A US government entity, likely Union County, Ohio, paid approximately $1 million in bitcoin to the Kairos extortion group to prevent stolen files from being published. Notably, no encryption was involved — Kairos operated purely as a data-theft extortion group, reflecting a growing trend where attackers skip ransomware lockers entirely and use stolen data as leverage. The negotiation ran about a month, starting at $3m and settling at $1m. The payment was traced through wallets to exchanges including Bybit, OKX, and a Russian service. Kairos provided a 'proof of deletion' file, though such promises are historically unreliable. The case highlights that encryption-free extortion is rising — Sophos reported only ~50% of 2025 ransomware attacks involved encryption. Defensive recommendations include MFA, monitoring outbound transfers, and network segmentation of sensitive records.
Source: https://thenextweb.com/news/kairos-data-extortion-million-payment. 8sync News only summarizes and links to the original; copyright of the content belongs to the author and the original source.
In 2026, the most dangerous cyber threats include AI-driven scams, deepfake voices, double-extortion ransomware, risks from cloud misconfigurations, attacks on mobile devices, password reuse, sophisticated social engineering, and supply-chain attacks. To guard against them, users should use a password manager, enable multi-factor authentication (MFA), update their devices regularly, and be careful when clicking links.
Developers should read this article to understand how to protect their systems and applications against emerging threats from AI, ransomware, and sophisticated attacks, and from there build effective security measures and defend against future attacks.
Market research company Klue confirmed that hackers used a credential from a 2022 limited pilot to breach its systems on June 12, stealing OAuth tokens that granted access to customer data stored in third-party clouds and databases. Affected customers include LastPass and several other cybersecurity firms. The hacking group Icarus claimed responsibility and is threatening to release stolen data unless a ransom is paid. Klue has not explained why the four-year-old credential was never revoked after the pilot ended, raising serious questions about its credential management and vendor-access controls.
A large-scale credential-harvesting campaign called 'FortiBleed' has been uncovered, targeting over 430,000 internet-facing FortiGate firewalls by exploiting CVE-2026-35616 (CVSS 9.1) in FortiClient EMS. Attributed to a Russian-speaking initial access broker, the campaign deployed a custom Golang packet sniffer ('FortigateSniffer') on ~12,000 devices to passively intercept authentication traffic across 24 protocols, amassing over 110 million credentials. The operation is directly linked to INC Ransom and Lynx ransomware-as-a-service groups, with at least 12 confirmed ransomware deployments. Immediate mitigations include upgrading FortiClient EMS to 7.4.7+, rotating all credentials, auditing for the 'adminin' backdoor account, restricting port 8013, and enabling MFA on FortiGate admin interfaces.
Despite international crackdowns and high-profile arrests, cybercrime scam centers in Southeast Asia — particularly in Cambodia, Myanmar, Laos, and the Philippines — continue to generate an estimated $40 billion annually. Two new reports from Interpol and Amnesty International reveal that local police corruption is a primary reason enforcement efforts fail, with Cambodian authorities allegedly communicating directly with scam compound managers. Amnesty International found that 73 trafficking survivors were treated as irregular migrants rather than victims, and Cambodia's gambling commission approved casino plans for 16 known scam locations. Internationally, the criminal model is spreading to Africa and other regions, with syndicates adopting multi-layer extortion tactics and improved money laundering strategies. Interpol warns that dismantling individual facilities without addressing the broader ecosystem leads to a Whac-A-Mole dynamic where operations simply relocate.
SOCRadar research reveals that the FortiBleed initial access broker (IAB) campaign — which compromised thousands of Fortinet FortiGate firewalls using a Golang-based credential sniffer — is now collaborating with Inc Ransom and Lynx ransomware-as-a-service gangs. A single operator was found logged into both ransomware negotiation panels using infrastructure traceable to FortiBleed. The IAB has achieved admin-level access on 409 targets, with at least 12 confirmed ransomware deployments. Additionally, the FortiBleed group is exploiting an undisclosed zero-day vulnerability in Nextcloud to expand access. SOCRadar assesses the IAB as a structured ~20-person operation acting as an access-supply layer, with Inc and Lynx as downstream monetization channels.

Ransomware recovery is widely misunderstood as a simple technical restoration exercise. Five common misconceptions are examined: that backups alone equal cyber resilience, that the latest backup is the safest restore point, that absence of malware or IoCs means a snapshot is clean, that fast recovery is always good recovery, and that recovery is purely an IT problem. The core argument is that true recovery means restoring to a trusted state — addressing identity, persistence, attack pathways, and control gaps — not just getting systems back online quickly. A governance-driven model with defined recovery conditions, cross-team decision rights, and evidence-led confidence criteria is advocated over speed-first approaches.
Security company Sysdig recorded the first ransomware attack carried out fully autonomously by an AI agent, JADEPUFFER, which exploited CVE-2025-3248 in Langflow to gain initial access, then automatically harvested credentials, maintained persistence, attacked the production database, encrypted 1,342 files, and deleted the original data together with an extortion note. The cruel twist is that the AI generated a random encryption key that was displayed only once and then vanished, leaving the victim unable to recover the data even after paying the ransom.
Developers should read this article to understand how AI automates complex attacks such as ransomware, from the initial vulnerability through to locking and destroying data, using automation techniques and automatic self-correction of its own mistakes, which shows the new risk posed by a generation of automated attacks.
Germany's cooperative and savings banks are rolling out cryptocurrency trading to tens of millions of retail customers, reversing a position held just four years ago when they cited 'incalculable risks.' DZ Bank has already secured a MiCA licence from BaFin and launched the 'meinKrypto' platform integrated into its VR Banking App, supporting Bitcoin, Ethereum, Litecoin, and Cardano. DekaBank is building a separate platform for the Sparkassen network's roughly 50 million customers, expected later this year. The shift was enabled by the EU's MiCA regulation, which replaced fragmented national rules with a unified licensing framework. Banks are betting on customer trust — Germans trust their primary bank more than twice as much as crypto exchanges — and on staying relevant against digital-first competitors. Critics, including academics and the savings banks' own lobby group, warn that traditional customers may not fully understand the risks of highly speculative crypto assets.