Ransomware

The Qilin ransomware group has claimed a new victim, Commune d'Eyguires (www.eyguieres.org), a public sector entity in France, employing their Golang-based ransomware and double extortion tactics, leading to data encryption and potential public release of exfiltrated information.

The Gentlemen ransomware, operated by Storm-2697 as a RaaS, employs a combination of strong per-file encryption with aggressive self-propagation to achieve broad network compromise, targeting Windows environments and using double extortion tactics.

The 2026 FIFA World Cup faces significant cyber threats from ransomware groups, state-aligned entities like Iran-nexus Handala Hack Team and Russia-nexus NoName057(16), and financially motivated cybercriminals, anticipating disruptive intrusions, large-scale criminal fraud, and politically driven DDoS and hack-and-leak operations targeting fans, hospitality services, and tournament infrastructure.

Cyber extortion is increasingly relying on data theft rather than ransomware encryption, with threat actors like Bling Libra and TGR-CRI-1135 leveraging techniques like vishing and software supply chain compromise, fueled by regulatory compliance pressures and the impending weaponization of frontier AI models.

Microsoft disrupted SignSpaceCloud, a Russian cybercrime service providing code signing certificates to malware and ransomware operators, while European governments are shifting from Signal and WhatsApp due to phishing and data sovereignty risks, and the Fast16 malware targeted Iran's nuclear program.

Ransomware-as-a-service (RaaS) attacks leverage affiliates for initial access, persistence, and exfiltration, using varied techniques like compromised RDP, vulnerable VPNs, and rogue RMM tools, impacting multiple organizations in a single campaign.

Microsoft disrupted Fox Tempest, a threat actor running a malware-signing-as-a-service (MSaaS) that abuses Microsoft Artifact Signing to generate short-lived code-signing certificates used to sign malware disguised as legitimate software, delivering ransomware and various information stealers to victims across multiple sectors.

The WantToCry ransomware exploits exposed SMB services via brute-force for initial access, then exfiltrates files for remote encryption, rewriting the encrypted files to the original locations, demanding ransom payments from $400 to $1,800.

Kaspersky's Q1 2026 report highlights trends in malware targeting Windows, macOS, and IoT devices, including the exploitation of CVE-2026-20131 in Cisco Secure FMC firewalls and the rise of new ransomware variants and mining activities.

Detects the use of PowerShell to delete volume shadow copies, a tactic commonly employed by ransomware and other destructive attacks to hinder data recovery efforts.

The rule identifies the creation of files resembling ransomware notes via SMB, potentially indicating a remote ransomware attack on Windows systems.

Detection of a suspicious file rename operation following an incoming SMB connection, potentially indicating a remote ransomware attack via the SMB protocol, targeting Windows hosts.

VECT 2.0 ransomware, a RaaS offering, permanently destroys large files due to an encryption flaw, discarding decryption nonces for files above 128 KB, rendering them unrecoverable and effectively acting as a wiper; it uses raw ChaCha20-IETF with no authentication.

Trigona ransomware is using a custom data exfiltration tool named 'uploader_client.exe' to steal data from compromised environments, enhancing speed and evasion.

The Payouts King ransomware is leveraging QEMU VMs as a reverse SSH backdoor to execute payloads, store malicious files, and establish covert remote access tunnels, bypassing endpoint security measures.

Threat actors are weaponizing legitimate SaaS notification pipelines to deliver phishing and spam emails, bypassing traditional email authentication protocols, and Storm-1175 is exploiting CVE-2026-1731 to deploy Medusa ransomware.

Qilin ransomware employs a malicious msimg32.dll in a multi-stage infection chain to disable endpoint detection and response (EDR) solutions by evading detection and terminating EDR processes.

The M-Trends 2026 report highlights the increasing sophistication of threat actors, including voice phishing attacks targeting SaaS environments, ransomware groups actively destroying recovery capabilities, and espionage groups exploiting edge devices for persistent access, revealing a shift towards faster hand-offs between initial access brokers and ransomware deployers.

The Interlock ransomware campaign is targeting enterprise firewalls to encrypt sensitive data and demand ransom payment.

The Warlock group utilizes web shells and tunneling to deploy ransomware within compromised environments, impacting victim data confidentiality and availability.

CVE-2023-46604 is a remote code execution vulnerability affecting Apache ActiveMQ that is actively exploited in the wild by ransomware operators, allowing remote attackers to execute arbitrary shell commands.

Attackers can leverage sqlcmd.exe or PowerShell commands like Invoke-Sqlcmd to access Veeam credentials stored in MSSQL databases, potentially targeting backups for destructive operations such as ransomware attacks.

A relative path traversal vulnerability in JetBrains TeamCity (CVE-2024-27199) could allow limited administrative actions and has been linked to ransomware attacks.

This rule detects potential ransomware behavior by identifying the creation of multiple files with the same name over SMB by the SYSTEM account, potentially indicating remote execution of ransomware dropping note files.

Detection of PowerShell scripts employing ShareFinder functions or Windows share enumeration APIs to discover accessible network shares for reconnaissance, lateral movement, or ransomware deployment.

Analysis of Mac malware from 2016 including KeRanger ransomware, Keydnap backdoor and credential stealer, and the Eleanor PHP-based backdoor, highlighting their infection vectors and persistence mechanisms.

Detection of the 'wevtutil.exe' command-line utility being used to disable event logs, a common tactic employed by ransomware actors to evade detection and hinder forensic analysis on compromised Windows systems.

This detection identifies the deletion of backup files by processes outside of the backup suite, specifically targeting Veritas and Veeam backups, which may indicate an attempt to prevent recovery from ransomware.

This brief outlines a method for generically detecting ransomware on macOS by monitoring file I/O events and identifying the rapid creation of encrypted files by untrusted processes, as proposed by Objective-See.

An attacker modifies the Windows Registry key 'DisableAntiSpyware' to disable Windows Defender, a technique commonly associated with Ryuk ransomware to evade defenses.

This search detects the creation of a .key file in the root directory of the system drive, an activity associated with ransomware execution before file encryption.

Detection of 'netsh' command execution to enable network discovery in the firewall, a technique commonly used by ransomware such as REvil and RedDot to discover and compromise additional machines on the network.

Detection of adversaries deleting the Raccine Rules Updater scheduled task via `schtasks.exe` to disable the ransomware protection tool, potentially leading to data encryption and loss.

CVE-2023-27351 is an improper authentication vulnerability in PaperCut NG/MF that allows remote attackers to bypass authentication via the SecurityRequestFilter class, leading to potential ransomware deployment.

This analytic detects the modification of Windows Firewall settings to enable file and printer sharing, a common technique used by ransomware to facilitate lateral movement and broader network encryption.

This detection identifies changes to the VIB (vSphere Installation Bundle) acceptance level on an ESXi host, potentially allowing the installation of unsigned or unverified software and lowering the system's integrity enforcement.

This detection identifies when the ESXi firewall is disabled or set to permissive mode, potentially exposing the host to unauthorized access and network-based attacks, often preceding lateral movement, data exfiltration, or malware installation.

Attackers may disable Event Tracing for Windows (ETW) by modifying specific registry keys to evade detection and hinder security monitoring, potentially leading to further system compromise.

Attackers disable the Antimalware Scan Interface (AMSI) by modifying the Windows registry value 'AmsiEnable' to '0x00000000' to evade detection, commonly employed by ransomware, RATs, and APTs.