ransomware

Cyberattack keeps JLR factories shut, hackers claim responsibility

Jaguar Land Rover (JLR) has confirmed that data was affected in a cyberattack that has kept its UK factories idle for more than a week. The company stated that it is contacting anyone whose data was involved, although it did not clarify whether the breach affected customers, suppliers, or internal systems.

JLR reported the incident to the Information Commissioner’s Office and immediately shut down IT systems to limit damage. Production at Midlands and Merseyside sites has been halted until at least Thursday, with staff instructed not to return before next week.

The disruption has also hit suppliers and retailers, with garages struggling to order spare parts and dealers facing delays registering vehicles. JLR said it is working around the clock to restore operations in a safe and controlled way, though the process is complex.

Responsibility for the hack has been claimed by Scattered Lapsus$ Hunters, a group linked to previous attacks on Marks & Spencer, the Co-op, and Las Vegas casinos in the UK and the US. The hackers posted alleged screenshots from JLR’s internal systems on Telegram last week.

Cybersecurity experts say the group’s claim that ransomware was deployed raises questions, as it appears to have severed ties with Russian ransomware gangs. Analysts suggest the hackers may have only stolen data or are building their own ransomware infrastructure.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

International search widens for ransomware fugitive on EU Most Wanted

A Ukrainian cybercrime suspect has been added to the EU’s Most Wanted list for his role in the 2019 LockerGoga ransomware attack against a major Norwegian aluminium company and other global incidents.

The fugitive is considered a high-value target and is wanted by multiple countries. The US Department of Justice has offered up to USD 10 million for information leading to the arrest.

Europol stated that the identification of the suspect followed a lengthy, multinational investigation supported by Eurojust, with damages from the network estimated to be in the billions. Several members of the group have already been detained in Ukraine.

Investigators have mapped the network’s operations, tracing its hierarchy from malware developers and intrusion experts to money launderers who processed illicit proceeds. The wanted man is accused of directly deploying LockerGoga ransomware.

Europol has urged the public to visit the EU Most Wanted website and share information that could assist in locating the fugitive. The suspect’s profile is now live on the platform.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Anthropic reveals hackers are ‘weaponising’ AI to launch cyberattacks

In its latest threat intelligence report, Anthropic has revealed that its AI tool Claude has been purposefully weaponised by hackers, offering a disturbing glimpse into how quickly AI is shifting the cyber threat landscape.

In one operation, termed ‘vibe hacking’, attackers used Claude Code to automate reconnaissance, ransomware creation, credential theft, and ransom-demand generation across 17 organisations, including those in healthcare, emergency services and government.

The firm also documents other troubling abuses: North Korean operatives used Claude to fabricate identities, successfully get hired at Fortune 500 companies and maintain access, all with minimal real-world technical skills. In another case, AI-generated ransomware variants were developed, marketed and sold to other criminals on the dark web.

Experts warn that such agentic AI systems enable single individuals to carry out complex cybercrime acts once reserved for well-trained groups.

While Anthropic has deactivated the compromised accounts and strengthened its safeguards, the incident highlights an urgent need for proactive risk management and regulation of AI systems.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Microsoft uncovers strategic cloud-based ransomware

The Microsoft Threat Intelligence team has warned about a financially motivated threat actor known as Storm-0501. The group has been adapting tactics to steal data stored in the cloud and lock companies out of their systems. Essentially, these cloud-based ransomware tactics enable the threat actors to rapidly exfiltrate large volumes of data while destroying backups and demanding ransoms.

It was also found that they targeted subsidiaries lacking Microsoft security tools to evade detection, moved laterally across the network, and exploited an account that did not have multi-factor authentication enabled. After resetting the account’s password and registering their own Multi-Factor Authentication (MFA) method, they gained full access to the cloud environment, created a backdoor, and accessed critical assets. The hacker stole sensitive data, deleted backups, and demanded a ransom, demonstrating a calculated and strategic approach to breaching the organisation’s defences.

According to The Record, several security firms have reported that former ransomware hackers are now targeting data stored in the cloud. Over the past year, major breaches have involved the theft of data from providers such as Snowflake and Salesforce.

Recently, Google identified a campaign in which attackers used a third-party service to steal Salesforce data. Their goal was to obtain login credentials, allowing them to compromise victim environments further and potentially pivot into the systems of clients or partners, signalling a shift towards more strategic, credential-focused cloud attacks.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Storm-0501 wipes Azure data after ransomware attack

A ransomware group has destroyed data and backups in a Microsoft Azure environment after exfiltrating sensitive information, which experts describe as a significant escalation in cloud-based attacks.

The threat actor, tracked as Storm-0501, gained complete control over a victim’s Azure domain by exploiting privileged accounts.

Microsoft researchers said the group used native Azure tools to copy data before systematically deleting resources to block recovery efforts.

After exfiltration, Storm-0501 used AzCopy to steal storage account contents and erase cloud assets. Immutable resources were encrypted instead.

