INCransom is a double-extortion ransomware group that has been active since mid-2023, targeting organizations across Europe and North America with a focus on exploiting public-facing applications for initial access. The group is known for its use of legitimate remote access tooling and WMI-based execution to blend into normal network activity before deploying encryption. Today's confirmed victim, FIZA based in the Czech Republic, represents the group's continued interest in Central European targets where sector classification remains unconfirmed.

• Initial Access: Exploit Public-Facing Application (T1190); leverages unpatched web-facing services as primary entry point
• Execution: Windows Management Instrumentation — WMI used to execute payloads remotely and silently (T1047)
• Persistence: Remote Access Tools deployed post-compromise to maintain persistent C2 channels (T1219); Application Layer Protocol for C2 beaconing (T1071)
• Lateral Movement: Network Share Discovery used to map reachable shares prior to movement (T1135); Domain Account and Domain Group enumeration to identify high-value targets (T1087.002, T1069.002)
• Exfiltration: Data staged locally prior to exfiltration using Archive via Utility — likely 7-Zip or WinRAR (T1560.001); Data Staged before outbound transfer (T1074)
• Pre-Encryption: Masquerading via legitimate resource name or location to evade detection during payload staging (T1036.005)
• Encryption: AES/RSA hybrid encryption; appends .INC extension to encrypted files

A hit here means you may have time to stop the attack.

• Patch public-facing applications immediately — INCransom's primary entry point is unpatched web services; prioritize internet-exposed IIS, Apache, and VPN appliances for emergency patching (T1190)
• Restrict and monitor WMI execution — Implement AppLocker or WDAC policies to block unauthorized WMI-based process spawning; alert on wmiprvse.exe spawning unusual child processes (T1047)
• Audit and disable unnecessary remote access tools — Remove or restrict RMM tools not explicitly approved; alert on new remote access software installations (T1219)
• Enable enhanced logging for domain enumeration — Deploy Sysmon Event ID 1 and Windows Event 4688 with command-line logging; alert on net.exe querying domain accounts or groups (T1087.002, T1069.002)
• Enforce network segmentation to limit SMB share reachability — Reduce the blast radius of lateral movement by blocking unnecessary inter-VLAN SMB traffic (T1135)
• Deploy EDR behavioral detections for masquerading — Alert on binaries executing from temp directories or using names matching system processes (T1036.005)

Lamashtu is an emerging ransomware group with limited public attribution, first observed in late 2024, believed to operate as a small but technically capable threat actor targeting regional organizations in Asia and Eastern Europe. The group appears to focus on sectors with lower cybersecurity maturity, including agriculture and food production, where defensive tooling and incident response capabilities are often limited. Today's confirmed victim, PatayaFood in Thailand, aligns with this targeting pattern and suggests the group is actively expanding its geographic footprint in Southeast Asia.

• Initial Access: Phishing campaigns with malicious attachments and exploitation of internet-facing remote access services including RDP and VPN appliances; credential stuffing against weak or reused passwords
• Execution: PowerShell-based payload execution; living-off-the-land binaries (LOLBins) used to minimize footprint during initial compromise stages
• Persistence: Scheduled Tasks and registry run key modification used to survive reboots; deployment of lightweight backdoors masquerading as legitimate services
• Lateral Movement: Pass-the-hash and Pass-the-ticket techniques against Active Directory environments; RDP pivoting once initial credentials are harvested
• Exfiltration: Data exfiltrated to cloud storage services prior to encryption using custom scripts or publicly available tools such as rclone or MEGAsync
• Pre-Encryption: Shadow copy deletion via vssadmin and wbadmin; Windows Event Log clearing to hinder forensic investigation; antivirus and EDR service termination via net stop commands
• Encryption: ChaCha20 encryption algorithm reported in early samples; file extension varies by campaign — .lamashtu observed in confirmed cases

A hit here means you may have time to stop the attack.

