LockBit ransomware platform breached again

LockBit, one of the most notorious ransomware groups of recent years, has suffered a significant breach of its dark web platform. Its admin and affiliate panels were defaced and replaced with a message linking to a leaked MySQL database, seemingly exposing sensitive operational details.

The message mocked the gang with the line ‘Don’t do crime CRIME IS BAD xoxo from Prague,’ raising suspicions of a rival hacker or vigilante group behind the attack.

The leaked database, first flagged by a threat actor known as Rey, contains 20 tables revealing details about LockBit’s affiliate network, tactics, and operations. Among them are nearly 60,000 Bitcoin addresses, payload information tied to specific targets, and thousands of extortion chat messages.

A ‘users’ table lists 75 affiliate and admin identities, many with passwords stored in plain text—some comically weak, like ‘Weekendlover69.’

While a LockBit spokesperson confirmed the breach via Tox chat, they insisted no private keys were exposed and that losses were minimal. However, the attack echoes a recent breach of the Everest ransomware site, suggesting the same actor may be responsible.

Combined with past law enforcement actions—such as Operation Cronos, which dismantled parts of LockBit’s infrastructure in 2024—the new leak could harm the group’s credibility with affiliates.

LockBit has long operated under a ransomware-as-a-service model, providing malware to affiliates in exchange for a cut of ransom profits. It has targeted both Linux and Windows systems, used double extortion tactics, and accounted for a large share of global ransomware attacks in 2022.

Despite ongoing pressure from authorities, the group has continued its operations—though this latest breach could prove harder to recover from.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

LockBit ransomware Bitcoin addresses exposed

Nearly 60,000 Bitcoin addresses linked to LockBit’s ransomware operations have been exposed following a major breach of the group’s dark web affiliate panel.

The leak, which included a MySQL database dump, was shared publicly online and could help blockchain analysts trace LockBit’s financial activity that would otherwise have gone untracked.

According to LockBit, no private keys were leaked despite the scale of the breach: a representative reportedly confirmed the incident in a message and stated that no sensitive access data was compromised. So far the only source for that claim is the group itself.

However, the exposed database included 20 tables, such as one labelled ‘builds’ that contained details about ransomware created by affiliates and their targeted companies.

Another table, ‘chats,’ revealed over 4,400 messages from negotiations between victims and LockBit operators, offering a rare glimpse into the inner workings of ransomware extortion tactics.

Analysts believe the hack may be connected to a separate breach of the Everest ransomware site, since both defacements carried the same message.

The incident has again underscored the central role of cryptocurrency in the ransomware economy. Each victim is typically given a unique payment address, so no single address aggregates the group’s income and tracking has to link many addresses together.

Now that these addresses are public, law enforcement and blockchain experts have a chance to trace payments and potentially link them to previously unidentified actors.
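A practitioner handed a dump like this would first pull the address strings out of it and discard anything whose checksum does not verify, so that typos in chat messages and stray regex hits never reach the tracing pipeline. The following is an added example written for this page; it is not tooling from the leak, from Rey, or from any analyst mentioned above. It extracts candidates with a regular expression, verifies legacy ‘1’/‘3’ addresses with Base58Check (the last four decoded bytes must equal the first four bytes of a double SHA-256 over the version byte and hash) and ‘bc1’ addresses with the BIP173/BIP350 bech32 checksum. The SQL rows are constructed for the demo: the two real addresses in them are public (the genesis block coinbase address and the BIP173 test vector), the ‘3’ address is generated from a dummy hash, and nothing comes from the leaked database.

```python
# Added example: pull Bitcoin addresses out of free text and keep only those whose
# checksum verifies. Not code from the leak or from any analyst named in the article.
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3

# Loose candidate pattern: legacy '1'/'3' Base58 strings, or single-case 'bc1' strings.
# Validity is decided by the checksum functions below, not by the regex.
CANDIDATE_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{11,71}|BC1[AC-HJ-NP-Z02-9]{11,71}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b")

def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + raw  # each leading '1' is a zero byte

def b58check_encode(version: int, payload: bytes) -> str:
    """version || payload || first 4 bytes of SHA256(SHA256(...)), Base58 encoded."""
    raw = bytes([version]) + payload
    raw += double_sha256(raw)[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def valid_base58check(addr: str) -> bool:
    """Legacy P2PKH/P2SH: 25 decoded bytes whose last 4 match the double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and double_sha256(raw[:21])[:4] == raw[21:]

def bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def valid_bech32(addr: str) -> bool:
    """Mainnet segwit address: BIP173 (witness v0, bech32) or BIP350 (v1+, bech32m)."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is forbidden
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:sep], addr[sep + 1:]
    if hrp != "bc" or any(c not in BECH32_CHARSET for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [BECH32_CHARSET.index(c) for c in data]
    expected = BECH32_CONST if BECH32_CHARSET.index(data[0]) == 0 else BECH32M_CONST
    return bech32_polymod(values) == expected

def classify(addr: str):
    """'p2pkh', 'p2sh' or 'segwit' when the checksum verifies, else None."""
    if addr[:3].lower() == "bc1":
        return "segwit" if valid_bech32(addr) else None
    if valid_base58check(addr):
        return "p2pkh" if addr[0] == "1" else "p2sh"
    return None

def extract_addresses(text: str):
    """Return (verified [(address, kind)], rejected [address]) in order of first appearance."""
    seen, valid, rejected = set(), [], []
    for m in CANDIDATE_RE.finditer(text):
        cand = m.group(0)
        if cand in seen:
            continue
        seen.add(cand)
        kind = classify(cand)
        target = valid if kind else rejected
        target.append((cand, kind) if kind else cand)
    return valid, rejected

# Constructed sample rows (not from the leak). The two real addresses are public: the
# genesis block coinbase address and the BIP173 test vector. The '3' address is built
# from a dummy hash, and rows 3 and 4 each carry a one-character corruption.
SAMPLE_DUMP = (
    "INSERT INTO `btc_addresses` VALUES (1,'1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa','2024-01-03');\n"
    "INSERT INTO `btc_addresses` VALUES (2,'bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4','2024-01-04');\n"
    "INSERT INTO `btc_addresses` VALUES (3,'1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb','2024-01-05');\n"
    "INSERT INTO `chats` VALUES (9,'send 0.5 btc to bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5 within 48h');\n"
    f"INSERT INTO `btc_addresses` VALUES (4,'{b58check_encode(5, bytes(range(20)))}','2024-01-06');\n"
)

if __name__ == "__main__":
    good, bad = extract_addresses(SAMPLE_DUMP)
    print("verified:", good)
    print("rejected:", bad)
```

A verified checksum proves only that the string is a well-formed address, not who controls it; the two corrupted rows are rejected because a single wrong character breaks both checksum schemes, which is exactly the kind of noise a chat export contains. Clustering and attribution then happen on-chain, by linking addresses that are spent together or that reuse the same script.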

M&S halts meal deals amid ongoing cyber attack disruption

Marks & Spencer has temporarily suspended some of its popular meal deal offers as the retailer continues to grapple with the fallout from a serious cyber attack.

Signs in stores, including at major transport hubs such as Victoria Station, explain that availability issues have made it impossible to fulfil certain promotions, and ask customers for patience while the company works through the disruption.

The suspended promotions include its usual lunchtime combinations and dine-in meal deals priced between £6 and £15; the stock shortfalls stem from the attack, which is now in its third week.

The attack is reportedly linked to a group of teenage hackers using ransomware, which locks computer systems and demands payment for their release.

The breach has already caused significant operational challenges, with fears internally that the disruption could drag on for weeks. Sources suggest the financial impact could run into tens of millions in lost orders, as systems remain frozen and supply chains struggle to recover.

Meal deal suspensions are the latest sign of the broader strain the retailer is under as it scrambles to restore normal service.

New research highlights escalating cyberthreats to global energy sector

Resecurity has published new research examining recent cyber threat activity targeting energy infrastructure across North America, Asia, and the European Union. The report, a continuation of Resecurity’s earlier analysis, focuses on incidents involving energy firms, including nuclear facilities and associated research entities.

According to the findings, these organisations are being targeted by various threat actors, including hacktivist groups, ransomware operators, and nation state entities. The report observes that geopolitical tensions remain a significant factor behind many of these activities, with actors associated with China, Iran, North Korea, and Russia among those identified.

The primary focus of these campaigns has been cyber-espionage, although incidents involving ransomware operations against operational technology (OT) systems have also been reported. The convergence of IT and OT systems, the growing use of cloud technologies, and the increased deployment of Industrial Internet of Things (IIoT) devices are noted as factors contributing to the expanded attack surface within the sector.

Resecurity’s HUNTER unit documented various threat actors engaged in targeting critical infrastructure. The report emphasises the need for energy firms to monitor dark web platforms for exposed credentials, particularly given the weaknesses in IT and software supply chains through which such credentials leak.

Technological developments such as AI adoption within the energy sector are also discussed as contributing to the evolving threat landscape. AI is reported to lower entry barriers for certain types of cyber operations, while its integration into critical infrastructure networks introduces additional risks.

The Resecurity analysis also underscores the role of cyber supply chain risks, citing the MOVEit managed file transfer breach as an example of downstream impacts affecting multiple layers of vendors and service providers.

In response to these developments, the US Department of Energy (DOE), alongside the National Association of Regulatory Utility Commissioners (NARUC), issued updated cybersecurity guidelines in 2024 aimed at strengthening the resilience of electric distribution systems and distributed energy resources.

Overall, the research identifies an increase in cyberattacks targeting energy infrastructure globally, suggesting that some of these activities may be linked to broader geopolitical strategies. The report highlights the involvement of both state-sponsored and criminal actors in shaping this threat environment.

Ransomware decline masks growing threat

A recent drop in reported ransomware attacks might seem encouraging, yet experts warn this is likely misleading. Figures from the NCC Group show a 32% decline in March 2025 compared to the previous month, totalling 600 incidents.

However, the dip reflects unusually high volumes in earlier months rather than an actual reduction in cybercrime. Incidents were up 46% compared with March last year, highlighting the continued escalation in threat activity.

Rather than fading, ransomware groups are becoming more sophisticated. Babuk 2.0 emerged as the most active group in March, though doubts surround its legitimacy. Security researchers believe it may be recycling leaked data from previous breaches, aiming to trick victims instead of launching new attacks.

A tactic like this mirrors behaviours seen after law enforcement disrupted other major ransomware networks, such as LockBit in 2024.

Industrials were the hardest hit, followed by consumer-focused sectors, while North America bore the brunt of geographic targeting.

With nearly half of all recorded attacks occurring in the region, analysts expect North America, especially Canada, to remain a prime target amid rising political tensions and cyber vulnerability.

Meanwhile, cybercriminals are turning to malvertising, malicious online advertisements that lead victims to malware downloads, as a stealthier route of attack. This tactic has gained traction through the misuse of trusted platforms like GitHub and Dropbox, and is increasingly being enhanced with generative AI tools.

Instead of relying solely on technical expertise, attackers now use AI to craft more convincing and complex threats. As these strategies grow more advanced, experts urge organisations to stay alert and prioritise threat intelligence and collaboration to navigate this volatile cyber landscape.

Neptune RAT malware targeting Windows users

A highly advanced malware known as Neptune RAT is making waves in the cybersecurity world, posing a major threat to Windows PC users. Labelled by experts as the ‘most advanced RAT ever,’ it is capable of hijacking systems, stealing cryptocurrency, extracting passwords, and even launching ransomware attacks.

According to cybersecurity firm CYFIRMA, Neptune RAT is being distributed via platforms like GitHub, Telegram and YouTube, and is available as malware-as-a-service, allowing virtually anyone to deploy it for a fee.

Neptune RAT’s feature set is alarmingly broad. It includes a crypto clipper that watches the clipboard for copied wallet addresses and silently swaps in attacker-controlled ones, so that a payment the victim pastes and sends goes to the attackers instead of the intended recipient.

It also comes with a password-stealing tool that can extract credentials from over 270 applications, including popular browsers like Chrome. Beyond theft, the malware can spy on users in real-time, disable antivirus tools including Windows Defender, and encrypt files for ransom, making it a formidable threat.

Cybersecurity experts are urging users to avoid clicking on unknown links or downloading suspicious files from the platforms where the malware is circulating. Neptune RAT also includes a data-wiping feature that lets attackers destroy all data on a compromised system.

Users are advised to stay cautious online and to consider identity theft protection plans that offer financial recovery and insurance in case a system replacement becomes necessary.

For more information on these topics, visit diplomacy.edu.

NHS contractor fined after ransomware attack

The tech firm Advanced, which provides services to the NHS, has been fined over £3 million by the UK data watchdog following a major ransomware attack in 2022.

The breach disrupted NHS systems and exposed personal data from tens of thousands across the country.

Originally facing a £6 million penalty, Advanced saw the fine halved after settling with the Information Commissioner’s Office.

Regulators said the firm failed to implement multi-factor authentication, allowing hackers to access systems using stolen login details.

The LockBit attack caused widespread outages, including loss of access to UK patient data. Advanced acknowledged the resolution but declined to offer further comment or name a spokesperson when contacted.

Ransomware spreads through online conversion tools

The FBI’s Denver Field Office has issued a national warning over a rising cyber threat involving fake file converter websites. These sites, posing as free tools for tasks like converting documents or media formats, are secretly distributing ransomware and malware while appearing to perform legitimate functions.

According to the FBI, users are lured by services that convert files such as ‘.doc’ to ‘.pdf’ or combine image files, but the downloaded output often contains hidden malware.

A recent case revealed that a site impersonating Convertio delivered RedLine Stealer, a dangerous strain that harvests sensitive data from browsers, crypto wallets, and applications like Telegram and Discord.

Security experts have identified multiple malicious domains involved, with recent incidents reported in the Denver area.

The FBI urges the public to avoid unknown converter sites, keep antivirus software updated, and use built-in conversion features within trusted apps.
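The check below is an added example for this page, not FBI tooling or code from any converter site: it decides what a downloaded ‘converted’ file actually is from its leading bytes rather than its name, flags native executables and scripts that come back under a document extension, and looks inside ZIP-based office files for executable members. The signature table and the list of risky member extensions are a chosen subset, not an exhaustive one, and the sample files are constructed in memory with headers only; none of them is real malware.

```python
# Added example (not FBI tooling): decide what a downloaded "converted" file really is
# from its leading bytes, not its name, and flag executables hiding behind document names.
import io
import zipfile

# Signature families a converter site typically claims to produce.
FAMILY_MAGIC = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "zip": [b"PK\x03\x04"],  # docx/xlsx/pptx are ZIP containers
}
# Family that each claimed extension must belong to.
FAMILY_OF_EXT = {"pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
                 "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip"}
# Native executables and scripts: converter output should never start like this.
EXECUTABLE_MAGIC = {"pe": b"MZ", "elf": b"\x7fELF", "macho64": b"\xcf\xfa\xed\xfe", "script": b"#!"}
# Members that make an "office document" archive suspicious (chosen subset).
RISKY_MEMBER_EXT = (".exe", ".dll", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk")

def detect_family(data: bytes):
    """Return ("executable", kind), (family, None) or (None, None) from the leading bytes."""
    for kind, magic in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return "executable", kind
    for family, sigs in FAMILY_MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return family, None
    return None, None

def risky_zip_members(data: bytes):
    """Names of archive members with executable or script extensions."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(RISKY_MEMBER_EXT)]
    except zipfile.BadZipFile:
        return ["<corrupt archive>"]  # claims to be a ZIP container but is not one

def check_download(filename: str, data: bytes) -> dict:
    """Compare the extension the file claims with what its bytes say it is."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    family, kind = detect_family(data)
    result = {"file": filename, "claimed": ext, "detected": kind or family}
    if family == "executable":
        result["verdict"] = "executable"      # a program came back instead of a document
    elif family is None:
        result["verdict"] = "unknown"         # no recognised signature: treat as suspect
    elif FAMILY_OF_EXT.get(ext) != family:
        result["verdict"] = "mismatch"        # e.g. a .jpg whose bytes are a PNG
    elif family == "zip":
        result["members"] = risky_zip_members(data)
        result["verdict"] = "risky_archive" if result["members"] else "ok"
    else:
        result["verdict"] = "ok"
    return result

def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: headers only, no real malware. Names are what a fake converter might return.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "report_converted.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + bytes(56),   # PE header under a .pdf name
    "photo.jpg": b"\x89PNG\r\n\x1a\n" + bytes(16),                       # PNG bytes under a .jpg name
    "invoice.docx": make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "statement.docx": make_zip({"word/document.xml": b"<w:document/>", "Statement.pdf.exe": b"MZ" + bytes(30)}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = check_download(name, data)
        print(f"{r['verdict']:14} {name:22} claimed={r['claimed']} detected={r['detected']}")
```

A file that passes is not proven safe: a genuine PDF or DOCX can still carry malicious content (embedded scripts, macros, exploit payloads), so this catches the crude case of an executable handed back under a document name and nothing more. It is a pre-open sanity check, not a substitute for the updated antivirus and the trusted in-app converters the FBI recommends.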

Europol arrests four Russians in ransomware crackdown

Authorities have arrested four Russian nationals suspected of deploying Phobos ransomware to extort payments from victims across Europe and beyond. Europol announced that law enforcement agencies from 14 countries worked together to dismantle the network, taking down 27 servers linked to the cybercriminals. The individuals arrested were reportedly leaders of the 8Base ransomware group, a key player in distributing Phobos malware.

The operation follows a series of recent arrests targeting Phobos-related cybercrime. In June 2024, a key administrator of the ransomware was apprehended in South Korea and later extradited to the United States, while another major affiliate was arrested in Italy last year. Authorities have since issued warnings to over 400 companies worldwide about imminent cyberattacks.

Phobos ransomware has been particularly damaging to small and medium-sized businesses, which often lack strong cybersecurity protections. The latest crackdown is a significant step towards weakening the network and preventing further extortion.

Ransomware attack locks energy contractor out of financial systems for six weeks

ENGlobal Corporation, a contractor to the energy sector and the US federal government, was locked out of its financial systems for six weeks following a ransomware attack that began on 25 November 2024, the company disclosed in a filing with the US Securities and Exchange Commission (SEC).

The attack disrupted access to key business applications, affecting operational and corporate functions, including financial and reporting systems. However, ENGlobal stated that its systems have been fully restored, and the attackers no longer have access.

The Oklahoma-based company also confirmed that the breach involved unauthorised access to sensitive personal information stored on its IT systems. The company stated that affected individuals will be notified accordingly.

In an earlier SEC filing in December, ENGlobal revealed that the attackers had encrypted data files after gaining access, forcing the company to restrict IT system access and limit operations to essential functions. Despite the disruption, the company does not expect a material financial impact from the incident.

Founded in 1985, ENGlobal specialises in designing and constructing automation and instrumentation systems for commercial and government clients, including the US defence industry. The company reported $6 million in revenue for the third quarter of 2024.

No ransomware group has claimed responsibility for the attack, which caused a longer-than-average outage.