Newsletter Archive - "eCrime.ch Ransomware Highlights"
For 2026-02-17

Article language: in Dutch - Industry: Telecommunications - Organisation/company: Odido NL Holding B.V.

Cyber incident information page | Odido
2026-02-12

Odido has been hit by a cyberattack in which the data of a number of customers was affected. This concerns personal data originating from a customer contact system used by Odido. No passwords, call records or billing data are involved.
The unauthorised access to the system was terminated as quickly as possible. In addition, Odido has engaged external cybersecurity experts to support it in taking additional security measures as part of the response to this incident.

Article language: in English - Industry: Financial Services - Organisation/company: Land and Agricultural Development Bank of South Africa

Land Bank declines to confirm R50m ransom claim as cyber investigation continues
2026-02-15

Following a cybersecurity breach, the Land and Agricultural Development Bank of South Africa is under scrutiny as reports emerge of a R50 million ransom demand. The bank has confirmed the incident but remains tight-lipped on ransom specifics while investigations continue.
In an emailed response to BR on Friday, the bank confirmed it experienced a cybersecurity incident caused by an unauthorised third party that deployed ransomware, which encrypted part of our server environment. However, it refused to engage on specific details relating to any possible ransom.

Actor/variant: Rhysida - Article language: in English

OysterLoader Unmasked: The Multi-Stage Evasion Loader
2026-02-13

OysterLoader, also known as Broomstick and CleanUp, is a multi-stage malware written in C++ that belongs to the loader (also known as downloader) malware family. First reported in June 2024 by Rapid7, it is mainly distributed via websites impersonating legitimate software, often IT tools such as PuTTY, WinSCP, Google Authenticator, and AI software. The loader is primarily employed in campaigns leading to Rhysida ransomware.

Article language: in English - Industry: Government Administration - Organisation/company: Winona County, MI

Winona County Responds to Ransomware Incident
2026-02-13

The following is an update to County residents about the recent ransomware attack. Winona County officials are being assisted by nationally recognized cybersecurity and data forensics experts and are coordinating with federal law enforcement during our investigation. The County is following industry best practices and has a strategic plan to address this incident. We remain committed to serving our community as we continue working to test and recover impacted systems as quickly and securely as possible. Winona County continues to be focused on a secure and phased approach to bringing our systems back online to ensure a full and efficient resumption of services.

Actor/variant: World Leaks - Article language: in English

World Leaks Ransomware Group Adds Stealthy, Custom Malware ‘RustyRocket’ to Attacks
2026-02-12

World Leaks, the cyber-criminal data extortion group which has targeted some of the world’s biggest companies, has added a novel, never-before-seen malware to its arsenal, research by Accenture Cybersecurity has revealed.
Accenture has named the malware ‘RustyRocket’. It allows World Leaks to stealthily maintain persistence on networks and forms a key part of the extortion group’s attacks. “The sophisticated toolset is a critical component of World Leaks’ operations and has functioned entirely under the radar, enabling affiliates to stealthily exfiltrate data and proxy traffic across victim environments,” T. Ryan Wheeler, MD and global head of Accenture cyber intelligence, said in a LinkedIn post that revealed the research.

Actor/variant: DragonForce - Article language: in English

Inside the Ecosystem, Operations: DragonForce
2026-02-12

DragonForce is a ransomware group that first emerged on December 13, 2023, when a user identified as @dragonforce on BreachForums uploaded stolen data. The group developed and deployed its own ransomware based on the leaked LockBit 3.0 (LockBit Black) and Conti source code. As of January 2026, we confirmed that the LockBit 3.0–based DragonForce builder is no longer available.
DragonForce has been expanding its operational scope through attacks on other groups as well as through cooperative relationships, which is assessed as an effort to strengthen its position within the ransomware ecosystem.

Article language: in English

Paris trial shines light on everyday cybercrime as couple faces ransomware charges
2026-02-12

Two Russian nationals stand trial in Paris in a case emblematic of the wave of ransomware attacks that France has seen for more than six years.
The trial opening Wednesday, February 11, before the Paris Judicial Court, provides a window into this daily cybercrime. Local governments, small and medium-sized businesses, law firms: the victims recorded between 2020 and 2022 were scattered across France, with losses ranging from several tens of thousands to more than €150,000. Only one victim paid the ransom, which was typically set at one bitcoin (about €58,000 at the time of this article's publication). However, all had their computers paralyzed by Phobos, a ransomware strain described by Europol as "discreet but highly effective."

Actor/variant: Global - Article language: in English

Phorpiex Phishing Campaign Delivers GLOBAL GROUP Ransomware
2026-02-10

We recently observed a high-volume Phorpiex campaign delivered through phishing emails with the subject "Your Document". It is a subject line that has been heavily used in large-scale campaigns throughout 2024 and 2025.
The phishing email includes a seemingly harmless attachment that is in fact a weaponised Windows Shortcut (.lnk) file. This malicious shortcut highlights how attackers continue to exploit everyday file types to gain an initial foothold in a victim’s system. By combining social engineering, stealthy execution, and Living-off-the-Land (LotL) techniques, the file silently retrieves and launches a second-stage payload without raising suspicion.

Article language: in Japanese - Industry: Hospitality - Organisation/company: ワシントンホテル株式会社 / Fujita Kanko Inc. / WHG Hotels / Washington Hotel

Notice of Ransomware Infection | [Official] Washington Hotel Co., Ltd. (ワシントンホテル株式会社)
2026-02-17

We hereby inform you that some of our servers have suffered unauthorised access by a third party and infection by ransomware.
In response to this incident, we have set up a countermeasures headquarters and, with the advice of external experts, are proceeding with investigating the cause, confirming the extent of the damage, determining whether any information was leaked, and working toward recovery. Establishing the full picture of the damage is expected to take some more time, but the facts confirmed at this point are as follows. We sincerely apologise for the great concern and inconvenience caused to our customers and all parties concerned.

