28 February 2025

Surge in extortion groups seen in 2024 | Cyber Intelligence Briefing: February 28, 2025

Top news stories this week

  1. S-RM insights. 2024 saw a surge in new extortion groups while ransomware payments decreased.
  2. Leaked. Black Basta chats reveal gang's tactics and procedures.
  3. Uninstalled, mate. Australia bans government use of Kaspersky software.
  4. Breached. An incident at DISA Global Solutions exposes records of more than 3 million individuals.
  5. LockBit’s legacy. Siberia’s largest dairy processing plant ransomed by LockBit strain.
  6. Botnet blitz. Botnet launches password spray attack as keylogger targets Windows users.

1. S-RM’s Cyber Incident Insights Report: Number of threat actors doubled while ransomware payments decreased

Our 2025 Cyber Incident Insights Report highlights a number of key trends in the cyber threat landscape, including a significant rise in the number of threat actors, and an increased focus on small and medium-sized businesses. We also noted a slowdown in ransom payments, with only 14% of ransomware cases resulting in a payment, and an increase in the rate of viable backups.

So what?

Download your copy of the full report here.

[Researcher: Blanche MacArthur]


2. Leaked Black Basta chats reveal details about ransomware gang’s operations

Over 200,000 internal chat messages from the Black Basta ransomware group have been leaked online, revealing details about the group’s tactics and administrators. The leak consists of chats from between September 2023 and September 2024, and sheds light on internal disputes, such as about whether to cease attacking healthcare organizations. The leak was allegedly published in retaliation for targeting a Russian bank.

So what?

This leak provides a rare insight into Black Basta's operations and tactics, which can help organizations improve defensive strategies, as former operators are understood to have moved to other groups such as Cactus and Akira.

[Researcher: Waithera Junghae]


3. Australia bans government use of Kaspersky software

Citing national security risks, Australia’s Department of Home Affairs has issued a directive that prohibits government agencies from installing Kaspersky products on official systems and devices, and has instructed that any existing deployments be removed. Australia joins other members of the Five Eyes intelligence pact that have announced similar restrictions: the United States, the United Kingdom, and Canada.

So what?

Unlike the US, Australia has not fully banned sales of Kaspersky products, but given this development, companies – particularly those with significant interactions with the government – should carefully monitor developments and consider alternative products.

[Researcher: Lester Lim]


4. Incident at DISA Global Solutions exposes records of more than 3 million individuals

A data breach at DISA Global Solutions exposed the sensitive personal information of more than 3.3 million individuals undergoing employment screenings. DISA is a US-based provider of background checks and drug testing for more than 55,000 enterprises and a third of Fortune 500 companies. According to the company’s internal investigation, the criminals accessed its network on 9 February 2024 and went undetected for over two months.

So what?

Organizations should ensure that robust incident detection and response controls across people, processes and technology are in place to enable timely incident detection, fast resolution, and limited business impact.

[Researcher: Milda Petraityte]


5. Siberia’s largest dairy processing plant ransomed by LockBit strain

According to Russia’s FSB security service, an unknown threat actor allegedly launched a variant of LockBit ransomware against Semyonishana, the largest dairy processing plant in Siberia. The attack occurred last December and was reportedly in retaliation for the company's support for Russian troops in Ukraine.

So What?

A builder for the LockBit 3.0 ransomware variant was leaked in December 2023, and various hackers have continued to carry out attacks using the malware even after the group was taken down by law enforcement.

[Researcher: Denisa Greconici]


6. Botnet launches password spray attack as keylogger targets Windows users

A massive botnet of over 130,000 devices is conducting a large-scale password spray attack by exploiting Microsoft’s basic authentication feature. A variant of the Snake Keylogger is targeting Windows users, stealing sensitive data from Chrome, Edge, and Firefox browsers in China, Turkey, Indonesia, Taiwan, and Spain. Separately, the popular credential breach notification site HaveIBeenPwned has added 244 million new passwords to its database, which were originally harvested by infostealer malware.

So what?

Threat actors frequently use credentials obtained through keyloggers or infostealer malware to try to infiltrate target infrastructure. Often, these harvested credentials are sold to other threat actors, who can then exploit them for their own purposes.
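The password spray activity described in this item leaves a characteristic trace in authentication logs: one source touching many accounts with one or two attempts each, rather than many attempts against a single account. The following Python script is an added example, not code from the briefing or from S-RM. It runs a simple sliding-window spray detector over a constructed log sample (the log format, IP addresses, user names and thresholds are all assumptions), flags whether the attempts used legacy basic authentication, and reports any account that then logged in successfully from the same source, which is the finding to escalate first.

```python
"""Password spray detection over authentication logs.

Added example, not part of the S-RM briefing. The log format, sample
values and detection thresholds below are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields:
# <ISO-8601 timestamp> <source IP> <username> <auth method> <result>
# "basic" marks legacy basic authentication (the feature the botnet abuses);
# "modern" stands in for any MFA-capable method.
SAMPLE_LOG = """\
2025-02-27T09:00:01+00:00 203.0.113.10 alice basic FAIL
2025-02-27T09:00:03+00:00 203.0.113.10 bob basic FAIL
2025-02-27T09:00:05+00:00 203.0.113.10 carol basic FAIL
2025-02-27T09:00:08+00:00 203.0.113.10 dave basic FAIL
2025-02-27T09:00:11+00:00 203.0.113.10 erin basic FAIL
2025-02-27T09:00:14+00:00 203.0.113.10 frank basic FAIL
2025-02-27T09:02:30+00:00 203.0.113.10 frank basic SUCCESS
2025-02-27T09:01:00+00:00 198.51.100.7 alice modern FAIL
2025-02-27T09:01:02+00:00 198.51.100.7 alice modern FAIL
2025-02-27T09:01:04+00:00 198.51.100.7 alice modern FAIL
2025-02-27T09:01:06+00:00 198.51.100.7 alice modern FAIL
2025-02-27T09:05:00+00:00 192.0.2.5 bob modern SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, method, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "method": method, "result": result})
    return events


def detect_spray(events, window=timedelta(minutes=10),
                 min_distinct_users=5, max_failures_per_user=2):
    """Flag source IPs whose failures within one sliding window hit many
    distinct accounts with few attempts each (the spray signature, as opposed
    to brute force, which hammers one account). Thresholds are assumptions
    and need tuning per environment."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        best = None
        j = 0
        for i in range(len(fails)):
            # Advance the right edge of the window past the last failure
            # still within `window` of the left edge.
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            chunk = fails[i:j]
            per_user = Counter(e["user"] for e in chunk)
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_failures_per_user):
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(per_user),
                        "failed_attempts": len(chunk),
                        "legacy_auth": any(e["method"] == "basic" for e in chunk),
                        "window_end": chunk[-1]["ts"],
                    }
        if best is None:
            continue
        # A success from the same source after the spray means one of the
        # sprayed passwords probably worked: escalate that account first.
        window_end = best.pop("window_end")
        best["successes_after_spray"] = sorted({
            e["user"] for e in evs
            if e["result"] == "SUCCESS" and e["ts"] > window_end
        })
        findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Run as a script, it reports 203.0.113.10 (six accounts, one attempt each, over basic authentication, followed by a successful login as frank) and stays silent on 198.51.100.7, whose repeated failures against one account are a different pattern. The detection is a stopgap; the complementary control, consistent with the item above, is to disable basic authentication wherever it is not required, so that a sprayed password cannot be used without a second factor.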

[Researcher: Aditya Ganjam Mahesh]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
