SOCRadar research reveals that the FortiBleed initial access broker (IAB) campaign — which compromised thousands of Fortinet FortiGate firewalls using a Golang-based credential sniffer — is now collaborating with Inc Ransom and Lynx ransomware-as-a-service gangs. A single operator was found logged into both ransomware negotiation panels using infrastructure traceable to FortiBleed. The IAB has achieved admin-level access on 409 targets, with at least 12 confirmed ransomware deployments. Additionally, the FortiBleed group is exploiting an undisclosed zero-day vulnerability in Nextcloud to expand access. SOCRadar assesses the IAB as a structured ~20-person operation acting as an access-supply layer, with Inc and Lynx as downstream monetization channels.
Source: https://www.darkreading.com/threat-intelligence/fortibleed-actors-inc-lynx-ransomware-gangs. 8sync News only summarizes and links to the original; the content copyright belongs to the author and the original source.

Ransomware recovery is widely misunderstood as a simple technical restoration exercise. Five common misconceptions are examined: that backups alone equal cyber resilience, that the latest backup is the safest restore point, that absence of malware or IoCs means a snapshot is clean, that fast recovery is always good recovery, and that recovery is purely an IT problem. The core argument is that true recovery means restoring to a trusted state — addressing identity, persistence, attack pathways, and control gaps — not just getting systems back online quickly. A governance-driven model with defined recovery conditions, cross-team decision rights, and evidence-led confidence criteria is advocated over speed-first approaches.
A report covers what is described as the first end-to-end agentic ransomware attack, where an AI agent autonomously drives the entire ransomware lifecycle. The piece warns that victims should not rely on the LLM to return data even after paying a ransom, highlighting new risks posed by AI-powered cybercrime.
Deep technical analysis of the Everest double-extortion ransomware, a .NET 4.0 binary protected with ConfuserEx. Key findings include misleading cryptographic declarations (code claims RSA-4096/AES-256 but runtime uses RSA-1024/AES-128), a noisy pre-encryption sequence involving recovery sabotage, SMBv1 re-enablement, Controlled Folder Access disablement, and broad permission grants. Distinctive behaviors include Wake-on-LAN broadcasts to wake dormant hosts, DACL-based process self-protection, a dedicated Raccine anti-ransomware neutralization routine, and three continuous background threads that kill analysis tools, disable security/backup services, and terminate memory-intensive processes. The analysis also covers the encryption workflow (full encryption for files ≤10MB, partial for larger files), geo-fencing targeting CIS locales, and self-deletion via fsutil. AttackIQ has released an adversary emulation assessment based on these TTPs to help security teams validate their defenses.
A ransomware group called World Leaks has published files stolen from Tata Electronics, Apple's manufacturing partner in India, exposing iPhone 18 Pro component lists, supplier names, and photographs from drop tests. The leaked bill of materials reveals Apple's supplier architecture — including where it sources from multiple vendors for bargaining leverage and where single-source dependencies create supply chain vulnerabilities. The breach is the second ransomware incident involving Tata, following an earlier claim of stolen Apple and Tesla trade secrets. Apple is investigating alongside Tata, but the supplier maps are already public, posing competitive and strategic risks beyond a typical privacy incident.
CISA has updated its Known Exploited Vulnerabilities catalog to confirm that CVE-2026-33825, a Microsoft Defender privilege escalation flaw dubbed BlueHammer, has been actively exploited in ransomware attacks. The vulnerability was publicly disclosed on April 2 before Microsoft released patches on April 14, and security firm Huntress observed zero-day exploitation in the wild. CISOs are advised to verify patch deployment, monitor KEV catalog updates for ransomware-use designations (not just new entries), and hunt for post-compromise privilege escalation activity in endpoint telemetry.
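One way to implement the KEV-monitoring advice above, as an added example that is not from the article or from CISA: it diffs two pulls of the catalog feed and reports entries whose ransomware-use designation flipped to "Known", not just newly added entries. The two snapshots are constructed, using the real feed's cveID and knownRansomwareCampaignUse field names, the article's CVE-2026-33825, and obviously placeholder CVE ids for the other rows.

```python
import json

# Constructed snapshot taken before CISA's update: the BlueHammer entry is already
# in the catalog, but its ransomware-use designation still reads "Unknown".
KEV_BEFORE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft", "product": "Defender",
     "dateAdded": "2026-04-14", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0001", "vendorProject": "PlaceholderVendor", "product": "X",
     "dateAdded": "2026-03-01", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed snapshot after the update: same BlueHammer entry, now marked
# "Known", plus one newly added placeholder entry.
KEV_AFTER = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft", "product": "Defender",
     "dateAdded": "2026-04-14", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0001", "vendorProject": "PlaceholderVendor", "product": "X",
     "dateAdded": "2026-03-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "PlaceholderVendor", "product": "Y",
     "dateAdded": "2026-04-20", "knownRansomwareCampaignUse": "Unknown"},
]})


def _by_cve(snapshot_json):
    """Index a KEV feed document by cveID."""
    return {v["cveID"]: v for v in json.loads(snapshot_json)["vulnerabilities"]}


def kev_changes(before_json, after_json):
    """Compare two KEV snapshots. Returns the CVEs added since the previous pull
    and, separately, already-listed CVEs whose knownRansomwareCampaignUse moved
    to "Known" (the update a new-entries-only watch would miss)."""
    before, after = _by_cve(before_json), _by_cve(after_json)
    new_entries = sorted(cve for cve in after if cve not in before)
    ransomware_flagged = sorted(
        cve for cve, entry in after.items()
        if cve in before
        and entry.get("knownRansomwareCampaignUse") == "Known"
        and before[cve].get("knownRansomwareCampaignUse") != "Known"
    )
    return {"new_entries": new_entries, "ransomware_flagged": ransomware_flagged}


if __name__ == "__main__":
    print(kev_changes(KEV_BEFORE, KEV_AFTER))
```

In practice the two snapshots would be successive downloads of the published KEV JSON feed, stored between runs.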

Check Point Research discovered a browser-native ransomware technique in a DeepSeek-attributed malicious sample. The attack abuses the File System Access API — a legitimate browser feature — to enumerate, exfiltrate, and encrypt local files entirely within the browser, requiring no native payload, no exploit, and no installation. The original sample was AI-generated and incomplete, but researchers confirmed that a working proof-of-concept could be built with minimal effort using modern LLMs. The technique is especially dangerous on Android (Chrome 132+), where a fake AI photo-enhancer lure can trick users into granting write access to their DCIM/photo directory. The research highlights how LLM hallucinations can inadvertently surface practical attack techniques by mapping malicious goals to real browser APIs, lowering the expertise barrier for operationalizing novel attack chains.

A ransomware campaign is targeting small and medium-sized businesses (SMBs) globally using phishing emails impersonating Interpol's cybercrime unit. The emails create urgency by claiming the recipient's company is under investigation, then direct victims to a Proton Drive link containing a password-protected archive. Inside is an executable disguised as a video file that, when opened, encrypts files on available drives. The malware appears custom-built rather than from a known ransomware-as-a-service operation, lacking sophisticated features like hardcoded encryption passwords and dedicated dark web negotiation portals. Victims are directed to contact attackers via Tox messaging. Researchers from Bitdefender note the campaign's strength lies in its social engineering rather than technical sophistication, exploiting fear and authority to trick victims into launching the malware themselves. SMBs are particularly vulnerable due to limited IT staff, security budgets, and lack of formal verification processes.
A large-scale credential-harvesting campaign called 'FortiBleed' has been uncovered, targeting over 430,000 internet-facing FortiGate firewalls by exploiting CVE-2026-35616 (CVSS 9.1) in FortiClient EMS. Attributed to a Russian-speaking initial access broker, the campaign deployed a custom Golang packet sniffer ('FortigateSniffer') on ~12,000 devices to passively intercept authentication traffic across 24 protocols, amassing over 110 million credentials. The operation is directly linked to INC Ransom and Lynx ransomware-as-a-service groups, with at least 12 confirmed ransomware deployments. Immediate mitigations include upgrading FortiClient EMS to 7.4.7+, rotating all credentials, auditing for the 'adminin' backdoor account, restricting port 8013, and enabling MFA on FortiGate admin interfaces.
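One way to carry out the 'adminin' audit from the mitigation list, as an added example that is not part of the article or of Fortinet's tooling: it parses the config system admin block of an exported FortiGate configuration and reports every administrator account outside an approved set, with its access profile. The configuration excerpt and the approved-account set are constructed assumptions.

```python
import re

# Assumption: the organisation's approved FortiGate administrator names.
APPROVED_ADMINS = {"admin"}

# Constructed excerpt of an exported FortiGate configuration (not a real device),
# containing the backdoor account name cited in the article.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "adminin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""


def parse_admin_accounts(config_text):
    """Return {account_name: accprofile} from the 'config system admin' block.
    Only that block is read; entries are delimited by edit "..." / next."""
    accounts, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            accounts[current] = None
        elif line == "next":
            current = None
        elif current is not None:
            m = re.match(r'^set accprofile "([^"]+)"$', line)
            if m:
                accounts[current] = m.group(1)
    return accounts


def audit_admins(config_text, approved=APPROVED_ADMINS):
    """List (name, accprofile) for every admin account not in the approved set."""
    return sorted((name, prof) for name, prof in parse_admin_accounts(config_text).items()
                  if name not in approved)


if __name__ == "__main__":
    print(audit_admins(SAMPLE_CONFIG))  # [('adminin', 'super_admin')]
```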