
ANZ Organizations Are in the Ransomware Crosshairs — What the Dark Web Is Telling Us

ANZ ransomware threats

The conversation around ANZ ransomware threats has shifted noticeably over the past year. What once looked like sporadic, high-profile incidents has evolved into a sustained and structured campaign against organizations across Australia and New Zealand. Signals emerging from underground forums and marketplaces reveal a sobering reality: ransomware is no longer just a technical problem; it is an economic strategy driven by efficiency, specialization, and scale. 

At the center of this shift is ransomware dark web intelligence, which paints a clear picture of attacker intent. Threat actors are not simply increasing volume; they are refining their focus. The ANZ region, with its high-value economy and deeply digitized infrastructure, has become a preferred hunting ground. 

Why High-Value Economies Attract ANZ Ransomware Threats 

Australia’s economic profile plays directly into the hands of ransomware operators. A strong GDP, combined with a relatively small population, creates a high-return environment. Attackers don’t need to cast a wide net; each successful breach can yield significant payouts. 

By mid-2025, 71 ransomware incidents had been publicly claimed in Australia, compared to nine in New Zealand. On the surface, those figures may seem moderate. However, when adjusted for population, the rate of ransomware attacks in Australia and New Zealand stands out globally. Even larger economies have not experienced the same intensity relative to their size. 

This imbalance reflects a fundamental principle driving ANZ organizations' cybersecurity risks: attackers prioritize value over volume. In practical terms, fewer victims can still mean higher profits.

A Fragmented Threat Landscape with No Single Dominant Actor 

Unlike regions where one ransomware group dominates headlines, the dark web ANZ cyber threats ecosystem is notably fragmented. Multiple groups, including Qilin, Akira, INC, Lynx, and Dragonforce, operate concurrently, each claiming a similar share of attacks. 

This decentralization complicates defense strategies. Organizations are not facing a predictable adversary with a consistent playbook. Instead, they must prepare for a rotating cast of threat actors, each bringing different techniques, timelines, and negotiation tactics. 

From a ransomware dark web intelligence perspective, this fragmentation signals a competitive market. Threat actors are actively testing sectors, probing defenses, and adapting quickly based on what works. 

Industries Under Sustained Pressure 

The distribution of ANZ ransomware threats is far from uniform. Certain sectors continue to absorb the majority of attacks due to the nature of their operations. 

Healthcare and professional services sit at the top of the list. In healthcare, the urgency of patient care creates a near-zero tolerance for downtime, increasing the likelihood of ransom payments. Professional services firms, on the other hand, hold large volumes of sensitive client data, making them lucrative targets. 

However, the scope is broader than these two sectors alone. Aviation software providers, pharmaceutical companies, engineering firms, and even steel manufacturers have all been affected. This pattern reinforces a key insight: ransomware attacks in Australia and New Zealand are opportunistic but calculated, targeting environments where disruption carries tangible consequences. 

Notable Incidents Reveal Tactical Evolution 

Several incidents in 2025 highlight how attackers are evolving their methods. 

The Akira group compromised an Australian industrial technology provider, exfiltrating approximately 10GB of sensitive data, including financial records and employee identification documents. This case highlights the growing overlap between ransomware and critical infrastructure risk. 

In another breach, a political organization suffered exposure to communications, identity records, and financial data, highlighting that ANZ organizations' cybersecurity risks extend beyond the private sector. 

Meanwhile, Dragonforce leaked over 100GB of data from an engineering firm, including technical drawings and internal reports. The long-term implications of such intellectual property theft often exceed immediate financial damage. 

These cases share a common thread: encryption is no longer the sole objective. Data exfiltration and double extortion have become standard practices. 

The Rise of Initial Access Brokers 

One of the most important developments in shaping dark web ANZ cyber threats is the growth of the initial access market. In 2025 alone, 92 instances of compromised access sales were observed across Australia and New Zealand. 

Retail organizations accounted for roughly 34% of these cases, followed by BFSI and professional services. The implications are significant. Attackers no longer need to breach networks themselves; they can simply purchase access. 

This shift has redefined how ANZ ransomware threats materialize. The most complex phase of an attack—initial intrusion—is now outsourced, accelerating timelines and increasing overall attack volume. 

It also introduces indirect risk. Organizations may be compromised through vendors, partners, or shared platforms, expanding the attack surface beyond traditional boundaries. 

Ransomware-as-a-Service and the Scaling Problem 

The emergence of affiliate-driven models, particularly groups like INC Ransom, has further amplified ransomware attacks in Australia and New Zealand. Operating under a Ransomware-as-a-Service structure, these groups separate responsibilities: affiliates handle intrusions, while core operators manage ransom negotiations. 

This model enables rapid scaling. Multiple attacks can be executed simultaneously, each leveraging shared infrastructure and tooling. 

INC Ransom’s activity across healthcare and professional services highlights how effective this approach has become. Their operations often involve credential compromise, privilege escalation, lateral movement, and eventual deployment of ransomware—frequently paired with data exfiltration. 

From a ransomware dark web intelligence standpoint, this reflects a mature ecosystem where roles are specialized, and efficiency is maximized. 

A Regional Problem with Cross-Border Impact 

Although Australia is the primary target, the broader region is not immune. A ransomware attack on Tonga’s Ministry of Health disrupted national healthcare services, while a major breach in New Zealand’s healthcare sector involved both data theft and system encryption. 

These incidents reinforce the interconnected nature of ANZ organizations' cybersecurity risks. Threat actors operate without regard for national boundaries, shifting focus wherever defenses appear weakest. 

Common Entry Points and Techniques 

Despite the evolving ecosystem, many attack methods remain consistent. Spear-phishing campaigns, exploitation of unpatched systems, and the use of stolen credentials continue to dominate. 

Once inside, attackers often rely on legitimate tools—file compression utilities, remote management software, and standard data transfer mechanisms—to blend into normal operations. This “living off the land” approach makes detection significantly more difficult. 

From Defense to Resilience 

The steady rise of ANZ ransomware threats signals a need for strategic change. Perimeter-based defenses are no longer sufficient in an environment where access can be purchased and attacks can be outsourced.

In that environment, organizations must shift toward stronger identity controls, continuous monitoring, rapid patching, and tighter third-party risk management.

Cybersecurity is no longer just about prevention—it’s about resilience. Attacks are inevitable, but their impact doesn’t have to be. Cyble helps organizations stay ahead with AI-powered threat intelligence, dark web monitoring, and predictive defense through its AI-native platform, Cyble Blaze. 


Black Hat Asia 2026 Is Coming to Singapore — Here’s What the Threat Landscape Looks Like Ahead of It

Black Hat Asia 2026

As the cybersecurity community prepares for Black Hat Asia 2026 Singapore, the conversation is shifting from isolated incidents to systemic risk. The Black Hat Asia 2026 conference arrives at a moment when cyber threats are no longer sporadic disruptions. Instead, they are persistent, industrialized, and intertwined with global infrastructure.  

The discussions expected in the Black Hat Asia 2026 schedule and among Black Hat Asia 2026 speakers will likely reflect a reality that defenders are already grappling with: scale has become the defining feature of modern cybercrime. 

Ransomware Has Entered a High-Throughput Era 

Ransomware activity since late 2025 has moved beyond periodic spikes into a sustained, high-frequency operating model. Over the last four months, threat actors have claimed roughly 700 victims per month on average. This marks a notable jump from the approximately 512 monthly victims observed in the first three quarters of 2025, an increase of more than 30 percent. 

This is not just growth; it is maturation. Ransomware groups are no longer operating like loosely organized gangs. They resemble production systems: automated, repeatable, and optimized for throughput. Attack pipelines now rely heavily on credential theft, automated exploitation of known vulnerabilities, and scalable infrastructure that allows campaigns to run continuously.

Supply chain compromises have amplified this efficiency. Rather than targeting organizations individually, attackers breach IT providers or managed service vendors to access multiple downstream victims. One compromised vendor can cascade into dozens of affected organizations, dramatically increasing operational impact. 

Key Players and Tactical Shifts 

Among active groups, Qilin has demonstrated particularly aggressive activity, with over 100 claimed victims in a single month.  

Meanwhile, CL0P has re-emerged with campaigns targeting enterprise software ecosystems, an approach that historically yields high-volume results when successful. 

Other groups, such as Akira, continue to operate at a steady pace, while newer entrants like Sinobi and The Gentlemen are quickly establishing themselves. This constant churn reflects a competitive underground economy where innovation is driven by survival.

Notably, the tactics themselves are evolving. Traditional ransomware encryption is no longer the centerpiece. Instead, attackers prioritize data exfiltration, public exposure threats, and rapid monetization. Negotiation cycles are shrinking, and pressure tactics are intensifying. 

Where Attacks Are Landing 

Geographically, ransomware activity continues to concentrate in highly digitized economies. The United States remains the primary target, accounting for nearly half of observed incidents in early 2026. However, the United Kingdom and Australia have also seen increased activity, partly linked to large-scale exploitation campaigns. 

The logic is straightforward: attackers follow digital density. Regions with mature enterprise ecosystems, extensive outsourcing, and interconnected infrastructure offer higher payouts and more opportunities for lateral movement. 

From a sector perspective, construction, manufacturing, and professional services remain frequent targets. These industries often operate with fragmented security controls and rely heavily on interconnected supplier networks, conditions that attackers exploit. 

The IT services sector is also attractive. Compromising a service provider can unlock access to multiple client environments, effectively multiplying the impact of a single intrusion.  

Real-World Incidents Reflect Broader Trends 

Recent incidents highlight the diversity and scale of ransomware impact. CL0P-linked campaigns have affected organizations across the finance, healthcare, and hospitality sectors in multiple regions. Meanwhile, the Everest group has reportedly targeted a U.S.-based telecommunications manufacturer, exfiltrating sensitive engineering data such as circuit schematics and design files, assets that carry long-term intellectual property risks. 

Critical infrastructure-adjacent organizations are also under pressure. A breach attributed to Qilin reportedly exposed sensitive data from a U.S. airport authority, including financial records and operational documents.       

In Asia, attacks against IT service providers underscore the ongoing vulnerability of managed environments. When attackers access centralized infrastructure, they gain leverage over multiple organizations simultaneously. 

The Constant Arrival of New Threat Actors 

Even as established groups dominate headlines, new ransomware operations continue to emerge. Groups like Green Blood, DataKeeper, and MonoLock highlight how accessible the ransomware ecosystem has become. Many operate under ransomware-as-a-service models, lowering the barrier to entry for affiliates. 

These newer groups often emphasize technical features such as in-memory execution, multithreaded encryption, and hybrid cryptographic techniques. But more importantly, they reflect a broader trend: ransomware is becoming a business model, complete with revenue-sharing schemes and affiliate programs. 

Beyond Ransomware: Expanding Threat Vectors 

While ransomware dominates, it is only part of the threat landscape leading into Black Hat Asia 2026. Hacktivist activity has expanded, with loosely aligned groups forming coordinated networks across geopolitical lines. These operations are often low in sophistication, focused on DDoS attacks and defacements, but high in volume and visibility. 

At the same time, mobile-based threats and social engineering campaigns are accelerating. Attackers are leveraging real-world events to craft convincing phishing messages, malicious apps, and even voice-based scams. The use of AI tools has made these attacks more scalable and believable, reducing the skill required to execute them. 

AI: A Double-Edged Sword 

The rapid adoption of artificial intelligence, particularly in countries like India, is introducing both opportunity and risk. AI systems are no longer passive tools; they are active decision-makers embedded in critical workflows. 

This shift expands the attack surface. Threats now include data poisoning, model manipulation, prompt injection, and unintended data leakage through AI outputs. At the same time, AI is enabling attackers to automate reconnaissance, personalize phishing, and accelerate vulnerability discovery. 

The result is a more balanced battlefield; both attackers and defenders have access to powerful tools, but the speed of offense is increasing faster than defensive adaptation. 

What This Means for Black Hat Asia 2026 

The Black Hat Asia 2026 schedule is likely to reflect these converging trends: industrialized ransomware, supply chain fragility, AI-driven threats, and the growing complexity of global cyber operations. The Black Hat Asia 2026 speakers will not just be discussing vulnerabilities; they will be addressing systemic risk across interconnected ecosystems. 

The current threat landscape suggests a fundamental shift in how organizations must approach security. Prevention alone is no longer sufficient. Resilience, through segmentation, strong identity controls, continuous monitoring, and robust backup strategies, has become essential. 

Equally important is understanding external risk. Third-party exposure, supply chain dependencies, and shared infrastructure are now central to organizational security posture. 

As Black Hat Asia 2026 Singapore approaches, one thing cannot be overlooked: cybersecurity is no longer a technical function operating in the background. It is a discipline that must evolve continuously to keep pace with an organized, adaptive, and relentless adversary ecosystem.


The Energy Sector’s Ransomware Nightmare: Why Critical Infrastructure Can’t Catch a Break

Cyble Energy Sector Report

Let's talk about the sector that keeps our lights on, water running, and industries humming—and why it's become ransomware's favorite target. 

In 2025, the global energy and utilities sector faced 187 confirmed ransomware attacks. Not attempts. Confirmed, successful intrusions where attackers locked systems, stole data, and demanded payment. And that's just what we know about. 

If you think that number sounds alarming, you're paying attention. 

When Ransomware Hits Where It Hurts 

Here's the thing about attacking energy infrastructure: the impact cascades. When ransomware paralyzed Halliburton's operations in August 2025, the company disclosed a $35 million loss. When hackers using FrostyGoop malware hit a Ukrainian municipal energy company, residents in Lviv lost heating during sub-zero temperatures. 

These aren't abstract data breaches. They're disruptions that affect millions of people who depend on essential services. And attackers know this—which makes energy companies prime targets for extortion. 

The ransomware groups leading this assault? RansomHub tops the list with 24 incidents (12.8% of the total), followed closely by Akira with 20 attacks (10.7%) and Play with 18 (9.6%). Throw in Qilin and Hunters/Lynx, and you've got five crews responsible for nearly half of all ransomware incidents against energy targets worldwide. 

Figure 1. Most active ransomware actors in the energy sector (Source: Cyble Energy Sector Report) 

That's not a diverse threat landscape—that's concentrated, organized, industrial-scale cybercrime targeting critical infrastructure. 

Why Energy? Follow the Vulnerability 

Energy companies face a perfect storm of attack vectors that most sectors don't deal with. 

Legacy Infrastructure 
Many power plants, refineries, and water treatment facilities run on operational technology (OT) systems that are decades old. We're talking about industrial control systems running outdated protocols like Modbus and DNP3—designed in an era when "cybersecurity" wasn't even a concept. These systems were built for reliability and uptime, not network defense. 

IT-OT Convergence 
As energy companies digitized operations for efficiency, they connected previously isolated industrial systems to corporate IT networks. That convergence created pathways for attackers to move from phishing an employee's laptop to accessing SCADA systems controlling physical infrastructure. 

Distributed Attack Surface 
Unlike a bank with centralized data centers, energy infrastructure is geographically dispersed. Solar farms, wind installations, substations, pipeline monitoring stations—each represents a potential entry point. And managing security across hundreds or thousands of remote sites? That's a nightmare. 

The Numbers Tell a Grim Story 

Between July 2024 and June 2025, the energy sector didn't just face ransomware. It got hit from every angle: 

  • 37 incidents of compromised network access advertised for sale on criminal forums 

  • 57 data breach and leak events exposing sensitive operational data 

  • 187 ransomware attacks encrypting systems and exfiltrating files 

  • Over 39,000 hacktivist posts targeting energy infrastructure 

Figure 2. Cybercrime incidents related to the energy sector (Source: Cyble Energy Sector Report 2025) 

To get the complete analysis on data breaches, ransomware attacks and attackers, hacktivists, and vulnerabilities plaguing the energy and utilities sector worldwide, download Cyble’s full report now! 

North America bore the brunt of ransomware attacks, accounting for over one-third of incidents. But Asia and Europe weren't far behind, each absorbing significant portions of compromised access sales and data breaches. 

Figure 3. Regional ransomware targeting distribution (Source: Cyble Energy Sector Report 2025) 

This geographic distribution tells us something important: attackers aren't focused on one region. They're systematically targeting energy infrastructure globally, exploiting whichever networks offer the easiest access. 

The Broker Economy Feeding the Fire 

Here's a disturbing trend: initial access brokers are specializing in energy targets. 

During the reporting period, ZeroSevenGroup, mommy, and miyako led sales of compromised energy sector credentials. Together, they posted about 27% of observed access offerings. That might not sound like much until you realize the remaining 73% was split among dozens of one-time sellers.

What this fragmentation means: barriers to entry for attacking energy infrastructure are low. You don't need to be an elite hacker anymore. Just buy credentials from a broker for a few thousand dollars, and you've got a foothold in a power company's network. 

One particularly alarming listing? In March 2025, ZeroSevenGroup advertised admin-level access to a UAE water and power holding company, claiming reach over 5,000 network hosts. Another broker offered access to an Indonesian power plant operations subsidiary. A third claimed control-level access to a French wastewater treatment platform. 

These aren't theoretical vulnerabilities. They're active criminal advertisements offering buyers the keys to critical infrastructure. 

When Hacktivists Target the Grid 

Geopolitical hacktivist groups added another dimension to the threat landscape in 2025—and some crossed lines that genuinely matter. 

Pro-Russian groups like Sector 16 didn't just deface websites or leak stolen documents. They claimed—and provided video evidence of—actual manipulation of operational technology at US oil and gas facilities. We're talking about interfaces controlling shutdown systems, production monitoring, gas-lift controls, and valve actuation. 

Whether they could have caused physical damage is debatable. That they had access to try? Undeniable. 

Figure 4. Hacktivism targeting by region (Source: Cyble Energy Sector Report 2025) 

Similarly, the Golden Falcon Team claimed breach of a French wastewater monitoring platform with access to pH controls, temperature settings, and water distribution parameters. Again, the claimed level of access would allow manipulation of real-world physical processes. 

Most hacktivist activity in 2025 consisted of low-level DDoS attacks and propaganda—more noise than genuine threat. But when groups start demonstrating OT access? That's crossing from nuisance into dangerous territory. 

The Colonial Pipeline Echo 

Remember May 2021? The Colonial Pipeline ransomware attack that caused fuel shortages across the US East Coast? 

That incident was supposed to be a wake-up call. Colonial supplies 45% of fuel for the East Coast. The attack forced them to pay $5 million in ransom just to resume operations. Panic buying. Gas station shortages. Economic disruption. 

Four years later, we're seeing similar attacks globally but with faster execution. The median time from breach to encryption has collapsed. Modern ransomware groups move through networks in hours, not weeks. They know exactly which systems to target for maximum leverage. 

And here's the kicker: many of these attacks succeed using known vulnerabilities that victims simply hadn't patched. 

Vulnerabilities: The Same Old Story 

Throughout 2025, attackers exploited critical flaws in systems that energy companies depend on daily: 

  • ABB ASPECT systems used in substations 

  • Siemens SENTRON PAC3200 power meters 

  • Mass-deployed solar inverter platforms 

  • Schneider Electric Jira instances 

  • Various VMware, Ivanti, and Fortinet products

What's frustrating is that patches existed for most of these. The median remediation time across energy enterprises exceeded 21 days—while attackers were weaponizing exploits within 72 hours of public disclosure. 

That 18-day gap? That's your exposure window. That's when you're vulnerable to attacks using publicly documented methods that everyone knows about. 

What Defense Looks Like 

So what actually works when you're defending energy infrastructure against this onslaught? 

Segment Everything 
Your OT networks shouldn't be reachable from corporate IT. Period. Air-gap where possible. When connection is necessary, lock it down with rigorous access controls, monitoring, and authentication. Every pathway between IT and OT is a potential attack vector. 

Hunt the Broker Market 
Continuous monitoring of criminal forums isn't just for intelligence agencies anymore. Organizations need visibility into whether their credentials or network access is being advertised for sale. Finding out after an attack that your access was sold three months earlier? That's too late. 

Patch with Urgency 
I know, I know—patching OT systems is complex. Downtime is expensive. Testing is slow. But you know what's more expensive? Halliburton's $35 million ransomware loss. Or Nova Scotia Power dealing with 280,000 customers' exposed data.

Create aggressive patch timelines. Test in parallel. Prioritize internet-facing systems and known exploited vulnerabilities. Move fast. 
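As an added example (not code from the report or from Cyble), here is the triage logic behind "prioritize internet-facing systems and known exploited vulnerabilities", using the report's 72-hour weaponization and 21-day median remediation figures as thresholds over a constructed inventory. The SLA tiers, asset names and CVE placeholders are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Thresholds taken from the report's figures.
WEAPONIZATION_WINDOW = timedelta(hours=72)  # exploits weaponized within 72 hours of disclosure
MEDIAN_REMEDIATION = timedelta(days=21)     # median remediation across energy enterprises exceeded 21 days


@dataclass
class Finding:
    asset: str
    cve: str                 # placeholder identifiers below are constructed, not real CVEs
    disclosed: date
    patched: Optional[date]  # None while the finding is still open
    internet_facing: bool
    known_exploited: bool    # e.g. listed in a known-exploited-vulnerabilities catalogue


def remediation_gap_days() -> int:
    """The exposure window the report describes: median patch time minus weaponization time."""
    return (MEDIAN_REMEDIATION - WEAPONIZATION_WINDOW).days


def exposure_days(f: Finding, today: date) -> int:
    """Whole days the finding sat (or still sits) exposed beyond the 72-hour weaponization window."""
    end = f.patched if f.patched is not None else today
    beyond = (end - f.disclosed) - WEAPONIZATION_WINDOW
    return max(0, beyond.days)


def patch_deadline(f: Finding) -> date:
    """Assumed SLA tiers (hypothetical, not from the report): the closer an asset sits to the
    internet and to active exploitation, the closer its deadline is pulled to the 72-hour window."""
    if f.known_exploited and f.internet_facing:
        sla = WEAPONIZATION_WINDOW          # must beat the weaponization window
    elif f.known_exploited or f.internet_facing:
        sla = timedelta(days=7)
    else:
        sla = MEDIAN_REMEDIATION            # anything slower than the median is losing ground
    return f.disclosed + sla


def triage(findings: List[Finding], today: date) -> List[dict]:
    """Open findings, most urgent first: known-exploited before merely internet-facing,
    then by how long each has already been exposed past the weaponization window."""
    rows = []
    for f in findings:
        if f.patched is not None and f.patched <= today:
            continue  # already remediated; nothing to schedule
        deadline = patch_deadline(f)
        rows.append({
            "asset": f.asset,
            "cve": f.cve,
            "known_exploited": f.known_exploited,
            "internet_facing": f.internet_facing,
            "exposure_days": exposure_days(f, today),
            "deadline": deadline,
            "overdue": today > deadline,
        })
    rows.sort(key=lambda r: (not r["known_exploited"], not r["internet_facing"], -r["exposure_days"]))
    return rows


# Constructed inventory for a fictional utility; the "today" date is fixed so results are stable.
TODAY = date(2025, 6, 30)
SAMPLE_FINDINGS = [
    Finding("substation-hmi-01", "CVE-PLACEHOLDER-1", date(2025, 6, 1), None, True, True),
    Finding("eng-workstation-07", "CVE-PLACEHOLDER-2", date(2025, 6, 20), date(2025, 6, 25), False, False),
    Finding("vpn-gw-02", "CVE-PLACEHOLDER-3", date(2025, 6, 27), None, True, False),
    Finding("historian-db", "CVE-PLACEHOLDER-4", date(2025, 5, 1), None, False, True),
]

if __name__ == "__main__":
    print(f"exposure window per the report: {remediation_gap_days()} days")
    for row in triage(SAMPLE_FINDINGS, TODAY):
        flag = "OVERDUE" if row["overdue"] else "on track"
        print(f"{row['asset']:<20} {row['cve']:<20} exposed {row['exposure_days']:>3}d "
              f"deadline {row['deadline']} {flag}")
```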

Prepare for the Worst 
Every energy company should have tested incident response playbooks that assume successful breach. Can you isolate compromised systems? Do you have offline backups they can't encrypt? Can you switch to manual operations if SCADA goes down? Have you drilled these scenarios? 

Because when ransomware locks your systems at 3 AM on a Sunday, you won't have time to figure it out. 

The Honest Truth 

Here's what nobody wants to say out loud: perfect security for energy infrastructure is impossible. 

The attack surface is too large. The systems are too old. The connectivity requirements are too complex. The attacker economics favor offense. 

But perfect security isn't the goal. Resilience is. 

Resilient organizations detect breaches quickly. They respond effectively. They recover without paying ransoms. They learn from incidents and improve their defenses. 

The energy sector can't eliminate ransomware risk. But it can reduce the window of exposure, limit the blast radius, and ensure continuity of critical operations even under attack. 

Because the next attack isn't coming someday. It's probably happening right now, somewhere in the supply chain, and the question is whether defenses will catch it before ransomware deploys. 

For energy and utilities operators navigating the 2026 threat landscape, the challenge is clear: defend infrastructure designed for a pre-internet era against adversaries armed with industrialized attack tools. Resilience isn't optional anymore—it's survival. 


North Korea’s Crypto Theft Operations: The Role of Lazarus Group in State-Sponsored Financial Warfare

Lazarus Group cyberattack

The latest Bitrefill cyberattack offers a revealing look into how state-sponsored cybercrime has evolved into a strategic financial weapon. The latest development revolves around the threat actor Lazarus Group, a hacking collective widely attributed to the DPRK (North Korea), whose operations have blurred the line between cyber espionage and economic warfare.  

What makes this breach notable is not just the theft itself, but how methodically it reflects the broader pattern of Lazarus Group crypto attacks and the growing threat of North Korean hackers' cryptocurrency operations. Bitrefill, a Sweden-based cryptocurrency gift card platform, disclosed that attackers had infiltrated its systems on March 1, 2026.  

The breach led to drained crypto wallets and unauthorized access to approximately 18,500 customer purchase records.  

A Breach That Started with a Laptop 

The initial compromise did not rely on zero-day exploits or exotic vulnerabilities. Instead, it followed a pattern that has become almost characteristic of North Korean hackers' cryptocurrency campaigns: exploiting human error. 

According to Bitrefill’s internal investigation, attackers gained access through a compromised employee's laptop. From there, they extracted a legacy credential (an overlooked but still valid key) that opened the door to a snapshot containing production secrets. This foothold allowed them to escalate privileges and move laterally across the company’s infrastructure.

Bitrefill statement on the cyberattack (Source: Bitrefill on X) 

This method highlights a recurring truth in cybersecurity: attackers often prefer the simplest path. In the case of the Lazarus Group, social engineering and credential abuse consistently outperform more complex technical exploits. 

Inside the Bitrefill Cyberattack 

Once inside, the attackers began mapping the operational model. Rather than immediately exfiltrating large datasets, they probed the environment carefully. Logs indicate they executed a limited number of database queries, likely to identify high-value assets such as cryptocurrency wallets and gift card inventory.

The breach was ultimately detected through anomalies in purchasing behavior. Suspicious transactions involving suppliers revealed that the attackers were exploiting Bitrefill’s gift card supply chain while simultaneously draining funds from its hot wallets, cryptocurrency wallets connected to the internet for active transactions. 

Bitrefill responded by taking its entire system offline, a move that, while disruptive, likely prevented further losses. Given the company’s global footprint, spanning multiple suppliers, products, and payment systems, this shutdown was far from trivial. 

Data Exposure: Limited but Significant 

Although the attackers did not extract the full database, they accessed around 18,500 purchase records. These included email addresses, crypto payment addresses, and metadata such as IP addresses. 

For roughly 1,000 transactions, encrypted customer names were also at risk. Bitrefill acknowledged that if encryption keys were compromised, this data could potentially be exposed. The affected users were notified directly. 

Importantly, Bitrefill emphasized that customer data was not the primary target. The attackers’ behavior suggests a focus on financial gain rather than large-scale data harvesting, a hallmark of Lazarus Group crypto attacks. 

Attribution to Lazarus Group and DPRK 

Bitrefill attributed the attack to actors linked to the Lazarus Group, citing multiple indicators: malware similarities, reused IP addresses, email patterns, and blockchain tracing. These elements closely match previous campaigns associated with both Lazarus and its financially motivated subgroup, Bluenoroff. 

This attribution aligns with broader intelligence assessments. The DPRK has relied on cyber operations to generate revenue, particularly in response to international sanctions. Cryptocurrency platforms have become prime targets due to their liquidity and relative anonymity. 

In 2025 alone, blockchain analysis firms estimated that North Korea-linked actors stole approximately $2.02 billion in cryptocurrency, accounting for a large share of global crypto theft. This includes high-profile incidents such as the $1.5 billion Bybit exchange hack, also attributed to the Lazarus Group.

Cyble’s Tracking of Lazarus Group and DPRK Cyber Operations 

Cyble has long tracked the Lazarus Group, identifying it as one of the most persistent state-sponsored threat actors operating under the umbrella of the DPRK (North Korea). Their assessment frames the group not as a single unit, but as a distributed ecosystem of sub-clusters that carry out financially motivated and espionage-driven operations. 

The group has accumulated a wide range of aliases over the years, including APT-C-26, Hidden Cobra, TraderTraitor, and Diamond Sleet. The geographic breadth of North Korean hackers' cryptocurrency operations spanned countries such as the United States, Japan, India, Germany, South Korea, and Australia, alongside sectors like banking, aerospace, healthcare, energy, and telecommunications. However, in recent years, the financial and crypto sectors have become disproportionately affected due to their high liquidity and cross-border transaction flows. 

Cyble Vision threat actor library (Source: Cyble Vision) 

From a tactical standpoint, Cyble’s mapping of Lazarus Group crypto attacks shows a consistent reliance on multi-stage intrusion chains. These often begin with spearphishing campaigns, move into malware deployment, and end with long-term persistence inside compromised networks.  

Malware Families Used by the Lazarus Group (Source: Cyble Vision) 

Tools such as credential stealers (for example, Mimikatz), remote access trojans, and custom loaders frequently appear across campaigns. 

One of the key observations is that Lazarus operations are rarely purely opportunistic. Instead, they are structured, iterative, and adaptive. The group refines its intrusion methods based on defensive responses observed in earlier campaigns, often reusing infrastructure components such as IP ranges, email patterns, and malware variants with slight modifications to avoid detection. 

Why Cryptocurrency Platforms Are Prime Targets 

The Bitrefill cyberattack reinforces a larger trend: cryptocurrency ecosystems are uniquely vulnerable to state-sponsored exploitation. 

Unlike traditional financial systems, crypto platforms often prioritize speed and accessibility, sometimes at the expense of layered security controls. Hot wallets, in particular, present an attractive target because they maintain immediate liquidity. 

Additionally, services like Bitrefill introduce hybrid use cases, bridging crypto with real-world spending through gift cards and digital purchases. This creates new attack surfaces, especially within supply chains that were not originally designed with adversarial threat models in mind. 

The Playbook of Lazarus Group 

The tactics observed in this breach are consistent with the broader operational playbook of the Lazarus Group: 

  • Spearphishing and social engineering: Often using fake job offers or professional outreach on platforms like LinkedIn 

  • Credential theft and reuse: Leveraging weak or outdated authentication practices 

  • Living-off-the-land techniques: Using legitimate system tools to avoid detection 

  • Custom malware deployment: Including backdoors, loaders, and credential stealers 

  • Persistence mechanisms: Such as scheduled tasks and renamed administrative accounts 

Their malware arsenal is extensive, ranging from tools like Mimikatz for credential extraction to destructive wipers like Destover. This versatility allows them to pivot between espionage, disruption, and financial theft depending on mission objectives. 

Response and Recovery 

Bitrefill has stated that it will absorb the financial losses through its operational capital. The company also engaged multiple cybersecurity firms and law enforcement agencies to investigate the breach and strengthen its defenses. 

Post-incident measures include: 

  • Enhanced access controls 

  • Expanded logging and monitoring capabilities 

  • Ongoing penetration testing 

  • Improved incident response procedures 

Notably, the platform’s design, minimizing stored personal data and avoiding mandatory KYC, helped limit the potential impact on users. 

By March 5, the company had restored its systems, with payments, inventory, and user accounts returning to normal operation. 

Conclusion 

The Bitrefill cyberattack shows how Lazarus Group, DPRK, and North Korean hackers' cryptocurrency operations exploit human error, legacy credentials, and limited visibility to access systems and drain assets. The incident highlights that defending against Lazarus Group crypto attacks depends on strict credential hygiene, behavioral monitoring, and rapid anomaly detection rather than perimeter defenses alone.  

It also reinforces that limiting data exposure and access scope reduces breach impact. Intelligence-led platforms like Cyble provide real-time threat intelligence and visibility to detect and respond to such intrusions faster. Organizations looking to strengthen resilience against North Korean hackers' cryptocurrency threats can schedule a demo with Cyble to see how AI-native threat intelligence and real-time detection can help identify and stop attacks before they escalate. 

The post North Korea’s Crypto Theft Operations: The Role of Lazarus Group in State-Sponsored Financial Warfare appeared first on Cyble.

Inside Russia’s Shift to Credential-Based Intrusions: What CISOs Need to Know in 2026

Russia credential-based intrusions

Russia-linked hacktivist activity has entered a noticeably different phase. While earlier campaigns leaned heavily on disruption through denial-of-service and opportunistic scanning of exposed systems, the current trajectory shows a stronger dependence on credential-based intrusions and identity-based cyber attacks. For security leaders, this evolution matters because it lowers the technical barrier to entry while increasing the blast radius of compromise.

In 2026, CISOs are no longer dealing with isolated intrusion attempts. They are facing an ecosystem where credential-based attacks, credential stuffing attacks, and stolen credentials cyber attacks are becoming the primary access vectors into operational technology (OT) and industrial environments, often followed by rapid escalation into account takeover attacks on human-machine interfaces (HMIs) and control systems.

The Shift From Exposure Hunting to Credential-Based Intrusions 

A key inflection point appears in a series of joint intelligence efforts culminating in a Dec 10, 2025, Cybersecurity Advisory. This advisory expanded upon the May 6, 2025, CISA joint fact sheet “Primary Mitigations to Reduce Cyber Threats to Operational Technology”, while also aligning with findings from the European Cybercrime Centre’s Operation Eastwood (EC3). The effort involved multiple agencies, including the FBI, CISA, NSA, Department of Energy (DOE), Environmental Protection Agency (EPA), and European partners. 

The advisory highlighted sustained targeting of industrial control systems (ICS) and OT environments across critical infrastructure sectors such as water treatment, energy, and agriculture. Earlier intrusions often relied on exposed remote services like virtual network computing (VNC) endpoints on ports 5900–5910, combined with brute-force attempts and default credentials. However, by 2026, these behaviors resemble structured credential-based intrusions, where attackers prioritize authentication weaknesses over pure network exposure. 

This evolution is significant: instead of merely scanning for open systems, adversaries are now systematically exploiting weak identity layers, reused passwords, and leaked authentication data to execute identity-based cyber attacks at scale. 

The Hacktivist Ecosystem Driving Credential-Based Attacks 

The advisory identifies a loosely connected ecosystem of pro-Russia hacktivist groups that have accelerated this shift. These include Cyber Army of Russia Reborn (CARR), NoName057(16), Z-Pentest, and Sector16. 

CARR is assessed to have had early support linked to Russia’s GRU Unit 74455, particularly in its formative stage. While initially focused on distributed denial-of-service (DDoS) activity, the group later expanded into OT intrusions involving industrial environments. 

  1. NoName057(16) remains one of the most persistent actors, widely known for its DDoS tool “DDoSia,” distributed via Telegram and GitHub. Although traditionally disruption-focused, its campaigns now frequently overlap with credential exploitation activity that enables follow-on access. 
  2. Z-Pentest, formed in late 2024 through the fragmentation of earlier groups, represents a turning point. It blends propaganda-driven operations with direct intrusions into OT systems. By 2025, it was already demonstrating repeated access to industrial interfaces through compromised authentication pathways, aligning closely with credential stuffing attacks and reused password exploitation patterns. 
  3. Sector16, emerging in 2025, reflects a newer wave of less experienced operators who still manage to achieve access through opportunistic stolen credentials cyber attacks and weak authentication controls. 

How Credential-Based Intrusions Actually Work in OT Environments 

The mechanics behind modern credential-based intrusions are not complex, but they are effective. Attackers typically begin with broad scanning of exposed services, particularly VNC endpoints used for remote industrial monitoring. Tools such as Nmap and OpenVAS are frequently referenced in advisory reporting. 

Once exposed interfaces are identified, attackers shift toward authentication abuse: 

  • Password spraying against operator accounts 

  • Exploitation of default or unchanged credentials 

  • Reuse of previously leaked credentials from unrelated breaches 

  • Automated login attempts resembling credential stuffing attacks 

After gaining access, adversaries often reach HMIs that control industrial processes. From there, account takeover attacks become operational rather than theoretical: attackers manipulate system parameters, disable alarms, or intentionally create a “loss of view,” forcing operators into manual control. 

What makes these identity-based cyber attacks particularly dangerous is their simplicity. No advanced malware is required. In many cases, legitimate administrative interfaces are being used exactly as intended, just by the wrong user. 
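The authentication-abuse patterns listed above (password spraying, default accounts, success after a burst of failures) are visible in the login logs of the remote-access gateway in front of an HMI. The following is an added example, not code from the advisory or from Cyble: the log format, the source addresses, the account names and the default-account watchlist are all constructed for illustration, and the thresholds are assumptions to tune per site.

```python
"""Detect password-spray and default-credential abuse against OT remote-access logins.

Added example (not from the CISA/FBI advisory or from Cyble). The log format,
addresses, account names and watchlist below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an HMI/VNC gateway authentication log (one event per line).
SAMPLE_LOG = """\
2025-12-10T02:14:01Z src=203.0.113.7 user=operator1 port=5900 result=FAIL
2025-12-10T02:14:03Z src=203.0.113.7 user=operator2 port=5900 result=FAIL
2025-12-10T02:14:05Z src=203.0.113.7 user=operator3 port=5901 result=FAIL
2025-12-10T02:14:07Z src=203.0.113.7 user=scada port=5901 result=FAIL
2025-12-10T02:14:09Z src=203.0.113.7 user=admin port=5902 result=FAIL
2025-12-10T02:14:12Z src=203.0.113.7 user=maint port=5902 result=SUCCESS
2025-12-10T02:20:00Z src=198.51.100.4 user=operator1 port=5900 result=FAIL
2025-12-10T02:20:30Z src=198.51.100.4 user=operator1 port=5900 result=SUCCESS
2025-12-10T08:00:00Z src=192.0.2.10 user=admin port=5900 result=SUCCESS
"""

SPRAY_MIN_ACCOUNTS = 5                # distinct accounts failed from one source ...
SPRAY_WINDOW = timedelta(minutes=10)  # ... inside this sliding window (assumed thresholds)
# Constructed watchlist of vendor/default-style accounts that should not be used
# interactively once a site has been commissioned.
DEFAULT_ACCOUNTS = {"admin", "scada", "maint"}


def parse_line(line):
    """Parse one 'ts key=value ...' record into a dict."""
    ts_str, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "src": fields["src"],
        "user": fields["user"],
        "port": int(fields["port"]),
        "ok": fields["result"] == "SUCCESS",
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_password_spray(events):
    """Return {src: sorted account list} for sources that fail against many
    distinct accounts within SPRAY_WINDOW (few passwords, many users)."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    hits = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside SPRAY_WINDOW.
            while fails[end]["ts"] - fails[start]["ts"] > SPRAY_WINDOW:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                hits[src] = sorted(users)
                break
    return hits


def detect_suspicious_success(events):
    """Flag successful logins that follow earlier failures from the same source
    (a takeover signal) or that use a default/vendor account name."""
    failed_sources = set()
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            failed_sources.add(e["src"])
            continue
        reasons = []
        if e["src"] in failed_sources:
            reasons.append("success-after-failures")
        if e["user"] in DEFAULT_ACCOUNTS:
            reasons.append("default-account")
        if reasons:
            findings.append((e["src"], e["user"], reasons))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_password_spray(evts))
    for src, user, why in detect_suspicious_success(evts):
        print(f"ALERT {src} -> {user}: {', '.join(why)}")
```

The two detectors are deliberately independent so that a spray that never succeeds and a single clean login to a default account both surface.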

Measured Impact Across Critical Infrastructure 

The scale of activity has increased steadily across 2025. Previously, Cyble reported that ICS-related attacks accounted for 25% of all hacktivist operations, nearly doubling from Q2 levels. Earlier in 2025, ICS, data leaks, and access-based intrusions collectively represented 31% of hacktivist activity, compared to just 15% for website defacements and 54% for DDoS attacks. 

This shift reflects a migration away from surface disruption toward deeper credential-based attacks and infrastructure compromises. 

Specific group activity underscores this trend: 

  • Z-Pentest conducted 38 ICS attacks in Q2 2025, up from 15 in the previous quarter 

  • Dark Engine was linked to 26 ICS incidents 

  • Sector16 accounted for 14 attacks in the same period 

In parallel, hacktivist campaigns expanded across sectors including energy, manufacturing, transportation, and telecommunications, with Italy, the United States, and NATO-aligned countries frequently targeted. 

More advanced incidents also emerged, including claims by Cyber Partisans BY and Silent Crow of a breach involving Russian airline systems and the exfiltration of over 22TB of data, alongside operations reported by Ukrainian Cyber Alliance and BO Team against industrial environments. 

Why Credential-Based Intrusions Matter More Than Exploits 

For CISOs, the most important shift is conceptual. Traditional security models often focus on patching vulnerabilities and reducing exposed services. However, credential-based intrusions bypass much of this logic. 

If attackers already possess valid credentials, whether through phishing, reuse, leakage, or automated credential stuffing attacks, then perimeter defenses become significantly less relevant. 

This is particularly dangerous in OT environments where: 

  • Identity management is inconsistent 

  • Shared accounts are common 

  • Multi-factor authentication is often absent 

  • Legacy systems cannot easily enforce modern authentication 

In such environments, stolen credentials cyber attacks effectively collapse the security boundary. 

Strategic Implications for CISOs in 2026 

The convergence of hacktivist coordination and identity-driven access patterns creates a predictable outcome: more frequent account takeover attacks leading to operational disruption rather than traditional data theft. 

The Dec 10, 2025 advisory emphasized mitigation steps that now define baseline OT security maturity: 

  • Eliminating exposed VNC services from the public internet 

  • Enforcing strong authentication and eliminating default credentials 

  • Segmenting IT and OT environments to contain lateral movement 

  • Continuous monitoring of industrial control traffic 

  • Treating any system with weak credentials as potentially compromised 

More importantly, organizations are being pushed toward identity-centric security models where identity-based cyber attacks are treated as primary threat vectors, not secondary concerns. 

Credential Warfare Becomes the Default Entry Point 

The trajectory of Russia-linked hacktivist operations suggests a sustained move toward scalable, low-friction intrusion methods. While these groups may lack the sophistication of advanced persistent threats, their ability to coordinate, amplify, and reuse credential-based attacks across multiple targets makes them disproportionately impactful. 

As 2026 unfolds, the defining challenge for defenders will not be detecting exotic exploits but controlling identity exposure. In this environment, credential stuffing attacks, stolen credentials cyber attacks, and rapid account takeover attacks will continue to serve as the most reliable entry point into critical infrastructure networks. 

The post Inside Russia’s Shift to Credential-Based Intrusions: What CISOs Need to Know in 2026 appeared first on Cyble.

The Ultimate Guide to Dark Web Monitoring in 2026: Protect Your Data Before Attackers Strike

In 2026, cyber threats are originating on the dark web, where stolen credentials, exploit kits, and attack plans are bought and sold before they ever reach corporate networks. Organizations are turning to dark web intelligence and dark web monitoring solutions 2026 to detect new cyber threats early, monitor underground activity, and prevent breaches that traditional security tools may miss.

Recent data from Cyble Research and Intelligence Labs (CRIL) shows the scale of this threat. In 2025 alone, Cyble tracked 6,046 global data breach and leak incidents, with sectors such as government and finance among the most targeted. The research has also identified thousands of enterprise credentials circulating on dark web marketplaces, often harvested by infostealer malware and sold to cybercriminals. 

For organizations that want to protect sensitive data, maintain reputation, and reduce operational risk, investing in dark web intelligence and dark web monitoring solutions is no longer optional; it’s a necessity. 

What Is Dark Web Monitoring and Why It Matters in 2026 

Dark web monitoring involves continuous scanning and intelligence gathering from hidden parts of the internet that aren’t indexed by traditional search engines, including Tor, I2P, ZeroNet, and encrypted chat channels. Cybercriminals use these platforms to trade stolen data, discuss exploits, and plan attacks. 

Effective dark web surveillance allows organizations to detect threats early. By identifying stolen credentials, leaked data, and malicious activity before the attacker acts, security teams can reset passwords, notify affected personnel, and fortify defenses, turning reactive security into a proactive advantage. 

How the Dark Web Has Evolved as a Threat Landscape 

Once considered a fringe network, the dark web has become a structured ecosystem for cybercrime. Threat actors collaborate globally with the same levels of sophistication as legitimate enterprises, complete with forums for selling vulnerabilities, reputation systems for traders, and encrypted channels for planning attacks. 

From ransomware kits to stolen databases and insider trading in sensitive corporate data, the dark web now functions as a hub for criminal collaboration and the commercialization of cyberattacks. Organizations that ignore this underground economy risk being blindsided. 

What Kind of Data Ends Up on the Dark Web 

Not all information on the dark web carries the same risk, but much of it is highly sensitive: 

  • Stolen credentials: Email/password combinations, VPN logins 

  • Breached corporate databases: Financial, HR, and client information 

  • Identity documents: Social Security numbers, passports 

  • Internal communications or proprietary IP 

Even seemingly minor leaks, if unnoticed, can be exploited for data breaches. Platforms with data leak monitoring and dark web alerts allow teams to act before these threats escalate. 

How Dark Web Monitoring Works 

Modern dark web monitoring relies on a combination of automated technologies and expert analysis. Tools crawl hidden networks, marketplaces, paste sites, and private forums to collect data. AI and machine learning analyze signals, identify patterns of malicious behavior, and provide cyber threat intelligence in actionable formats. 

Key capabilities include: 

  • Deep web and dark web scanning: Covering Tor, I2P, and other hidden networks 

  • Threat actor tracking: Linking chatter to known malicious entities 

  • Natural Language Processing (NLP): Interpreting unstructured forum text 

  • Actionable alerts: Prioritized intelligence for immediate response 

This ensures organizations can anticipate threats rather than merely respond after an incident. 

Key Features to Look for in a Dark Web Monitoring Solution 

In 2026, an effective platform should offer: 

  • Continuous, real-time scanning 

  • Comprehensive monitoring of marketplaces, forums, and paste sites 

  • Automated alerts with remediation guidance 

  • Integration with existing cybersecurity systems 

  • Reporting for compliance and risk assessment 

  • Threat actor profiling and predictive analytics 

Solutions lacking contextual intelligence or actionable insights are insufficient for modern threat landscapes. 

Cyble Hawk for Advanced Threat Intelligence and Protection 

To counter cyber threats from advanced adversaries, Cyble Hawk represents the next generation of dark web monitoring and threat intelligence. Beyond merely detecting leaks, Cyble Hawk tracks threat actors, uncovers emerging attack trends, and provides actionable insights across cyber and physical domains. 

Key advantages of Cyble Hawk include: 

  • Deep Intelligence Fusion: Integrates open-source and proprietary intelligence for a 360-degree view of threats. 

  • AI & Deep Learning: Identifies threat actors and patterns in real time. 

  • Real-Time Alerts & Rapid Response: Immediate notifications for compromised credentials, breaches, and vulnerabilities. 

  • Incident Response & Resilience: Supports frameworks to continuously strengthen the cybersecurity posture. 

Cyble Hawk doesn’t just monitor; it empowers organizations to detect, respond, and protect against the most advanced cyber threats before they escalate. 

Dark Web Monitoring Across Industries 

Different sectors face unique exposures, and tailored monitoring is critical: 

  • Financial Services: Detect compromised customer databases, prevent fraud schemes 

  • Healthcare: Identify patient data leaks, PHI exposure, and ransomware chatter 

  • Retail & E-Commerce: Monitor credential-stuffing lists, card dumps, and phishing campaigns 

  • Manufacturing & Critical Infrastructure: Track trade-secret exposure and APT activity 

  • Government & Public Sector: Detect contractor data leaks, APT campaigns, and impersonation threats 

Building a Dark Web Monitoring Strategy in 2026 

A robust strategy combines continuous monitoring with proactive response: 

  1. Asset Prioritization: Identify the most critical data, accounts, and intellectual property 

  2. Continuous Intelligence Gathering: Real-time scanning of forums, marketplaces, and paste sites 

  3. Automated, Actionable Alerts: Ensure teams can respond quickly to compromised assets 

  4. Integration with Cybersecurity Infrastructure: Link dark web intelligence with firewalls, identity protection, and incident response tools 

  5. Employee Awareness: Educate staff to recognize phishing and social engineering attempts 

This approach transforms dark web intelligence into a defensive advantage, reducing exposure and operational risk. 

Frequently Asked Questions (FAQs) 

Q.1: What is dark web intelligence? 

Dark web intelligence is information collected from unindexed networks and underground forums to detect threats, leaked data, or compromised credentials. 

Q.2: Can dark web monitoring prevent attacks? 

It doesn’t prevent breaches outright, but early detection of leaks or malicious activity enables mitigation before exploitation. 

Q.3: Who should use dark web monitoring? 

Any organization handling sensitive data, including enterprises, government agencies, and financial institutions. 

Q.4: How does Cyble Hawk enhance monitoring? 

By combining AI, threat actor tracking, and real-time alerts, Cyble Hawk delivers actionable intelligence that allows organizations to detect, respond, and fortify defenses effectively. 

Conclusion 

In 2026, the dark web remains one of the most dynamic and high-risk areas of the cyber threat landscape. Organizations can no longer afford to rely on reactive security. By leveraging advanced monitoring platforms like Cyble Hawk, security teams gain early visibility into compromised data, track threat actors, and respond to risks before they escalate into major incidents. 

Cyble Hawk combines AI-driven intelligence, real-time alerts, and expert threat analysis to help organizations detect threats faster and strengthen their cybersecurity posture. Schedule a personalized demo to see Cyble Hawk in action and learn how it can help protect your organization’s critical assets. 

The post The Ultimate Guide to Dark Web Monitoring in 2026: Protect Your Data Before Attackers Strike appeared first on Cyble.

Australia, New Zealand, Tonga, Warn of Rising INC Ransom Attacks Targeting Pacific Networks

INC Ransom activity

Cybersecurity agencies across the Pacific region are sharing concerns about the ransomware group INC Ransom's expanding activities and the growing influence of its affiliate network.

A joint advisory issued by the Australian Cyber Security Centre (ACSC), National Computer Emergency Response Team Tonga (CERT Tonga), and the New Zealand National Cyber Security Centre (NCSC) highlights how the INC Ransom ecosystem has become an active threat to organizations in Australia, New Zealand, and Pacific Island states.

The advisory from the agencies down under is designed for both technical specialists and general network defenders. It outlines how INC Ransom operates, the techniques its affiliates use, and the steps organizations can take to reduce their exposure. Officials from the three agencies are urging both government ministries and private organizations to review the mitigation measures outlined in the guidance to strengthen defenses against INC Ransom activity.

What distinguishes this campaign is not only the ransomware itself, but the operational structure behind it. The INC Ransom ecosystem relies on a distributed affiliate model, enabling a broad range of cybercriminal operators to conduct attacks using shared tools and infrastructure.

The INC Ransom Affiliate Model and the RaaS Ecosystem

INC Ransom functions as a Ransomware-as-a-Service (RaaS) platform. The model allows external affiliates to deploy ransomware against victims while the core operators manage extortion negotiations and payment collection. 

INC Ransom first emerged in mid-2023 as a financially motivated cybercriminal group believed to be based in Russia. Since then, the group has built an affiliate network that distributes ransomware to attackers targeting organizations worldwide. Within this structure, affiliates perform the technical intrusion and deployment of the malware, while the core INC Ransom operators handle victim communication and ransom demands. 

The group is also known by other threat-intelligence labels, including Tarnished Scorpion and GOLD IONIC. 

According to the advisory from ACSC, NCSC, and CERT Tonga, INC Ransom operations are particularly focused on organizations that manage sensitive or high-value information. Health care providers have become a prominent target globally, likely due to the operational pressure these organizations face when systems become unavailable. 

Although earlier activity concentrated on victims in the United States and the United Kingdom, threat intelligence collected by ACSC, NCSC, and CERT Tonga indicates that the group has shifted attention toward the Pacific region since early 2025. 

INC Ransom Incidents in Australia

In Australia, ACSC has tracked a series of incidents linked to INC Ransom affiliates. 

Between 1 July 2024 and 31 December 2025, the ACSC responded to 11 incidents attributed to the ransomware operation. These incidents primarily affected organizations in professional services and the health care sector. 

Since January 2025, analysts at the ACSC have observed INC Ransom affiliates targeting Australian health care entities through compromised user accounts. Once access is obtained, attackers typically escalate privileges by creating new administrator-level accounts. They then move laterally through internal systems to expand control within the network. 

During these operations, INC Ransom affiliates have deployed malicious payloads using filenames such as “win.exe.” Investigations conducted by the ACSC have also identified cases in which attackers exfiltrated personally identifiable information and medical records before launching the encryption phase. 

Victims typically discover ransom notes containing instructions and links to the INC Ransom Tor-based data leak site (DLS) where negotiations occur. 

Health Infrastructure Disruption in Tonga 

One of the most disruptive incidents linked to INC Ransom occurred in the Kingdom of Tonga. 

On 15 June 2025, the ICT environment of the Tongan Ministry of Health was hit by a ransomware attack that disrupted the national health care network and rendered several core services inaccessible. Investigators from CERT Tonga, working with regional partners including ACSC and NCSC, discovered a ransom note associated with INC Ransom embedded within the ministry’s file systems. 

On 26 June 2025, the INC Ransom group publicly claimed responsibility for the incident on its dark-web data leak site. 

The advisory further identifies Roman Khubov, a cybercriminal also known as “blackod,” as the individual controlling the malicious infrastructure used to exfiltrate data during the Ministry of Health breach. 

Ransomware Incident in New Zealand 

Ransomware activity remains a persistent problem in New Zealand, where multiple sectors of the economy have experienced disruptions. 

In May 2025, the NCSC received a report from a health-sector organization that had suffered a major ransomware intrusion. According to the notification, attackers encrypted a large number of servers and endpoint devices while also stealing significant volumes of data. 

The NCSC investigation determined that INC Ransom was responsible for the incident. After the organization refused to meet the extortion demand, the attackers published the stolen dataset on the INC Ransom data leak site. 

The event reinforced concerns among cybersecurity officials at NCSC, ACSC, and CERT Tonga that the group’s tactics are targeting organizations whose operations are highly sensitive to disruption. 

Technical Tactics Used by INC Ransom 

Technical analysis from ACSC, NCSC, and CERT Tonga shows that INC Ransom affiliates rely on several common intrusion techniques to gain initial access to victim networks. 

The most frequently observed entry points include: 

  • Spear-phishing campaigns targeting employees 

  • Exploitation of unpatched internet-facing systems 

  • Purchased credentials from initial access brokers 

Once inside the network, INC Ransom affiliates often rely on legitimate software tools rather than custom malware to perform key tasks. This tactic allows malicious activity to blend into normal administrative operations. 

For example: 

  • 7-Zip and WinRAR are used to compress data before theft. 

  • The file synchronization tool rclone is frequently used to transfer stolen data outside the network. 

After data exfiltration, attackers deploy the encryption component of INC Ransom. A ransom note is then left on affected systems with payment instructions and contact details. 

If the targeted organization refuses to pay, INC Ransom operators initiate double-extortion tactics by publishing both the victim’s name and stolen information on the group’s leak site. 

Security analysts note that the tactics, techniques, and procedures (TTPs) used by INC Ransom share similarities with other ransomware operations such as Lynx, Nemty, Nemty X, Karma, and Nokoyawa. 
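Because the affiliates stage data with 7-Zip or WinRAR and ship it with rclone, the pre-encryption phase shows up in process-creation telemetry as an archive-creation command followed shortly by an rclone transfer on the same host. The following is an added example, not code from ACSC, NCSC, CERT Tonga or Cyble: the event format, hostnames and user names are constructed; the tool names and the "win.exe" payload name are taken from the advisory summary above, and the two-hour correlation window is an assumption.

```python
"""Correlate archive-then-rclone process events into an exfiltration-staging alert.

Added example; not code from ACSC/NCSC/CERT Tonga or Cyble. Event format,
hostnames and users are constructed. Tool names and the "win.exe" payload
name come from the advisory summary; the correlation window is assumed.
"""
import json
from datetime import datetime, timedelta

ARCHIVERS = {"7z.exe", "7za.exe", "winrar.exe", "rar.exe"}
EXFIL_TOOLS = {"rclone.exe"}
RCLONE_TRANSFER_CMDS = {"copy", "sync", "move", "copyto", "moveto"}  # real rclone subcommands
PAYLOAD_NAMES = {"win.exe"}          # payload filename reported in the ACSC incidents
CHAIN_WINDOW = timedelta(hours=2)    # assumed: archive -> transfer within this window

# Constructed process-creation events (simplified Sysmon-style fields), one JSON object per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-06-15T01:02:00Z", "host": "fs01", "user": "CORP\\svc_backup",
     "image": "C:\\Tools\\7z.exe",
     "cmd": "7z.exe a -p -mhe=on C:\\Temp\\hr.7z D:\\Shares\\HR"},
    {"ts": "2025-06-15T01:40:00Z", "host": "fs01", "user": "CORP\\svc_backup",
     "image": "C:\\Temp\\rclone.exe",
     "cmd": "rclone.exe copy C:\\Temp\\hr.7z remote:bucket --transfers 8"},
    {"ts": "2025-06-15T03:10:00Z", "host": "ws22", "user": "CORP\\jdoe",
     "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmd": "7z.exe x C:\\Users\\jdoe\\Downloads\\report.7z"},
    {"ts": "2025-06-15T04:00:00Z", "host": "dc01", "user": "CORP\\Administrator",
     "image": "C:\\Windows\\Temp\\win.exe", "cmd": "win.exe"},
])


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON-lines process events and sort them chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        events.append({
            "ts": datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": raw["host"], "user": raw["user"],
            "image": raw["image"], "exe": _basename(raw["image"]),
            "argv": raw["cmd"].split(),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def is_archive_create(e):
    # 7-Zip, rar and WinRAR all use "a" (add) as the archive-creation command;
    # extraction ("x", "e") is everyday use and is not flagged.
    return e["exe"] in ARCHIVERS and len(e["argv"]) > 1 and e["argv"][1].lower() == "a"


def is_rclone_transfer(e):
    return (e["exe"] in EXFIL_TOOLS and len(e["argv"]) > 1
            and e["argv"][1].lower() in RCLONE_TRANSFER_CMDS)


def detect_staging_chain(events):
    """Archive creation followed by an rclone transfer on the same host within CHAIN_WINDOW."""
    alerts = []
    for i, a in enumerate(events):
        if not is_archive_create(a):
            continue
        for b in events[i + 1:]:
            if b["ts"] - a["ts"] > CHAIN_WINDOW:
                break
            if b["host"] == a["host"] and is_rclone_transfer(b):
                alerts.append({"host": a["host"], "user": b["user"],
                               "archive_cmd": " ".join(a["argv"]),
                               "transfer_cmd": " ".join(b["argv"])})
                break
    return alerts


def detect_payload_names(events):
    """Executables whose name matches a payload filename reported in the advisory."""
    return [(e["host"], e["image"]) for e in events if e["exe"] in PAYLOAD_NAMES]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for alert in detect_staging_chain(evts):
        print("STAGING CHAIN:", alert)
    for host, image in detect_payload_names(evts):
        print("PAYLOAD NAME:", host, image)
```

Correlating the two tools on one host keeps the rule quiet for an administrator who merely unpacks an archive, while a legitimate rclone backup job would still need an allowlist of approved hosts and remotes.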

Defensive Measures Recommended by ACSC, NCSC, and CERT Tonga 

The joint advisory from ACSC, NCSC, and CERT Tonga outlines several practical security measures designed to reduce the risk of INC Ransom compromise. 

Key defensive actions include: 

  • Maintain Reliable Backups: Organizations should maintain regular, tested backups of critical systems and store them securely to prevent unauthorized modification or deletion. 

  • Restrict Network Traffic: Network administrators should limit inbound and outbound traffic to only what is necessary for operations. Firewalls and filtering technologies can help reduce exposure to phishing campaigns and malicious attachments. 

  • Harden Remote Access: Virtual private networks (VPNs) and other remote access systems should be carefully configured to ensure only authorized users can reach sensitive resources. 

  • Implement Multi-Factor Authentication: The advisory from ACSC, NCSC, and CERT Tonga emphasizes implementing phishing-resistant multi-factor authentication (MFA) for internet-facing services and privileged accounts. 

  • Manage Privileged Access: Administrative privileges should be tightly controlled. Unique accounts for administrators improve accountability and reduce the impact of credential compromise. 

  • Maintain Strong Vulnerability Management: Regular vulnerability scanning and rapid patching of exposed systems remain critical, particularly for internet-facing services that ransomware actors commonly target. 

Growing Regional Collaboration Against INC Ransom 

The joint advisory reflects cooperation among cybersecurity agencies across the Pacific. By sharing intelligence and incident data, organizations such as ACSC, NCSC, and CERT Tonga are building a more coordinated response to ransomware threats like INC Ransom. 

The rise of affiliate-driven ransomware operations has significantly lowered the barrier to entry for cybercriminal activity. In this environment, the INC Ransom ecosystem demonstrates how distributed attacker networks can rapidly shift focus across geographic regions. 

For organizations in Australia, New Zealand, and the Pacific islands, the advisory from the Australian Cyber Security Centre (ACSC), New Zealand National Cyber Security Centre (NCSC), and National Computer Emergency Response Team Tonga (CERT Tonga) highlights the need to strengthen access controls, monitor network activity, and maintain a tested incident response plan to limit the impact of ransomware attacks. 

Threat intelligence from Cyble helps organizations track ransomware activity, monitor dark web exposure, and identify indicators of compromise earlier. 

Schedule a demo with Cyble to see how its threat intelligence platform supports ransomware detection and response. 


The post Australia, New Zealand, Tonga, Warn of Rising INC Ransom Attacks Targeting Pacific Networks appeared first on Cyble.

Ransomware Attacks Have Surged 30% Since Q4 2025


Ransomware groups claimed more than 2,000 attacks in the last three months of 2025 – and they’re starting 2026 at the same elevated pace. 

Cyble recorded 2,018 claimed attacks by ransomware groups in the fourth quarter of 2025, an average of just under 673 a month. The threat groups maintained that pace in January 2026, claiming 679 ransomware victims. 

By comparison, in the first nine months of 2025, ransomware groups averaged 512 claimed victims a month, so the trend in the last four months has been more than 30% above the previous nine-month period. The chart below shows ransomware attacks by month since 2021. 

Chart: ransomware attacks by month, 2021-2026

Qilin Leads All Ransomware Groups as CL0P Returns 

Qilin once again led all ransomware groups, with 115 claimed attacks in January. A resurgent CL0P has claimed scores of victims in the last two weeks, yet as of this writing had provided no technical details on the group’s latest campaign. Akira once again remained among the leaders with 76 claimed victims, while newcomers Sinobi and The Gentlemen rounded out the top five (chart below). 

Chart: ransomware groups distribution, January 2026

The U.S. once again was the most attacked country by a significant margin, accounting for just under half of all ransomware attacks in January (chart below). The UK and Australia experienced higher-than-usual attack volumes; CL0P’s recent campaign was a factor in both of those increases. 

Chart: ransomware attacks by country, January 2026

Construction, professional services, and manufacturing continue to lead the sectors hit by ransomware attacks, likely due to opportunistic threat actors targeting vulnerable environments (chart below). The IT industry also remains a frequent target of ransomware groups, likely due to the rich target the sector represents and the potential to pivot into downstream customer environments.

Chart: ransomware attacks by industry, January 2026

Recent Ransomware Attacks 

Here are some of the most significant ransomware attacks that occurred in January, several of which had supply chain implications. Additional details will be provided in Cyble’s forthcoming January 2026 Threat Landscape Report, which will be published in the Research Reports section. 

As CL0P tends to claim victims in clusters, such as its exploitation of Oracle E-Business Suite flaws that helped drive supply chain attacks to records in October, new campaigns by the group are noteworthy. Among the claimed victims in the latest campaign have been 11 Australia-based companies spanning a broad range of sectors such as IT and IT services, banking and financial services (BFSI), construction, hospitality, professional services, and healthcare.  

Other claimed victims have included a U.S.-based IT services and staffing company, a global hotel company, a major media firm, a UK payment processing company, and a Canada-based mining company engaged in platinum group metals production. 

The Everest ransomware group claimed responsibility for breaching a major U.S. manufacturer of telecommunications networking equipment and claimed to have exfiltrated 11 GB of data. Everest claims the data includes PDF documents containing sensitive engineering materials, such as electrical schematics, block diagrams, and service subsystem documentation.  

Additional directories reportedly contain .brd files, which are printed circuit board (PCB) layout files detailing information critical to hardware manufacturing and replication. The group also shared multiple samples showing internal directories, engineering blueprints, and 3D design-related materials. 

The Qilin ransomware group claimed responsibility for breaching a U.S.-based airport authority responsible for managing commercial aviation operations and related services. The group shared 16 data samples as proof-of-compromise. The materials suggest access to financial documents, telehealth-related reports, internal email correspondence, scanned identification documents, non-disclosure agreements (NDAs), and other confidential agreements, suggesting exposure of sensitive administrative and operational information. 

The Sinobi ransomware group claimed a breach of an India-based IT services company providing digital transformation, cloud, ERP, and managed services. The threat group alleges the theft of more than 150 GB of data, including contracts, financial records, and customer data. Samples shared by the attackers indicate access to internal infrastructure, including Microsoft Hyper-V servers, multiple virtual machines, backups, and storage volumes. 

The Rhysida ransomware group claimed responsibility for breaching a U.S. company providing life sciences and biotechnology instrumentation and solutions. According to the threat group, the allegedly stolen data has already been sold, though no information was provided regarding the buyer or the price at which the dataset was advertised.  

The victim was listed as directly sold rather than placed under a traditional negotiation or countdown model. Despite this, samples remain accessible and indicate exposure of email correspondence, engineering blueprints, project documentation, and non-disclosure agreements (NDAs), suggesting compromise of both technical and corporate information. 

The RansomHouse extortion group claimed responsibility for breaching a China-based electronics manufacturing company providing precision components and assembly services for global technology and automotive manufacturers. As evidence, RansomHouse published documentation indicating access to extensive proprietary engineering and production-related data. The shared materials reference confidential 3D CAD models (STEP/PRT), 2D CAD drawings (DWG/DXF), engineering documentation, printed circuit board (PCB) design data, Gerber files, electrical and layout architecture data, and manufacturing drawings. Notably, the group claims the compromised archives contain data associated with multiple major technology and automotive companies. 

INC Ransom claimed responsibility for breaching a Hong Kong–based manufacturer supplying precision components to the global electronics and automotive industries. According to the group, approximately 200 GB of data was allegedly exfiltrated. The claimed dataset reportedly includes client-related information associated with more than a dozen major global brands, plus confidential contracts and project documentation for at least three major IT companies. 

The Qilin ransomware group claimed responsibility for breaching a Taiwan-based company operating in the semiconductor and electronics manufacturing sector. According to the group, approximately 275 GB of data was allegedly exfiltrated. Based on the file tree information shared by Qilin, the dataset reportedly consists of 19,822 directories and 177,551 files, suggesting broad access to internal systems. 

The Nitrogen ransomware group leaked more than 71 GB of data allegedly stolen from a U.S. company providing engineered components and systems for the automotive industry. According to the threat group, the exposed data includes sensitive corporate and technical information such as CAD drawings, accounts payable and receivable records, invoices, and balance sheet documentation. To substantiate its claims, Nitrogen published selected project blueprints and shared a file tree indicating the alleged theft of approximately 116,180 files, suggesting broad access to internal engineering and financial systems. 

The Anubis ransomware group claimed responsibility for breaching an Italian government authority responsible for the management, regulation, and development of regional maritime port operations. According to the group, the compromised data includes incident and safety reports, logistics and operational data, port infrastructure layouts, audit results, internal reports, and business correspondence. 

New Ransomware Groups 

Among new ransomware groups that have emerged recently, Green Blood has launched an onion-based data leak site. While the group has not yet publicly named specific victims, it claims that affected organizations are located in India, Senegal, and Colombia. The group provides Tox ID and email-based communication channels for victim contact. Notably, malware samples associated with Green Blood have been observed in the wild. The ransomware encrypts files using the “.tgbg” extension and drops a ransom note titled “!!!READ_ME_TO_RECOVER_FILES!!!.txt”. 
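Defender-side detection of the two Green Blood indicators named above, as an added example that is not Cyble's code: it scans a stream of file-creation events for the “.tgbg” extension and the ransom note name, and flags a burst of encrypted-file creations on one host as mass encryption. The event shape, the constructed sample events and the 20-files-in-60-seconds threshold are assumptions of this example.

```python
"""Detect Green Blood file indicators and encryption bursts in file events.

Added example, not Cyble's code. The indicators (.tgbg extension, ransom note
name) come from the report; event format, samples and threshold are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".tgbg"                         # from the report
RANSOM_NOTE = "!!!READ_ME_TO_RECOVER_FILES!!!.txt"  # from the report

# Assumed tuning: 20+ .tgbg creations on one host inside 60 s = mass encryption.
BURST_WINDOW_SECONDS = 60
BURST_THRESHOLD = 20


@dataclass
class FileEvent:
    """A file-creation event as a log collector might emit it (assumed shape)."""
    ts: float   # epoch seconds
    host: str
    path: str


@dataclass
class HostFindings:
    ransom_notes: list = field(default_factory=list)
    encrypted_files: list = field(default_factory=list)
    mass_encryption: bool = False


def _basename(path: str) -> str:
    """Last path component for Windows or POSIX paths, without touching disk."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def analyze_events(events: list) -> dict:
    """Return per-host findings for the indicators and for encryption bursts."""
    findings = defaultdict(HostFindings)
    recent = defaultdict(list)   # host -> timestamps of .tgbg creations in window
    for ev in sorted(events, key=lambda e: e.ts):
        name = _basename(ev.path)
        if name == RANSOM_NOTE:
            findings[ev.host].ransom_notes.append(ev.path)
        elif name.lower().endswith(ENCRYPTED_EXT):
            findings[ev.host].encrypted_files.append(ev.path)
            stamps = recent[ev.host]
            stamps.append(ev.ts)
            while stamps and ev.ts - stamps[0] > BURST_WINDOW_SECONDS:
                stamps.pop(0)    # slide the window forward
            if len(stamps) >= BURST_THRESHOLD:
                findings[ev.host].mass_encryption = True
    return dict(findings)


def severity(f: HostFindings) -> str:
    """Collapse findings into a triage label (assumed scale)."""
    if f.mass_encryption or (f.ransom_notes and f.encrypted_files):
        return "critical"
    if f.ransom_notes or f.encrypted_files:
        return "suspicious"
    return "clean"


# Constructed sample: fs01 is under active encryption, ws17 has a single hit.
SAMPLE_EVENTS = [FileEvent(1000.0 + i, "fs01", f"D:\\shares\\finance\\doc{i}.xlsx.tgbg")
                 for i in range(25)]
SAMPLE_EVENTS.append(FileEvent(1026.0, "fs01", "D:\\shares\\finance\\" + RANSOM_NOTE))
SAMPLE_EVENTS.append(FileEvent(2000.0, "ws17", "/home/alice/notes.txt.tgbg"))

if __name__ == "__main__":
    for host, f in analyze_events(SAMPLE_EVENTS).items():
        print(host, severity(f), len(f.encrypted_files), len(f.ransom_notes))
```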

A new ransomware-as-a-service (RaaS) operation named DataKeeper has surfaced, promoting an updated affiliate model referred to as CrystalPartnership RaaS. The group claims this approach improves trust by splitting ransom payments directly between the operator’s and affiliate’s Bitcoin addresses at the time of payment, removing reliance on centralized payout handling. DataKeeper is advertised as a Windows-focused ransomware toolkit. The operation claims to use a hybrid encryption scheme combining symmetric file encryption with RSA-4096 key protection, unique per-build identifiers, and TOR-based payment links. Encryption and decryption workflows are tied to a victim-specific ID, with decryption requiring delivery of a key file following payment.  

The group emphasizes operational features such as in-memory execution, multithreaded encryption, optional shadow copy removal, network share targeting, and evasion of security controls. 

The threat actor (TA) MonoLock announced a new RaaS operation on the RAMP cybercrime forum (the forum has since been seized by the FBI). MonoLock’s core design is based on Beacon Object Files (BoF), enabling full in-memory execution, reduced payload exposure, and centralized control from a single post-exploitation command-and-control (C2) instance without dropping files.  

While BoF usage is common in Windows environments, MonoLock introduced a custom Linux ELF-based BoF loader, derived from the TrustedSec ELFLoader, adding chained execution, command packing, encryption, and in-memory deployment. The group promotes a “Zero Panel” extortion model, explicitly rejecting leak sites and Tor-based negotiation panels.  

MonoLock claims that avoiding public extortion infrastructure reduces law enforcement exposure and leverages silence as negotiation pressure, minimizing reputational damage for victims. Affiliates are recruited under a 20% revenue share with a USD 500 registration fee, alongside a limited referral program running from January 11 to March 31. 

Conclusion 

The persistently high level of ransomware attacks – and the emergence of new ransomware groups eager to compete on features and price – highlight the urgent need for security teams to adopt a defense-in-depth cyber strategy. Cybersecurity best practices that can help build resilience against attacks include: 

  • Protecting web-facing assets. 

  • Segmenting networks and critical assets. 

  • Hardening endpoints and infrastructure. 

  • Strong access controls, allowing no more access than is required, with frequent verification. 

  • A strong source of user identity and authentication, including multi-factor authentication and biometrics, as well as machine authentication with device compliance and health checks. 

  • Encryption of data at rest and in transit. 

  • Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible. 

  • Honeypots that lure attackers to fake assets for early breach detection. 

  • Proper configuration of APIs and cloud service connections. 

  • Monitoring for unusual and anomalous activity with SIEM, Active Directory monitoring, endpoint security, and data loss prevention (DLP) tools. 

  • Routinely assessing and confirming controls through audits, vulnerability scanning, and penetration tests. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. 

Additionally, Cyble’s third-party risk intelligence can help organizations carefully vet partners and suppliers, providing an early warning of potential risks. 

The post Ransomware Attacks Have Surged 30% Since Q4 2025 appeared first on Cyble.

Ransomware and Supply Chain Attacks Soared in 2025


Overview 

Ransomware and supply chain attacks soared in 2025, and persistently elevated attack levels suggest that the global threat landscape will remain perilous heading into 2026. 

Cyble recorded 6,604 ransomware attacks in 2025, up 52% from the 4,346 attacks claimed by ransomware groups in 2024. The year ended with a near-record 731 ransomware attacks in December, second only to February 2025’s record totals (chart below). 

Supply chain attacks nearly doubled in 2025, as Cyble dark web researchers recorded 297 supply chain attacks claimed by threat groups in 2025, up 93% from 154 such events in 2024 (chart below). As ransomware groups are consistently behind more than half of supply chain attacks, the two attack types have become increasingly linked. 

While supply chain attacks have declined in the two months since October’s record, they remain above even the elevated trend that began in April 2025. 

We’ll take a deeper look at ransomware and supply chain attack data, including targeted sectors and regions, attack trends, and leading threat actors. Some of the data and insights come from Cyble’s new Annual Threat Landscape Report covering cybercrime, ransomware, vulnerabilities, and other 2025-2026 cyber threat trends. 

Qilin Dominated After RansomHub Declined 

Qilin emerged as the leading ransomware group in April after RansomHub went offline amid possible sabotage by rival Dragonforce. Qilin has remained on top in every month but one since, and was once again the top ransomware group in December with 190 claimed victims (December chart below). 

December was also noteworthy for the long-awaited resurgence of Lockbit and the continued emergence of Sinobi. 

For full-year 2025, Qilin dominated, claiming 17% of all ransomware victims (full-year chart below). Of the top five ransomware groups in 2025, only Akira and Play also made the top five in 2024, as RansomHub, Lockbit and Hunters all fell from the top five. Lockbit was hampered by repeated law enforcement actions, while Hunters announced it was shutting down in mid-2025. 

Cyble documented 57 new ransomware groups and 27 new extortion groups in 2025, including emerging leaders like Sinobi and The Gentlemen. Over 350 new ransomware strains were discovered in 2025, largely based on the MedusaLocker, Chaos, and Makop ransomware families. 

Among newly emerged ransomware groups, Cyble observed heightened attacks on critical infrastructure industries (CII), especially in Government & LEA and Energy & Utilities, by groups such as Devman, Sinobi, Warlock, and Gunra. Several newly emerged groups targeted the software supply chain, among them RALord/Nova, Warlock, Sinobi, The Gentlemen, and BlackNevas, with a particular focus on the IT & ITES, Technology, and Transportation & Logistics sectors. 

Cl0p’s Oracle E-Business Suite vulnerability exploitation campaign led to a supply-chain impact on more than 118 entities globally, including those in the IT & ITES sector. Among these, six entities from the critical infrastructure industries (CII) were observed to have fallen victim to this exploitation campaign. The Fog ransomware group also leaked multiple GitLab source codes from several IT companies. 

The U.S. remains by far the most frequent target of ransomware groups, accounting for 55% of ransomware attacks in 2025 (chart below). Canada, Germany, the UK, Italy, and France were also consistent targets for ransomware groups. 


Construction, professional services, and manufacturing were consistently the sectors most targeted by ransomware groups, with healthcare and IT rounding out the top five (chart below). 

Supply Chain Attacks Hit Every Industry and Sector in 2025 

Every sector tracked by Cyble was hit by a software supply chain attack in 2025 (chart below), but because of the rich target they represent and their significant downstream customer base, the IT and Technology sectors were by far the most frequently targeted, accounting for more than a third of supply chain attacks. 

Supply chain intrusions in 2025 expanded far beyond traditional package poisoning, targeting cloud integrations, SaaS trust relationships, and vendor distribution pipelines. 

Adversaries are increasingly abusing upstream services—such as identity providers, package registries, and software delivery channels—to compromise downstream environments on a large scale. 

A few examples highlighting the evolving third-party risk landscape include: 

Attacks targeting Salesforce data via third-party integrations did not modify code; instead, they weaponized trust between SaaS platforms, illustrating how OAuth-based integrations can become high-impact supply chain vulnerabilities when third-party tokens have been compromised. 

The nation-state group Silk Typhoon intensified operations against IT and cloud service providers, exploiting VPN zero-days, password-spraying attacks, and misconfigured privileged access systems. After breaching upstream vendors such as MSPs, remote-management platforms, or PAM service providers, the group pivoted into customer environments via inherited admin credentials, compromised service principals, and high-privilege cloud API permissions. 

A China-aligned APT group, PlushDaemon, compromised the distribution channel of a South Korean VPN vendor, replacing legitimate installers with a trojanized version bundling the SlowStepper backdoor. The malicious installer, delivered directly from the vendor’s website, installed both the VPN client and a modular surveillance framework supporting credential theft, keylogging, remote execution, and multimedia capture. By infiltrating trusted security software, the attackers gained persistent access to organizations relying on the VPN for secure remote connectivity, turning a defensive tool into an espionage vector. 

Conclusion 

The significant supply chain and ransomware threats facing security teams as we enter 2026 require a renewed focus on cybersecurity best practices that can help protect against a wide range of cyber threats. These practices include: 

  • Protecting web-facing assets. 

  • Segmenting networks and critical assets. 

  • Hardening endpoints and infrastructure. 

  • Strong access controls, allowing no more access than is required, with frequent verification. 

  • A strong source of user identity and authentication, including multi-factor authentication and biometrics, as well as machine authentication with device compliance and health checks. 

  • Encryption of data at rest and in transit. 

  • Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible. 

  • Honeypots that lure attackers to fake assets for early breach detection. 

  • Proper configuration of APIs and cloud service connections. 

  • Monitoring for unusual and anomalous activity with SIEM, Active Directory monitoring, endpoint security, and data loss prevention (DLP) tools. 

  • Routinely assessing and confirming controls through audits, vulnerability scanning, and penetration tests. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Additionally, Cyble’s third-party risk intelligence can help organizations carefully vet partners and suppliers, providing an early warning of potential risks. 

The post Ransomware and Supply Chain Attacks Soared in 2025 appeared first on Cyble.
