Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks

Report shows how industrialized credential theft underpins ransomware, SaaS breaches, and geopolitical attacks, shifting security focus from prevention to detecting misuse of legitimate access.


SecurityWeek – Read More

Why ransomware is now after your data — and how to protect your home storage | Kaspersky official blog

Today — March 31 — is World Backup Day. And every year, most people tell themselves, “I’ll get around to that tomorrow”. But even if you’re one of the responsible ones who regularly backs up their docs, photo archives, and the entire operating system — you’re still at risk. Why? Because ransomware has learned how to specifically target everyday users’ backups.

Why home users are in the crosshairs

In the not-so-distant past, ransomware was mostly a big business problem. Attackers focused on corporate servers and enterprise backups because freezing a major company’s production process or stealing all their information and customer databases usually meant a massive payout. We’ve seen plenty of those cases over the last few years. However, the “small-fry” market has become just as tempting for cybercriminals — and here’s why.

For starters, attacks are automated. Modern ransomware doesn’t need a human operating it manually. These programs scan the internet for vulnerable devices and, upon finding one, encrypt everything indiscriminately without the hacker getting involved. This means a single attacker can effortlessly hit thousands of home devices.

Second, because of this broad reach, the ransom demands have become more “affordable”. Regular users aren’t asked for millions, but “only” a few hundred or thousand dollars. Many people are willing to pay that amount without involving the police — especially when family archives, photos, medical records, banking documents, and other personal files are on the line, with no other copies in existence. And when you multiply those smaller payouts by thousands of victims, the hackers walk away with very tidy sums.

And finally, home devices are usually sitting ducks. While corporate networks are guarded really well, the average home router most likely runs on factory settings with “admin” as the password. Many people leave their network attached storage (NAS) wide open to the internet with zero protection. It’s low-hanging fruit.

How personal backups get attacked

A home NAS drive — often called a personal cloud — is essentially a mini-computer running a specialized Linux or FreeBSD-based operating system. It houses one or more large-capacity hard drives, often combined into an array. The storage connects to a home router, making files accessible from any device on the home network — or even remotely over the internet if you’ve configured it that way. Many people buy a NAS specifically to centralize their family’s backups and simplify access for family members, thinking it’s the ultimate safe haven for their digital archives.

The irony is that these very storage hubs have become the primary target for ransomware gangs. Hackers can break in relatively easily, either by exploiting known vulnerabilities or simply by brute-forcing a weak password. Over the last five years, there have been several major ransomware attacks specifically targeting home NAS units made by QNAP, Synology, and ASUSTOR.

Targeting NAS isn’t the only way hackers can get to your files. The second method relies on social engineering: basically tricking victims into launching malware themselves. Take the massive AI hype of 2025, for example. Scammers would set up malicious websites distributing fake installers for ChatGPT, Invideo AI, and other trending tools. They would lure people in with promises of free premium subscriptions, but in reality users ended up downloading and running ransomware.

What ransomware looks for once it’s inside

Once the malware infiltrates your system, it starts surveying its environment and neutralizing anything that could help you recover your data without paying up.

  • It wipes Windows shadow copies. The Volume Shadow Copy Service is a built-in Windows feature for quick file recovery. Deleting this data makes it impossible to simply roll back to a previous version of a file.
  • It scans connected drives. If you leave an external hard drive permanently plugged into your computer, the ransomware will spot and encrypt it just like any other files.
  • It searches for network folders. If your home cloud is mapped as a network drive, the malware will follow that path to attack that too.
  • It checks cloud sync clients. Services like Dropbox, Google Drive, or iCloud for Windows all keep local sync folders on your computer. The ransomware encrypts the files in these folders, and the cloud service then “helpfully” uploads the encrypted versions to the cloud.
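The first item in this list is the one that leaves a clear trace in process logs. Below is an added example (not from the Kaspersky post) of matching shadow-copy deletion commands in process-creation events while leaving the routine "vssadmin list shadows" alone; the event field names, hostnames and the fake-installer parent process are constructed for this example.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style; the field
# names and the fake-installer parent process are assumptions for this example.
SAMPLE_EVENTS = [
    {"host": "laptop-1", "parent": "C:\\Users\\anna\\Downloads\\ChatGPT_Setup.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "laptop-1", "parent": "C:\\Users\\anna\\Downloads\\ChatGPT_Setup.exe",
     "cmd": "wmic shadowcopy delete"},
    {"host": "desktop-2", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "vssadmin list shadows"},
    {"host": "desktop-2", "parent": "C:\\Windows\\System32\\services.exe",
     "cmd": "C:\\Windows\\System32\\VSSVC.exe"},
]

# Each rule is (name, regex over the normalised command line). Listing shadow
# copies is routine administration and deliberately does not match.
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
]


def normalise(cmd):
    """Collapse whitespace and lower-case so matching ignores case and spacing tricks."""
    return " ".join(cmd.split()).lower()


def scan(events):
    """Return one alert per event whose command line matches a shadow-copy rule."""
    alerts = []
    for ev in events:
        cmd = normalise(ev["cmd"])
        for name, pattern in SHADOW_COPY_RULES:
            if pattern.search(cmd):
                alerts.append({"host": ev["host"], "rule": name,
                               "parent": ev["parent"], "cmd": ev["cmd"]})
    return alerts


def hosts_with_recovery_tampering(events):
    """Hosts where at least one shadow-copy deletion was observed (sorted for stable output)."""
    return sorted({a["host"] for a in scan(events)})


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['rule']} spawned by {a['parent']}: {a['cmd']}")
```

The parent process is the useful context: shadow-copy deletion spawned by a freshly downloaded installer deserves a very different response from the same command run by an administrator's shell.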

The golden rule of backups

The classic 3-2-1 rule for backups goes like this:

  • Three copies of your data: the original plus two backups
  • Two different media types: for example, your computer and an external drive
  • One copy off-site: in the cloud or elsewhere, like at a relative’s place

However, this rule predates the era of ransomware. Today we need to update it with one vital condition: another copy must be completely isolated from both the internet and your computer at the time of an attack.

The new rule is 3-2-1-1 — a bit more of a mouthful, but much safer. Following it is simple: get an external hard drive that you plug in once a week, back up your data, and then unplug it.

What you actually need to back up

  • Photos and videos. Wedding photos, a baby’s first steps, family archives — these are the memories people will pay to get back.
  • Digital scans or photos of essential documents for every family member — everything from passports to medical records, including old archives.
  • Two-factor authentication data. If your authenticator app only lives on your phone and you lose it, you may also lose access to all your protected accounts. Many apps let you back up your authentication data.
  • If you use a password manager, make sure it’s syncing to a secure cloud or has an export function.
  • Privacy-focused messaging apps don’t always store your history in the cloud. Business correspondence, important agreements, and contacts could vanish if they aren’t backed up.

What to do if your data is already encrypted

Don’t panic. Check out our Free Ransomware Decryptors page. We’ve collected a library of decryption tools that might help you get your data back without paying up.

How to secure your backups

  • Don’t leave your external backup drive plugged in all the time. Connect it, copy your files, and unplug it immediately.
  • Set up automated cloud backups, but make sure your cloud provider keeps a version history for at least 30 days. If your current plan doesn’t offer this, it’s time to upgrade or switch providers.
  • Stick to the 3-2-1-1 rule: original files on your computer, plus an external drive that you only plug in periodically, plus cloud storage. That’s three copies, two media types, one copy offline, and one off-site.
  • Cut off internet access to your network storage. If you have a home network drive, make sure that it’s inaccessible from the internet without a password — and that the password isn’t “admin”. Disable any remote access features you don’t actually use, and make sure your firmware is up to date.
  • Actually, keep everything up to date. Most attacks exploit known vulnerabilities that have long been patched. Enabling auto-updates for your router, NAS, and computer only takes a few minutes of setup but effectively slams the door on hundreds of known security holes.
  • Steer clear of “free” versions of paid software. Fake installers for pirated software or game cheats are some of the primary delivery channels for ransomware. By the way, Kaspersky Premium sniffs out these threats and blocks them before they even launch.
  • Be sure to enable the System Watcher feature in our Windows security suites. This feature logs every operating system event to help track down threats like ransomware and either block them or roll back any damage they’ve already done.
  • Back up your authenticator app. The easiest move is to migrate your authentication tokens to Kaspersky Password Manager. It keeps them securely encrypted in the cloud alongside your passwords and sensitive docs, while syncing them across all your devices. That way, if your phone gets swiped or fried, you aren’t locked out of your accounts and vital data.
  • Test your backups. Every few months, try restoring a random file from your archive. You’d be surprised how often a seemingly successful backup turns out to be corrupted or glitchy. It’s better to catch those glitches now while you still have the originals to fix the problem.
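The last item is the one most people skip. As an added example (not part of the Kaspersky post), here is a small manifest-based check: record a SHA-256 per file when the backup is made, store the manifest with the offline copy, and compare a restore against it; the function names and the sample files are this example's own.

```python
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large video archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_manifest(root):
    """Map every file under root (by relative path) to its SHA-256.
    Run this at backup time and keep the manifest with the offline copy."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored copy against the manifest.
    Returns (ok, problems); problems is a sorted list of ('missing'|'corrupted', relpath)."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            problems.append(("missing", rel))
        elif sha256_file(path) != expected:
            problems.append(("corrupted", rel))
    return (not problems, sorted(problems))


def demo():
    """Constructed scenario: back up three files, restore them intact, then simulate one
    corrupted and one missing file in the restore. Returns (ok_before, ok_after, problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "family-archive")
        os.makedirs(src)
        samples = {"photos/wedding.jpg": b"jpeg bytes", "video/baby.mp4": b"mp4 bytes",
                   "docs/passport.pdf": b"pdf bytes"}
        for rel, data in samples.items():
            os.makedirs(os.path.dirname(os.path.join(src, rel)), exist_ok=True)
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        # Serialise the manifest as it would be stored next to the backup, then reload it.
        manifest = json.loads(json.dumps(make_manifest(src)))
        restored = os.path.join(tmp, "restored")
        shutil.copytree(src, restored)
        ok_before, _ = verify_restore(restored, manifest)
        # A "glitchy" backup: one file silently damaged, one never copied.
        with open(os.path.join(restored, "video/baby.mp4"), "wb") as f:
            f.write(b"truncated")
        os.remove(os.path.join(restored, "docs/passport.pdf"))
        ok_after, problems = verify_restore(restored, manifest)
        return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```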

Kaspersky official blog – Read More

I replaced my Sony WH-1000XM6 with the AirPods Max 2 for a week – and didn’t miss a beat

Review: Apple’s latest over-ear headphones have arrived, but they’re probably not what you were hoping for in a successor.

Latest news – Read More

The overselling of AI – and how to resist it

Simply dropping AI into an operation will not deliver positive results without significant work behind the scenes.

Latest news – Read More

Meta Ray-Bans vs. Optics: Why glasses wearers should consider the new model

The new Optics smart glasses might be the first pair of Meta Ray-Bans you can wear all day. Here’s why.

Latest news – Read More

Deleting yourself from the internet could cost less than your daily coffee – here’s how

Spring cleaning should include your online data. Here’s how to protect yours for less with discounts on Incogni, DeleteMe, and more.

Latest news – Read More

Ransomware in 2025: Blending in is the strategy


Ransomware attacks aren’t smash-and-grab anymore. They’re built on access that already looks legitimate — closer to positioning chess pieces than breaking the door down.

That’s the big trend that comes through in the ransomware data from the Talos 2025 Year in Review. Once attackers have initial access (and 40% of the time it’s through phishing) they move the way a user or administrator would: logging in, checking systems, and using the same remote access tools that are already installed.

In fact, one of the biggest challenges for defenders today is that ransomware actors are deliberately trying to overlap with everyday activity. RDP, PowerShell, and PsExec are the top three tools that are used by ransomware actors, but in many environments, these tools are part of normal operations.

The difference is how they’re being used. If they’re being used to expand access and move across systems, this should raise a few red flags. I’m not sure it’s possible to emphasise enough how important asset management is here — having clear asset inventories and network behaviour baselines, and conducting continuous anomaly monitoring.

Like the rest of the Talos Year in Review, identity is what ties everything together. Valid accounts show up across nearly every stage of ransomware attacks: initial access, lateral movement, and execution. 

Top-targeted sectors

From our ransomware data analysis, manufacturing continues to be the most targeted sector, which reflects how challenging these environments are to monitor closely. There’s a mixture of systems, users, and processes, often with limited tolerance for disruption.

Professional, scientific, and technical services (second on the most targeted sectors list) face similar exposure, especially when access spans multiple systems or organizations.

Most prolific ransomware groups

The ransomware-as-a-service (RaaS) groups have had a bit of a shakeup. After LockBit topped our 2024 report, the group fell to 35th this year following sustained law enforcement pressure. Qilin, a constant pain in the “you-know-what” for our incident responders for over a year now, came in at No. 1.

[Chart: ranking of the most prolific ransomware groups in the 2025 Talos Year in Review]

Qilin uses a double-extortion approach, combining data encryption with threats to release stolen information publicly. According to their data leak site, in 2025, Qilin targeted more than 40 victims every month except January, signaling that this ransomware group will remain a persistent and significant threat in 2026.

Akira and Play (No. 2 and 3 in the chart) had continued success, which can likely be credited to their evolving and adaptable tactics and absorption of affiliates from defunct ransomware groups (i.e., LockBit).

An opportunity for defenders

What’s interesting to note is that for the second year running, January saw lower activity, likely tied to holiday slowdowns and Eastern European public holidays.

It may be wise for security teams to consider testing ransomware defenses in months where activity levels are generally lower, such as January, as there is a reduced chance of interfering with real incidents.

Defender recommendations

  • Strengthen identity protections. Actors predominantly targeted the person who holds the key rather than the lock itself (i.e., the target’s infrastructure). Phishing and social engineering training is highly recommended.
  • Monitor the use of built-in administrative tools such as RDP, PowerShell, and PsExec for lateral movement. Look for unexpected usage patterns, and abnormal access requests.
  • Basics, basics, basics! They very much still hold true. Strengthen your backup, EDR, segmentation, logging, and recovery capabilities.
  • Regularly test ransomware response readiness.
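An added illustration of the second recommendation, written for this page rather than taken from the Talos report: compare RDP logon pairs against a baseline, flag a single source that fans out to several new hosts, and flag the service install a PsExec session leaves behind. The event field names, hostnames and fan-out threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed logon and service-install events; field names are an assumption
# for this example. 4624 with logon type 10 is an RDP (RemoteInteractive) logon;
# 7045 is a new service, which is how a PsExec session (PSEXESVC) shows up.
BASELINE = [
    {"id": 4624, "type": 10, "user": "helpdesk", "src": "JUMP-01", "dst": "WS-101"},
    {"id": 4624, "type": 10, "user": "helpdesk", "src": "JUMP-01", "dst": "WS-102"},
    {"id": 4624, "type": 10, "user": "dbadmin", "src": "JUMP-01", "dst": "SQL-01"},
]
NEW_EVENTS = [
    {"id": 4624, "type": 10, "user": "helpdesk", "src": "JUMP-01", "dst": "WS-101"},  # routine
    {"id": 4624, "type": 10, "user": "jsmith", "src": "WS-117", "dst": "FS-01"},
    {"id": 4624, "type": 10, "user": "jsmith", "src": "WS-117", "dst": "DC-01"},
    {"id": 4624, "type": 10, "user": "jsmith", "src": "WS-117", "dst": "SQL-01"},
    {"id": 7045, "host": "FS-01", "service": "PSEXESVC", "path": "%SystemRoot%\\PSEXESVC.exe"},
    {"id": 4624, "type": 3, "user": "backup", "src": "BKP-01", "dst": "FS-01"},  # network logon, not RDP
]


def rdp_pairs(events):
    """(user, src, dst) triples for RDP logons (4624, logon type 10)."""
    return {(e["user"], e["src"], e["dst"])
            for e in events if e.get("id") == 4624 and e.get("type") == 10}


def detect(events, baseline, fanout_threshold=3):
    """Flag RDP pairs absent from the baseline, a (user, source) fanning out to
    several new destinations, and PsExec service installs.
    Returns a list of (kind, detail) tuples in a deterministic order."""
    known = rdp_pairs(baseline)
    alerts = []
    new_dsts = defaultdict(set)
    for user, src, dst in sorted(rdp_pairs(events) - known):
        alerts.append(("new_rdp_pair", (user, src, dst)))
        new_dsts[(user, src)].add(dst)
    for (user, src), dsts in sorted(new_dsts.items()):
        if len(dsts) >= fanout_threshold:
            alerts.append(("rdp_fanout", (user, src, len(dsts))))
    for e in events:
        if e.get("id") == 7045 and e.get("service", "").upper() == "PSEXESVC":
            alerts.append(("psexec_service", (e["host"], e["path"])))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(NEW_EVENTS, BASELINE):
        print(kind, detail)
```

The baseline is what makes this work: the helpdesk jump host reaching workstations is silent, while a workstation account reaching a file server, a domain controller and a database server in one window is exactly the "looks like an admin" pattern the report describes.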

Read the full 2025 Talos Year in Review to dig deeper into ransomware trends, vulnerability exploitation, phishing and MFA bypass, state-sponsored activity, and how AI is shaping the threat landscape.

Cisco Talos Blog – Read More

Release Notes: Cross-Platform Threat Analysis with macOS, SSL Decryption, and 1,300+ New Detections 

March was a packed month for ANY.RUN. We rolled out major product improvements that help security teams investigate phishing inside encrypted traffic, expand cross-platform analysis with macOS, and bring Windows Server into the sandbox workflow.

At the same time, our detection team continued to strengthen threat coverage with new behavior signatures, Suricata rules, and fresh threat intelligence reports focused on active malware and attack techniques. 

Here’s a closer look at what’s new. 

Product Updates 

This month’s updates are all about helping security teams see more and investigate with less friction. We improved phishing detection inside encrypted traffic, expanded sandbox coverage to macOS, and added Windows Server analysis so teams can work across more of the environments they protect every day.

Automatic SSL Decryption for Stronger Phishing Detection 

Encrypted HTTPS traffic remains one of the main reasons phishing is harder to confirm quickly. It hides credential theft, redirect chains, and token-based attacks inside traffic that often appears legitimate, forcing teams to spend more time on validation and increasing the chance of missed compromise.

In March, ANY.RUN introduced automatic SSL decryption in the Interactive Sandbox across all subscription tiers. By extracting encryption keys directly from process memory, the sandbox can now inspect decrypted traffic during analysis and apply Suricata rules, detection signatures, and IOC extraction immediately.

Check real-world example: Detecting Salty2FA phishing campaign with SSL decryption

Automatic SSL decryption provides a major phishing detection boost in the sandbox

This significantly expands phishing visibility across every sandbox session. After implementing the technology, ANY.RUN saw a 5x increase in SSL-decrypted phishing detection and added 60,000 more confirmed malicious URLs to TI Lookup each month. 

For your SOC, this means: 

  • Higher detection rate: Analysts can now identify phishing activity that would otherwise stay hidden inside encrypted traffic. 
  • Faster MTTD and MTTR: Teams confirm malicious behavior earlier and respond before phishing causes broader damage. 
  • Reduced Tier 1-to-Tier 2 escalation volume: Tier 1 can close more cases independently and escalate only the incidents that truly need deeper investigation. 

Expanding Your SOC’s Cross-Platform Analysis with macOS 

As enterprise environments grow more complex, SOC teams are expected to investigate threats across multiple operating systems without slowing down triage. But when analysis is split across separate tools and environments, investigations take longer, alert backlogs grow, and the risk of delayed or missed detection increases. 

To help solve this, ANY.RUN expanded its sandbox OS coverage with a macOS virtual machine, now available in beta for Enterprise Suite users. This gives teams one environment to investigate threats across Windows, Linux, Android, and now macOS.


Miolab stealer analyzed inside ANY.RUN sandbox 

Bringing interactive macOS analysis into the workflow is especially important for threats that stay dormant until a user enters a password, approves a system dialog, or triggers another action. By allowing real user interaction during detonation, the sandbox can expose behaviors that automated analysis often misses, including fake authentication prompts, staged execution chains, file collection, and post-authentication data exfiltration.


This operational improvement leads to measurable outcomes:  

  • Faster validation of suspicious files and URLs: Teams can confirm malicious behavior in minutes through behavior-based analysis during triage. 
  • Shorter investigation cycles: Analysts can observe full execution behavior in one environment without manually piecing evidence together across multiple tools. 
  • Improved cross-platform detection coverage: Security teams can investigate platform-specific threats across macOS, Windows, Linux, and Android in a consistent workflow. 
  • Higher productivity during triage: Less context switching helps analysts process more alerts per shift. 
  • Reduced alert backlog during peak activity: Faster decisions help SOC teams keep queues under control during phishing waves and malware outbreaks. 

Advancing Server-Side Threat Analysis with Windows Server 

For many enterprise teams, critical infrastructure runs on Windows Server, from domain services and file storage to business applications and backups. But malware that targets server environments often behaves differently from threats launched on standard Windows systems, making it harder to assess risk accurately in a desktop-focused setup. 

To close that gap, ANY.RUN Sandbox now supports analysis in a Windows Server environment. This gives security teams a way to observe attack behavior in a server OS and investigate techniques tied to infrastructure, including changes to domain accounts, security policies, and the use of administrative tools. 

Threats analyzed inside a Windows Server environment

This addition helps teams strengthen infrastructure-focused triage and response: 

  • Better visibility into server-specific techniques: Teams can analyze behavior tied to domains, policies, and administrative utilities in a more relevant environment. 
  • Stronger investigation confidence for infrastructure threats: Analysts can validate whether a sample affects server-side services or critical business systems before escalating. 
  • More effective detection and response preparation: Security teams can collect artifacts, refine detections, and improve incident playbooks for Windows Server scenarios. 




Threat Coverage Updates 

In March, our detection team continued to expand coverage across phishing, credential theft, backdoors, miners, stealers, loaders, and evasive system abuse. 

This month’s updates include: 

  • 91 new behavior signatures 
  • 1,293 new Suricata rules 

These additions give security teams better visibility into modern attack chains, from OAuth phishing and Telegram-based credential theft to backdoor communication, loader behavior, and suspicious use of built-in system tools. 

New Behavior Signatures 

In March, we added 91 new behavior signatures to strengthen detection across malware families, Android threats, stealers, loaders, RATs, ransomware, and suspicious system-level activity. 

These updates improve visibility into behaviors often seen in real attacks, including persistence, self-deletion, loader activity, shell delivery, registry tampering, PowerShell abuse, and virtual machine checks used to evade analysis. 

Highlighted families and detections include: 

District analyzed inside ANY.RUN sandbox
  • HolyCat 
  • SuperCard 
  • Noodlopfile 
  • CharlieKirk 
  • LockCrypt 
  • GibCrypto 
  • ZipWhisper 
  • PixyNetLoader 
  • Quantum 
  • Queen 
  • Zov 
  • FileScavenger 
  • Rodecap 
  • Recuva 
  • OCRFix 



Banshee stealer targeting macOS users detected inside ANY.RUN sandbox 

New behavior-based detections also cover: 

Together, these additions give security teams broader behavioral coverage across both established malware families and attacker techniques that commonly appear in multi-stage intrusions. 



New Suricata Rules 

In March, we added 1,293 new Suricata rules to strengthen detection of credential theft, phishing activity, and malicious command-and-control traffic. 

Key highlights include: 

  • Credential theft via Telegram API (sid: 84001778): Tracks adversary attempts to exfiltrate a victim’s email and password via the Telegram Bot API 
  • MS OAuth Device Code phish / EvilTokens activity (sid: 84001845): Identifies use of an emerging attack technique that abuses legitimate OAuth 2.0 device authorization flows to gain control over victims’ Microsoft 365 accounts
  • DinDoor backdoor HTTP activity (sid: 85006556): Detects attempts by the new backdoor of the Iran-linked MuddyWater (TA450) actor to establish C2 communication via HTTP

Threat Intelligence Reports 

In March, our team published new threat reports covering emerging malware, banking trojans, ransomware, backdoors, and stealthy delivery techniques. 

Threat Intelligence reports available in ANY.RUN 
  • VIDAR, VENON, and SLOPOLY: This report covers a polymorphic stealer, a Rust-based banking RAT, and a PowerShell backdoor tied to the Hive0163 ecosystem, with a focus on their behavior, artifacts, and detection opportunities. 
  • Steaelite, BlackReaper, and Jigsaw: This brief looks at three threats combining credential theft, remote access, persistence, and ransomware behavior, including Telegram-based control and file encryption activity. 

About ANY.RUN 

ANY.RUN provides interactive malware analysis and threat intelligence solutions built to support modern security operations. 

By combining Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds, ANY.RUN helps SOC and MSSP teams accelerate threat analysis, investigate incidents with greater clarity, and detect emerging attacks earlier. 

Used by more than 15,000 organizations and over 600,000 security professionals worldwide, including 74% of Fortune 100 companies, ANY.RUN is focused on helping teams improve detection and response while meeting the data protection, compliance, and workflow demands of real-world security operations.



ANY.RUN’s Cybersecurity Blog – Read More

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency.
Versions 1.14.1 and 0.30.4 of Axios have been found to inject “plain-crypto-js” version 4.2.1 as a fake dependency.
According to StepSecurity, the two versions were published using the compromised npm credentials of the primary Axios

The Hacker News – Read More

Critical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise 

Researchers found an OpenAI Codex vulnerability that could have been exploited to compromise GitHub tokens.


SecurityWeek – Read More