ransomware groups Archives

Winsage

January 11, 2026

Windows 10 Users Are Being Targeted With New Upgrade Offer

A surge of attacks targeting Windows 10 machines highlights the need for users to upgrade to Windows 11 Pro, which is currently available at a discount of approximately 94% off its standard price. Windows 10 is becoming increasingly vulnerable as it approaches its end of support, leaving users exposed to cyber threats. The U.S. Cybersecurity and Infrastructure Security Agency warns that unsupported systems are often exploited by cybercriminals. Windows 10 remains widely used, making it a significant target for attackers, as evidenced by over billion in reported cybercrime losses in 2023. Windows 11 Pro offers enhanced security features, including BitLocker drive encryption, Credential Guard, and Smart App Control, along with a security-first design that requires compatible hardware. Current promotions allow users to purchase a Windows 11 Pro license for under 0, providing a one-time purchase option that includes updates until Microsoft ends support for Windows 11. Users are advised to check compatibility before upgrading and to back up important files. For those unable to upgrade, alternatives include purchasing Extended Security Updates or investing in new hardware that meets Windows 11 specifications.

Winsage

December 15, 2025

Still running Windows 10? Here’s why that’s a bad idea

Hundreds of millions of computers are still using Windows 10, despite it reaching its end-of-support deadline. An Extended Security Updates (ESU) subscription is available for free until October 2026, providing updates to help protect against security threats. By early 2021, around 100 million PCs were still running Windows 7, which had ceased receiving updates in January 2020, making them vulnerable to cyberattacks from groups like Digital Shadows, LockBit, Conti, and Vice Society. Notable incidents include the PrintNightmare flaw in July 2021, which led Microsoft to issue a patch for Windows 7, and the WannaCry attack in 2017, which targeted Windows XP machines. Microsoft releases monthly security fixes, and vulnerabilities like CVE-2025-62215, identified in November 2025, have been categorized as "Exploitation Detected." While current vulnerabilities require local access, history suggests that remote attacks may soon occur, posing severe risks to unpatched systems.

Winsage

November 23, 2025

Fake Windows Defender notifications are on the rise

Microsoft's latest AI language interpreter has raised concerns among cybersecurity experts, as it has inadvertently provided new opportunities for cybercriminals. Scammers are using fake Windows Defender pop-ups, which appear authentic, to deceive users into granting unauthorized remote access to their computers. Certain ransomware groups have found ways to disable Windows Defender remotely using trusted Windows drivers, leaving users vulnerable without alerts. These fraudulent notifications often lock users' browsers and prompt them to call a number associated with the scammers, who then guide them through granting access under false pretenses. The pop-ups originate from compromised websites, malicious ads, or bundled software, exploiting the familiar Defender name to instill fear. Relying solely on Windows Defender is risky, as it struggles against sophisticated attacks, lacks deeper monitoring, and is a prime target for cybercriminals. A multi-layered security approach, including reputable third-party security packages like Trend Micro’s Internet Security, is recommended. Additionally, maintaining smart security habits, such as keeping systems updated and using strong passwords, is essential for effective protection.

Tech Optimizer

November 6, 2025

DragonForce Cartel Emerges Following Conti v3 Ransomware Source Code Leak

Acronis Threat Research Unit (TRU) analyzed the DragonForce ransomware cartel, which emerged in 2023 as a Ransomware-as-a-Service (RaaS) operation and transitioned to a cartel model. DragonForce utilizes leaked Conti v3 code and has similarities with LockBit Green in encryption and backend configurations. By early 2025, it rebranded as the “DragonForce Ransomware Cartel,” offering affiliates 80 percent profit shares and infrastructure support. The cartel has over 200 victims from various sectors since late 2023 and is known for its attack on Marks & Spencer, collaborating with Scattered Spider. DragonForce employs bring-your-own-vulnerable-driver (BYOVD) techniques to evade endpoint protection and has improved its encryption methods. The group has spawned offshoots like Devman and Mamona, which utilize its enhanced encryptor.

Winsage

October 21, 2025

The ESU Gamble: Why Windows 10 Extended Security Updates Are a Risk You Can’t Afford

Many organizations are relying on Extended Security Updates (ESUs) for Microsoft’s Windows 10 as the end-of-life deadline approaches, but this solution is limited and does not protect against zero-day exploits or sophisticated attacks. The ESU program will end in October 2026, leading to increased costs and risks. Legacy systems like Windows 10 are particularly vulnerable to cybercriminals, and even with ESUs, they can be exploited by advanced threats. Transitioning to Windows 11 is complicated for many organizations due to compatibility and hardware issues. Morphisec offers a proactive solution with its Automated Moving Target Defense (AMTD) technology, which continuously alters system memory to protect against attacks without needing updates or patches. The cost of Morphisec is lower than potential expenses from ransomware incidents or ESUs. Organizations face significant risks if they delay action, as seen in past ransomware outbreaks like WannaCry. Unsupported systems can lead to compliance failures and reputational harm. Morphisec provides a way to secure Windows 10 systems while facilitating a smooth migration to Windows 11, ensuring protection across hybrid environments.

