Ransomware (2)
The Scattered Spider cybercrime group launched sophisticated ransomware attacks on July 28, 2025, targeting VMware ESXi servers across critical U.S. infrastructure including retail and airline sectors. The hackers used stolen credentials and social engineering to hijack ESXi hypervisors, encrypting multiple virtual machines at once and causing widespread business disruptions.
CISA issued an urgent advisory urging organizations to patch vulnerable ESXi systems and strengthen access controls. Security experts say the group's evolving tactics make detection increasingly difficult for defenders. The attacks underscore urgent concerns about ransomware threats to virtualized environments that many organizations rely on for core operations.
Source: The Hacker News
A new ransomware group called Chaos has launched attacks across multiple sectors, primarily targeting US organizations with some victims in the UK, New Zealand, and India. The gang, which emerged in February 2025, uses sophisticated social engineering tactics—flooding targets with spam emails then impersonating IT security staff over phone calls to trick victims into granting remote access via Microsoft Quick Assist.
Cisco Talos researchers believe Chaos was likely formed by former BlackSuit/Royal gang members, based on similar encryption methods and ransom note structures. The group demands large ransoms (one case involved $300,000) and threatens DDoS attacks plus data disclosure if victims don't pay.
Source: Infosecurity
Ingram Micro, a major technology distributor with $48 billion in annual sales, confirmed a ransomware attack has disrupted its operations for days. The breach, attributed to the SafePay ransomware group, has halted software licensing services and left customers unable to access products dependent on the company's backend systems.
Sources suggest hackers breached Ingram Micro through Palo Alto's GlobalProtect VPN using stolen credentials. SafePay, active since November 2024 with over 220 victims, has previously targeted organizations across multiple countries. The company's website remains down, with customers reporting continued inability to access portals or receive email responses from departments.
Source: BankInfoSecurity