ransomware attack

Tech Optimizer
May 10, 2025
Databricks is in advanced talks to acquire Neon, a startup that provides a commercial version of the open-source PostgreSQL database, with the deal valued at over billion. Neon, based in San Francisco, has raised more than million from investors, including Microsoft's M12 fund. Neon’s PostgreSQL version features a serverless architecture, automatic hardware scaling, separate allocation of storage and computing power, and connection pooling to enhance performance. Neon also offers a security tool for user access management and the ability to restore databases to previous states. Databricks' interest in Neon is likely linked to AI applications, as Neon’s database supports vector storage and can launch new database instances in one second. Databricks has previously acquired several startups to enhance its AI capabilities, including Fennel AI, Lilac AI, and MosaicML Inc.
Winsage
May 8, 2025
Threat actors linked to the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows, CVE-2025-29824, before Microsoft patched it on April 8, 2025. The flaw is a use-after-free in the Windows Common Log File System (CLFS) driver that lets a local attacker elevate privileges to SYSTEM; it carries a CVSS score of 7.8 and was fixed in the April 2025 Patch Tuesday updates. Play targeted an unnamed organization in the United States, most likely gaining initial access through a public-facing Cisco Adaptive Security Appliance (ASA). No ransomware payload was deployed in that intrusion; instead the attackers ran Grixba, a custom information-stealing tool associated with the group. The exploitation chain, as reported by Symantec, created files under C:\ProgramData\SkyPDF, injected a DLL into the winlogon.exe process, extracted credentials from LSASS memory, created new administrator accounts, and established persistence. Microsoft separately attributed exploitation of the same vulnerability to Storm-2460, a group known for deploying the PipeMagic malware, with victims in IT and real estate in the U.S., finance in Venezuela, software in Spain, and retail in Saudi Arabia. Play has been active since June 2022 and uses double-extortion tactics. Organizations are urged to apply the security updates released on April 8, 2025; Windows 11 version 24H2 is not affected because of existing security mitigations.
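As an added example (not code from the article, Symantec or Microsoft), the following PowerShell hunt checks a Windows host for the indicators the summary lists: the C:\ProgramData\SkyPDF staging directory, non-system modules loaded into winlogon.exe, recent local account and Administrators group changes in the Security log, and the age of the CLFS driver. The 30-day lookback and the file-date heuristic for clfs.sys are assumptions; run it elevated.

```powershell
# Added example: host-level hunt for the CVE-2025-29824 / Play indicators
# described above. Run in an elevated PowerShell session.
$findings = New-Object System.Collections.Generic.List[string]
$winDir   = $env:SystemRoot

# 1. Staging directory the attackers created (indicator from the report).
$staging = 'C:\ProgramData\SkyPDF'
if (Test-Path -LiteralPath $staging) {
    $findings.Add("Staging directory present: $staging")
    Get-ChildItem -LiteralPath $staging -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("  $($_.FullName) ($($_.Length) bytes, written $($_.LastWriteTime))") }
}

# 2. Modules loaded into winlogon.exe from outside the Windows directory.
#    A clean winlogon only loads system DLLs; reading another process's
#    module list requires admin rights, so failures are reported, not hidden.
Get-Process -Name winlogon -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    try {
        foreach ($m in $p.Modules) {
            if ($m.FileName -and -not $m.FileName.StartsWith($winDir, 'OrdinalIgnoreCase')) {
                $findings.Add("winlogon.exe PID $($p.Id) loaded non-system module $($m.FileName)")
            }
        }
    } catch {
        $findings.Add("Could not enumerate modules of winlogon.exe PID $($p.Id): $_")
    }
}

# 3. New local accounts and Administrators membership changes.
#    Security log: 4720 = user account created, 4732 = member added to a
#    security-enabled local group. Lookback of 30 days is an assumption.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $first = ($_.Message -split "`r?`n")[0]
        $findings.Add("Security event $($_.Id) at $($_.TimeCreated): $first")
    }

# 4. Patch state. The April 8, 2025 update replaced clfs.sys, so a driver file
#    older than that date is a red flag. Date comparison is a heuristic;
#    confirm against the KB article for the host's build.
$clfs = Get-Item -LiteralPath "$winDir\System32\drivers\clfs.sys"
$findings.Add("clfs.sys version $($clfs.VersionInfo.FileVersion), last written $($clfs.LastWriteTime)")
if ($clfs.LastWriteTime -lt [datetime]'2025-04-08') {
    $findings.Add("clfs.sys predates the April 2025 update; verify CVE-2025-29824 patch status")
}

if ($findings.Count -eq 0) { 'No indicators found' } else { $findings }
```

The DLL injection into winlogon.exe may have been transient, so an empty module check does not clear the host; the Security log events and the staging directory are the more durable artifacts of this chain.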
Winsage
April 18, 2025
On October 14, 2025, Windows 10 will reach its end of life, affecting users with older PCs that cannot upgrade to Windows 11. ChromeOS Flex is a free operating system by Google designed to modernize older Windows PCs and Macs, offering a fast and secure alternative built on Chromium OS. It does not support standalone Windows applications but allows access to Microsoft 365 and other SaaS applications via web portals. ChromeOS Flex focuses on security with features like automatic updates and data encryption, and it has never experienced a reported ransomware attack. The minimum system requirements include an Intel or AMD x86-64-bit compatible device, 4 GB of RAM, 16 GB of internal storage, and the ability to boot from a USB drive. To install ChromeOS Flex, users must back up their files, create a USB installation drive using the Chromebook Recovery Utility, and boot from the USB drive to test compatibility before proceeding with a full installation.
Tech Optimizer
March 31, 2025
By 2025, the global cost of cybercrime is projected to reach .5 trillion annually. Many organizations continue to rely on traditional Endpoint Detection and Response (EDR) products, which are increasingly ineffective against sophisticated threats. The EDR category was named in 2013 and has struggled to keep pace with evolving attack techniques: it is reactive, responding to incidents after they have begun, and it depends on known Indicators of Compromise (IoCs), which limits it against novel tooling. The article cites as examples of traditional EDR falling short a faulty content update to CrowdStrike's Falcon sensor that caused a global IT outage, Akira ransomware pivoting to an unsecured webcam after its payload was blocked on workstations, the Medibank breach despite multiple EDR alerts, and the BlackCat ransomware attack on Henry Schein. The article proposes Preemptive Endpoint Protection (PEP) as the next phase of endpoint security, preventing attacks before execution rather than detecting and responding afterwards. PEP relies on proactive strategies such as Automated Moving Target Defense (AMTD) and Adaptive Exposure Management (AEM), and the cited research claims that organizations using proactive security reduce breach costs by 30% compared with those relying solely on reactive measures.
Tech Optimizer
March 31, 2025
Antivirus and endpoint security tools are increasingly challenged by ransomware groups that use dedicated tooling to disable defenses early in an attack. Cisco Talos reported that in nearly half of the ransomware engagements it handled in 2024, attackers deployed "EDR killers" against endpoint detection and response (EDR) systems, and those attempts succeeded 48 percent of the time. Tools such as EDRSilencer, EDRSandblast, EDRKillShifter, and Terminator are the main examples. EDRKillShifter, originally associated with RansomHub, loads a vulnerable signed driver on Windows machines to terminate EDR processes from kernel mode, a tactic also observed in operations by rival gangs such as Medusa, BianLian, and Play. The goal of these tools is to disable EDR protections so attackers can operate undetected, which also complicates recovery: restoring trust often requires wiping and rebuilding the entire network, which is only practical if robust backups are available. Some EDR killers, such as HRSword, are legitimate software tools misused by ransomware actors to disable endpoint protection. Attackers have also exploited misconfigured systems, in particular EDR products left in audit-only mode, which detect but do not block malicious activity. LockBit remained the most active ransomware-as-a-service group for the third consecutive year, accounting for 16 percent of claimed attacks in 2024, while newcomer RansomHub took second place with 11 percent of posts to leak sites. Law enforcement actions play a significant role in shaping the ransomware landscape.
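As an added example (not part of the Talos report), this PowerShell check surfaces the configurations that make an EDR killer's job easy on a host protected by Microsoft Defender: Tamper Protection off, Attack Surface Reduction rules left in audit-only mode, the vulnerable driver blocklist not enabled, and running kernel drivers not signed by Microsoft. The ASR rule GUID is Microsoft's "Block abuse of exploited vulnerable signed drivers" rule; the registry value is the documented blocklist switch. Run elevated.

```powershell
# Added example: audit the "detect but do not block" settings that EDR killers
# and BYOVD loaders rely on, for a Microsoft Defender host. Run elevated.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
$issues = New-Object System.Collections.Generic.List[string]

# Tamper Protection stops a local admin (or a script running as one) from
# simply switching real-time protection off.
if (-not $status.IsTamperProtected)  { $issues.Add('Tamper Protection is off') }
if ($pref.DisableRealtimeMonitoring) { $issues.Add('Real-time monitoring is disabled') }

# Attack Surface Reduction rule actions: 0 = off, 1 = block, 2 = audit, 6 = warn.
# Audit mode logs the event but lets the action through.
$vulnDriverRule = '56a863a9-875e-4185-98a7-b882c64b5ce5'   # Block abuse of exploited vulnerable signed drivers
$ids  = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
$acts = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
$seen = $false
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $vulnDriverRule) { $seen = ($acts[$i] -eq 1) }
    switch ($acts[$i]) {
        2 { $issues.Add("ASR rule $($ids[$i]) is in audit-only mode") }
        0 { $issues.Add("ASR rule $($ids[$i]) is disabled") }
    }
}
if (-not $seen) { $issues.Add("ASR rule $vulnDriverRule (vulnerable signed drivers) is not in block mode") }

# Microsoft's vulnerable driver blocklist. Documented switch:
# HKLM\SYSTEM\CurrentControlSet\Control\CI\Config, VulnerableDriverBlocklistEnable (1 = on).
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
        -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
if ($null -eq $ci) {
    $issues.Add('Vulnerable driver blocklist value not set (default depends on OS version and HVCI)')
} elseif ($ci.VulnerableDriverBlocklistEnable -ne 1) {
    $issues.Add('Vulnerable driver blocklist is explicitly disabled')
}

# Running kernel drivers whose signer is not Microsoft: the candidate list to
# check against a driver blocklist. Heuristic only: WHQL/attestation-signed
# third-party drivers carry a Microsoft signer and will not show up here.
Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
    $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($signer -notmatch 'Microsoft') {
            $issues.Add("Non-Microsoft kernel driver running: $($_.Name) ($path) signed by $signer")
        }
    }
}

if ($issues.Count -eq 0) { 'No obvious gaps found' } else { $issues }
```

The driver listing is deliberately noisy; what matters is comparing it against the vendor's blocklist and against what the host is expected to run, since the drivers abused by EDRKillShifter and similar tools are validly signed.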
Winsage
March 25, 2025
Access provides advice on IT challenges, career transitions, and workplace dynamics. A mid-sized company had a ransomware scare after a user opened a malicious attachment, but recovered its data without paying the ransom. To harden a Windows environment on a limited budget, the column recommends the following steps:
1. Centralize data storage on servers rather than individual workstations, which narrows what an infected endpoint can reach and simplifies backups.
2. Apply the principle of least privilege, limiting each user's access to only the resources they need, so a compromised account can damage less.
3. Use Microsoft's AppLocker to control which applications can run on Windows desktops, blocking unauthorized software.
4. Set up a ransomware kill switch: a custom PowerShell script that monitors for suspicious file activity and triggers defensive actions when ransomware behaviour is detected.
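As an added example of step 4 (this is not the column's script), the following PowerShell kill switch plants canary files in a directory that sorts early on a file share, watches them with a FileSystemWatcher, and, when more than a threshold of write, rename or delete events hit the canaries within a short window, stops the Server service and disables the network adapters so the encryptor loses access to the data. The canary path, file names, threshold, window and response actions are all assumptions to adapt; run it elevated as a scheduled task on the file server.

```powershell
# Added example: canary-file ransomware kill switch. Not the article's script.
# Assumed values: canary location, response actions, threshold and window.
$CanaryDir   = 'C:\Shares\Finance\00_Archive'       # hypothetical; sorts first so an encryptor hits it early
$CanaryFiles = @('00_budget_2019.xlsx', '00_contracts.docx', '00_readme.txt')
$Threshold   = 2                                     # canary events inside $Window that trigger the switch
$Window      = [TimeSpan]::FromSeconds(10)
$LogFile     = 'C:\ProgramData\CanaryKillSwitch.log'

# Create the bait. Nothing legitimate should ever modify these files; backup
# and AV scans only read them, which the watcher ignores.
New-Item -ItemType Directory -Path $CanaryDir -Force | Out-Null
foreach ($name in $CanaryFiles) {
    $path = Join-Path $CanaryDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Set-Content -LiteralPath $path -Value "canary $(New-Guid) $(Get-Date -Format o)"
    }
}

function Invoke-KillSwitch {
    param([string]$Reason)
    Add-Content -LiteralPath $LogFile -Value "$(Get-Date -Format o) KILL SWITCH: $Reason"
    # 1. Stop serving SMB shares so the encryptor loses access to the data.
    Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue
    # 2. Cut the host off the network entirely; an operator re-enables it after triage.
    Get-NetAdapter | Where-Object Status -eq 'Up' |
        Disable-NetAdapter -Confirm:$false -ErrorAction SilentlyContinue
}

$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $CanaryDir, '*'
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents = $true
foreach ($ev in 'Changed', 'Renamed', 'Deleted', 'Created') {
    Register-ObjectEvent -InputObject $watcher -EventName $ev -SourceIdentifier "Canary.$ev" | Out-Null
}

# Events are drained in the main loop rather than in -Action blocks so all
# state lives in one scope. $recent holds timestamps of events inside $Window.
$recent = @()
try {
    while ($true) {
        $evt = Wait-Event -Timeout 5
        if ($null -eq $evt) { continue }
        Remove-Event -EventIdentifier $evt.EventIdentifier
        $fsArgs = $evt.SourceEventArgs
        $line = "$($evt.TimeGenerated.ToString('o')) $($fsArgs.ChangeType) $($fsArgs.FullPath)"
        Add-Content -LiteralPath $LogFile -Value $line

        $cutoff = (Get-Date) - $Window
        $recent = @($recent | Where-Object { $_ -gt $cutoff }) + $evt.TimeGenerated
        if ($recent.Count -ge $Threshold) {
            Invoke-KillSwitch -Reason "$($recent.Count) canary events within $($Window.TotalSeconds)s, last: $line"
            break
        }
    }
} finally {
    $watcher.EnableRaisingEvents = $false
    Get-EventSubscriber | Where-Object SourceIdentifier -like 'Canary.*' | Unregister-Event
    $watcher.Dispose()
}
```

A threshold of two events stops a single accidental touch from taking the server offline, while an encryptor that writes an encrypted copy and deletes or renames the original produces several events per file. The response is deliberately blunt: losing the share for an hour is cheaper than losing it to encryption, and the watcher cannot identify the offending process, so isolating the host is the reliable action.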
Tech Optimizer
March 25, 2025
In 2024, Vietnam experienced over 155,640 ransomware attacks, leading to financial losses in the tens of trillions of VND (hundreds of millions of USD) for organizations. A cybersecurity assessment on March 25 revealed that 60% of Vietnamese businesses lack adequate cybersecurity solutions. On the first day of a ransomware attack, one company reported losses exceeding 100 billion VND (approximately .1 million), while another faced losses of up to 800 billion VND (about .3 million). Bkav's research indicated that ransomware attacks are becoming more sophisticated, with many organizations lacking sufficient antivirus protection. The National Cybersecurity Association reported over 659,000 cyberattacks in 2024, with APT and ransomware attacks accounting for 26.14% and 14.59% of incidents, respectively. Experts recommend regular vulnerability assessments, 24/7 cybersecurity monitoring, and comprehensive incident response plans.
Tech Optimizer
March 9, 2025
Mac users have historically believed their computers are immune to viruses and malware, but this notion may be outdated as cyber threats evolve. The rise in popularity of Macs has attracted cybercriminals, leading to the development of sophisticated malware and ransomware specifically targeting Mac operating systems. Phishing attacks have also become more prevalent, using impersonation tactics to extract sensitive information from users. Built-in security features like Gatekeeper and XProtect provide some protection, but experts now recommend considering third-party antivirus solutions for enhanced security, especially when handling private information, downloading from unverified sources, or using Macs in business environments. While some users worry that antivirus programs may slow down their systems, modern options are designed to be more efficient. Ultimately, the decision to use antivirus software depends on individual digital habits and risk tolerance.
Winsage
December 22, 2024
A festive banner featuring a Christmas wreath and labeled "Christmas.exe" has appeared on some ASUS PCs, causing confusion among users who feared it was malware. The banner is part of a promotional campaign built into the Armoury Crate software that comes pre-installed on certain ASUS systems. Users reported that it occupies a large portion of the screen and prompts them to "Press ESC to exit." Seeing a process named "Christmas.exe" in Task Manager heightened concerns about a possible ransomware attack. The executable sits inside the ASUS program files directory and is tied to the Aura lighting effects in Armoury Crate. Users expressed frustration over its intrusive nature and reported problems such as memory leaks. To prevent these promotions, users can uninstall ASUS Armoury Crate or disable it in the BIOS. The banner is expected to disappear after the holiday season.