Cybercrime
,
Fraud Management & Cybercrime
,
Incident & Breach Response
Also, US Sanction Cybercrime Enablers, Celine Dion Ticket Scam
Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, ransomware victims paying less, the United States sanctioned cybercrime enablers, scammers targeted Celine Dion fans, 23andMe to pay $18 million for 2023 data breach, a 13-year old Daixin infection, Spiral ransomware, Patch Tuesday, CISA ordered rapid SharePoint patching and Spanish police busted a 140 million euro cybercrime ring. The Argentine Football Association probed fake emails sent to journalists. Vamos, vamos Argentina.
See Also: Know Thy Enemy: Threats to Cyber Resilience
Ransomware Victims Pay Less, But AI-Accelerated Gangs Loom
Ransomware victims are shelling out less to cybercriminals, leading attackers to seek new strategies reshape the extortion industry.
Top-flight ransomware groups remain constant innovators. Among their advances: new endpoint detection and response evasion capabilities, as demonstrated by the Deadlock group. Another evolution, demonstrated by the ransomware-as-a-service operation The Gentlemen, has been to tap artificial intelligence tools to refresh tools more quickly than ever before, and to use that as a selling point for recruiting hotshot affiliates, says a Thursday report from cybersecurity firm ReliaQuest.
Perhaps not coincidentally, The Gentlemen for the first time racked up the greatest number of non-paying victims of any ransomware group, ReliaQuest said in analysis about second quarter trends. Groups never list all of the victims who do pay, leading researchers to track market share based on posts to their data-leak blogs, which detail a subset of alleged victims who didn’t pay.
ReliaQuest counted 2,252 victim listings in total during the second quarter, up 51% year over year, with Qilin, DragonForce, Akira and LockBit rounding out the top five.
Of course, rankings don’t tell the full story. “Defenders must focus on attacker behaviors, not the leaderboard shuffle, especially as some of the most disruptive groups may never crack the top ranks at all,” ReliaQuest said.
Going in the other direction from decreasing ransomware payments is the cost of recovering from a successful attack, which averages $1.7 million over the past 12 months, up 11% from the prior year, found Sophos.
The cybersecurity firm found the median ransom payment in this year’s report is now $698,000, down from $1.3 million from the year before and $2 million in 2024 report. The median ransom payment is now $769,000, down from $1 million last year.
The proclivity of victims to pay a ransom varied greatly by sector, ranging from 72% of local and state governments paying, to 45% of healthcare firms, to 32% of retailers, Sophos found. Encryption is also a factor. Last year, 56% of ransomware attacks succeeded in encrypting a victim’s system, up slightly from the prior year, and 48% of those victims said they paid.
US Sanctions Against Cybercrime Enablers
The United States sanctioned two accused cybercrime facilitators and a virtual private sector it said was as favorite of ransomware cybercriminals.
The U.S. Department of the Treasury’s Office of Foreign Assets Control sanctioned Ukrainian national Dmytro Rashevskyi, administrator of VPN provider First VPN Service, and Belarusian national Yegeniy Silayev, who allegedly sold cryptors used to disguise ransomware and other malware from security tools.
According to the Treasury, 1VPNS enabled ransomware groups to conceal the origins of attacks, deploy malware and manage stolen data. The VPN service was dismantled in a multinational law enforcement operation in May, advertised that it kept no customer logs and did not cooperate with law enforcement. U.S. officials said ransomware actors using the sanctioned services caused billions of dollars in losses across businesses, hospitals, financial institutions and government entities.
Fake Ticket Scam Targets Celine Dion Fans With Cloned Sites
Cybercriminals are exploiting demand for Celine Dion’s upcoming Paris concerts through a coordinated ticket scam that combines social engineering on Facebook with fake ticketing websites impersonating legitimate sellers.
Researchers from Group-IB found fraudsters infiltrating Facebook groups and Marketplace listings dedicated to queen of power ballads concerts, where they build trust with fans before offering tickets through direct bank transfers instead of official resale platforms. Victims are sent what appears to be a legitimate Ticketmaster ticket transfer, but the same digital ticket and entry code are sold repeatedly to multiple buyers. Because the ticket can only be scanned once, only the first attendee gains entry while the rest are denied access.
Researchers also uncovered more than 20 fraudulent websites impersonating Ticketmaster, AXS, Celine Dion’s official site and Paris La Défense Arena. The sites use Shopify’s payment infrastructure and mimic legitimate checkout and login pages to convince fans they are buying authentic tickets.