• Harden internet-facing RDP and VPN services — Disable RDP where not required, enforce Network Level Authentication, and implement geo-blocking for regions with no business justification; this directly addresses Lamashtu's primary initial access vector
• Enforce MFA on all remote access services — Credential stuffing is ineffective against phishing-resistant MFA; deploy hardware keys or authenticator-app-based MFA across all VPN and remote desktop gateways immediately
• Block unauthorized cloud sync tools at the perimeter — Lamashtu uses rclone and MEGAsync for exfiltration; enforce application control policies and DNS/proxy blocking for known cloud exfil destinations
• Protect Volume Shadow Copies — Enable VSS protections via Windows Server Backup policy; alert on vssadmin.exe and wbadmin.exe execution by non-administrator service accounts
• Deploy PowerShell constrained language mode and ScriptBlock logging — Reduces effectiveness of PowerShell-based payloads; enables forensic visibility into attacker commands executed during compromise
• Conduct phishing-awareness training with agriculture sector staff — Food production environments often have lower cyber hygiene; targeted training on attachment-based phishing reduces initial compromise risk significantly

Play ransomware, also tracked as Balloonfly, is a prolific double-extortion group active since mid-2022 with a well-documented history of exploiting vulnerable external remote services including Fortinet SSL-VPN and Microsoft Exchange ProxyNotShell vulnerabilities to gain initial access. The group is technically sophisticated, developing custom malware tooling and employing a disciplined multi-stage attack chain that includes LSASS credential dumping, SMB lateral movement, and aggressive defense evasion before deploying encryption. Today's two US-based victims — Mundt and Associates in Business Services and Rainbow Distributors USA in Consumer Services — are consistent with Play's demonstrated preference for mid-market North American organizations where extended dwell time is exploitable.

• Initial Access: Exploit Public-Facing Application targeting VPN and Exchange servers (T1190); External Remote Services abuse via compromised VPN credentials (T1133)
• Execution: Custom malware deployed post-access as part of a resource-development pipeline (T1587.001); living-off-the-land execution via native Windows utilities
• Persistence: External Remote Services used for re-entry if primary implant is removed (T1133); maintains multiple persistence mechanisms across compromised hosts
• Lateral Movement: SMB/Windows Admin Shares used to propagate across the network using harvested credentials (T1021.002)
• Exfiltration: Data archived prior to exfiltration using Archive via Utility — 7-Zip confirmed in multiple incidents (T1560.001)
• Pre-Encryption: LSASS Memory dumped to harvest credentials for lateral movement (T1003.001); File and Directory Discovery to identify high-value data stores (T1083); System Information and Network Configuration Discovery for environment mapping (T1082, T1016); Windows Event Logs cleared to destroy forensic evidence (T1685.005)
• Encryption: AES-RSA hybrid encryption; appends .play extension to all encrypted files; drops ReadMe.txt ransom note in each directory

A hit here means you may have time to stop the attack.

• Patch Fortinet and Exchange vulnerabilities immediately — Play has historically exploited ProxyNotShell, OWASSRF, and Fortinet SSL-VPN flaws as primary initial access; validate all external-facing appliances are on current firmware and patch levels (T1190)
• Rotate all VPN and external service credentials — Assume compromised credentials are in use if any unpatched exposure existed; enforce MFA on all external remote services to neutralize credential-based re-entry (T1133)
• Protect LSASS with Credential Guard — Enable Windows Defender Credential Guard to prevent LSASS memory dumping; configure the Attack Surface Reduction rule to block credential stealing from lsass.exe (T1003.001)
• Restrict SMB Admin Share access — Limit C$ and ADMIN$ accessibility to only required systems; alert on lateral SMB authentication events originating from workstations (T1021.002)
• Alert on Windows Event Log clearing — Any execution of wevtutil.exe with clear-log parameters should trigger an immediate P1 alert — this is a near-definitive indicator of active ransomware pre-deployment activity (T1685.005)
• Implement immutable backup solutions — Ensure at least one backup copy is stored offline or in a write-once cloud storage configuration; Play consistently deletes VSS shadow copies before encryption (T1560.001)

DragonForce is a ransomware-as-a-service (RaaS) operation that emerged in late 2023 and has rapidly expanded its affiliate program, targeting organizations across multiple sectors with double-extortion tactics. The group is known for combining data theft with file encryption, threatening to publish exfiltrated data on their leak site if ransoms go unpaid. Today's confirmed victim, Sayre Associates, is a US-based business services firm, consistent with DragonForce's pattern of targeting mid-market professional services organizations for high-leverage extortion.

