Newsletter Archive - "eCrime.ch Ransomware Highlights"

For 2025-10-08
Actor/variant: Chaos - Article language: in English
The Evolution of Chaos Ransomware: Faster, Smarter, and More Dangerous | FortiGuard Labs
2025-10-08
In 2025, Chaos ransomware resurfaced with a C++ variant. We believe this marks the first time it was not written in .NET. Beyond encryption and ransom demands, it adds destructive extortion tactics and clipboard hijacking for cryptocurrency theft. This evolution underscores Chaos's shift toward more aggressive methods, amplifying both its operational impact and the financial risk it poses to victims.

This blog provides a comprehensive technical analysis of Chaos-C++, covering its execution flow, encryption process, and clipboard hijacking mechanism. In addition, we will compare different behaviors between Chaos’s earlier variants.
Actor/variant: Crimson Collective - Article language: in English
Crimson Collective: A New Threat Group Observed Operating in the Cloud | Rapid7 Labs
2025-10-08
Rapid7 has observed increased activity of a new threat group attacking AWS cloud environments, Crimson Collective, who recently claimed to have stolen private repositories from Red Hat’s GitLab.

Rapid7 observed the Crimson Collective in two cases in September. The threat group’s activity has been observed to start with compromising long-term access keys and leveraging privileges attached to the compromised IAM (Identity & Access Management) accounts. The threat group was observed creating new users and escalating privileges by attaching policies. When successful, the Crimson Collective performed reconnaissance to identify valuable data and exfiltrated them via AWS services. In case of the successful exfiltration of data, an extortion note is received by the victim.
Actor/variant: Radiant - Article language: in English - Industry: Education Administration Programs
Two arrested over nursery cyber-attack
2025-10-07
Two men have been arrested by police investigating reports of a cyber-attack on a chain of London-based nurseries.

The Met Police say the pair, aged 17 and 22, were arrested in Bishop's Stortford, Hertfordshire, on suspicion of computer misuse and blackmail.
Article language: in English
The Ransomware Pricing Paradox: An Empirical Study of the Six Stages of Ransomware Negotiations
2025-10-07
Ransomware has become the most common cyber risk for businesses. The rise is not driven by attackers using innovative attacks, but instead by deteriorating negotiation outcomes. The average payment grew by almost 20,000% since 2018. However, it remains unclear why attackers can demand ever higher ransoms. Our study explores potential explanations: lack of backups, cyber insurance, access to incident response (IR) firms, data exfiltration, and negotiating style. We model negotiation as a sixstage model: attacker intent, victim engagement, discount offer, discount magnitude, payment decision, and re-extortion. We test hypothetical explanations for ransom outcomes using two datasets: (1) 481 police-reported incidents (2019–2023); and (2) 237 negotiation transcripts from 23 ransomware groups.

We discover a pricing paradox: victims are more likely to pay after high initial demands, followed by large discounts, than after low fixed-price demands. Stage-level regression resolves this paradox: progression through stages is shaped by backup status, victim revenue, IR involvement, and negotiation duration. Fully recoverable backups sharply reduce payment rates and discount offers; higher revenue increases engagement and discount likelihood; and longer negotiations reduce payment. We find no evidence that insurance increases payment rates, that discount size matters once interaction is accounted for, or that re-extortion is common. These results position ransomware as a market-driven crime shaped by selection effects and signaling.
Actor/variant: Medusa - Article language: in English
Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability | Microsoft Security Blog
2025-10-06
On September 18, 2025, Fortra published a security advisory regarding a critical deserialization vulnerability in GoAnywhere MFT’s License Servlet, which is tracked as CVE-2025-10035 and has a CVSS score of 10.0. The vulnerability could allow a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection and potential remote code execution (RCE). A cybercriminal group tracked by Microsoft Threat Intelligence as Storm-1175, known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the vulnerability.
Article language: in English
XWorm malware resurfaces with ransomware module, over 35 plugins
2025-10-06
New versions of the XWorm backdoor are being distributed in phishing campaigns after the original developer, XCoder, abandoned the project last year.

According to Trellix researchers, XWorm now has more than 35 plugins that extend its capabilities from stealing sensitive information to ransomware.

The file encrypting functionality, Ransomware.dll, lets malware operators set a desktop wallpaper after locking the data, the ransom amount, wallet address, and contact email.
Article language: in English - Industry: Software Development - Organisation/company: Discord Inc. / Discord Netherlands BV
Update on a Security Incident Involving Third-Party Customer Service
2025-10-04
Recently, we discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers. The unauthorized party then gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams.

As soon as we became aware of this attack, we took immediate steps to address the situation. This included revoking the customer support provider’s access to our ticketing system, launching an internal investigation, engaging a leading computer forensics firm to support our investigation and remediation efforts, and engaging law enforcement.
Actor/variant: Crimson Collective - Article language: in English - Industry: Software Development - Organisation/company: Red Hat, Inc.
Red Hat confirms security incident after hackers claim GitHub breach
2025-10-02
An extortion group calling itself the Crimson Collective claims to have breached Red Hat's private GitHub repositories, stealing nearly 570GB of compressed data across 28,000 internal projects.

This data allegedly includes approximately 800 Customer Engagement Reports (CERs), which can contain sensitive information about a customer's network and platforms.

A CER is a consulting document prepared for clients that often contains infrastructure details, configuration data, authentication tokens, and other information that could be abused to breach customer networks.
Article language: in German - Industry: Machinery Manufacturing - Organisation/company: SAACKE GmbH
Wichtige Information - SAACKE Group
2025-10-08
Am 30.09.2025 wurde unsere IT-Infrastruktur Ziel eines Hackerangriffs. Wir haben sofort reagiert, betroffene Systeme isoliert und zusätzliche Sicherheitsmaßnahmen eingeleitet. Gemeinsam mit externen IT-Sicherheitsexperten arbeiten wir intensiv an der Aufklärung und Absicherung des Vorfalls.

Aktuell können wir nur eingeschränkt arbeiten, wodurch es zu Verzögerungen in der Bearbeitung von Anfragen und Aufträgen kommen kann. Wir bitten hierfür um Ihr Verständnis.