The group later contacted the victim via Microsoft Teams using a compromised account to issue ransom demands.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Researchers uncover first-ever AI-powered ransomware ‘Promptlock’

The Slovak software company specialising in cybersecurity has discovered a GenAI-powered ransomware named PromptLock in its latest research report. The researchers describe it as the ‘first known AI-powered ransomware’. Although it has not been observed in an actual attack, it is considered a proof of concept (PoC) or a work in progress.

Researchers also found that this type of ransomware may have the ability to exfiltrate, encrypt, and possibly even destroy data.

They noted: ‘The PromptLock malware uses the gpt-oss-20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes.’

The report highlights how AI tools have made it easier to create convincing phishing messages and deepfakes, lowering the barrier for less-skilled attackers. As ransomware becomes more widespread, often deployed by advanced persistent threat (APT) groups, AI is expected to increase both the scale and effectiveness of such attacks.

PromptLock demonstrates how AI can automate key ransomware stages, such as reconnaissance and data theft, faster than ever. The emergence of malware capable of adapting its tactics in real time signals a new and more dangerous frontier in cybercrime.

Additionally, the GenAI company Anthropic has published a threat intelligence report revealing that malicious actors have attempted to exploit its AI model, Claude, for cybercriminal activities. The report outlines eight cases, including three major incidents.

One involved a cybercriminal group using Claude to automate data theft and extortion, targeting 17 organisations. Another detailed how North Korean actors used Claude to create fake identities, pass interviews, and secure remote IT jobs to fund the regime. A third case involved a criminal using Claude to create sophisticated ransomware variants with strong encryption and advanced evasion techniques. Most attempts were detected and disrupted before being carried out.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

AI chatbot Claude misused for high-value ransomware

Anthropic has warned that its AI chatbot Claude is being misused to carry out large-scale cyberattacks, with ransom demands reaching up to $500,000 in Bitcoin. Attackers used ‘vibe hacking’ to let low-skill individuals automate ransomware and create customised extortion notes.

The report details attacks on at least 17 organisations across healthcare, government, emergency services, and religious sectors. Claude was used to guide encryption, reconnaissance, exploit creation, and automated ransom calculations, lowering the skill needed for cybercrime.

North Korean IT workers misused Claude to forge identities, pass coding tests, and secure US tech roles, funneling revenue to the regime despite sanctions. Analysts warn generative AI is making ransomware attacks more scalable and affordable, with risks expected to rise in 2025.

Experts advise organisations to enforce multi-factor authentication, apply least-privilege access, monitor anomalies, and filter AI outputs. Coordinated threat intelligence sharing and operational controls are essential to reduce exposure to AI-assisted attacks.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

AI tools underpin a new wave of ransomware

Avast researchers uncovered that the FunkSec ransomware group used generative AI tools to accelerate attack development.

While the malware was not fully AI-generated, AI aided in writing code, crafting phishing templates and enhancing internal tooling.

A subtle encryption flaw in FunkSec’s code became the decryption breakthrough. Avast quietly developed a free tool, bypassing the need for ransom payments and rescuing dozens of affected users in cooperation with law enforcement.

However, this marks one of the earliest recorded instances of AI being used in ransomware, targeting productivity and stealth. It demonstrates how cybercriminals are adopting AI to lower entry barriers and that forensic investigation and technical agility remain crucial defence tools.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ransomware attack at DaVita exposes data of 2.7 million patients in the US

A ransomware attack against dialysis provider DaVita has exposed the personal data of 2.7 million people, according to a notice on the US health department’s website.

The company first disclosed the cyber incident in April, saying it had taken steps to restore operations but could not predict the scale of disruption.

DaVita confirmed that hackers gained unauthorised access to its laboratory database, which contained sensitive information belonging to some current and former patients. The firm said it is now contacting those affected and offering free credit monitoring to help protect against identity theft.

Despite the intrusion, DaVita maintained uninterrupted dialysis services across its network of nearly 3,000 outpatient clinics and home treatment programmes. The company described the cyberattack as a temporary disruption but stressed that patient care was never compromised.

Financial disclosures show the incident led to around $13.5 million in charges during the second quarter of 2025. Most of the costs were linked to system restoration and third-party support, with $1 million attributed to higher patient care expenses.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

North Korean hackers switch to ransomware in major cyber campaign

A North Korean hacking unit has launched a ransomware campaign targeting South Korea and other countries, marking a shift from pure espionage. Security firm S2W identified the subgroup, ‘ChinopuNK’, as part of the ScarCruft threat actor.

The operation began in July, utilising phishing emails and a malicious shortcut file within a RAR archive to deploy multiple malware types. These included a keylogger, stealer, ransomware, and a backdoor.

ScarCruft, active since 2016, has targeted defectors, journalists, and government agencies. Researchers say the move to ransomware indicates either a new revenue stream or a more disruptive mission.

The campaign has expanded beyond South Korea to Japan, Vietnam, Russia, Nepal, and the Middle East. Analysts note the group’s technical sophistication has improved in recent years.

Security experts advise monitoring URLs, file hashes, behaviour-based indicators, and ongoing tracking of ScarCruft’s tools and infrastructure, to detect related campaigns from North Korea and other countries early.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!