German authorities have shut down 47 cryptocurrency exchange services in a major crackdown on illegal money laundering. The Federal Criminal Police Office (BKA) and the Central Office for Combating Internet Crime led the operation, targeting platforms that allowed users to exchange conventional currencies and cryptocurrencies without verifying their identities. These services bypassed the ‘know-your-customer’ (KYC) rules, enabling users to trade cryptocurrencies like Bitcoin and Ethereum quickly and anonymously.
Criminals reportedly used these exchanges to conceal the origins of illicit funds, often obtained through dark web drug sales or ransomware attacks. As part of the operation on 20 August, authorities confiscated 13 crypto ATMs and seized nearly $28 million in cash from 35 locations across Germany. Financial watchdog BaFin led the raids, targeting machines operating without the necessary licences, which posed significant money laundering risks.
The closure of these exchanges is part of a wider effort to disrupt cybercrime networks. Investigators managed to secure vital user and transaction data, which could assist in future money-laundering investigations. It follows earlier German crackdowns, including the seizure of ChipMixer, a platform involved in laundering €90 million in crypto.
An undisclosed victim paid $75 million to the Dark Angels ransomware group, setting a record for the largest ransomware payout. Zscaler, a cloud security firm, discovered the payment early in 2024 but did not name the affected organisation. The unprecedented payout is expected to attract other attackers aiming to replicate the Dark Angels’ success.
Zscaler reported an 18% increase in ransomware attacks from April 2023 to April 2024, with manufacturing, healthcare, and technology sectors being the most targeted. The rise in ransomware-as-a-service models, zero-day attacks, vishing, and AI-powered attacks has contributed to record-breaking ransom payments. The energy sector experienced a 500% increase in attacks, making it a prime target for cybercriminals.
The United States remains the top target for ransomware attacks, accounting for nearly half of all incidents. The Dark Angels group, which emerged in May 2022, is notable for targeting high-value healthcare, government, finance, and education companies. Their highest-profile attack in September 2023 involved stealing over 27TB of data from an international conglomerate and demanding a $51 million ransom. Zscaler warns that the success of Dark Angels may inspire similar tactics from other ransomware groups.
Nearly 300 small Indian banks that were forced offline by a ransomware attack have resumed operations, according to the National Payments Corporation of India (NPCI). The attack had targeted C-Edge Technologies, a service provider for these banks, affecting about one-fifth of 1,500 cooperative and rural regional banks in India.
To contain the attack, the NPCI had temporarily isolated the affected banks from the country’s retail payments system. A forensic audit confirmed that the attack did not spread to the banks’ systems but was limited to C-Edge’s infrastructure.
The impacted banks can now resume transactions through the United Payments Interface and other NPCI-operated payment systems. The ransomware attack, attributed to a group called RansomEXX, also affected Brontoo Technology Solutions, a key collaborator with C-Edge Technologies.
Indonesia is starting to recover data encrypted in a significant ransomware attack last month, which impacted over 160 government agencies. The cybercriminals, identified as Brain Cipher, initially demanded $8 million in ransom but later apologised and released the decryption key for free, according to cybersecurity firm StealthMole.
The attack disrupted several government services, including immigration and primary airport operations. Officials acknowledged that much of the data had yet to be backed up. Chief Security Minister Hadi Tjahjanto stated that data for 30 public services across 12 ministries had been recovered using a ‘decryption strategy,’ though details were not provided.
The Communications Ministry is gradually restoring services and assets affected by the attack. It remains to be seen if the government used Brain Cipher’s decryption key directly. Neither Hadi nor Communications Minister Budi Arie Setiadi commented on the matter.
Ransomware attacks involve encrypting data and demanding a ransom to unlock it. In this case, the attackers used malicious software known as Lockbit 3.0.
An international coalition of law enforcement agencies has dismantled hundreds of illegal installations of Cobalt Strike, a penetration testing tool frequently abused by state-sponsored and criminal hackers in ransomware attacks. The operation, coordinated by Britain’s National Crime Agency (NCA), targeted 690 IP addresses hosting illegal versions of the software across 27 countries.
