This article analyzes a malicious Visual Studio Code extension that implements ransomware-like behavior. It highlights how the extension encrypts files, uploads sensitive data, and communicates with a command and control server via a private GitHub repository. The piece questions how such obvious malware passed the marketplace review.
Ransomware gangs are actively exploiting the VMware ESXi flaw CVE-2025-22225, which allows attackers to escape the VMX sandbox. Researchers found evidence of a toolkit used in these attacks, indicating that the vulnerabilities were known to the threat actors long before their public disclosure. CISA has confirmed the flaw's involvement in ongoing ransomware incidents.
The Apache Software Foundation rejected the Akira ransomware gang's assertion that they stole 23 GB of data from OpenOffice, including sensitive employee and financial information. Apache insists it does not have the data claimed and found no evidence of a breach.
A report from At-Bay reveals that organizations using Cisco and Citrix VPNs are nearly seven times more likely to experience ransomware attacks compared to those without VPNs. The findings suggest that the complexity of these devices can lead to security vulnerabilities, emphasizing the need for companies to consider cloud-based solutions.
A serious vulnerability in 7-Zip, tracked as CVE-2025-11001, allows attackers to execute arbitrary code by exploiting how older versions handle ZIP files. Although active exploitation hasn't been seen yet, a public proof-of-concept increases the risk of future attacks, especially on Windows systems with privileged accounts. Users must manually update to version 25.01 to mitigate the threat.
This article details TangleCrypt, a new Windows malware packer linked to a ransomware attack. It discusses its methods for hiding payloads and the flaws in its implementation that may lead to crashes. Key features include its use of multiple encoding layers and basic anti-analysis techniques.
Researchers found that Sicarii ransomware has a decryption flaw, rendering victims' data unrecoverable even if they pay the ransom. The malware generates a new RSA key pair for each attack and discards the private key, leaving no viable recovery option. Caution is advised for organizations considering ransom payments.
Researchers at Huntress report a 700% increase in ransomware attacks targeting hypervisors, particularly by the Akira group. These attacks exploit vulnerabilities in hypervisor security, allowing criminals to bypass traditional defenses and compromise virtual machines. Admins are urged to enhance security measures, including multi-factor authentication and patching.
Researchers found a phishing campaign using Phorpiex malware to spread Global Group ransomware. The attack employs deceptive file names to trick users into downloading a Windows shortcut that encrypts files offline, making recovery nearly impossible. It also erases backup files to cover its tracks.
The LockBit 4.0 leak provides critical insights into the chaotic nature of ransomware-as-a-service (RaaS) groups, revealing that many affiliates operate without oversight and often act unpredictably. This disorganization complicates defenses and incident response efforts, emphasizing the necessity of proactive preparation over negotiation. The evolving landscape suggests increasing fragmentation among ransomware groups, making them harder to attribute and defend against.
Everest ransomware has claimed a small breach involving Mailchimp, where the attackers accessed a limited number of accounts. The incident highlights ongoing vulnerabilities in email marketing platforms and raises concerns about user data security. Mailchimp is working to address the breach and enhance security measures to protect its users.
Cloudflared is a tunneling application that allows secure remote access to hosts and deployment of web applications without exposing them to the internet. However, it has also been misused by ransomware groups for maintaining unauthorized access within compromised environments. The article discusses various detection methods for identifying malicious Cloudflared instances, including analyzing account IDs and monitoring for anomalous activities.
UAP has confirmed a ransomware attack that compromised personal data and email correspondence of its users. The breach raises concerns over data security and the potential misuse of sensitive information. UAP is currently investigating the incident and taking measures to enhance security protocols.
A credential harvesting campaign targeting ScreenConnect super administrators has been identified, leveraging low-volume spear phishing tactics with the EvilGinx framework. The operation aims to capture super admin credentials for potential ransomware deployment, utilizing sophisticated techniques to bypass traditional security measures. Mimecast has implemented protective measures and recommends user education and technical controls to mitigate the threat.
ShadowCrypt is a project that enhances ransomware protection by camouflaging files with system-like extensions and hiding them in system directories, utilizing Windows shortcut files for easy access. It builds upon research from the paper "Hiding in the Crowd" and offers improved functionalities such as streamlined hiding processes, versatile recovery options, and integration with the right-click context menu for user convenience. The project aims to provide a cost-effective and user-friendly solution for secure file management on Windows systems.
ShinyHunters has launched a new data leak site called Trinity of Chaos, targeting organizations that have fallen victim to ransomware attacks. This site aims to publicly expose sensitive information, continuing the group's trend of high-profile data breaches and data leaks, particularly in the wake of recent ransomware incidents affecting various sectors.
A significant cyberattack has targeted a major grocery chain, disrupting operations and raising concerns about the security of the company's systems. The incident highlights the growing threat of ransomware and the vulnerabilities within the retail sector. Investigations are ongoing to assess the full impact and prevent future attacks.
The State Bar of Texas has reported a data breach after the INC ransomware gang claimed responsibility and leaked samples of stolen data. The breach occurred between January 28 and February 9, 2025, but was only discovered on February 12, leading to notifications sent to affected members and the offer of credit monitoring services.
Manpower confirmed that a ransomware attack on its Lansing franchise resulted in the theft of personal information from 144,189 individuals. The breach, attributed to the RansomHub extortion group, involved unauthorized access to sensitive data, prompting the company to offer affected individuals credit monitoring services. ManpowerGroup maintains that its corporate systems were not compromised and is supporting the franchise in its response to the incident.
Detecting ransomware in Amazon S3 is complex due to the limitations of existing logging tools and the default configurations of AWS services. The article outlines various ransomware techniques, their detection methods, and the necessary logging configurations to improve security against such threats. It also introduces YES3, an open-source tool designed to help identify S3 access issues and enhance ransomware prevention controls.
SonicWall is investigating a surge of ransomware incidents affecting its Gen 7 firewalls, linked to a potential zero-day vulnerability in its SSL VPN services. The company is collaborating with third-party threat research teams to assess the situation and has advised customers to disable SSL VPN services where feasible and implement security measures to mitigate risks. Previous attacks have exploited similar vulnerabilities, highlighting ongoing concerns about the security of SonicWall's products.
As of Q3 2025, the cyber extortion landscape is marked by a divergence between volume-driven Ransomware-as-a-Service (RaaS) targeting mid-market companies and costly targeted attacks on larger enterprises. Insider threats are emerging as a significant concern, with cases of bribing employees for network access to facilitate ransomware attacks becoming more prevalent. Despite a decline in ransom payments and rates, the necessity for organizations to enhance their cybersecurity measures and insider threat programs is underscored.