Last updated: July 5, 2026 at 9:01 AM UTC
Tag: wiper (2 articles)

Iranian intelligence (MOIS) behind LA Metro hack disguised as 'Ababil of Minab' hacktivists - hundreds of terabytes wiped

Israeli firm Gambit Security has forensically linked the late-March attack on the Los Angeles County Metropolitan Transportation Authority to Iran's Ministry of Intelligence and Security (MOIS), despite the attackers branding themselves as the pro-Iran hacktivist collective 'Ababil of Minab.' The group posted videos claiming it wiped hundreds of terabytes and stole over a terabyte of files. LA Metro confirmed the breach on April 2, 2026, and had to check hundreds of servers for compromise before bringing them back online. The case illustrates a recurring pattern of state operations wearing a hacktivist costume to provide deniability while targeting critical infrastructure.

Check
Critical-infrastructure and transit operators: treat 'hacktivist' claims of destructive attacks as possible state-operation cover. Hunt for wiper precursors and bulk-deletion activity. Validate offline backup integrity.
Affected
US critical infrastructure, especially transit authorities. Iran's MOIS uses fake-hacktivist fronts (here, Ababil of Minab) to claim destructive attacks while preserving deniability.
Fix
Maintain tested offline backups resilient to wipers. Segment OT/IT networks. Monitor for mass-deletion and destructive commands. Coordinate with CISA and ISACs on Iranian APT indicators.

Broken VECT 2.0 ransomware is silently destroying any file larger than 131 KB on Windows, Linux, and ESXi - paying the ransom recovers nothing

Researchers found a serious bug in VECT 2.0, a new ransomware family making the rounds: the encryption routine corrupts any file larger than about 131 KB instead of encrypting it reversibly. Files smaller than the threshold encrypt and decrypt normally; everything bigger gets permanently destroyed. Operators don't seem to know yet, so victims who pay get a working decryption tool that recovers small files and tells them the large ones are 'corrupted' - which they are, because VECT broke them on the way in. The bug affects Windows, Linux, and VMware ESXi variants. Any large file on a VECT 2.0-hit system is irrecoverable regardless of whether the ransom is paid.

Check
Make sure every host that handles documents, databases, or virtual machine images has tested, off-network backups - because if VECT 2.0 hits, restore from backup is your only path.
Affected
Any Windows, Linux, or VMware ESXi system with unpatched or exposed RDP, SMB, or VPN services, which VECT 2.0 operators are using for initial access. The 131 KB threshold catches almost everything important: Office documents, PDFs, databases, virtual machine disks, source code repos. Small config files survive, which makes the attack look partially recoverable until victims realize the scope.
Fix
Verify backups are off-network (immutable storage, air-gapped tape, S3 object lock) and test restore for at least one large file from each business-critical system. If hit by VECT 2.0, do not pay the ransom - large files cannot be recovered even if the operator delivers a working decryption tool. Restore from clean backup. Watch for VECT 2.0 indicators in EDR feeds; the bug may be patched in future versions.