Newsletter Archive - "eCrime.ch Ransomware Highlights"

For 2025-10-30
Article language: in English - Industry: Business Consulting and Services - Organisation/company: Merkle (UK) Ltd.
Cyber Incident Statement—International Markets - Dentsu Group Inc.
2025-10-29
What happened?
We detected unusual activity on servers in Merkle’s network. We immediately implemented our incident response protocols, took steps to contain the activity, and launched an investigation. A cybersecurity firm that has worked with other companies to address similar situations was engaged to assist. Law enforcement was notified, and we notified the Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC).

What Information was involved?
The investigation identified that certain files were taken from Merkle’s network. A review of those files determined that they contained information concerning current and former employees. Our investigation is ongoing; however, at present we anticipate that the files include bank and payroll details, salary, National Insurance number, and personal contact details.
Article language: in English - Industry: Information Technology and Services - Organisation/company: ReadyTech Holdings Ltd.
Response to cyber incident - ReadyTech
2025-10-29
17 October 2025 – ReadyTech Holdings Limited (ASX:RDY) (ReadyTech or Company), has become aware of a cyber incident involving its hosted student management system, VETtrak (Platform).

On detecting the incident, ReadyTech immediately isolated the Platform as a precautionary measure and engaged external experts to assist with managing our response to the incident. Access to the Platform by customers is expected to be temporarily unavailable for a period as we work to bring systems back online.
Article language: in English - Industry: Government Administration - Organisation/company: City of Gloversville, NY
City of Gloversville hit by ransomware attack
2025-10-28
GLOVERSVILLE, N.Y. (NEWS10) – On Saturday, the city of Gloversville announced it was hit by a ransomware attack. According to officials, a digital ransom note was discovered by the city’s finance commissioner on March 14.

During the negotiation process, legal and security teams recommended that the city pay the ransom. The original demand was $300,000, but the city council approved a $150,000 payment to the Threat Actor Group, and all the stolen data was recovered and decrypted.
Actor/variant: Qilin - Article language: in English
Uncovering Qilin attack methods exposed through multiple cases
2025-10-27
In recent cases, the open-source software Cyberduck — which enables file transfers to cloud servers — has been widely abused in incidents involving Qilin ransomware. By abusing legitimate cloud-based services for exfiltration, the attacker can blend their activity into trusted domains and legitimate web traffic. As shown in Figure 12, the Cyberduck history file indicates that a Backblaze host was specified as the destination and that a custom setting for split/multipart uploads was enabled to transfer large files.
Article language: in English - Industry: Civil Engineering - Organisation/company: Jennings O’Donovan & Partners Ltd.
Defective block grant scheme firm hit by cyber attack
2025-10-27
The Irish government's Housing Agency said it had been notified of the "cyber incident" involving the engineering firm Jennings O'Donovan, which assesses defective block grant scheme applications.

Personal data - including addresses, personal contact details and photos of affected homes - may have been impacted, the agency said.

Jennings O'Donovan said the incident involved "temporary unauthorised access to a limited part of our IT system" and that "personal financial information was stored securely on systems that have been unaffected".
Article language: in English
UK leads global fight to stop ransomware attacks on supply chains - GOV.UK
2025-10-27
The new guidance helps organisations spot weaknesses in their supply chain before criminals do – setting out clear practical steps to check the security of key suppliers and safeguard against vulnerabilities.

Developed by the UK and Singapore at a global summit of the Counter Ransomware Initiative (CRI), it’s designed to make businesses more resilient and prevent hackers from exploiting the links that connect suppliers and customers.

Sixty-seven members of the CRI have endorsed the guidance, demonstrating its international significance.
Actor/variant: Warlock - Article language: in English
Warlock Ransomware: Old Actor, New Tricks?
2025-10-23
The China-based actor behind the Warlock ransomware may not be a new player and has links to malicious activity dating as far back as 2019.

The Warlock ransomware first appeared in June 2025 and made an impact weeks later, after attackers deploying it were discovered exploiting the ToolShell zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770) on July 19, 2025.

Warlock is an unusual threat. Unlike many ransomware operations, which are headquartered in Russia or other countries in the Commonwealth of Independent States, Warlock appears to be used by a group based in China. And, while its name is new, its origins appear to date back much further, with links to a diverse range of activity.
Article language: in German - Industry: Environmental Services - Organisation/company: Nickelhütte Aue GmbH
Ransomware attack on Nickelhütte Aue | CSO Online
2025-10-23
The metal processor Nickelhütte Aue has become the target of a cyber attack. The company is currently struggling with encrypted data and IT outages.

As Nickelhütte Aue reports on its website, cybercriminals attacked its office IT and encrypted data. As a result, the company's IT systems are currently impaired, the statement says. A spokesperson told CSO that the affected data comes from the areas of HR, accounting, finance, and purchasing and sales.