Winsage

September 1, 2025

Hackers Leverage Windows Defender Application Control Policies to Disable EDR Agents

Cybercriminals are using Windows Defender Application Control (WDAC) policies to disable Endpoint Detection and Response (EDR) agents, creating vulnerabilities in corporate security. Ransomware groups like Black Basta have adopted this method, which evolved from a proof-of-concept tool called "Krueger" into real malware named "DreamDemon." Attackers manipulate the C:WindowsSystem32CodeIntegritySiPolicy.p7b file to implement malicious WDAC policies that block EDR executables during system startup. The technique involves a four-step process: loading the policy, placing it in the CodeIntegrity directory, hiding the policy file, and creating decoy log files. DreamDemon samples, written in C++, exhibit enhanced stealth and target major EDR vendors. Detection efforts focus on monitoring specific registry keys and analyzing file signatures. Despite awareness of this threat, EDR vendors have not implemented sufficient preventative measures, leaving systems exposed.

Winsage

August 28, 2025

Hackers Abuse Microsoft Teams to Gain Remote Access With PowerShell-based Malware

Cybercriminals are increasingly targeting Microsoft Teams to deploy malware and gain control over victim systems, shifting from traditional email phishing attacks. They impersonate IT support staff in Teams chats to deceive employees into granting remote access. Attackers use newly created or compromised accounts with names like “IT SUPPORT ✅” to appear legitimate. They establish trust and persuade employees to install remote access software, allowing direct access to corporate networks. Recent incidents involve malware loaders like DarkGate and Matanbuchus, with attackers executing PowerShell commands to download malicious payloads designed for credential theft and remote code execution. The malware can designate its process as “critical” to evade detection and trick users into entering passwords through a legitimate-looking prompt. Analysis links these campaigns to the financially motivated threat actor known as Water Gamayun. Employees must be trained to verify unsolicited requests for credentials or software installations through separate communication channels.

Winsage

August 19, 2025

Ransomware gang masking PipeMagic backdoor as ChatGPT desktop app: Microsoft

Microsoft has identified a sophisticated malware called PipeMagic, disguised as a ChatGPT desktop application, linked to the threat actor Storm-2460, who is preparing for ransomware attacks. This malware exploits a zero-day vulnerability (CVE-2025-29824) affecting the Windows Common Log File System Driver (CFLS), first disclosed in April. PipeMagic has targeted sectors such as information technology, financial, and real estate across the U.S., Europe, South America, and the Middle East. It emerged in 2022 during attacks on Asian entities and resurfaced in September 2024. Victims see a blank screen upon opening the malicious application, complicating detection. Hackers modified an open-source ChatGPT project to embed malicious code that activates the malware, allowing privilege escalation and ransomware deployment. Kaspersky reported that PipeMagic was used in a RansomExx ransomware campaign, and Symantec noted its exploitation by the Play ransomware group.

Tech Optimizer

August 12, 2025

Your antivirus is under attack from new “killer” tool – here’s what we know

Cybercriminals are enhancing their capabilities to disable antivirus and endpoint detection and response (EDR) systems, with a new malware tool called EDRKillShifter being circulated in underground forums. This tool can neutralize EDR systems from vendors like Sophos, Bitdefender, and Kaspersky, using obfuscation techniques and signed drivers that may be stolen or compromised. EDRKillShifter was found embedded in the legitimate Clipboard Compare tool from Beyond Compare, indicating sophisticated tactics to evade detection. The malware emerged in mid-2024 after an unsuccessful attempt to disable antivirus software and deploy ransomware, revealing evolving strategies among attackers. To mitigate risks, Sophos recommends enabling tamper protection, maintaining robust security hygiene, and keeping systems updated, particularly regarding outdated signed drivers.

Tech Optimizer

June 27, 2025

ClickFix fake error message malware spikes over 500%, takes second place as the most abused attack vector

The ClickFix attack vector has increased by 517% since the latter half of 2024, becoming the second most exploited method for cyberattacks, following phishing. Hackers are using ClickFix to deploy various infostealing malware, including Lumma Stealer, VidarStealer, StealC, and Danabot. The ClickFix mechanism involves a counterfeit reCAPTCHA that misleads users into executing harmful Powershell commands. This method is primarily spread through phishing emails directing users to fraudulent websites. ESET’s Threat Report indicates that SnakeStealer has surpassed Agent Tesla as the most frequently detected infostealer, targeting businesses in the US and EU for credential theft. The ransomware landscape has been disrupted by internal conflicts among groups, with DragonForce launching defacement campaigns against other ransomware entities. On mobile devices, Kaleidoscope infections have caused a 160% increase in Android adware detections, and the SparkKitty malware has been found in both the Apple App Store and Google Play Store. Kaleidoscope generates revenue through intrusive ads while infecting devices with a malicious app from third-party stores.