Cobalt Strike, now owned by Fortra, was developed in 2012 to simulate hacker attacks on networks. However, its effectiveness has led to widespread abuse by malicious actors using pirated versions. The crackdown is part of broader efforts to combat ransomware gangs by disrupting critical points in their operations, similar to the recent seizure of bulletproof hosting provider LolekHosted.
In addition to legitimate uses, Cobalt Strike has been exploited by hackers linked to Russia, China, and North Korea. The NCA highlighted that pirated versions of the software, available on illegal marketplaces and the dark web since the mid-2010s, have become a preferred tool for network intrusions and rapid ransomware deployment.
Typically, unlicensed versions of Cobalt Strike are used in spear phishing campaigns to install beacons on target devices, allowing attackers to profile and remotely access networks. Its multifunctional nature, including command and control management, makes it a ‘Swiss army knife’ for cybercriminals and nation-state actors, according to Don Smith, VP of threat research at Secureworks Counter Threats Unit.
Europol confirmed Fortra’s significant efforts to prevent software abuse and its partnership throughout the investigation. Nevertheless, older versions of Cobalt Strike have been cracked and used by criminals, linking the tool to numerous malware and ransomware cases, including those involving RYUK, Trickbot, and Conti.
The University Hospital Centre in Zagreb, Croatia, was hit by a cyberattack on 27 June, claimed by the LockBit ransomware group. The attack crippled the hospital’s networks, forcing emergency patients to be redirected to other facilities. Despite the disruption, hospital officials assured that patient safety was never compromised. Over 100 experts worked tirelessly to restore the IT systems, bringing the hospital back online within 24 hours.
LockBit, a Russian-affiliated ransomware group, posted on its dark leak site that it had stolen a large cache of sensitive data from the hospital in Croatia, including medical records and employee information. The hospital has not confirmed the specifics of the stolen data but has involved the authorities, and a criminal investigation is underway. LockBit, operating since 2019, has been linked to over 1,400 attacks globally and continues to evade law enforcement despite setbacks like the FBI and Interpol’s Operation Cronos.
The attack on KBC Zagreb coincided with multiple cyberattacks on Croatian government agencies by another Russian-linked group, NoName057(16). Known for targeting the critical infrastructure of nations supporting Ukraine, NoName denied responsibility for the hospital attack, emphasising their principle of not targeting medical facilities. NoName has been responsible for numerous cyberattacks across Europe, affecting several countries’ banking systems and critical infrastructure.
On 8 June, Kadokawa, a Japanese media conglomerate, reported a data security incident on its website, stating that multiple servers within the Kadokawa Group had become inaccessible. In response, the company promptly shut down the affected systems and investigated to determine the incident’s nature and scope.
The ongoing investigation revealed various services, including Niconico, Kadokawa’s official website, and the e-commerce site ‘ebten,’ were impacted. Kadokawa is also looking into potential information leaks resulting from the incident.
Subsequent updates from Kadokawa confirmed that the disruption was caused by a large-scale cyberattack involving ransomware. Emergency measures were taken, such as shutting down servers and forming a task force to assess the damage, identify the cause, and restore operations. The ransomware attack primarily targeted Niconico’s systems, Japan’s popular video-sharing service, as well as affected the company’s payment system, leading to payment delays for some business partners.
The BlackSuit ransomware group claimed responsibility for the attack on Kadokawa and listed the company as a victim on its data leak site. The group alleges to have stolen over 1.5TB of confidential data and threatened to publish it on 1 July unless ransom demands were met.
Kadokawa acknowledged the hacker group’s claims and stated that they are investigating the possibility of data leakage with external cybersecurity experts. The company reassured stakeholders that no credit card information of customers, including Niconico users, is stored in their systems, ensuring that such data remains secure.
A recent report from SentinelLabs and Recorded Future analysts contends that cyberespionage groups have increasingly turned to ransomware as a strategic tool to complicate attribution, divert attention from defenders, or as a secondary objective for financial gain alongside data theft.