• Initial Access: Phishing with malicious attachments (T1566.001), exploitation of public-facing applications including VPN and RDP (T1190), use of valid stolen credentials obtained via infostealer markets (T1078)
• Execution: PowerShell script execution (T1059.001), Windows Management Instrumentation (T1047), malicious batch scripts deployed post-access
• Persistence: Scheduled task creation (T1053.005), registry run key modifications (T1547.001), creation of new local admin accounts (T1136.001)
• Lateral Movement: RDP hijacking (T1563.002), PsExec for remote execution (T1569.002), SMB-based propagation using harvested credentials (T1021.002)
• Exfiltration: Rclone used to sync data to attacker-controlled cloud storage, MEGAsync observed in some affiliate deployments, WinSCP for FTP-based staging (T1048)
• Pre-Encryption: Shadow copy deletion via vssadmin and wmic (T1490), Windows Defender and AV service termination via net stop commands, backup catalog destruction, firewall rule modifications to allow C2 egress
• Encryption: ChaCha20 combined with RSA-4096 key wrapping; appends .dragonforce extension to encrypted files; drops ransom note named dragonforce_readme.txt in each directory

A hit here means you may have time to stop the attack.

• Block known C2 IP immediately: Firewall-block 45.135.232.195 at perimeter and endpoint levels with no exception policy
• Restrict RDP exposure: Disable RDP on internet-facing systems; enforce RDP access exclusively through VPN with MFA — DragonForce affiliates actively scan for exposed RDP endpoints
• Infostealer credential monitoring: Audit for use of credentials that may have been harvested by infostealers; enforce password resets on any accounts identified in dark web dumps
• Block Rclone and MEGAsync binaries: Create application control rules preventing execution of known exfiltration tools; alert on new cloud sync utility installations
• Protect shadow copies: Enable VSS protection policy and configure tamper-protection on backup services; alert on any vssadmin or wmic shadowcopy commands immediately
• Harden PowerShell policy: Enforce Constrained Language Mode and enable Script Block Logging (T1059.001) to catch dropper scripts at execution time
• Deploy file hash blocklist: Add all five confirmed DragonForce MD5 hashes to endpoint deny lists and scan historical logs for prior execution

Krybit is an emerging ransomware group that has demonstrated a clear focus on financial services and mid-market businesses across Latin America and Southeast Asia, suggesting deliberate geographic targeting where cyber insurance penetration is lower and regulatory pressure to pay may be higher. The group employs double-extortion tactics, maintaining a data leak site to pressure victims into compliance. Today's confirmed victims — Liberty Insurance in the Philippines and PROBE S.A. DE C.V. in Mexico — reinforce Krybit's pattern of targeting regional financial and service-sector organizations that may have less mature incident response capabilities.

• Initial Access: Exploitation of internet-facing services including exposed RDP and unpatched VPN appliances (T1190), spear-phishing with credential-harvesting links (T1566.002), use of purchased access from initial access brokers (T1078.004)
• Execution: PowerShell and cmd.exe for payload staging (T1059.001/T1059.003), living-off-the-land binaries (LOLBins) to avoid AV detection (T1218)
• Persistence: New local administrator account creation (T1136.001), modification of startup registry keys (T1547.001), scheduled tasks configured for payload re-execution (T1053.005)
• Lateral Movement: Pass-the-hash against internal Windows hosts (T1550.002), SMB share enumeration and access using compromised credentials (T1021.002), WMI-based remote execution (T1047)
• Exfiltration: Rclone to remote cloud endpoints for bulk data staging (T1048.002), archiving via 7-Zip prior to transfer (T1560.001)
• Pre-Encryption: Termination of database, backup, and security services via net stop and taskkill, shadow copy deletion using vssadmin and wmic, disabling Windows Defender real-time protection via registry modification (T1562.001)
• Encryption: AES-256 encryption with RSA key wrapping; appends .krybit extension to encrypted files; drops ransom note named README_KRYBIT.txt in each affected directory

