#lockbit


The #FBI and #DCIS disrupted #Danabot. #ESET was one of several companies that cooperated in this effort. welivesecurity.com/en/eset-res
#ESETresearch has been involved in this operation since 2018. Our contribution included providing technical analyses of the malware and its backend infrastructure, as well as identifying Danabot’s C&C servers. Danabot is a #MaaS #infostealer that has also been seen pushing additional malware – even #ransomware, such as #LockBit, #Buran, and #Crisis – to compromised systems.
We have analyzed Danabot campaigns all around the world and found a substantial number of distinct samples of the malware, as well as identified more than 1,000 C&Cs.
This infostealer is frequently promoted on underground forums. The affiliates are offered an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communication between the bots and the C&C server.
IoCs are available in our GitHub repo. You can expect updates with more details in the coming days. github.com/eset/malware-ioc/tr

The hackers got hacked! In an ironic twist, LockBit, the infamous ransomware-as-a-service gang, was breached. Watch the new episode of Cyberside Chats as @sherridavidoff and @MDurrin share the details and explain what it means for cyber defenders.

We explore what was leaked, why it matters, and how this incident compares to past takedowns like Conti. You'll also get the latest insights into the 2025 ransomware landscape, from victim stats to best practices for defending your organization.

Watch or listen now and get practical takeaways to strengthen your ransomware response playbook.

Watch: youtu.be/xr-8GhazgME
Listen: chatcyberside.com/e/lockbits-o

🔥 Latest issue of my curated #cybersecurity and #infosec list of resources for week #19/2025 is out!

It includes the following and much more:

💬 The #Signal clone the Trump admin uses was hacked;

🇺🇸 ✈️ ICE's airline hacked;

🇬🇧 The DragonForce #ransomware group claimed responsibility for recent cyberattacks on UK retailers;

🌐 NATO hosting the Locked Shields 2025 cyber defense exercise in Estonia;

🔓 The #LockBit ransomware gang was hacked!

📨 Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

infosec-mashup.santolaria.net/

X’s InfoSec Newsletter🕵🏻‍♂️ · [InfoSec MASHUP] 19/2025 · The Signal Clone the Trump Admin Uses Was Hacked; ICE's Airline Hacked; The DragonForce ransomware group claimed responsibility for recent cyberattacks on UK retailers; NATO hosting the Locked Shields 2025 cyber defense exercise in Estonia;

#ESETresearch discovered previously unknown links between the #RansomHub, #Medusa, #BianLian, and #Play ransomware gangs, and leveraged #EDRKillShifter to learn more about RansomHub’s affiliates. @SCrow357 welivesecurity.com/en/eset-res
RansomHub emerged in February 2024 and in just three months reached the top of the ransomware ladder, recruiting affiliates from disrupted #LockBit and #BlackCat. Since then, it dominated the ransomware world, showing similar growth as LockBit once did.
Previously linked to North Korea-aligned group #Andariel, Play strictly denies operating as #RaaS. We found its members utilized RansomHub’s EDR killer, EDRKillShifter, multiple times during their intrusions, meaning some members likely became RansomHub affiliates.
BianLian focuses on extortion-only attacks and does not publicly recruit new affiliates. Its access to EDRKillShifter suggests a similar approach as Play – having trusted members, who are not limited to working only with them.
Medusa, same as RansomHub, is a typical RaaS gang, actively recruiting new affiliates. Since it is common knowledge that affiliates of such RaaS groups often work for multiple operators, this connection is to be expected.
Our blogpost also emphasizes the growing threat of EDR killers. We observed an increase in the number of such tools, while the set of abused drivers remains quite small. Gangs such as RansomHub and #Embargo offer their killers as part of the affiliate program.
IoCs available on our GitHub: github.com/eset/malware-ioc/tr

Russian cybercrime group sent a message of congratulations to Kash Patel and an offer.

...the Lockbit administrator then offered an “archive of classified information for you personally, Mr. Kash Patel.” This, it was claimed, contained information that could “not only negatively affect the reputation of the FBI, but destroy it as a structure.”
#Lockbit #FBI forbes.com/sites/daveywinder/2

Forbes · This Data Could Destroy The FBI—Russian Crime Gang Warns Kash Patel · This notorious Russian ransomware crime gang says it has sent Kash Patel information it claims could destroy the FBI. Here’s what you need to know.

#LockBit lied: Stolen data is from a #bank, not US Federal Reserve

Evolve Bank and Trust breached and ransomwared by LockBit. Personal information of both Evolve's retail customers and #FinTech partners' customers (but varies by individual):

- Name
- SSN
- DOB
- account information
- other (address, etc) information

Since #Evolve is a common/"friendly" bank partner for many FinTech companies, as stated previously this affects more than just direct/retail customers of Evolve.

Evolve is offering thoughts and prayers to customers (AKA free credit monitoring) and won't give further statement as of this time.

#databreach #cybersecurity #security #infosec

bleepingcomputer.com/news/secu

IF this turns out to be real, it'll be one hell of a shitstorm...

Headline: #LockBit claims the hack of the US #FederalReserve

Snippet: “33 terabytes of juicy banking information containing Americans’ banking secrets.
You better hire another negotiator within 48 hours, and fire this clinical idiot who values Americans’ bank secrecy at $50,000.”

Source: securityaffairs.com/164873/cyb

Security Affairs · LockBit claims the hack of the US Federal ReserveThe Lockbit ransomware group announced that it had breached the US Federal Reserve and exfiltrated 33 TB of sensitive data. 

The kingpin of the LockBit ransomware is named and sanctioned, a cybersecurity consultant is charged with a $1.5 million extortion, and a romance fraudster defrauded women he met on Tinder of £80,000.

All this and much much more is discussed in the latest edition of the @smashingsecurity podcast with yours truly and Carole Theriault, joined this week by “Ransomware Sommelier” Allan Liska.

grahamcluley.com/smashing-secu

Graham Cluley · Smashing Security podcast #371: Unmasking LockBitsupp, company extortion, and a Tinder fraudster · By Graham Cluley