lack dedicated security teams into believing they are in legal trouble and paying up. The campaign spans several regions, including the United States, Europe, and the Middle East. It is a reminder that authority-themed impersonation remains effective against smaller organizations, where a convincing-looking notice can short-circuit normal caution and verification.

Check
Warn staff, especially at smaller organizations, that law-enforcement bodies like Interpol do not demand payment by email or pop-up, and that any such message should be verified through official channels before acting.
Affected
Small and mid-sized businesses without dedicated security teams, across the US, Europe, and the Middle East; attackers use Interpol-themed intimidation to rush victims into paying rather than verifying the demand's legitimacy.
Fix
Train employees to recognize authority-impersonation scams, verify any law-enforcement contact independently, maintain tested offline backups, and give staff a clear, judgment-free way to report suspicious demands before they act.

Windows Defender BlueHammer flaw now used by ransomware gangs for SYSTEM access

CISA has updated its Known Exploited Vulnerabilities catalog to warn that ransomware gangs are now exploiting BlueHammer, a Microsoft Defender privilege-escalation flaw. The bug (CVE-2026-33825) lets a local attacker who already has a foothold escalate to SYSTEM by abusing Defender's file-remediation logic, giving them access to password hashes and the control needed to disable defenses and prepare systems for encryption. It was leaked with proof-of-concept code by a researcher in early April as a protest over Microsoft's disclosure process, exploited as a zero-day, then patched on April 14. It cannot be used for remote compromise on its own, but it strengthens attackers after initial access.

Check
Confirm the April 2026 Microsoft Defender update is applied across all Windows systems, and review endpoint logs for local privilege escalation, suspicious local-account access, and attempts to dump or read password hashes.
Affected
Windows systems missing the April 2026 Defender patch (CVE-2026-33825); after gaining initial access, attackers use the flaw to reach SYSTEM privileges, dump password hashes, and disable defenses ahead of ransomware.
Fix
Ensure the Microsoft Defender update is installed everywhere, prioritize systems exposed to phishing or stolen-credential access, and monitor for privilege-escalation behavior, since this flaw is now part of active ransomware playbooks.

Bajaj Auto confirms ransomware attack on its own and its subsidiary's systems

Bajaj Auto, one of India's largest makers of motorcycles and three-wheelers, has disclosed a ransomware attack that hit its systems and those of its wholly owned subsidiary Bajaj Auto Technology Limited on the morning of June 23. In a regulatory filing, the company said its technical team and outside experts responded quickly and that containment measures have so far been effective. Bajaj Auto has not disclosed the ransomware strain, whether data was stolen, or whether production was affected, and reported the incident to India's CERT-In. Its shares fell more than 2 percent, and the attack follows a separate breach at Tata Electronics.

Check
Manufacturers should review the resilience of production and IT systems against ransomware, confirm offline backups are tested, and watch for follow-on extortion or leaks tied to this and related Indian manufacturing attacks.
Affected
Bajaj Auto and its subsidiary Bajaj Auto Technology Limited; the strain, data impact, and operational effects are not yet disclosed, and the incident is part of a wider wave of ransomware hitting Indian manufacturers.
Fix
Maintain tested offline backups, segment IT from production networks, enforce phishing-resistant MFA and least privilege, and prepare incident-response and regulatory-notification plans before an attack, not during one.

Edgecution malicious Edge extension escapes the browser sandbox to plant a backdoor

Zscaler detailed Edgecution, a malicious Microsoft Edge extension used in ransomware-linked intrusions that abuses Chrome's native messaging feature, which normally lets extensions talk to desktop apps, to break out of the browser sandbox and run a Python backdoor on the host. The extension beacons to a command server and relays commands to the backdoor, giving attackers filesystem access and code execution, while running in a hidden headless browser to stay invisible. Attacks start with social engineering on Microsoft Teams, where the actor poses as IT support and directs employees to a fake "Outlook Updates" page. Researchers tie the activity to an access broker linked to the Payouts King ransomware operation.

