Bell Ambulance and Alabama Ophthalmology Associates have suffered data breaches affecting over 100,000 people after being targeted in ransomware attacks.
The post Two Healthcare Orgs Hit by Ransomware Confirm Data Breaches Impacting Over 100,000 appeared first on SecurityWeek.
SecurityWeek – Read More
Transnational organized crime groups in East and Southeast Asia are spreading their lucrative scam operations across the globe, according to a UN report.
The post UN Researchers Warn That Asian Scam Operations Are Spreading Across the Rest of the World appeared first on SecurityWeek.
SecurityWeek – Read More
Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new…
Hackread – Latest Cybersecurity, Hacking News, Tech, AI & Crypto – Read More
For our third focussed topic for Talos’ 2024 Year in Review, we tell the story of how identity has become the pivot point for adversarial campaigns.
The main themes of this story are credential abuse, Active Directory exploits, and MFA workarounds. Valid account details was the #1 way attackers got in, and nearly half of identity attacks involved poking at AD. We also look at common MFA missteps (like no enrollment or misconfigured policies) and break down how attackers are bypassing protections with techniques like push fatigue and password spraying.
Take a look at this short but data-rich overview of identity attacks. For defenders, it may be able to help you to identify gaps in MFA implementations, understand the operational tradecraft attackers are using post-authentication, and how to align your defenses with what’s being seen in the wild.
For a 60 second overview, have a watch of this video:
For the full analysis, download Talos’ 2024 Year in Review today.
Cisco Talos Blog – Read More
Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X.
There’s no shortage of ransomware these days. It’s everywhere, lurking in email attachments, hiding in cracked software, and making headlines almost daily. While some ransomware groups vanish or rebrand, new names step in to take their place, keeping security teams in a constant state of alert.
One of the latest strains making the rounds is PE32 Ransomware, a newcomer that’s quickly gaining attention online, including on Twitter. Despite its amateur execution, it manages to encrypt files, communicate over Telegram, and cause real damage.
In this report, Mauro Eldritch takes a closer look at how PE32 works, how it communicates, and why its chaotic behavior still poses a real threat.
When executed, the sample waits for the operator’s input to determine whether it should encrypt only the folder where it was dropped or the entire system (see Image 2).
However, regardless of this selection, it immediately starts noisily encrypting the most visible locations, such as the desktop, appending the .pe32s extension (see Image 3).
Instead of dropping a ransom note directly onto the Desktop (as most ransomware does), PE32 creates a folder named PE32-KEY in the root of the C: drive. This folder contains several internal files used during execution:
The ransom note stands out for its two-tiered payment model: one fee to unlock encrypted files, and another to prevent stolen data from being leaked. This approach differs from most ransomware strains, which typically bundle both into a single payment.
Prices vary widely:
Victims are instructed to reach out via Telegram. If that fails, the attackers provide a Gmail address as a backup contact method, another sign of their operational inexperience.
Once PE32 finishes prompting the attacker for encryption scope, it hides its process window and shifts to background mode. From there, it begins broadcasting its activity to a hardcoded Telegram group via the Bot API.
The first message looks like this:
”[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:44:39] []
NEW RUN ID: 58994073AC147486]”If using Telegram as a C2 channel wasn’t already an OPSEC disaster, the actors also expose their Bot Token and Group Chat ID.
The malware then begins reporting its lifecycle to the Telegram group, detailing every step of its execution, as seen below:[Text Wrapping Break]
“[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:45:07] [58994073AC147486]
Staring UltraFast Round C:\”PE32 struggles to process certain files (or their extensions—misspelled as “extentions” in its messages):
“[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:47:08] [58994073AC147486]
Unknown Extentions:
[...]
odbc: 1 0MB
en_gb_e: 1 0MB
fr_fr_p: 1 0MB
xls4: 1 0MB
xls6: 1 0MB
xsx: 1 0MB
nettcp: 1 0MB
xls8: 1 0MB
access: 1 0MB”The encryption cycle concludes with three messages. The first one confirms that the “UltraFast” cycle has been completed, followed by two more messages indicating that the “Fast” and “Slow” cycles have also finished successfully.
“[PE32 v4.0.1] [Armin] [Thu, 20 Feb 2025 17:47:08] [58994073AC147486]
UltraFast Compeleted C:\”
With no observable DNS or HTTP requests, we can confirm that this strain of PE32 Ransomware relies exclusively on Telegram Bots for communication. This tactic is commonly observed in the MaaS scene, particularly with certain Stealers, but is rarely used in the RaaS ecosystem.