Group-IB said technical indicators, including shared OAuth identifiers and similar website code, suggest the domains were created from the same phishing kit, potentially repurposed from scams targeting previous high-profile tours.
The company urged consumers near and far to purchase tickets only through official distributors or authorized resale platforms, verify website URLs carefully and avoid direct bank transfers when buying tickets from private sellers. The heart of careful fans will go and on.
23andMe to Pay $18M Over 2023 Data Breach
Genetic testing firm 23andMe, now operating as Chrome Holding, will pay $18 million to settle allegations by 43 U.S. state attorneys general over security failures tied to its 2023 data breach that exposed the personal information of nearly 7 million people.
The settlement resolves claims that the company failed to implement adequate security safeguards before the breach. The funds will be distributed among participating states.
In a separate ruling, the same bankruptcy court ordered California Attorney General Rob Bonta to either dismiss or amend the state’s lawsuit against Chrome Holding by July 25 to remove claims seeking monetary damages. The court said the company’s Chapter 11 reorganization plan bars creditors from pursuing separate monetary claims against the reorganized business.
California may continue pursuing civil penalties and other nonmonetary relief in the bankruptcy proceedings, while claims against unnamed defendants may also proceed.
California’s complaint alleges that despite warning signs, 23andMe failed to detect the breach for months, delayed implementing additional security measures such as mandatory password resets and notified affected consumers only after hackers demanded a ransom and advertised stolen data for sale online (see: 23andMe Failed to Stop Months-Long Hack, State Alleges).
The ruling follows the court’s approval last week of a separate $46.75 million settlement to compensate victims of the credential-stuffing attack, including more than 855,000 affected California residents.
China Espionage Malware Daxin Hit Taiwan Tech Firm
A China-linked rootkit malware and a previously unknown backdoor were present on a compromised host in a Taiwan-based subsidiary of a multinational high-tech manufacturer, researchers found.
Backdoor.Daxin was found on the machine in May and might have gone undetected on the network for 13 years, said endpoint security firm Symantec. The same host was infected with Backdoor.Stupig around the same time, suggesting it may be linked to the Daxin operation.
First discovered in 2022, Daxin is a kernel-mode rootkit characterized by its sophisticated command and control mechanism.
“Rather than establishing its own outbound connections, the driver monitors incoming TCP traffic for specific patterns and hijacks existing legitimate connections to carry encrypted command and control traffic,” Symantec said. “This made Daxin exceptionally difficult to identify with conventional network monitoring.”
The malware is also capable of communicating through chains of infected hosts, reaching systems on isolated network segments after multiple hops, Symantec said.
Daxin has been attributed to an unidentified Chinese state-sponsored group by Symantec.
The new Stupig backdoor’s developers seem to be familiar with Daxin’s source code as the two share similarities in their buildout, Symantec said.
Stupig injects malicious code into a Windows keyboard-layout dynamic-link library loaded during the logon process to handle keyboard input, allowing attackers to execute commands with the operating system’s highest privileges directly from the logon screen before anyone signs in without triggering unusual logon audit events.
Spirals Ransomware Hits IT Firm Hours After Initial Breach
Cybercriminals deployed a previously unknown ransomware family to breach a South Asian IT services company and launch a double extortion attack within a day after their initial breach, researchers found.
The ransomware, named Spirals on the attacker darkweb site, is a Rust-based payload that emerged in June, security firm Symantec said. The malware has a wide range of capabilities including defense evasion, encryption, lateral movement, process termination, obfuscation and privilege escalation.
Attackers gained initial access through Microsoft’s Internet Information Services web server software. The web host isolates different web applications into individual worker processes, which attackers exploited to upload a web shell that enabled a hands-on-keyboard session.
Over a three-hour interactive session, attackers escalated privileges via a User Account Control bypass, started a remote-control session and created a local account to maintain persistent access. They also enumerated user accounts, shared folders and installed program directories and harvested credentials by transferring a Security Account Manager database that stores local user logins to a password-protected archive.
To deploy the ransomware, attackers set up covert remote access through a reverse-SOCK proxy and delivered the payload, masquerading as a legitimate Windows utility executable, across the victim’s network.