Check
Review which browser extensions are installed across the organization and audit native messaging host registrations, and treat unsolicited Microsoft Teams messages from supposed IT support directing software installs as suspicious.
Affected
Organizations whose employees can install browser extensions and be reached by external Microsoft Teams messages; the technique escapes the browser sandbox to give attackers host-level access for ransomware staging.
Fix
Restrict browser extension installation through policy, control native messaging host configurations, lock down external Teams contact, and train staff to reject IT-support prompts pushing browser or software updates.

New Prinz Eugen ransomware breaches organizations via stolen RDP credentials

Researchers at ThreatDown have detailed a new ransomware operation called Prinz Eugen that breaks from convention in two ways: it prioritizes recently modified files for encryption, hitting the data victims most likely still need, and it leaves no ransom note on the system. The operators break in manually using stolen RDP credentials, deploy remote management tools, steal data for double extortion, and encrypt with a modern cipher combination. At least five victims have been identified, including South Africa's Standard Bank, where the attacker demanded one bitcoin and was refused. The lack of a ransom note can delay detection and complicate incident response.

Check
Review internet-exposed RDP and remote-access services for weak or reused credentials and missing MFA, and check for unauthorized remote management tools and unexpected encryption of recently modified files.
Affected
Organizations exposing RDP or remote access with weak authentication; Prinz Eugen has hit at least five victims so far, including financial institutions, entering through stolen RDP credentials and hands-on intrusion.
Fix
Require phishing-resistant MFA on all remote access, restrict and monitor RDP, control remote management tools through allowlisting, segment networks, and keep tested offline backups to recover without paying.

DragonForce ransomware hid command traffic inside Microsoft Teams for months

Symantec reports that DragonForce ransomware operators stayed hidden inside a major US services firm's network for up to two months by disguising their command-and-control traffic as ordinary Microsoft Teams activity. A new Go-based backdoor, Backdoor.Turn, grabs an anonymous Teams visitor token, routes through a legitimate Microsoft Teams relay server, and then tunnels to the attackers' real server, so defenders watching the network only see connections to genuine Microsoft infrastructure. It is the first known malware to abuse Teams relay servers this way. The attackers also used a custom malicious driver to disable defenses, and installed the backdoor after deploying ransomware, suggesting they kept access for a return visit or to resell.

Check
Hunt for anomalous QUIC and Teams-relay traffic and unexpected processes making Teams connections, and review hosts for suspicious drivers, new accounts, and weakened password or firewall settings.
Affected
Organizations targeted by DragonForce; because the backdoor blends into legitimate Microsoft Teams traffic, network monitoring alone may miss it, leaving internet-facing database servers and weak segmentation as entry points.
Fix
Patch internet-facing SQL and other servers, enforce least privilege and driver-signing controls, monitor for Teams-relay abuse and BYOVD activity, and maintain tested offline backups and network segmentation to limit ransomware impact.

The Gentlemen ransomware adds worm-like spread, tops 478 victims

The Gentlemen, a ransomware-as-a-service operation tracked by Microsoft as Storm-2697, has been upgraded with a self-spreading mode and now claims 478 victims across dozens of countries and industries. Written in Go and obfuscated to evade analysis, its optional --spread switch turns a single-machine infection into a network worm that deploys the encryptor to every reachable system, using stolen or reused credentials to move laterally. A --wipe switch destroys recoverable data and forensic traces. On each host it disables Defender, weakens firewall and authentication settings, and adds scheduled tasks for persistence. Initial access often comes through compromised Fortinet edge-device credentials.

Check
Hunt for The Gentlemen's persistence markers (scheduled tasks named UpdateSystem or UpdateUser, Run keys GupdateS and GupdateU), and audit Fortinet edge devices for compromised or reused credentials.
Affected
Windows-based organizations, plus Linux, NAS, BSD, and ESXi systems; networks with flat segmentation and shared credentials are most exposed to the worm-like lateral spread.
Fix
Enforce unique credentials and phishing-resistant MFA, segment networks to limit lateral movement, keep offline tested backups, patch and monitor Fortinet edge devices, and harden Defender against tampering.