#raas


Unmasking the new Chaos RaaS group attacks

Cisco Talos Incident Response has observed attacks by Chaos, a new ransomware-as-a-service group conducting big-game hunting and double extortion attacks. The group uses spam flooding, voice-based social engineering, RMM tool abuse, and legitimate file-sharing software for data exfiltration. Their ransomware employs multi-threaded rapid selective encryption and anti-analysis techniques, targeting both local and network resources. Chaos is likely formed by former BlackSuit (Royal) gang members, based on similarities in encryption methodology, ransom note structure, and toolset. The group has impacted various business verticals, predominantly in the U.S., UK, New Zealand, and India. They use the '.chaos' file extension and demand ransoms around $300K, threatening data disclosure and DDoS attacks if not paid.

Pulse ID: 68b1c325bd3b4a24b371dd29
Pulse Link: otx.alienvault.com/pulse/68b1c
Pulse Author: AlienVault
Created: 2025-08-29 15:11:33

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

BQTLOCK Ransomware-as-a-Service Emerges as a Sophisticated Cybercrime Tool

BQTLock is a newly emerged Ransomware-as-a-Service (RaaS), tied to ZerodayX of the pro-Palestinian group Liwaa Mohammed.

Pulse ID: 68a90698ae03099dfa5b86cf
Pulse Link: otx.alienvault.com/pulse/68a90
Pulse Author: cryptocti
Created: 2025-08-23 00:08:56


Tracking GLOBAL GROUP Ransomware from Mamona to Market Scale

A new ransomware actor, GLOBAL GROUP, emerged on the Ramp4u cybercrime forum in June 2025, claiming to offer a fresh Ransomware-as-a-Service (RaaS) platform. However, forensic evidence reveals that GLOBAL is a rebranded continuation of the Mamona RIP and Black Lock ransomware families. The ransomware, built in Golang, supports cross-platform execution and uses ChaCha20-Poly1305 encryption. It features a dual-portal model for leak site viewing and negotiations, with an AI-powered chatbot for automated communication. The group's infrastructure mistakes exposed backend SSH credentials and real IP addresses. GLOBAL relies on Initial Access Brokers for network infiltration and offers a full-featured affiliate portal for custom payload generation.

Pulse ID: 68a7465dffe0f0d5bcc3161b
Pulse Link: otx.alienvault.com/pulse/68a74
Pulse Author: AlienVault
Created: 2025-08-21 16:16:29


@amvinfe got Qilin on the record with a response to accusations by "hastalamuerte" and "Nova." And when Qilin didn't like his reporting and conclusions, they gave him yet another statement.

suspectfile.com/qilin-responds

I especially admired their description of themselves, "This is an honest name!" (is there an emoji for smothering laughter?)

I'm just surprised they didn't challenge Marco's statement about their "Call Lawyer" feature.

❓Got questions about Ransomware-as-a-Service (#RaaS)? Perhaps you're wondering how the RaaS model works? Or, what the different extortion categories are? Or, maybe you'd like to see some real-life examples of RaaS groups?

If so, we've got the perfect resource for you! 🫵 Take a look at the "Beginner’s Guide to Ransomware-as-a-Service" and learn how Ransomware-as-a-Service works, as well as some best practices for mitigating #ransomware risks. 👍

With insight into how Ransomware-as-a-Service works, #security teams can implement additional controls to mitigate risk. 🙌

graylog.org/post/a-beginners-g #cybersecurity #cybercrime

DragonForce has been claiming that it's creating this whole cartel and they're getting a lot of responses/inquiries about it. But does anyone else think it's odd that RansomHub and BianLian just disappeared without any announcement of closing or merger?

And I see Everest Team is back, but with a different leak site and without all of their previous data.

Are things really like DragonForce claims or is there a less friendly explanation?

#ESETresearch discovered previously unknown links between the #RansomHub, #Medusa, #BianLian, and #Play ransomware gangs, and leveraged #EDRKillShifter to learn more about RansomHub’s affiliates. @SCrow357 welivesecurity.com/en/eset-res
RansomHub emerged in February 2024 and in just three months reached the top of the ransomware ladder, recruiting affiliates from disrupted #LockBit and #BlackCat. Since then, it dominated the ransomware world, showing similar growth as LockBit once did.
Previously linked to North Korea-aligned group #Andariel, Play strictly denies operating as #RaaS. We found its members utilized RansomHub’s EDR killer, EDRKillShifter, multiple times during their intrusions, meaning some members likely became RansomHub affiliates.
BianLian focuses on extortion-only attacks and does not publicly recruit new affiliates. Its access to EDRKillShifter suggests a similar approach as Play – having trusted members, who are not limited to working only with them.
Medusa, same as RansomHub, is a typical RaaS gang, actively recruiting new affiliates. Since it is common knowledge that affiliates of such RaaS groups often work for multiple operators, this connection is to be expected.
Our blogpost also emphasizes the growing threat of EDR killers. We observed an increase in the number of such tools, while the set of abused drivers remains quite small. Gangs such as RansomHub and #Embargo offer their killers as part of the affiliate program.
IoCs available on our GitHub: github.com/eset/malware-ioc/tr