The report specifically sheds light on the activities of ChamelGang, a suspected Chinese advanced persistent threat (APT) group that uses the CatB ransomware strain in attacks targeting prominent organisations globally. Operating under aliases like CamoFei, ChamelGang has targeted mostly governmental bodies and critical infrastructure entities, operating mostly from 2021 to 2023.
Employing sophisticated tactics for initial access, reconnaissance, lateral movement, and data exfiltration, ChamelGang executed a notable attack in November 2022 on the Presidency of Brazil, compromising 192 computers. The group leveraged standard reconnaissance tools to map the network and identify critical systems before deploying CatB ransomware, leaving ransom notes with contact details and payment instructions on encrypted files. While initially attributed to TeslaCrypt, new evidence points to ChamelGang’s involvement.
In a separate incident, ChamelGang targeted the All India Institute Of Medical Sciences (AIIMS), disrupting healthcare services with CatB ransomware. Other suspected attacks on a government entity in East Asia and an aviation organisation in the Indian subcontinent share similarities in tactics, techniques, and procedures (TTPs) and the use of custom malware like BeaconLoader.
These intrusions have impacted 37 organisations, primarily in North America, with additional victims in South America and Europe. Moreover, analysis of past cyber incidents reveals connections to suspected Chinese and North Korean APTs.
Why does it matter?
The integration of ransomware into cyberespionage operations offers strategic advantages, blurring the lines between APT and cybercriminal activities to obfuscate attribution and mask data collection efforts. The emergence of ChamelGang in ransomware incidents stresses adversaries’ evolving tactics to achieve their objectives while evading detection.
Hackers have encrypted systems at Indonesia’s national data centre with ransomware, causing disruptions in immigration checks at airports and various public services, according to the country’s communications ministry. The ministry reported that the Temporary National Data Centre (PDNS) systems were infected with Brain Cipher, a new variant of the LockBit 3.0 ransomware.
Communications Minister Budi Arie Setiadi informed that the hackers demanded $8 million for decryption but emphasised that the government would not comply. The attack targeted the Surabaya branch of the national data centre, not the Jakarta location.
The breach risks exposing data from state institutions and local governments. The cyberattack, which began last Thursday, disrupted services such as visa and residence permit processing, passport services, and immigration document management, according to Hinsa Siburian, head of the national cyber agency. The ransomware also impacted online enrollment for schools and universities, prompting an extension of the registration period, as local media reported. Overall, at least 210 local services were disrupted.
Although LockBit ransomware was used, it may have been deployed by a different group, as many use the leaked LockBit 3.0 builder, noted SANS Institute instructor Will Thomas. LockBit was a prolific ransomware operation until its extortion site was shut down in February, but it resurfaced three months later. Cybersecurity analyst Dominic Alvieri also pointed out that the Indonesian government hasn’t been listed on LockBit’s leak site, likely due to typical delays during negotiations. Previously, Indonesia’s data centre has been targeted by hackers, and in 2023, ThreatSec claimed to have breached its systems, stealing sensitive data, including criminal records.
Dubai, known for its ultra-luxurious lifestyle and wealthy population, has reportedly fallen victim to a ransomware attack by the Daixin Team. The cybercriminal group claimed on their dark blog to have exfiltrated 60-80GB of sensitive data from the Government of Dubai’s network systems, including ID cards, passports, and other personally identifiable information (PII).
The stolen data, which has not yet been fully analysed or released, reportedly includes many personal and business records. Among the sensitive information are details about the residents of this city in the UAE, many of whom are expatriates and high-net-worth individuals. Due to the city’s high concentration of wealthy residents, this data breach poses significant risks, such as identity theft and targeted phishing attacks.
The Daixin Team, a Russian-speaking ransomware group active since at least June 2022, is known for targeting various sectors, including healthcare and utilities. They typically gain access through compromised VPN servers or phishing attacks and often publish stolen data if ransom demands are not met. The Government of Dubai has been contacted for comment but has not yet responded.
