Newsletter Archive - "eCrime.ch Ransomware Highlights"
For 2025-04-24
Actor/variant: REvil - Article language: in - Industry: Retail - Organisation/company: Paradies Lagardère / The Paradies Shops, Inc.
Airport retailer agrees to $6.9 million settlement over ransomware data breach | The Record from Recorded Future News
2025-04-17
According to a complaint filed by a former employee, cybercriminals exfiltrated records that held personal information like names and Social Security numbers belonging to 76,000 current and former employees of Paradies Shops. As of 2021, the Atlanta-based company had more than 1,000 stores, bars and restaurants in airports throughout the U.S. and Canada.
The attackers accessed the company’s administrative system over five days in October 2020. The REvil ransomware group reportedly claimed to be behind the incident. Paradies Shops sent out notifications to data breach victims eight months later, as well as notices to state attorneys general.
Article language: in English
Complaints about ransomware attacks on US infrastructure rise 9%, FBI says - reuters.com
2025-04-24
WASHINGTON, April 23 (Reuters) - Ransomware was the most pervasive cyber threat to critical infrastructure in 2024 as complaints regarding such attacks jumped 9% over 2023, the FBI said on Wednesday.
Ransomware attacks on critical infrastructure accounted for almost half of all ransomware complaints received in 2024 by the agency’s Internet Crime Complaint Center (IC3), a top FBI cyber official said ahead of the release of the agency’s annual Internet Crime Report, which details scam and cyber-enabled fraud impacts across sectors and to various demographic groups.
Article language: in English - Industry: Law Firm
The Threat Actor Luna Moth, also called Silent Ransom Group (SRG), UNC3753, is heavily targeting law firms
2025-04-23
The Threat Actor Luna Moth, also called Silent Ransom Group (SRG), UNC3753, is heavily targeting law firms. Luna Moth uses IT-themed social engineering calls and callback subscription-themed phishing emails to gain remote access to victims’ devices and steal sensitive data to extort the victims.
Article language: in English - Industry: Utilities
Aigües de Mataró suffers a cyberattack that does not affect supply
2025-04-23
Aigües de Mataró has suffered a cyberattack that has not affected the water supply or its quality. It also has not affected sewage management or the thermal energy service of Tub Verd. The incident was detected on Monday and reported to the authorities.
https://www.aiguesmataro.com/docs/20250422_Comunicat_Aigues_Mataro.pdf
https://www.aiguesmataro.com/docs/20250423_Comunicat_Aigues_Mataro.pdf
Actor/variant: Gunra - Article language: in English
Gunra Ransomware
2025-04-23
Another ransomware actor operating under the name Gunra has recently surfaced, allegedly claiming several victims in the healthcare, electronics, and beverage manufacturing sectors, as listed on their onion website. In recent activity, the ransomware they deploy appends a .encrt extension to encrypted files and drops a ransom note named r3adm3.txt in multiple directories.
Article language: in English - Industry: Insurance - Organisation/company: Kelly & Associates Insurance Group, Inc.
Data Event | Kelly Benefits
2025-04-23
Kelly & Associates Insurance Group, Inc. (“Kelly Benefits”) is providing notice of an incident that may affect the privacy of certain individuals’ personal information. Kelly Benefits is providing details of the incident, its response, and steps individuals may take to better protect their personal information, should they feel it appropriate to do so.
Kelly Benefits learned of suspicious activity within our environment and immediately launched an investigation, with the assistance of third-party forensic specialists, to determine the nature and scope of the activity. The investigation determined Kelly Benefits’ environment was subject to unauthorized access between December 12, 2024 and December 17, 2024 and certain files were copied and taken.
Actor/variant: Cactus - Article language: in English
Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs
2025-04-23
The Initial Access Broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence is a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.
A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker handover access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network.
Article language: in English
Pharos Report No. 3: Ransomware’s New Masters: How States Are Hijacking Cybercrime – Virtual Routes
2025-04-23
Ransomware has evolved into one of the most pervasive cyber threats, with high-profile incidents disrupting government organizations and private companies alike. Beyond their financial impact, these attacks now pose direct risks to human safety. While ransomware has long been associated with non-state criminal actors, state-linked actors are increasingly deploying it to achieve their objectives as well.
This report provides a comparative analysis of ransomware use by groups linked to four states: Russia, China, North Korea, and Iran. The authors find that divergent motives and operational ecosystems contribute to varying uses of state-linked ransomware to gain strategic advantages.
Marks and Spencer Group plc | London Stock Exchange
2025-04-23
Marks and Spencer Group plc (the Company, or M&S) has been managing a cyber incident over the past few days.
