Recent Ransomware and Malware Campaigns Targeting Organizations and Individuals
A surge in sophisticated cyberattacks has been observed, with threat actors employing a variety of tactics to compromise organizations and individuals. Notable incidents include the use of the BYOVD (Bring Your Own Vulnerable Driver) technique to deploy DeadLock ransomware, as well as targeted campaigns leveraging phishing emails with HR-related lures to distribute Remcos RAT malware. Additionally, attackers are exploiting popular movie torrents to spread Agent Tesla via layered PowerShell scripts, and Android users in Spain are being targeted by the DroidLock ransomware, which can hijack devices and demand ransom through full-screen overlays. These campaigns demonstrate a trend toward multi-stage infection chains, abuse of legitimate tools and drivers, and the use of social engineering to increase the likelihood of successful compromise.
Other significant developments include the targeting of Canadian organizations by the STAC6565/Gold Blade group using QWCrypt ransomware, and the emergence of new threat actor tactics such as disabling endpoint detection and response (EDR) systems to facilitate ransomware deployment. The threat landscape is further complicated by the activities of groups like Scattered Lapsus$ Hunters, who use social engineering and typosquatted domains to compromise Zendesk users, and the exposure of internal dynamics within ransomware groups like BlackBasta, revealing operational stress and internal mistrust. These incidents underscore the evolving nature of cyber threats, the blending of espionage and financial motives, and the increasing sophistication of both technical and social attack vectors.
Related Entities
Vulnerabilities
Sources
1 more from sources like knowbe4 blog
Related Stories
Ransomware and initial-access tradecraft evolves with new evasion and extortion techniques
Reporting and research published in mid-January 2026 highlights continued **high ransomware activity** and rapid evolution in initial-access and evasion tradecraft. A Symantec/Carbon Black Threat Hunter Team study cited by *Help Net Security* reports ransomware actors claimed **4,737 attacks in 2025**, with only brief slowdowns after major disruptions; the abrupt April 2025 shutdown of **RansomHub** was followed by affiliates quickly shifting to other operations, while **LockBit** failed to recover after late-2024 law-enforcement action. The same reporting notes a broader shift toward **extortion models that don’t rely on encryption**, emphasizing data theft and coercion as groups diversify pressure tactics. Multiple technical reports describe how attackers are improving delivery and resilience. *BleepingComputer* says **Gootloader** now uses heavily malformed ZIP files—concatenating **500–1,000** ZIP archives and manipulating ZIP structures (e.g., truncated `EOCD`)—to crash or defeat common analysis tools while still extracting via Windows’ default utility, supporting its role as an initial-access vector often preceding ransomware. *The Register* reports **DeadLock** ransomware uses **Polygon smart contracts** to frequently rotate proxy infrastructure for victim communications (via an HTML wrapper pointing victims to the *Session* messenger), complicating blocking and takedown efforts; Group-IB notes DeadLock also departs from typical double-extortion by lacking a public data-leak site and instead threatening underground data sales. Separately, Microsoft-observed phishing described by *KnowBe4* shows threat actors exploiting **email routing/spoofing misconfigurations** to make phishing appear internal (often leveraging **Tycoon2FA**), while ReliaQuest’s trend report and a separate write-up on **CastleLoader** describe human-driven initial access (spearphishing/drive-by) and social-engineering lures such as **ClickFix** being used to stage loaders and follow-on payloads—underscoring that access-broker and loader ecosystems continue to feed ransomware and broader intrusion activity.
2 months ago
Recent Ransomware Threats Targeting Organizations and Critical Sectors
Several new ransomware groups and campaigns have emerged, demonstrating increased sophistication and targeting a range of organizations globally. The SafePay group has established itself as a major threat by operating as a centralized, closed ransomware operation, eschewing the typical Ransomware-as-a-Service (RaaS) model. SafePay employs double extortion tactics, exfiltrating sensitive data before encrypting systems, and leverages rapid attack chains that often move from initial access to full encryption within 24 hours. Their methods include exploiting compromised credentials, misconfigured firewalls, and deploying backdoors for persistence, with a focus on operational security to avoid law enforcement detection. Other notable threats include the CrazyHunter ransomware, which has aggressively targeted healthcare organizations in Taiwan using advanced evasion techniques and multi-stage attacks that exploit Active Directory and propagate via Group Policy Objects. Meanwhile, the Ransomhouse group, operated by Jolly Scorpius, has upgraded its capabilities with a dual-key encryption system and automated attacks on VMware ESXi hypervisors, particularly focusing on German enterprises. These campaigns highlight a trend toward more targeted, technically advanced ransomware operations that prioritize both data theft and rapid system disruption, posing significant risks to critical infrastructure and sensitive industries.
2 months agoMultiple Ransomware and Malware Campaigns Resurface with Enhanced Capabilities
Several distinct malware and ransomware campaigns have resurfaced with new variants and advanced features, targeting organizations globally. The XWorm remote access trojan (RAT) has re-emerged in its version 6.0, now featuring a modular architecture that includes a ransomware plugin and advanced evasion techniques. This new version of XWorm is designed to bypass security defenses more effectively, increasing the risk of successful intrusions and data encryption. Meanwhile, the WARMCOOKIE malware has also returned after a previous takedown, now equipped with stealth handlers and utilizing expired command-and-control (C2) certificates to evade detection. The use of expired certificates is a novel tactic that complicates network monitoring and threat hunting efforts. In a separate development, the Russian-speaking Lunar Spider cybercriminal group has launched a new wave of ransomware attacks, leveraging the Latrodectus V2 loader to deliver their payloads. This loader is known for its sophisticated delivery mechanisms and ability to bypass traditional security controls. The Lunar Spider group’s campaign demonstrates a continued evolution in ransomware delivery, with a focus on maximizing infection rates and minimizing detection. Concurrently, ransomware groups Qilin and Gunra have been actively targeting South Korean organizations, with Qilin listing nine asset management firms and an engineering services company as victims, and Gunra compromising a gas manufacturing and supply company. These attacks highlight a trend of ransomware operators focusing on critical infrastructure and financial sectors in South Korea. The resurgence of these malware and ransomware families underscores the persistent threat posed by cybercriminal groups who continuously adapt their tools and techniques. Security researchers have observed that the modularity and stealth features in these new variants make them more challenging to detect and remediate. Organizations are advised to update their threat intelligence feeds and enhance monitoring for indicators of compromise associated with XWorm, WARMCOOKIE, and Latrodectus. The use of expired C2 certificates and advanced evasion tactics signals a shift in attacker methodologies, requiring defenders to adapt their detection strategies. The targeting of multiple sectors, including finance, engineering, and energy, demonstrates the broad scope of current ransomware campaigns. Incident response teams should be prepared for multi-stage attacks that leverage loaders like Latrodectus to deploy ransomware. The ongoing activity from groups such as Lunar Spider, Qilin, and Gunra indicates a high level of coordination and resourcefulness among threat actors. The rapid re-emergence of previously disrupted malware families suggests that takedown efforts may only provide temporary relief. Security teams should prioritize patching, network segmentation, and user awareness training to mitigate the risk of infection. Collaboration with threat intelligence providers can offer early warning of emerging threats and support proactive defense measures. The evolving landscape of ransomware and malware campaigns requires continuous vigilance and adaptation by defenders.
5 months ago