Summary: Sicarii ransomware operations have been observed using an encryption process that can render post-payment data recovery impossible, even if a decryptor is provided. Halcyon malware analysts were the first to observe that the Sicarii binary includes a functional RSA implementation, but it is used in a way that undermines recoverability. During execution, the malware...
Ransomware attacks kept climbing through 2025, even as major criminal groups collapsed and reformed. A new study conducted by the Symantec and Carbon Black Threat Hunter Team shows that disruption inside the ransomware economy slowed activity only briefly, while extortion methods expanded and diversified. Claimed ransomware attacks by actors operating data leak sites, 2022–2025 (Source:...
Artificial intelligence has already changed how organizations detect and respond to cyber threats. Now it is beginning to reshape how those threats are created. A recently reported campaign shows that attackers are using AI-assisted malware development to support ransomware operations. Security researchers observed a threat group deploying a malware family called Slopoly during post-intrusion activity...
Sierra Management Group Inc., a medical practice management and consulting company based in Newcastle, California, appears to have been targeted in a ransomware attack. Because Sierra Management Group serves as a business partner for medical practices, the potential exposure of healthcare and insurance data could impact thousands. What happened in the Sierra Management Group breach...
T1189 – Drive-by Compromise: The Agenda ransomware has been observed being delivered using various methods such as drive-by downloads, cloned sites, hosted files, and scripted web delivery or via compromised systems. T1091 – Replication Through Removable Media: It has the capability to generate payloads that autoplay via removable media such as USB drives and CDs. T1078 –...
Ravie Lakshmanan | Mar 18, 2026 | Network Security / Ransomware. Amazon Threat Intelligence is warning of an active Interlock ransomware campaign that’s exploiting a recently disclosed critical security flaw in Cisco Secure Firewall Management Center (FMC) Software. The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), a case of insecure deserialization of user-supplied Java byte stream, which could...
Shamis & Gentile P.A., one of the nation’s premier class action law firms specializing in data breach cases, is investigating the Mosley Glick O’Brien data breach. If you were affected by the data breach, your sensitive personally identifiable information may have been exposed, and you may be eligible for compensation. About Mosley Glick O’Brien Mosley...
Mosley Glick O’Brien Inc. (MGO), a certified public accounting firm now based in Maumee, Ohio, disclosed a ransomware attack that may have exposed sensitive personal information belonging to certain clients and individuals. The company discovered the attack on Feb. 19, 2025, but its review of what data was affected took roughly one year to complete....
Marquis, a Texas-based financial services provider, revealed this week that a ransomware gang stole the data of over 670,000 individuals in an August 2025 cyberattack that also disrupted operations at 74 banks across the United States. The company provides digital marketing, data analytics, compliance, and CRM services to more than 700 banks, credit unions, and mortgage lenders across...
LeakNet is scaling its ransomware operation by pairing mass-market ClickFix lures with a stealthy Deno-based loader that executes almost entirely in memory, shrinking the window for defenders to intervene. Ransomware operator LeakNet is currently averaging around three victims per month. However, recent activity shows the group investing in its own delivery and execution infrastructure to grow that...