ANY.RUN’s Interactive Sandbox provides a CFG extraction function, allowing analysts to inspect the malware’s internal configuration. Unsurprisingly, the Telegram Bot Token is scattered throughout the code, making it trivially easy to trace the adversarial infrastructure—it’s almost impossible to miss, even by accident.
Armed with this token, anyone can easily flood the attacker’s C2 with fake requests or worse, use the bot’s key to impersonate the bot and send messages to any Telegram user.
By feeding the bot token into third-party tools like Matkap, threat hunters can automate the retrieval of all data exchanged through the bot, ranging from communications to encrypted files, and even victims’ encryption or decryption keys, as long as they were sent to or received from the bot.
Beyond its network behavior, PE32 operates like a typical ransomware strain. It collects system information such as the computer’s GUID, hostname, software policy settings, and supported languages, a common technique used to avoid infecting machines in specific regions, likely to minimize legal consequences.
PE32’s untidy nature makes it somewhat difficult to read and profile. For instance, it places a file named “pe32lockfile.lock” in every locked folder, likely as a flag indicating “I was here already.”
But when dropping the “pe32lockfile.lock” file in directories like the ones belonging to Skype, Firefox or Chrome, it trips a good portion of detection rules, so it’s a behaviour worth nothing.
The chaos doesn’t stop there. PE32 also drops C:bootTel.dat, a legitimate Windows telemetry file associated with chkdsk.exe (Disk Checker). Although harmless on its own, the creation of this file is directly tied to the ransomware’s activity.
By aggressively encrypting files across the C: drive, including non-critical system files, PE32 ends up triggering the disk repair utility. While it doesn’t halt system functionality, it does cause Windows to initiate self-repair checks, providing an additional footprint of the malware’s presence.
With this, we now have additional indicators of PE32’s activity.
PE32 shows no logic in file selection. It encrypts everything in sight, regardless of extension or value. Chrome’s language packs (messages.json), static resources like .gif and .css files, and even incomplete extension data are all locked without discrimination.
On the technical side, PE32 keeps things simple. There’s no use of exotic libraries or obfuscated function calls. It relies on the classic combo of ntdll.dll and kernel32.dll to execute processes and manipulate files, while crypt32.dll and bcrypt.dll handle encryption.
It depends on schannel.dll, Windows’ native TLS/SSL to reach its C2 channel using HTTPS, and that’s it. Plain and simple!
Dissecting PE32 is challenging due to its unpredictable and erratic behavior. The ransomware triggers numerous detections, some legitimate, others the result of its careless execution, which can complicate analysis and lead to false trails.
Fortunately, ANY.RUN’s automatic ATT&CK matrix and IOC collection make this task significantly easier. These features help analysts quickly identify behaviors and map them to known techniques, significantly reducing investigation time.
One of the most notable techniques observed is T1102 – Web Service Communication, specifically communication via Telegram. Although not the most advanced tactic, it provides a clear indication of PE32’s reliance on a basic and exposed C2 channel.
This behavior aligns with early-stage or poorly maintained ransomware, which typically lacks data exfiltration capabilities and instead focuses solely on encryption and basic status reporting. In this context, T1102 serves as a valuable early signal for identifying similar threats in the wild.
The PE32 ransomware campaign introduces notable risks despite its unsophisticated design:
The analysis of PE32 Ransomware reveals how even basic, poorly coded malware can disrupt systems, encrypt valuable data, and leverage public platforms like Telegram for command and control.
While it lacks advanced evasion or data theft capabilities, PE32 reflects the growing trend of fast-deploy, low-effort ransomware strains that still pose a real threat to individuals and organizations.
By analyzing PE32 in real time using ANY.RUN’s Interactive Sandbox, we were able to fully observe its execution flow, uncover its communication channels, and extract key artifacts, without relying solely on static reverse engineering.
Here’s how this kind of analysis brings value:
Try ANY.RUN’s Interactive Sandbox today
SHA256:15cb6bd05a35fdbd9a7e53b092a1b0537c64cb5df08ee0262479c0cc24eafd8a
FilePath:C:PE32-KEYID
SHA256:5946bdeb8b7bf0603e99cefb15c083a37352fa8a916b2664bbb9f9027f44985b
FilePath:C:PE32-KEYREADME.txt
SHA256:c6ddc9c2852eddf30f945a50183e28d38f6b9b1bbad01aac52e9d9539482a433
Filename:PE32.exe
SHA256:098ee778fca1bfd809499dac65f528ea727f2aee9c6eaf79fe662d9261086e4a
FilePath:C:PE32-KEYcontext.pe32c
SHA256:9e561018034479df1493addca30f1d031b9185e1d66f15333b8ea79d16acf64b
FilePath:C:PE32-KEYlock.pe32
References:
Matkap tool: github.com/0x6rss/matkap
Sandbox analysis: https://app.any.run/tasks/58b336b0-baec-48bb-9675-b2f3d352b63c
The post PE32 Ransomware: A New Telegram-Based Threat on the Rise appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
Microsoft on Monday announced that it has moved the Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and that it’s also in the process of migrating the Entra ID signing service as well.
