Ransomware

Trigona ransomware is using a custom data exfiltration tool named 'uploader_client.exe' to steal data from compromised environments, enhancing speed and evasion.

The Payouts King ransomware is leveraging QEMU VMs as a reverse SSH backdoor to execute payloads, store malicious files, and establish covert remote access tunnels, bypassing endpoint security measures.

Threat actors are weaponizing legitimate SaaS notification pipelines to deliver phishing and spam emails, bypassing traditional email authentication protocols, and Storm-1175 is exploiting CVE-2026-1731 to deploy Medusa ransomware.

Qilin ransomware employs a malicious msimg32.dll in a multi-stage infection chain to disable endpoint detection and response (EDR) solutions by evading detection and terminating EDR processes.

The M-Trends 2026 report highlights the increasing sophistication of threat actors, including voice phishing attacks targeting SaaS environments, ransomware groups actively destroying recovery capabilities, and espionage groups exploiting edge devices for persistent access, revealing a shift towards faster hand-offs between initial access brokers and ransomware deployers.

The Interlock ransomware campaign is targeting enterprise firewalls to encrypt sensitive data and demand ransom payment.

The Warlock group utilizes web shells and tunneling to deploy ransomware within compromised environments, impacting victim data confidentiality and availability.

CVE-2023-46604 is a remote code execution vulnerability affecting Apache ActiveMQ that is actively exploited in the wild by ransomware operators, allowing remote attackers to execute arbitrary shell commands.

Attackers can leverage sqlcmd.exe or PowerShell commands like Invoke-Sqlcmd to access Veeam credentials stored in MSSQL databases, potentially targeting backups for destructive operations such as ransomware attacks.

A relative path traversal vulnerability in JetBrains TeamCity (CVE-2024-27199) could allow limited administrative actions and has been linked to ransomware attacks.

This rule detects potential ransomware behavior by identifying the creation of multiple files with the same name over SMB by the SYSTEM account, potentially indicating remote execution of ransomware dropping note files.

Detection of PowerShell scripts employing ShareFinder functions or Windows share enumeration APIs to discover accessible network shares for reconnaissance, lateral movement, or ransomware deployment.

The execution of `wevtutil.exe` with parameters to disable event logs is a tactic commonly employed by ransomware to evade detection and hinder forensic investigations, leading to a significant reduction in visibility for defenders.

This detection identifies the deletion of backup files by processes outside of the backup suite, specifically targeting Veritas and Veeam backups, which may indicate an attempt to prevent recovery from ransomware.

CVE-2023-27351 is an improper authentication vulnerability in PaperCut NG/MF that allows remote attackers to bypass authentication via the SecurityRequestFilter class, leading to potential ransomware deployment.