Microsoft Fixes 2 Zero-Day Flaws in July
Microsoft released fixes for a record 622 vulnerabilities on Tuesday, including two zero-day flaws that are already being exploited in attacks.
The actively exploited bugs effect on-premises SharePoint Server and Active Directory federation services. Tracked as CVE-2026-56164 and CVE-2026-56155, both are privilege escalation flaws that could give attackers elevated access to critical enterprise systems. The U.S. Cybersecurity and Infrastructure Security Agency added both flaws to its Known Exploited Vulnerabilities catalog.
The SharePoint flaw enables unauthenticated attackers to elevate privileges over a network, making it the highest-priority fix for organizations running self-hosted SharePoint. The release also coincides with the end of extended support for SharePoint Server 2016 and 2019, leaving no paid security update option for customers that delay upgrades.
Microsoft also addressed a publicly disclosed BitLocker bypass vulnerability, CVE-2026-50661, which requires physical access and is not known to be exploited.
Researchers highlighted another SharePoint authentication bypass, CVE-2026-55040, disclosed by Rapid7. Although Microsoft patched part of the attack chain, a related remote code execution flaw is scheduled for release in August.
CISA Orders Rapid SharePoint Patching
Following Microsoft’s Patch Tuesday release, the U.S. Cybersecurity and Infrastructure Security Agency warned that attackers are actively exploiting three vulnerabilities in internet-facing, on-premises SharePoint Server deployments and urged organizations to apply the newly released patches immediately.
The campaign exploits CVE-2026-32201, CVE-2026-45659 and the newly patched CVE-2026-56164 to bypass authentication, achieve remote code execution and deploy malware. CISA also flagged CVE-2026-55040 and CVE-2026-58644 as high-risk vulnerabilities that could soon become targets for attackers, although neither is currently known to be exploited.
CISA recommended enabling Antimalware Scan Interface integration for SharePoint, reviewing systems for signs of compromise, rotating IIS machine keys after remediation and limiting internet exposure of SharePoint servers. The agency gave federal agencies until July 17 to secure systems affected by CVE-2026-56164 or remove them from service.
Spanish Police Bust 140M Euro Cybercrime Ring
Spanish police dismantled an international cybercrime and money-laundering network accused of stealing approximately $160 million through investment fraud and business email compromise scams.
The operation, carried out with support from Europol and Interpol, resulted in the arrest of four suspects in Spain, Portugal and Panama. Investigators described the group as operating on an “industrial scale,” using more than 800 bank accounts, 120 business accounts and dozens of money mules to move and conceal illicit funds.
Authorities said the network laundered at least $107 million in criminal proceeds and linked another $69.5 million to BEC attacks carried out in 2024. The scams, also known as CEO fraud or false-invoice fraud, rely on social engineering to impersonate senior executives and trick organizations into transferring money to accounts controlled by the criminals.
The investigation began after police identified suspicious money-laundering activity involving 19 companies connected to the operation. Searches were conducted at six locations across Barcelona, Girona, Tarragona and Porto, Portugal, while another suspect was arrested in Panama after allegedly continuing to support the scheme from abroad.
Law enforcement officers seized 15 computers and more than 170 smartphones believed to have been used to facilitate thousands of fraudulent transactions. Authorities also froze $3.4 million in suspected criminal proceeds, which they said will be made available for victim compensation.
Police said the network’s core operators have been arrested and the laundering operation has been dismantled.
AFA Probes Cyberattack After Fake Emails Sent to Journalists
The Argentine Football Association is investigating a cyberattack after unauthorized emails were sent from one of its official accounts claiming Argentina’s World Cup victory over Egypt was aided by “corrupt refereeing decisions.”
The fraudulent messages, distributed to journalists following Argentina’s Round of 16 win, falsely stated that the national team “did not win” and praised Egypt’s performance while alleging that the referees were corrupt. The emails also referenced Egypt’s support for Palestine and ended with the warning: “If there is no justice on the pitch, do not expect peace on your networks.”
In a statement, the AFA said it had detected possible unauthorized access to an institutional email account. The organization said it is investigating the incident and implementing additional security measures.
Local media reported that early findings point to an Egyptian online forum where credentials linked to the compromised account may have been leaked.
Other Stories From Last Week
With reporting from Information Security Media Group’s Mathew Schwartz in Scotland, Tiffany Wang in New York City and Marianne Kolbasuk McGee in the Boston exurbs.
Click Here For The Original Source.
