Newsletter Archive - "eCrime.ch Ransomware Highlights"

For 2025-12-22
Article language: in English
Interpol-led action decrypts 6 ransomware strains, arrests hundreds
2025-12-22
An Interpol-coordinated initiative called Operation Sentinel led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents.

Between October 27 and November 27, the investigation, which involved law enforcement in 19 countries, took down more than 6,000 malicious links and decrypted six distinct ransomware variants.

Interpol says that the cybercrime cases investigated are connected to more than $21 million in financial losses.
Actor/variant: CL0P - Article language: in English
Clop ransomware targets Gladinet CentreStack in data theft attacks
2025-12-19
The Clop ransomware gang (also known as Cl0p) is targeting Internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign.

Gladinet CentreStack enables businesses to securely share files hosted on on-premises file servers through web browsers, mobile apps, and mapped drives without requiring a VPN. According to Gladinet, CentreStack "is used by thousands of businesses from over 49 countries."
Article language: in English - Industry: Education - Organisation/company: Minersville School District
Minersville School District continues to probe ransomware attack – Pottsville Republican Herald
2025-12-18
The Minersville School District on Wednesday continued to investigate a ransomware attack that forced it to close schools for two days so far and left the district unable to access some of its computer data. The attack was discovered Monday morning by an antivirus program that the district had installed. Minersville officials received an alert, took the entire computer system offline, and contacted their insurance company, whose cybersecurity team has been advising the district. The district canceled classes for Tuesday and Wednesday and planned to make a decision about Thursday’s school day by Wednesday evening, said Superintendent Michael Maley.
Article language: in English - Industry: Hospitals and Health Care - Organisation/company: Ungava Tulattavik Health Centre
Cyberattack results in information breach at Nunavik health centre | CBC News
2025-12-18
Officials at the Ungava Tulattavik Health Centre (UTHC) in Kuujjuaq, Que., say a cyberattack in November compromised some client and staff information.

Early analyses "indicated that no sensitive data had been compromised," but more recent information suggests that may not have been the case, reads a news release.

New information shows that files "potentially containing clinical and administrative information concerning certain users and employees" may have been stolen.
Article language: in English - Industry: Government Administration - Organisation/company: The Office of the Ombudsman, Ireland
Ombudsman IT systems taken offline after ransomware attack as data may have been accessed
2025-12-18
The Office of the Ombudsman has taken its IT systems offline after being targeted in a "financially motivated" ransomware attack, with investigators operating on the basis that data may have been accessed.

The move comes as a precaution while a forensic investigation is carried out and the nature and extent of the cybersecurity incident are assessed.

The Office is working with the National Cyber Security Centre and external cyber incident response specialists to contain the threat, a spokesperson said.

The Ombudsman, Ger Deering, said the priority is to establish what has occurred, restore services safely, and protect the people who rely on the services of the Ombudsman and the offices it supports.

More at: https://ombudsman.ie/en/news/7fec0-office-of-the-ombudsman-responding-to-cybersecurity-incident/
Article language: in English - Industry: Chemical Manufacturing - Organisation/company: Dainichi Color Vietnam Co., Ltd.
Notice Concerning Ransomware Incident at Consolidated Subsidiary - Dainichiseika Color & Chemicals Mfg.Co.,Ltd.
2025-12-17
We hereby announce that our local subsidiary in Vietnam, DAINICHI COLOR VIETNAM CO., LTD. (the “Subsidiary”), has experienced unauthorized access by a third party, resulting in a ransomware infection of its internal servers and related systems.
We sincerely apologize for the significant concern and inconvenience this has caused to our customers, business partners, and all other relevant parties.
Article language: in English - Industry: Textile Manufacturing - Organisation/company: Fieldtex Products, Inc.
Notification of Data Security Incident – Fieldtex Products Inc.
2025-12-17
[11/20/2025] – Fieldtex Products, Inc. ("Fieldtex") has become aware of a data security incident that may have impacted certain protected health information. Fieldtex is a medical supply fulfillment organization and provided over-the-counter, healthcare-related products to members through their health plans. In order to deliver these services, Fieldtex received certain protected health information from the members' health plans.

On or around August 19, 2025, Fieldtex discovered certain unauthorized activity within its computer systems. Upon discovery, Fieldtex immediately secured its network and swiftly engaged a third-party team of forensic investigators in order to determine the full nature and scope of the incident. Following a thorough investigation, Fieldtex confirmed that a limited amount of protected health information may have been impacted in connection with this incident.
Actor/variant: Weaxor - Article language: in English
React2Shell used as initial access vector for Weaxor ransomware deployment
2025-12-16
Immediately after the threat actor gained access to our client's network on 5 December 2025, they ran an obfuscated PowerShell command, which established command and control (C2) by downloading a Cobalt Strike PowerShell stager and installing a beacon that called back to their remote infrastructure. After this, the threat actor disabled real-time protection on Windows Defender Antivirus to prepare the environment for secondary payloads.

The ransomware binary was dropped and executed on the system within less than one minute of initial access. Recovery notes titled "RECOVERY INFORMATION.txt" were created in multiple directories. Encrypted files were modified with the file extension ".weax". After ransomware detonation, a text file was also created on disk which included the public IP address of the target. This was likely sent back to the threat actor's C2 server. As a defence evasion tactic, event logs were cleared, and volume shadow copies were deleted.
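The Weaxor chain above (real-time protection disabled, ransom notes written, ".weax" extension, logs cleared, shadow copies deleted) maps onto a handful of Windows events a SOC can correlate per host. The following detection sketch is an added example, not code from the article or the responders; the sample events are constructed, and it assumes Sysmon events 1 and 11, Defender event 5001, Security event 1102, and a `vssadmin delete shadows` command line for the shadow-copy deletion, which the article does not specify.

```python
import re

# Constructed sample events modelled on the chain described above; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "provider": "Microsoft-Windows-Windows Defender", "event_id": 5001,
     "message": "Real-time protection is disabled."},
    {"host": "ws01", "provider": "Microsoft-Windows-Sysmon", "event_id": 11,
     "target": r"C:\Users\Public\RECOVERY INFORMATION.txt"},
    {"host": "ws01", "provider": "Microsoft-Windows-Sysmon", "event_id": 11,
     "target": r"C:\Data\report.docx.weax"},
    {"host": "ws01", "provider": "Microsoft-Windows-Sysmon", "event_id": 1,
     "command_line": "vssadmin.exe delete shadows /all /quiet"},  # assumed method
    {"host": "ws01", "provider": "Microsoft-Windows-Eventlog", "event_id": 1102,
     "message": "The audit log was cleared."},
    {"host": "ws02", "provider": "Microsoft-Windows-Sysmon", "event_id": 11,
     "target": r"C:\Data\notes.txt"},  # benign file write, should not match
]

RANSOM_NOTE = "RECOVERY INFORMATION.txt"
WEAX_EXT = re.compile(r"\.weax$", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

def classify(event):
    """Return the indicator name an event matches, or None if it matches nothing."""
    eid = event.get("event_id")
    prov = event.get("provider", "")
    if prov.endswith("Windows Defender") and eid == 5001:
        return "defender_realtime_disabled"
    if eid == 1102:                       # Security log cleared
        return "security_log_cleared"
    if prov.endswith("Sysmon") and eid == 1 and SHADOW_DELETE.search(event.get("command_line", "")):
        return "shadow_copies_deleted"
    if prov.endswith("Sysmon") and eid == 11:
        target = event.get("target", "")
        if target.endswith(RANSOM_NOTE):
            return "ransom_note_written"
        if WEAX_EXT.search(target):
            return "weax_extension_observed"
    return None

def score_hosts(events):
    """Collect the distinct indicators seen on each host."""
    per_host = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host.setdefault(ev["host"], set()).add(tag)
    return {h: sorted(tags) for h, tags in per_host.items()}

def flagged_hosts(events, threshold=2):
    """Flag hosts with at least `threshold` distinct indicators; any single one can be benign."""
    return sorted(h for h, tags in score_hosts(events).items() if len(tags) >= threshold)
```

Because the article reports the whole chain landing within about a minute of initial access, the per-host correlation window in a real pipeline should be short and the Defender 5001 event alone should already page an analyst.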