The disclosure comes about seven months after the tech giant said it completed updates to Microsoft Entra ID and MS for both public and United States government clouds to
The Hacker News – Read More
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025.
“Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company,” the Symantec Threat Hunter Team said in a new report
The Hacker News – Read More
A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk‘s Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusual large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account.
The cover letter from Berulis’s whistleblower statement, sent to the leaders of the Senate Select Committee on Intelligence.
The allegations came in an April 14 letter to the Senate Select Committee on Intelligence, signed by Daniel J. Berulis, a 38-year-old security architect at the NLRB.
NPR, which was the first to report on Berulis’s whistleblower complaint, says NLRB is a small, independent federal agency that investigates and adjudicates complaints about unfair labor practices, and stores “reams of potentially sensitive data, from confidential information about employees who want to form unions to proprietary business information.”
The complaint documents a one-month period beginning March 3, during which DOGE officials reportedly demanded the creation of all-powerful “tenant admin” accounts in NLRB systems that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.
Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases. The new accounts also could restrict log visibility, delay retention, route logs elsewhere, or even remove them entirely — top-tier user privileges that neither Berulis nor his boss possessed.
Berulis writes that on March 3, a black SUV accompanied by a police escort arrived at his building — the NLRB headquarters in Southeast Washington, D.C. The DOGE staffers did not speak with Berulis or anyone else in NLRB’s IT staff, but instead met with the agency leadership.
“Our acting chief information officer told us not to adhere to standard operating procedure with the DOGE account creation, and there was to be no logs or records made of the accounts created for DOGE employees, who required the highest level of access,” Berulis wrote of their instructions after that meeting.
“We have built in roles that auditors can use and have used extensively in the past but would not give the ability to make changes or access subsystems without approval,” he continued. “The suggestion that they use these accounts was not open to discussion.”
Berulis found that on March 3 one of the DOGE accounts created an opaque, virtual environment known as a “container,” which can be used to build and run programs or scripts without revealing its activities to the rest of the world. Berulis said the container caught his attention because he polled his colleagues and found none of them had ever used containers within the NLRB network.
Berulis said he also noticed that early the next morning — between approximately 3 a.m. and 4 a.m. EST on Tuesday, March 4 — there was a large increase in outgoing traffic from the agency. He said it took several days of investigating with his colleagues to determine that one of the new accounts had transferred approximately 10 gigabytes worth of data from the NLRB’s NxGen case management system.
Berulis said neither he nor his co-workers had the necessary network access rights to review which files were touched or transferred — or even where they went. But his complaint notes the NxGen database contains sensitive information on unions, ongoing legal cases, and corporate secrets.
“I also don’t know if the data was only 10gb in total or whether or not they were consolidated and compressed prior,” Berulis told the senators. “This opens up the possibility that even more data was exfiltrated. Regardless, that kind of spike is extremely unusual because data almost never directly leaves NLRB’s databases.”
Berulis said he and his colleagues grew even more alarmed when they noticed nearly two dozen login attempts from a Russian Internet address (83.149.30,186) that presented valid login credentials for a DOGE employee account — one that had been created just minutes earlier. Berulis said those attempts were all blocked thanks to rules in place that prohibit logins from non-U.S. locations.
“Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating,” Berulis wrote. “There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers.”
According to Berulis, the naming structure of one Microsoft user account connected to the suspicious activity suggested it had been created and later deleted for DOGE use in the NLRB’s cloud systems: “DogeSA_2d5c3e0446f9@nlrb.microsoft.com.” He also found other new Microsoft cloud administrator accounts with nonstandard usernames, including “Whitesox, Chicago M.” and “Dancehall, Jamaica R.”
A screenshot shared by Berulis showing the suspicious user accounts.
On March 5, Berulis documented that a large section of logs for recently created network resources were missing, and a network watcher in Microsoft Azure was set to the “off” state, meaning it was no longer collecting and recording data like it should have.