As soon as we became aware of the incident, it was necessary to make some minor, temporary changes to our store operations to protect customers and the business and we are sorry for any inconvenience experienced. Importantly, our stores remain open and our website and app are operating as normal. The Company has engaged external cyber security experts to assist with investigating and managing the incident. We are taking actions to further protect our network and ensure we can continue to maintain customer service.
Article language: in English
Ransomware Survey: 80% of Indian Firms Paid Ransom to Recover Data
2025-04-23
New Delhi: About 80 per cent of ransomware-hit Indian organizations paid a ransom to recover their data or to stop the attack in the past one year, said Rubrik Zero Labs survey report.
Significantly, 52 per cent of Indian organizations paid a ransom due to data extortion threats while 44 per cent of Indian organizations reported that cyber attackers successfully affected their backup and recovery options, said the new research report.
Article language: in English
Verizon discovers spike in ransomware and exploited vulnerabilities | CyberScoop
2025-04-23
Verizon’s 2025 Data Breach Investigations Report noted a 37% increase in ransomware attacks and a 34% increase in exploited vulnerabilities.
The rate of ransomware detected in data breaches jumped 37%, occurring in 44% of the 12,195 data breaches reviewed in Verizon’s 2025 Data Breach Investigations Report released Wednesday. Researchers observed the presence of ransomware in 32% of data breaches in last year’s report. While ransom payments are down — 64% of victim organizations did not pay the ransoms, compared to 50% two years ago — the prevalence of ransomware continues to grow.
Article language: in English
How TAG-124 Enables Targeted Malware Attacks via Traffic Distribution Systems
2025-04-22
Insikt Group has observed multiple threat actors using this malicious TDS, including:
Rhysida Ransomware: A sophisticated ransomware-as-a-service operation notable for extorting healthcare organizations and other critical infrastructure. In 2023, the group claimed responsibility for an attack on Prospect Medical Holdings, which resulted in the theft of over 500,000 social security numbers and impacted operations at seventeen hospitals and 166 clinics.
Interlock Ransomware: Another ransomware group targeting primarily healthcare organizations and other “big game” to extort higher payouts through high-impact attacks on large organizations. In December 2024, the group claimed credit for an attack on the Texas Tech University Health Sciences Center, stealing 2.6 TB of sensitive personal data. Interlock shares many similarities with Rhysida, such as tactics, tools, and encryption behaviors, though the exact relationship between the two is unknown.
Article language: in English - Industry: Telecommunications - Organisation/company: SK Telecom Co., Ltd.
SK Telecom warns customer USIM data exposed in malware attack
2025-04-22
South Korea's largest mobile operator, SK Telecom, is warning that a malware infection allowed threat actors to access sensitive USIM-related information for customers.
SK Telecom is the largest mobile network operator in South Korea, holding approximately 48.4% of the mobile phone service market in the country, corresponding to 34 million subscribers. The company says they detected malware on their systems at 11 PM local time on Saturday, April 19, 2025, in a weekend cyberattack when most organizations are understaffed.
Article language: in English
Don’t Call It A Comeback: Stay Ready For Ransomware
2025-04-22
According to Forrester’s 2024 Security Survey, 25% of CISOs cite preventing and protecting against ransomware as a top strategic priority for their organization. To do this, security leaders, their teams, and their IR services firms must continue to prioritize ransomware readiness. That’s where our newly published decision tool comes in.
Article language: in English - Industry: Government Administration - Organisation/company: City of Abilene, Texas
City of Abilene suffers cyber attack
2025-04-21
ABILENE, Texas — A weekend cyber attack on City of Abilene computer servers took some online services offline.
According to the city, officials received reports of unresponsive servers within city internal networks. The city says after disconnecting affected and critical assets an investigation was launched to determine the nature and scope of the attack.
Article language: in English - Industry: Transportation, Logistics, Supply Chain and Storage
The dangers of Ransomware as a Service
2025-04-21
One of the worst things a trucking company can do is assume it’s safe from a cyberattack because it’s a small fleet. Many people think hackers are after the bigger organizations because it means bigger payouts, but companies of all sizes are at risk as the cybercrime landscape is shifting.
Ransomware, which has become the top cybersecurity concern for the trucking industry, back then wasn’t as dangerous as it is today because the cost of entry was much higher. Now, it’s available to purchase, enabling less sophisticated attackers to launch highly effective ransomware campaigns.
Article language: in English - Industry: Government Administration - Organisation/company: City of Long Beach
City of Long Beach Shares Update on November 14, 2023, Network Security Incident
2025-04-19
Long Beach, CA – The City of Long Beach announced today updates to the ongoing investigation of the network security incident that occurred on or about Nov. 14, 2023. The incident, which the City announced when it occurred, resulted in an unauthorized actor obtaining access to the City’s network. The City values and respects the personal information it maintains and is committed to being open and transparent with the community. Beginning April 14, 2025, the City is notifying people whose personal information may have been accessed and/or acquired as a result of the incident. While there is no indication that any information has been misused for the purpose of committing fraud or identity theft, the City is providing these notifications by law and out of an abundance of caution so that those impacted have the information, tools and resources to safeguard their personal information, should they feel it appropriate to do so.
