A Ransom-ISAC case study, built from a leaked negotiation chat and the blockchain trail, reconstructs how a US government entity quietly paid about $1 million to an extortion group called Kairos to keep stolen files from being published. Notably, Kairos never encrypted anything: there was no locker and no decryption key, just theft and the threat to leak, with special pressure applied to a folder of prosecutors' records. The month-long negotiation fell from a $3 million demand to a $1 million payment. The case reflects a broader shift, with roughly half of recent extortion now skipping encryption entirely, since data theft alone provides enough leverage.
Blackpoint Cyber documented Avalon, a previously undocumented modular malware framework that pulls credential theft, lateral movement, remote access, backup disruption, and ransomware into one toolkit, with its ransomware component named CrownX. The attack starts with a spoofed legal-document email pointing to a password-protected archive on Proton Drive. Inside is an ISO image rather than a direct attachment, which helps it slip past email scanning, and opening a document-themed Windows shortcut inside the mounted image kicks off the infection chain. By combining evasive delivery with a full attack toolkit under one roof, Avalon lets operators run an intrusion from initial access through data theft to encryption.
Security firm Sysdig says it found what it believes is the first ransomware attack carried out from start to finish by an AI agent. The operator, which Sysdig calls JADEPUFFER, used a large language model to handle the whole job: breaking in, stealing credentials, moving through the network, then encrypting and wiping a company's production database. The way in was an old, already-patched flaw in Langflow, an open-source tool for building AI apps that is often left exposed online with cloud keys nearby. Once inside, the agent mapped the machine and swept it for secrets, including API keys for AI services and credentials for major cloud providers, before destroying data.
Dark Reading reports a ransomware campaign that leans on impersonating Interpol to pressure small businesses, using straightforward social engineering rather than sophisticated tooling. By dressing up their demands as communications from the international police organization, the attackers try to intimidate owners and staff who may lack dedicated security teams into believing they are in legal trouble and paying up. The campaign spans several regions, including the United States, Europe, and the Middle East. It is a reminder that authority-themed impersonation remains effective against smaller organizations, where a convincing-looking notice can short-circuit normal caution and verification.
CISA has updated its Known Exploited Vulnerabilities catalog to warn that ransomware gangs are now exploiting BlueHammer, a Microsoft Defender privilege-escalation flaw. The bug (CVE-2026-33825) lets a local attacker who already has a foothold escalate to SYSTEM by abusing Defender's file-remediation logic, giving them access to password hashes and the control needed to disable defenses and prepare systems for encryption. It was leaked with proof-of-concept code by a researcher in early April as a protest over Microsoft's disclosure process, exploited as a zero-day, then patched on April 14. It cannot be used for remote compromise on its own, but it strengthens attackers after initial access.
Bajaj Auto, one of India's largest makers of motorcycles and three-wheelers, has disclosed a ransomware attack that hit its systems and those of its wholly owned subsidiary Bajaj Auto Technology Limited on the morning of June 23. In a regulatory filing, the company said its technical team and outside experts responded quickly and that containment measures have so far been effective. Bajaj Auto has not disclosed the ransomware strain, whether data was stolen, or whether production was affected, and reported the incident to India's CERT-In. Its shares fell more than 2 percent, and the attack follows a separate breach at Tata Electronics.
Zscaler detailed Edgecution, a malicious Microsoft Edge extension used in ransomware-linked intrusions that abuses Chrome's native messaging feature, which normally lets extensions talk to desktop apps, to break out of the browser sandbox and run a Python backdoor on the host. The extension beacons to a command server and relays commands to the backdoor, giving attackers filesystem access and code execution, while running in a hidden headless browser to stay invisible. Attacks start with social engineering on Microsoft Teams, where the actor poses as IT support and directs employees to a fake "Outlook Updates" page. Researchers tie the activity to an access broker linked to the Payouts King ransomware operation.
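As an added defender-side check (my example, not code from Zscaler's report), the PowerShell below enumerates the native messaging hosts registered for Microsoft Edge, the mechanism Edgecution abuses, and flags hosts whose executable is a script interpreter or lives in a commonly user-writable path. The registry locations and manifest fields are Edge's documented ones; the flagging heuristics are assumptions of mine, not indicators from the report.

```powershell
# Added example: audit native messaging hosts registered for Microsoft Edge.
# A native messaging host is a desktop program an extension may launch over stdio;
# each registration is a registry key whose default value points at a JSON manifest.
$roots = @(
    'HKCU:\Software\Microsoft\Edge\NativeMessagingHosts',
    'HKLM:\SOFTWARE\Microsoft\Edge\NativeMessagingHosts'
)
# Heuristics (assumed, not from the report): script interpreters and user-writable locations
$interpreters = 'python\.exe|pythonw\.exe|powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe'
$userWritable = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'

function Get-EdgeNativeHostAudit {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $manifestPath = (Get-ItemProperty -Path $key.PSPath).'(default)'
            if (-not $manifestPath -or -not (Test-Path $manifestPath)) {
                [pscustomobject]@{ Hive = $root; HostName = $key.PSChildName; HostPath = '<manifest missing>'; Origins = ''; Flags = 'manifest-missing' }
                continue
            }
            $m = Get-Content -Raw -Path $manifestPath | ConvertFrom-Json
            # The manifest "path" may be relative to the manifest's own directory.
            $hostPath = $m.path
            if ($hostPath -and -not [IO.Path]::IsPathRooted($hostPath)) {
                $hostPath = Join-Path (Split-Path -Parent $manifestPath) $hostPath
            }
            $flags = @()
            if ($hostPath -match $interpreters) { $flags += 'script-interpreter' }
            if ($hostPath -match $userWritable) { $flags += 'user-writable-path' }
            if ($root -like 'HKCU:*')          { $flags += 'per-user-registration' }  # needs no admin rights
            [pscustomobject]@{
                Hive     = $root
                HostName = $m.name
                HostPath = $hostPath
                Origins  = ($m.allowed_origins -join ', ')   # extension IDs allowed to launch this host
                Flags    = ($flags -join ',')
            }
        }
    }
}

Get-EdgeNativeHostAudit | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Legitimate hosts (password managers, for instance) will appear too; the value is in comparing the Origins column against the extension IDs your organization actually allows.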
Researchers at ThreatDown have detailed a new ransomware operation called Prinz Eugen that breaks from convention in two ways: it prioritizes recently modified files for encryption, hitting the data victims most likely still need, and it leaves no ransom note on the system. The operators break in manually using stolen RDP credentials, deploy remote management tools, steal data for double extortion, and encrypt with a modern cipher combination. At least five victims have been identified, including South Africa's Standard Bank, where the attacker demanded one bitcoin and was refused. The lack of a ransom note can delay detection and complicate incident response.
Symantec reports that DragonForce ransomware operators stayed hidden inside a major US services firm's network for up to two months by disguising their command-and-control traffic as ordinary Microsoft Teams activity. A new Go-based backdoor, Backdoor.Turn, grabs an anonymous Teams visitor token, routes through a legitimate Microsoft Teams relay server, and then tunnels to the attackers' real server, so defenders watching the network only see connections to genuine Microsoft infrastructure. It is the first known malware to abuse Teams relay servers this way. The attackers also used a custom malicious driver to disable defenses, and installed the backdoor after deploying ransomware, suggesting they kept access for a return visit or to resell.
The Gentlemen, a ransomware-as-a-service operation tracked by Microsoft as Storm-2697, has been upgraded with a self-spreading mode and now claims 478 victims across dozens of countries and industries. Written in Go and obfuscated to evade analysis, its optional --spread switch turns a single-machine infection into a network worm that deploys the encryptor to every reachable system, using stolen or reused credentials to move laterally. A --wipe switch destroys recoverable data and forensic traces. On each host it disables Defender, weakens firewall and authentication settings, and adds scheduled tasks for persistence. Initial access often comes through compromised Fortinet edge-device credentials.