Berulis said he discovered someone had downloaded three external code libraries from GitHub that neither NLRB nor its contractors ever use. A “readme” file in one of the code bundles explained it was created to rotate connections through a large pool of cloud Internet addresses that serve “as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.” Brute force attacks involve automated login attempts that try many credential combinations in rapid sequence.
The complaint alleges that by March 17 it became clear the NLRB no longer had the resources or network access needed to fully investigate the odd activity from the DOGE accounts, and that on March 24, the agency’s associate chief information officer had agreed the matter should be reported to US-CERT. Operated by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), US-CERT provides on-site cyber incident response capabilities to federal and state agencies.
But Berulis said that between April 3 and 4, he and the associate CIO were informed that “instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report.” Berulis said it was at this point he decided to go public with his findings.
An email from Daniel Berulis to his colleagues dated March 28, referencing the unexplained traffic spike earlier in the month and the unauthorized changing of security controls for user accounts.
Tim Bearese, the NLRB’s acting press secretary, told NPR that DOGE neither requested nor received access to its systems, and that “the agency conducted an investigation after Berulis raised his concerns but ‘determined that no breach of agency systems occurred.’” The NLRB did not respond to questions from KrebsOnSecurity.
Nevertheless, Berulis has shared a number of supporting screenshots showing agency email discussions about the unexplained account activity attributed to the DOGE accounts, as well as NLRB security alerts from Microsoft about network anomalies observed during the timeframes described.
As CNN reported last month, the NLRB has been effectively hobbled since President Trump fired three board members, leaving the agency without the quorum it needs to function.
“Despite its limitations, the agency had become a thorn in the side of some of the richest and most powerful people in the nation — notably Elon Musk, Trump’s key supporter both financially and arguably politically,” CNN wrote.
Both Amazon and Musk’s SpaceX have been suing the NLRB over complaints the agency filed in disputes about workers’ rights and union organizing, arguing that the NLRB’s very existence is unconstitutional. On March 5, a U.S. appeals court unanimously rejected Musk’s claim that the NLRB’s structure somehow violates the Constitution.
Berulis shared screenshots with KrebsOnSecurity showing that on the day the NPR published its story about his claims (April 14), the deputy CIO at NLRB sent an email stating that administrative control had been removed from all employee accounts. Meaning, suddenly none of the IT employees at the agency could do their jobs properly anymore, Berulis said.
An email from the NLRB’s associate chief information officer Eric Marks, notifying employees they will lose security administrator privileges.
Berulis shared a screenshot of an agency-wide email dated April 16 from NLRB director Lasharn Hamilton saying DOGE officials had requested a meeting, and reiterating claims that the agency had no prior “official” contact with any DOGE personnel. The message informed NLRB employees that two DOGE representatives would be detailed to the agency part-time for several months.
An email from the NLRB Director Lasharn Hamilton on April 16, stating that the agency previously had no contact with DOGE personnel.
Berulis told KrebsOnSecurity he was in the process of filing a support ticket with Microsoft to request more information about the DOGE accounts when his network administrator access was restricted. Now, he’s hoping lawmakers will ask Microsoft to provide more information about what really happened with the accounts.
“That would give us way more insight,” he said. “Microsoft has to be able to see the picture better than we can. That’s my goal, anyway.”
Berulis’s attorney told lawmakers that on April 7, while his client and legal team were preparing the whistleblower complaint, someone physically taped a threatening note to Mr. Berulis’s home door with photographs — taken via drone — of him walking in his neighborhood.
“The threatening note made clear reference to this very disclosure he was preparing for you, as the proper oversight authority,” reads a preface by Berulis’s attorney Andrew P. Bakaj. “While we do not know specifically who did this, we can only speculate that it involved someone with the ability to access NLRB systems.”
Berulis said the response from friends, colleagues and even the public has been largely supportive, and that he doesn’t regret his decision to come forward.
“I didn’t expect the letter on my door or the pushback from [agency] leaders,” he said. “If I had to do it over, would I do it again? Yes, because it wasn’t really even a choice the first time.”
For now, Mr. Berulis is taking some paid family leave from the NLRB. Which is just as well, he said, considering he was stripped of the tools needed to do his job at the agency.
“They came in and took full administrative control and locked everyone out, and said limited permission will be assigned on a need basis going forward” Berulis said of the DOGE employees. “We can’t really do anything, so we’re literally getting paid to count ceiling tiles.”
Further reading: Berulis’s complaint (PDF).
Krebs on Security – Read More
Since January, threat actors distributing the malware have notched up more than 100 victims.
darkreading – Read More
The city of Abilene disconnected servers after officials detected a cyber incident last week.
The Record from Recorded Future News – Read More