Article language: in English - Industry: Entertainment Providers - Organisation/company: Legends International, LLC
Legends International notifies customers, employees of data breach | SC Media
2025-04-19
Legends International, the large sports venue support company with reportedly $1.7 billion in sales, earlier this week sent out letters to some customers and employees that it was the victim of a cyberattack.
While extensive details of the attack were not released, the company told the Texas Office of the Attorney General that the compromised information includes the following: dates of birth, Social Security numbers, driver’s license and government ID numbers, and payment card, medical, and health insurance information. According to the April 15 letter, on Nov. 9, 2024, the company identified certain unauthorized activity occurring in its IT systems. After learning of the attack, the company terminated the activity, and took some systems offline as a precaution.
Tokai University Cyberattack Sparks Investigation By Police - The Pinnacle Gazette
2025-04-18
On April 18, 2025, Tokai University in Hiratsuka City, Kanagawa Prefecture, reported a significant cyberattack that has rendered many of its systems unusable. This incident has prompted the Kanagawa Prefectural Police to launch a full investigation into the cybercrime.
The attack was first detected on April 17, 2025, at approximately 6:50 AM when some university-related websites failed to display correctly. Following this, the university initiated an investigation, which revealed that servers within its network had been compromised and infected with ransomware due to unauthorized access. To mitigate further damage, the university took the precautionary step of blocking all internet connections, which resulted in the unavailability of critical systems, including student portals and email services.
Article language: in English - Industry: Hospitals and Health Care - Organisation/company: Guam Memorial Hospital Authority (GMHA)
HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Public Hospital
2025-04-18
Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Guam Memorial Hospital Authority (GMHA), a public hospital on the U.S. Territory, island of Guam, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following the receipt of two complaints alleging that the electronic protected health information (ePHI) of GMHA patients was impermissibly disclosed.
OCR initiated an investigation following the receipt of a complaint in January 2019 alleging that GMHA experienced a ransomware attack affecting the ePHI of approximately 5,000 individuals. During the investigation, OCR received another complaint in March 2023 alleging that hacker(s) had accessed patient records. OCR’s investigation determined that GMHA had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI held by GMHA.
Article language: in English - Industry: Education Administration Programs - Organisation/company: Limestone District School Board
Network Disruption Update - Limestone District School Board
2025-04-17
The Limestone District School Board is experiencing a network disruption that is impacting all schools. All schools remain open; however, there is no access to the internet.
William Buck Cyber Incident - William Buck Australia
2025-04-17
William Buck is investigating a cyber incident involving unauthorised access to our IT systems and potentially some data held on these systems.
As soon as this was detected, we implemented our incident response plan and mobilised our Crisis Management Team to ensure the security of our systems and investigate further. We also engaged external experts to assist with our investigation and to help ensure we are taking all appropriate steps in response. We want to assure our stakeholders that we are working to determine what data was impacted as a priority and will provide further updates as we know more. At this time, we have identified a limited number of potentially impacted files and are directly notifying affected clients.
Article language: in German - Organisation/company: Réseau Radiologique Romand SA
Cyberattack on radiology company in western Switzerland - computerworld.ch
2025-04-22
The western Swiss radiology network 3R (Réseau Radiologique Romand) has fallen victim to a cyberattack. It is calling on its customers to guard against suspicious contacts.
According to the report, the hackers copied medical and administrative customer data. Examination results were reportedly not lost. According to information from the 3R Group on Thursday evening, the hackers could misuse the copied data for fraudulent purposes. Customers should be wary of suspicious contacts by letter, e-mail or telephone. These could, for example, contain a demand for additional payment for a recently performed examination.
https://www.groupe3r.ch/fr/le-groupe-3r/actualites/suite-a-un-vol-de-donnees-le-groupe-3r-appelle-les-patients-de-ses-centres-dimagerie-romands-a-la-prudence-5040/
Article language: in Italian - Industry: Government Administration
Hacker attack on the municipal police, mobile phones and tablets down: in Rome fines are written out by hand
2025-04-23
Because of a hacker attack, the tablets and mobile phones of the municipal police have gone down. So for fines, officers are forced to make do, dusting off the old notepads. The IT problems began on Wednesday, and at the time of writing (Friday evening) the system's operation does not yet appear to have been restored to normal. But, local police sources explain, the problem has been resolved at the cyber level, and what remains now are the final checks needed to reconstruct what happened.