A major data breach has pulled back the curtain on LockBit, one of the world’s most aggressive ransomware syndicates, revealing deep insights into its affiliate operations and victim engagement methods.
On May 7, 2025, cybercriminals hijacked LockBit’s own leak site and published sensitive data, uncovering extensive details about its “Lite” Ransomware-as-a-Service (RaaS) offering. The compromised files include chat logs between affiliates and victims, covering a critical period from December 19, 2024, to April 29, 2025.
The breach provides cybersecurity experts and law enforcement agencies with rare access to the inner dynamics of ransomware negotiations and operational procedures.
Researchers at SearchLight Cyber confirmed that the leaked data pertains specifically to LockBit’s “Lite” program—a lower-tier entry point designed to lower participation barriers. Unlike the full affiliate model, which requires a Bitcoin deposit and stringent vetting, Lite affiliates could join for just $777 USD with minimal checks.
This streamlined model was crafted to attract less-experienced cybercriminals while limiting their access. Notably, these Lite users didn’t receive encryption keys directly and often had to rely on LockBit’s central team—referred to as “bosses” or “tech support”—to conduct successful ransom negotiations.
Despite these limitations, the Lite initiative helped LockBit broaden its reach. The leak identified five key actors among the most active Lite affiliates: Christopher led with 44 victim negotiations, followed by jhon0722 (42), PiotrBond (19), and both JamesCraig and Swan with 17 each.
Analysts believe the Lite program likely launched in December 2024, aligning with the earliest registration timestamps in the leaked data.
The fallout from this breach equips cybersecurity teams with vital intelligence to strengthen defenses against a ransomware landscape that continues to evolve rapidly.
Stay ahead of emerging cybersecurity threats. For the latest insights and updates on cloud security, follow SOC News.
News Source: CyberSecurityNews.com
Hackers are now exploiting the viral nature of TikTok videos to distribute Vidar and StealC malware, targeting unsuspecting users through deceptive tutorial content. According to Trend Micro researchers, threat actors are leveraging popular TikTok trends by posting faceless, AI-generated videos that mimic legitimate tech guides. These clips instruct viewers to run harmful PowerShell commands, posing as software activation hacks for tools like Windows OS, CapCut, Spotify, and Microsoft Office.
Unlike typical phishing tactics, these attackers rely entirely on video content to mislead users—no malicious links or code are hosted directly on TikTok. The content appears convincing and garners high engagement. One video alone amassed half a million views, 20,000 likes, and over 100 comments, demonstrating the potential reach of this campaign.
Several TikTok accounts involved have been flagged, including @gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc, and @digitaldreams771. Once users execute the suggested PowerShell command, the script silently creates hidden folders, modifies Windows Defender settings, and downloads the payloads—Vidar and StealC.
These infostealers are capable of extracting saved passwords, authentication cookies, and crypto wallet data. Once installed, they connect to command-and-control servers—some masked via Telegram channels and Steam profiles—to send back stolen data. Vidar, in particular, uses these as Dead Drop Resolvers to obscure its infrastructure.
By disguising malicious intent within helpful-looking tech tutorials, the campaign reflects a dangerous evolution in social engineering attacks. It underscores the urgent need for digital literacy and caution, especially regarding unsolicited tech advice on social platforms.
Cybersecurity experts urge users to remain skeptical of online videos offering software shortcuts, especially those that involve system-level commands like PowerShell. This emerging threat highlights how social media can be weaponized to bypass conventional security filters and compromise both individual and organizational data.
News Source: CyberSecurityNews.com
Dell Technologies has introduced new AI-powered cybersecurity enhancements across its PowerStore, PowerScale, and PowerProtect Data Domain product lines, aiming to strengthen data protection and cyber resilience for enterprise environments.
Speaking at the Day 2 keynote of Dell Technologies World, Chief Operating Officer Jeff Clarke spotlighted how the company is expanding its private cloud and data center offerings with security as a core pillar.
PowerStore, Dell’s storage platform launched in 2020, now includes built-in ransomware defense powered by AI. The system analyzes data snapshots directly on the array, allowing early detection of threats and rapid identification of the last clean copy for recovery.
“This helps customers recover faster and minimize the impact of cyberattacks,” said Varun Chhabra, SVP of Infrastructure and Telecom Marketing at Dell. The AI engine tracks suspicious behavior—such as sudden deletions or encryption—not just known malware signatures. It also delivers post-attack forensic insights for streamlined recovery.
PowerScale has also received a security boost with the launch of the PowerScale Cybersecurity Suite. It actively monitors for anomalies and can instantly block malicious activity to prevent large-scale data loss. It features an air-gapped vault for critical backups and supports disaster recovery. The suite integrates with existing incident response tools like ServiceNow, enabling seamless operation within traditional ITSM workflows.
Dell also introduced PowerProtect Data Domain All-Flash appliances, promising significantly faster performance with enhanced cyber resilience. According to Chhabra, the new appliance offers up to 4x faster data storage, 100% faster replication, and 2.8x faster analytics for data integrity checks—while using 40% less rack space and consuming up to 80% less power compared to traditional HDD systems.
These announcements follow Dell’s Day 1 focus on its “AI Factories” initiative, made in collaboration with Nvidia, AMD, and Intel.
News Source: ITPro.com
As the auto transport sector embraces smarter, more connected technology, cybersecurity risks have grown in both scale and complexity. Vehicles now communicate with traffic systems, mobile devices, and other cars, creating seamless experiences—but also expanding the attack surface for hackers.
With digital transformation accelerating across the automotive landscape, manufacturers, transport companies, and drivers must confront a critical truth: technological convenience comes with cyber vulnerability.
Digital Integration Exposes Vehicles to New Risks
Modern vehicles rely heavily on digital infrastructure, including tools like BATS CRM and integrated IoT devices. While these systems streamline operations, they also increase the risk of data breaches, user errors, and unauthorized access.
A recent surge in cyber incidents—up 125% over two years—shows that bad actors are actively exploiting the growing interconnectivity. These cyberattacks don’t just threaten data; they pose a direct risk to vehicle safety and passenger wellbeing.
Connected Cars and Critical Entry Points for Hackers
With vehicle-to-everything (V2X) communication becoming the norm, weak encryption and authentication protocols have opened the door to potential attacks. Hackers can manipulate incoming data, interfere with OTA updates, and even seize control of vehicle functions.
The European Union Agency for Cybersecurity (ENISA) reports that 60% of automotive cyberattacks target infotainment systems and communication protocols—vulnerable areas that must be fortified.
Passenger Safety at Risk as Systems Become Targeted
As vehicles grow more autonomous, the consequences of cybersecurity failures become more severe. A breach could compromise steering, braking, or navigation, endangering lives. The infamous Jeep Cherokee hack of 2022, where attackers remotely controlled key functions, remains a chilling reminder of what’s at stake.
Beyond safety, personal data is also at risk. PwC data reveals that more than 5 million vehicle owners faced data breaches in 2024 alone, leaving sensitive details such as driving patterns and financial information exposed.
Proactive Strategies to Strengthen Defenses
Addressing these threats requires a layered defense strategy. Manufacturers are now urged to implement regular system audits, advanced authentication, and continuous software updates. Multi-factor authentication (MFA), for example, adds crucial protection by requiring additional verification—like biometrics—before granting access to vehicle systems.
Setting Industry Standards to Keep Up with Innovation
Organizations and regulators are working to create strong cybersecurity frameworks tailored for the automotive industry. The National Institute of Standards and Technology (NIST) offers a structured guide to help companies identify and manage risk while fostering a culture of cybersecurity awareness.
Looking Ahead: The Road to Safer Auto Transport
To future-proof vehicles, industry leaders must invest in R&D, tighten API security, and prioritize training. The fast pace of innovation often outpaces existing laws, highlighting the need for ongoing collaboration between manufacturers and policymakers.
With the right investments and a shared commitment to resilience, the auto transport industry can strengthen its cyber defenses—ensuring both data protection and road safety in an increasingly digital world.
News Source: CyberSecurityNews.com
NHS England has introduced a new cybersecurity charter, urging its suppliers to commit to stronger security measures amid a surge in ransomware attacks.
In a letter addressed to its vendors, NHS England warned of the rising severity and frequency of cyber incidents across its network. The charter outlines eight core security commitments that suppliers must adopt to better safeguard healthcare services.
Mike Fell, NHS England’s Director of Cyber, emphasized the urgency of collaborative action in a LinkedIn post, stating, “The complexity of cybersecurity and our supply chain, combined with the UK’s persistent cyber threats, means we must work together to protect care delivery.”
Suppliers signing the charter are expected to keep their systems up to date with the latest patches and achieve at least ‘Standards Met’ on the Data Security and Protection Toolkit (DSPT). They must also implement multi-factor authentication (MFA) and ensure MFA features are available in their own products.
The initiative also stresses infrastructure security, calling for round-the-clock cyber monitoring and detailed logging of critical IT systems. Suppliers are encouraged to maintain immutable backups of vital data, plan for rapid recovery, and conduct board-level response drills to enhance incident preparedness.
In the event of a breach, suppliers must report swiftly, coordinate with NHS England, and comply with all regulatory obligations. Additionally, software providers are required to align with the DSIT and NCSC’s software code of practice, covering secure design, development, deployment, and customer communication.
NHS England is supporting compliance by creating tools to help identify critical suppliers, drafting national requirements for supplier management, and refining its contractual frameworks to include specific security clauses. A self-assessment form will be introduced later this year, with webinars and a cybersecurity forum planned for autumn.
This move follows several major supply chain cyber attacks, including last year’s ransomware incident targeting Synnovis, which severely disrupted services at NHS King’s College and Guy’s and St Thomas’.
The launch of this charter also sets the stage for the upcoming Cyber Security and Resilience Bill, which aims to strengthen digital and infrastructure security across essential UK services.
News Source: ITPro.com
In the evolving world of cybersecurity, raw data without context often leaves Security Operations Center (SOC) teams with more questions than answers. Indicators of Compromise (IOCs) can flood systems, but without understanding the story behind them, they rarely translate into meaningful action.
Threat intelligence bridges this gap, helping teams interpret attacker behaviors, tactics, and real-world campaigns. ANY.RUN’s Threat Intelligence (TI) Lookup offers SOC teams a powerful way to enrich IOCs with real-time insights derived from a global malware analysis community and a vast malware database used by over 15,000 teams worldwide.
Here are five practical ways TI Lookup helps SOC analysts connect IOCs to real-world threats:
- Leverage Mutexes for Initial Investigation
While a mutex alone doesn’t confirm a threat, it serves as a starting point when data is limited. For example, a mutex tied to Nitrogen ransomware can be searched in TI Lookup to access sandbox analysis, offering fresh insights into this emerging threat and enriching EDR systems.
- Validate Domains Through Network Indicators
Suspicious domains—like “eczamedikal.org”—can be investigated via TI Lookup to confirm malicious activity. The tool reveals connections to Lumma stealer infrastructure and uncovers related malware samples, offering a deeper look into ongoing campaigns.
- Trace Command Lines to Malware Behavior
Unfamiliar command strings, such as PowerShell fragments, can reveal stealer activity. TI Lookup traces these commands back to malware like AsyncRat, showing the full attack chain and providing clarity on how the breach occurred.
- Check File Hashes to Identify Known Threats
Hash-based searches (SHA256, SHA1, MD5) allow analysts to determine if a file is part of a malware campaign. A sample hash, for instance, may reveal ties to the Xworm remote access trojan, helping teams detect known malicious documents.
- Discover Related Samples with Filename Patterns
Campaign-related files often share naming patterns. Using wildcards in TI Lookup enables teams to find files linked to campaigns like WannaCry. This expands IOC collections and helps refine detection rules.
Special Offer Until May 31
SOC teams can take advantage of a limited-time offer: ANY.RUN is doubling TI Lookup search quotas and offering extra Interactive Sandbox licenses. This means faster alert triaging, improved threat visibility, and more efficient incident response.
Conclusion
By enriching IOCs with threat context, TI Lookup empowers SOC teams to respond with clarity and speed. It’s not just about improving detection—it’s about aligning cybersecurity with real business priorities and responding to the threats that matter most.
News Source: CyberSecurityNews.com
Data breaches across the U.S. healthcare sector have reached alarming levels, with more than 409 million patient records compromised over the past two years, according to two new studies.
Indusface, a leading application security firm, reported 1,200 healthcare breaches in the last 24 months. Notably, 83% of these incidents involved exposed personal health data.
Texas led the nation with 66 breaches and over 14 million people affected, the most significant being a January 2024 breach at Concentra Health Services, which impacted nearly 4 million individuals.
California followed with 9.2 million affected, including the largest breach recorded in the study — 4.7 million records — when Blue Shield of California shared member data with Google for advertising purposes.
Other states also reported substantial exposure. Ohio faced 45 incidents affecting 3.7 million individuals, while Massachusetts saw 28 breaches with a nearly identical number of impacted patients.
“Healthcare systems are highly vulnerable due to outdated software and the high market value of patient data,” said Venky Sundar, founder and president of Indusface. He also noted that vulnerability exploits have now surpassed phishing as the leading cause of breaches, with the average patch taking more than 200 days.
A separate study by Michigan State University, Yale, and Johns Hopkins highlighted ransomware as a growing threat. In 2024, ransomware accounted for only 11% of breaches by number but was responsible for 69% of compromised records. This marks a significant rise from zero ransomware incidents in 2010 to 222 attacks in 2021, representing nearly a third of major breaches that year.
The study also revealed that hacking and IT incidents now account for 81% of healthcare breaches, up from just 4% in 2010. Researchers believe the real numbers may be even higher due to underreporting and lack of disclosure on ransom payments.
“Ransomware is now the most disruptive threat to healthcare cybersecurity,” said John Jiang, lead author and professor at Michigan State University. “With limited cybersecurity budgets, healthcare providers must prioritize protection around the most sensitive data. The tools exist — what’s needed is urgency and coordinated action.”
News Source: ITPro.com
On May 13, 2025, cybercriminals briefly turned VMware’s trusted RVTools utility into a malware delivery channel by compromising its installer. The attackers used the installer to deploy Bumblebee, a dangerous malware loader often linked to ransomware preparation and post-exploitation attacks.
Microsoft Defender for Endpoint flagged the breach after detecting suspicious activity from a file named “version.dll,” found in the same directory as the RVTools installer. Though the installer appeared authentic, it was embedded with malicious code that executed immediately upon installation.
Hash comparisons revealed clear discrepancies between the infected installer and the official version. Analysts at ZERODAY LABS identified the payload as a customized variant of Bumblebee—frequently used by attackers to gain initial access before launching larger cyberattacks.
VirusTotal scans showed 33 of 71 antivirus engines flagged the file as malicious, prompting serious concerns about the malware’s potential spread. The compromised version of RVTools was available for nearly an hour before the website was taken offline and later restored with verified, clean files.
Forensics uncovered unusual obfuscation tactics in the malware’s metadata, including strange descriptors like “Hydrarthrus” and “Enlargers pharmakos submatrix,” likely designed to mislead analysts.
Infection Mechanism
Victims unknowingly downloaded the trojanized installer from RVTools’ official website. Upon execution, it installed the usual RVTools components but also dropped a rogue version.dll file in the same directory. Exploiting Windows’ DLL search order, the malware tricked the system into running the malicious DLL instead of the legitimate one.
The threat actors had infiltrated the website’s file repository, replacing the genuine installer with a significantly larger malicious version. Once executed, the malware established persistence and contacted command and control servers, potentially downloading further harmful payloads.
Organizations that downloaded RVTools during the affected period should immediately verify installer hashes and check for unauthorized version.dll files on their systems.
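The two checks recommended above, written out as an added example in Python (not code from the article or from the RVTools project): hashing a downloaded installer against a published value, and scanning a directory tree for version.dll files that sit outside the Windows system directories, next to an executable. EXPECTED_SHA256 is a placeholder for the vendor-published hash, and the files in run_demo() are constructed samples, not real RVTools artifacts.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Placeholder only: substitute the SHA-256 the vendor publishes for the clean installer.
EXPECTED_SHA256 = "0" * 64

# The DLL named in the report; the legitimate copy lives under the Windows system directories.
SUSPECT_DLL = "version.dll"
SYSTEM_DIR_SUFFIXES = ("windows\\system32", "windows\\syswow64")


def sha256_of(path):
    """Stream a file through SHA-256 (installers can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path, expected_sha256=EXPECTED_SHA256):
    """Compare a downloaded installer against the published hash.

    Returns (matches, actual_sha256). A size difference is only a hint;
    the hash comparison decides whether the file is the clean one.
    """
    actual = sha256_of(path)
    return actual.lower() == expected_sha256.lower(), actual


def find_rogue_version_dlls(root):
    """Report every version.dll outside the Windows system directories.

    A version.dll dropped beside an executable is the search-order hijack the
    report describes: the application directory is consulted before the
    system directory, so the rogue copy is the one that gets loaded.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        if SUSPECT_DLL not in by_lower:
            continue
        if dirpath.replace("/", "\\").lower().endswith(SYSTEM_DIR_SUFFIXES):
            continue  # expected location, not a finding
        dll = os.path.join(dirpath, by_lower[SUSPECT_DLL])
        hits.append({
            "path": dll,
            "sha256": sha256_of(dll),
            "adjacent_executables": sorted(
                f for f in files if f.lower().endswith((".exe", ".msi"))),
        })
    return hits


def run_demo():
    """Constructed fixture (not real RVTools files): an installer with a rogue
    version.dll beside it, plus the legitimate copy in a System32 directory."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Downloads" / "RVTools"
        app.mkdir(parents=True)
        installer = app / "RVTools-setup.exe"
        installer.write_bytes(b"constructed installer bytes")
        (app / "version.dll").write_bytes(b"constructed rogue dll")
        sysdir = Path(tmp) / "Windows" / "System32"
        sysdir.mkdir(parents=True)
        (sysdir / "version.dll").write_bytes(b"constructed system dll")

        matches_published, _ = verify_installer(installer)  # placeholder hash
        matches_self, _ = verify_installer(installer, sha256_of(installer))
        hits = find_rogue_version_dlls(tmp)
        return {
            "matches_published_hash": matches_published,
            "matches_own_hash": matches_self,
            "rogue_dll_count": len(hits),
            "adjacent": hits[0]["adjacent_executables"] if hits else [],
        }


if __name__ == "__main__":
    print(run_demo())
```

On a real host, point find_rogue_version_dlls at the download and install locations rather than a temporary directory, and hash every reported DLL for comparison with the indicators the vendor publishes.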
News Source: Cybersecuritynews.com
Cybersecurity researchers have successfully replicated the advanced tactics and tools used by VanHelsing, a rapidly spreading ransomware-as-a-service (RaaS) operation first identified in March 2025. Known for its sophisticated double extortion strategy, VanHelsing encrypts files using ChaCha20 and Curve25519 algorithms while stealing sensitive data, threatening public exposure unless a ransom is paid.
Victims typically find their files appended with a “.vanhelsing” extension, and ransom demands—payable in Bitcoin—vary based on the target’s profile. The ransomware’s cross-platform reach is especially concerning, with variants affecting Windows, Linux, BSD, ARM devices, and VMware ESXi systems.
AttackIQ researchers report that VanHelsing has already compromised five organizations in the United States, France, Italy, and Australia. Data from three of those entities has been leaked after they refused to pay. A detailed emulation graph has been released, allowing security teams to simulate attacks and strengthen defenses.
The ransomware’s Windows version, developed in C++, showcases advanced persistence and anti-detection methods. Affiliates, who must pay a $5,000 deposit to join the VanHelsing program, receive 80% of the ransom payments and gain access to a dedicated portal to manage their attacks.
VanHelsing’s attack chain starts with deployment on targeted systems, followed by reconnaissance to evaluate viability. It avoids infecting certain geographies and leverages anti-analysis techniques such as debugger detection via the IsDebuggerPresent API. It also uses location APIs like GetUserDefaultLCID and GetLocaleInfoA to determine the system’s locale.
Further tactics include environment fingerprinting through GetEnvironmentStrings and GetNativeSystemInfo, as well as file system traversal using FindFirstFileW and FindNextFileW. Targeted files are then encrypted, and the ransomware alters registry settings to display a ransom note via a new desktop wallpaper.
Given its evolving tactics and growing impact, experts urge organizations to test their cyber defenses using the newly published emulation tools to better prepare for this emerging threat.
News Source: Cybersecuritynews.com
Enterprises investing in employee phishing awareness training are seeing significant reductions in vulnerability, according to KnowBe4’s latest Phishing by Industry Benchmarking Report 2025. The report reveals that training is particularly effective in large organizations, with measurable improvements across all regions.
KnowBe4 tracks what it calls the Phish-prone Percentage (PPP)—the proportion of employees likely to fall for phishing or social engineering scams. Globally, the average baseline PPP starts at about 33%. However, organizations that implement training programs see this rate drop to 19% after just three months, and further to 4.8% after a year.
All regions reported over 80% improvement after one year of consistent training. North America led with a 90% improvement rate, closely followed by South America at 89%. Regions with the highest initial vulnerability included South America (39%), North America (37%), and Australia and New Zealand (37%). Among the most at-risk were large firms in Australia and New Zealand, where nearly 45% of employees initially clicked on simulated phishing links.
On the other hand, organizations in Asia and the UK & Ireland with fewer than 249 employees showed the strongest initial resistance, with fewer than 25% falling for phishing attempts.
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, emphasized the evolving cybersecurity landscape in the UK and Ireland. “Advancements in AI, supply chain challenges, and a renewed focus on human behavior are reshaping security strategies,” he said.
Malik highlighted that sectors like healthcare, consumer services, and hospitality in the UK and Ireland often begin with stronger resilience, particularly among larger companies. These organizations typically have the resources to support more comprehensive training programs, leading to greater improvements over time.
The report also points to a cultural shift within companies. Increasingly, employers are viewing staff as active defenders against cyber threats. Rather than penalizing errors, organizations now promote a supportive environment where employees feel empowered to recognize and report suspicious activity.
“The most significant change is how businesses now view employees—as a vital first line of defense,” Malik added. “But ongoing training is crucial to maintain this momentum and embed lasting behavioral change.”
KnowBe4’s findings underscore the importance of sustained education in building a strong cybersecurity culture and minimizing organizational risk.
News Source: ITpro.com