CMC pegs JLR hack at £1.9bn with 5,000 firms affected

JLR’s cyberattack is pegged at £1.9bn, the UK’s costliest on record. Production paused for five weeks from 1 September across Solihull, Halewood, and Wolverhampton. CMC says 5,000 firms were hit, with full recovery expected by January 2026.

JLR is restoring manufacturing in phases and declined to comment on the estimate. UK dealer systems were intermittently down, orders were cancelled or delayed, and suppliers faced uncertainty. More than half of the losses fall on JLR; the remainder hits its supply chain and local economies.

The CMC classed the incident as Category 3 on its five-level scale. Chair Ciaran Martin warned organisations to harden critical networks and plan for disruption. The CMC’s assessment draws on public data, surveys, and interviews rather than on disclosed forensic evidence.

Researchers say costs hinge on the attack type, which JLR has not confirmed. Data theft is faster to recover than ransomware; wiper malware would be worse. A claimed hacker group linked to earlier high-profile breaches is unverified.

The CMC’s estimate excludes any ransom, which could add tens of millions of dollars. Earlier this year, retail hacks at M&S, the Co-op, and Harrods were tagged Category 2. Those were pegged at £270m–£440m, below the £506m cited by some victims.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Microsoft warns of a surge in ransomware and extortion incidents

Financially motivated cybercrime now accounts for the majority of global digital threats, according to Microsoft’s latest Digital Defense Report.

The company’s analysts found that over half of all cyber incidents with known motives in the past year were driven by extortion or ransomware, while espionage represented only a small fraction.

Microsoft warns that automation and accessible off-the-shelf tools have allowed criminals with limited technical skills to launch widespread attacks, making cybercrime a constant global threat.

The report reveals that attackers increasingly target critical services such as hospitals and local governments, where weak security and urgent operational demands make them easy victims.

Cyberattacks on these sectors have already led to real-world harm, from disrupted emergency care to halted transport systems. Microsoft highlights that collaboration between governments and private industry is essential to protect vulnerable sectors and maintain vital services.

While profit-seeking criminals dominate by volume, nation-state actors are also expanding their reach. State-sponsored operations are growing more sophisticated and unpredictable, with espionage often intertwined with financial motives.

Some state actors even exploit the same cybercriminal networks, complicating attribution and increasing risks for global organisations.

Microsoft notes that AI is being used by both attackers and defenders. Criminals are employing AI to refine phishing campaigns, generate synthetic media and develop adaptive malware, while defenders rely on AI to detect threats faster and close security gaps.

The report urges leaders to prioritise cybersecurity as a strategic responsibility, adopt phishing-resistant multifactor authentication, and build strong defences across industries.

Security, Microsoft concludes, must now be treated as a shared societal duty rather than an isolated technical task.


Beer deliveries falter after Asahi cyber crisis

A ransomware attack by the Qilin group has crippled Asahi Group Holdings, Japan’s leading brewer, halting production across most of its 30 factories. Over 27GB of stolen Asahi data appeared online, forcing manual order processing with handwritten notes and faxes.

The attack has slashed shipments to 10-20% of normal capacity, disrupting supplies of its popular Super Dry beer.

Small businesses, like Tokyo’s Ben Thai restaurant, are left with dwindling stocks, some down to just a few bottles. Retail giants such as 7-Eleven, FamilyMart, and Lawson warn of shortages affecting not only beer but also Asahi’s soft drinks and bottled teas.

Liquor store owners, grappling with limited deliveries, fear disruptions could persist for weeks given Asahi’s 40% market dominance.

Experts point to Japan’s outdated legacy systems and low cybersecurity expertise as key vulnerabilities, making firms like Asahi prime targets. Recent attacks on Japan Airlines and Nagoya’s port highlight a growing trend.

The reliance on high trust in Japanese society further emboldens hackers, who often demand ransoms from unprepared organisations.

The government’s Active Cyber Defense Law aims to strengthen protections by enhancing information sharing and empowering proactive counterattacks. Chief Cabinet Secretary Yoshimasa Hayashi confirmed an ongoing investigation into the Asahi breach.

However, small vendors and customers face ongoing uncertainty, with no clear timeline for full recovery of Japan’s beloved brews.


Police arrest two teens after Kido data breach

Two 17-year-olds have been arrested in connection with a ransomware attack on the London-based nursery chain Kido, which led to the theft of data belonging to about 8,000 children. The Metropolitan Police confirmed the arrests took place in Bishop’s Stortford and Hertfordshire.

The suspects are accused of computer misuse and blackmail after hackers demanded a ransom of roughly £600,000 in Bitcoin. The stolen data included names, addresses, photographs, and parent contact details, some of which were briefly published on the darknet.

The hacking group, known as Radiant, claimed responsibility for the attack and later removed the files, saying they had deleted the data. Cybersecurity experts condemned the exposure of children’s personal details as one of the most serious breaches of its kind.

Kido said it fully cooperated with UK law enforcement and welcomed the police action, calling it an important step toward justice. The Metropolitan Police said the investigation remains ongoing as officers continue working to identify everyone involved.


Oracle systems targeted in unverified data theft claims, Google warns

Google has warned that hackers are emailing company executives, claiming to have stolen sensitive data from Oracle business applications. The group behind the campaign identifies itself as affiliated with the Cl0p ransomware gang.

In a statement, Google said the attackers target executives at multiple organisations with extortion emails linked to Oracle’s E-Business Suite. The company stated that it lacks sufficient evidence to verify the claims or confirm whether any data has been taken.

Neither Cl0p nor Oracle responded to requests for comment. Google did not provide additional information about the scale or specific campaign targets.

The Cl0p ransomware gang has been involved in several high-profile extortion cases, often using claims of data theft to pressure organisations into paying ransoms, even when breaches remain unverified.

Google advised recipients to treat such messages cautiously and report any suspicious emails to security teams while investigations continue.


Cybersecurity researchers identify ransomware using open-source tools

A ransomware group calling itself Yurei first emerged on 5 September, targeting a food manufacturing company in Sri Lanka. Within days, the group had added victims in India and Nigeria, bringing the total confirmed incidents to three.

Check Point researchers found that Yurei’s code is largely derived from Prince-Ransomware, an open-source project. The developers did not strip symbols from the compiled binary, so it retains the original function and module names, which makes the link to Prince-Ransomware clear.

Yurei operates using a double-extortion model, combining file encryption with theft of sensitive data. Victims are pressured to pay not only for a decryption key but also to prevent stolen data from being leaked.

Yurei’s extortion workflow involves posting victims on a darknet blog, sharing proof of compromise such as internal document screenshots, and offering a chat interface for negotiation. If a ransom is paid, the group promises a decryption tool and a report detailing the vulnerabilities exploited during the attack, akin to a pen-test report.

Preliminary findings (with ‘low confidence’) suggest that Yurei may be based in Morocco, though attribution remains uncertain.

The emergence of Yurei illustrates how open-source ransomware projects lower the barrier to entry, enabling relatively unsophisticated actors to launch effective campaigns. The focus on data theft rather than purely encryption may represent an escalating trend in modern cyberextortion.


Cyberattack keeps JLR factories shut, hackers claim responsibility

Jaguar Land Rover (JLR) has confirmed that data was affected in a cyberattack that has kept its UK factories idle for more than a week. The company stated that it is contacting anyone whose data was involved, although it did not clarify whether the breach affected customers, suppliers, or internal systems.

JLR reported the incident to the Information Commissioner’s Office and immediately shut down IT systems to limit damage. Production at Midlands and Merseyside sites has been halted until at least Thursday, with staff instructed not to return before next week.

The disruption has also hit suppliers and retailers, with garages struggling to order spare parts and dealers facing delays registering vehicles. JLR said it is working around the clock to restore operations in a safe and controlled way, though the process is complex.

Responsibility for the hack has been claimed by Scattered Lapsus$ Hunters, a group linked to previous attacks in the UK and the US on Marks & Spencer, the Co-op, and Las Vegas casinos. The hackers posted alleged screenshots from JLR’s internal systems on Telegram last week.

Cybersecurity experts say the group’s claim that ransomware was deployed raises questions, as it appears to have severed ties with Russian ransomware gangs. Analysts suggest the hackers may have only stolen data or are building their own ransomware infrastructure.


International search widens for ransomware fugitive on EU Most Wanted

A Ukrainian cybercrime suspect has been added to the EU’s Most Wanted list for his role in the 2019 LockerGoga ransomware attack against a major Norwegian aluminium company and other global incidents.

The fugitive is considered a high-value target and is wanted by multiple countries. The US Department of Justice has offered up to USD 10 million for information leading to the arrest.

Europol stated that the identification of the suspect followed a lengthy, multinational investigation supported by Eurojust, with damages from the network estimated to be in the billions. Several members of the group have already been detained in Ukraine.

Investigators have mapped the network’s operations, tracing its hierarchy from malware developers and intrusion experts to money launderers who processed illicit proceeds. The wanted man is accused of directly deploying LockerGoga ransomware.

Europol has urged the public to visit the EU Most Wanted website and share information that could assist in locating the fugitive. The suspect’s profile is now live on the platform.


Anthropic reveals hackers are ‘weaponising’ AI to launch cyberattacks

In its latest threat intelligence report, Anthropic has revealed that its AI tool Claude has been purposefully weaponised by hackers, offering a disturbing glimpse into how quickly AI is shifting the cyber threat landscape.

In one operation, termed ‘vibe hacking’, attackers used Claude Code to automate reconnaissance, ransomware creation, credential theft, and ransom-demand generation across 17 organisations, including those in healthcare, emergency services and government.

The firm also documents other troubling abuses: North Korean operatives used Claude to fabricate identities, successfully get hired at Fortune 500 companies and maintain access, all with minimal real-world technical skills. In another case, AI-generated ransomware variants were developed, marketed and sold to other criminals on the dark web.

Experts warn that such agentic AI systems enable single individuals to carry out complex cybercrime acts once reserved for well-trained groups.

While Anthropic has deactivated the compromised accounts and strengthened its safeguards, the incident highlights an urgent need for proactive risk management and regulation of AI systems.


Microsoft uncovers strategic cloud-based ransomware

The Microsoft Threat Intelligence team has warned about a financially motivated threat actor known as Storm-0501. The group has been adapting tactics to steal data stored in the cloud and lock companies out of their systems. Essentially, these cloud-based ransomware tactics enable the threat actors to rapidly exfiltrate large volumes of data while destroying backups and demanding ransoms.

It was also found that they targeted subsidiaries lacking Microsoft security tools to evade detection, moved laterally across the network, and exploited an account that did not have multi-factor authentication (MFA) enabled. After resetting the account’s password and registering their own MFA method, they gained full access to the cloud environment, created a backdoor, and accessed critical assets. The attackers stole sensitive data, deleted backups, and demanded a ransom, demonstrating a calculated and strategic approach to breaching the organisation’s defences.
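As an added example (not from Microsoft's report or the original article), the following Python flags the sequence described above: a password reset followed shortly by the first MFA method registration on an account that previously had none. The event schema, account names, IP addresses, the 60-minute window and the unfamiliar-IP condition are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema:
# (timestamp, action, account, source_ip, mfa_methods_before_event)
EVENTS = [
    ("2025-08-01T08:00:00", "password_reset", "carol@example.test", "198.51.100.30", 0),
    ("2025-08-01T09:00:00", "password_reset", "svc-sync@example.test", "203.0.113.50", 0),
    ("2025-08-01T09:04:00", "mfa_method_registered", "svc-sync@example.test", "203.0.113.50", 0),
    ("2025-08-01T10:00:00", "password_reset", "alice@example.test", "198.51.100.20", 1),
    ("2025-08-01T10:10:00", "mfa_method_registered", "alice@example.test", "198.51.100.20", 1),
    ("2025-08-01T11:00:00", "mfa_method_registered", "bob@example.test", "203.0.113.77", 0),
    ("2025-08-01T12:00:00", "mfa_method_registered", "carol@example.test", "203.0.113.50", 0),
]

# Constructed baseline of source IPs each account normally signs in from.
KNOWN_IPS = {
    "svc-sync@example.test": {"198.51.100.10"},
    "alice@example.test": {"198.51.100.20"},
    "carol@example.test": {"198.51.100.30"},
}


def find_reset_then_mfa(events, known_ips, window_minutes=60):
    """Return one alert per account where a password reset is followed,
    within the window, by the account's first MFA method registration
    coming from an IP outside that account's baseline."""
    window = timedelta(minutes=window_minutes)
    last_reset = {}  # account -> time of most recent password reset
    alerts = []
    for ts, action, account, ip, mfa_before in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "password_reset":
            last_reset[account] = when
        elif action == "mfa_method_registered":
            reset = last_reset.get(account)
            if reset is None or when - reset > window:
                continue  # no recent reset: ordinary enrolment
            first_method = mfa_before == 0
            unfamiliar_ip = ip not in known_ips.get(account, set())
            if first_method and unfamiliar_ip:
                alerts.append({"account": account, "ip": ip,
                               "reset_at": reset.isoformat(), "mfa_at": ts})
    return alerts


if __name__ == "__main__":
    for alert in find_reset_then_mfa(EVENTS, KNOWN_IPS):
        print(alert)
```
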

According to The Record, several security firms have reported that former ransomware hackers are now targeting data stored in the cloud. Over the past year, major breaches have involved the theft of data from providers such as Snowflake and Salesforce.

Recently, Google identified a campaign in which attackers used a third-party service to steal Salesforce data. Their goal was to obtain login credentials, allowing them to compromise victim environments further and potentially pivot into the systems of clients or partners, signalling a shift towards more strategic, credential-focused cloud attacks.