A hit here means you may have time to stop the attack.

• Audit initial access broker (IAB) exposure: Check for compromised credentials associated with your domain on underground markets and enforce immediate resets — Krybit is known to purchase pre-established access rather than conduct primary intrusion
• Patch internet-facing VPN and RDP immediately: Prioritize any unpatched Fortinet, Pulse Secure, or Cisco VPN appliances; disable RDP on all hosts not requiring it and place remainder behind VPN with MFA
• Restrict SMB between workstations: Implement host-based firewall rules blocking lateral SMB (port 445) between endpoints; enforce SMB signing to defeat pass-the-hash attacks
• Block cloud sync and archiving tools: Prevent Rclone and 7-Zip execution in non-approved contexts via application control; alert on any new installation of these tools
• Protect backup and database services: Monitor for net stop commands targeting backup agents, SQL, and AV services; configure service tamper-protection alerts in your SIEM immediately
• Enable LSASS protection: Configure Windows Credential Guard and LSASS audit logging to detect pass-the-hash and credential dumping activity consistent with Krybit's lateral movement phase

ShinyHunters is a prolific threat actor group originally known for large-scale database breaches and the sale of stolen data on criminal marketplaces, responsible for some of the largest credential and personal data exposures in recent years including high-profile attacks against major SaaS and cloud-hosted platforms. The group has evolved its monetization model to incorporate extortion tactics alongside data sales, making them a hybrid data-theft and extortion threat rather than a traditional file-encrypting ransomware operator. Today's posting remains unverified with victim details not yet confirmed, though ShinyHunters' activity should be treated as a significant data exposure risk particularly for organizations with cloud-hosted databases and SaaS integrations.

• Initial Access: Exploitation of misconfigured cloud storage buckets and exposed APIs (T1190), credential stuffing using previously breached credentials (T1110.004), targeting of developer tokens and secrets exposed in public repositories (T1552.001), SaaS OAuth token abuse (T1528)
• Execution: API-native data access requiring no traditional payload execution; direct database query via compromised service credentials (T1078.004), automated scraping scripts to bulk-extract records
• Persistence: Backdoor OAuth application registrations in cloud identity providers (T1098.001), long-term use of stolen API tokens and service account credentials to maintain persistent data access
• Lateral Movement: Cloud identity federation abuse to pivot between connected SaaS applications (T1199), enumeration of cloud storage and database services using compromised admin tokens (T1526)
• Exfiltration: Bulk database dumps transferred to attacker-controlled infrastructure, data sold on criminal forums and Telegram channels, BreachForums and successor platforms used for public release (T1567), direct HTTPS exfiltration blending with legitimate traffic (T1048.003)
• Pre-Encryption: ShinyHunters does not typically deploy file-encrypting ransomware; primary pressure tactic is threatened public release of exfiltrated data — organizations should treat any ShinyHunters contact as a confirmed data breach requiring breach notification assessment
• Encryption: Not applicable — ShinyHunters operates primarily as a data extortion and theft actor without file-encrypting ransomware deployment in the traditional sense; extortion leverage is data exposure threat

A hit here means you may have time to stop the attack.

• Audit all cloud storage bucket permissions immediately: Ensure no S3, Azure Blob, or GCS buckets are publicly accessible or accessible via overly broad IAM policies — ShinyHunters consistently exploits cloud misconfigurations as primary entry points
• Rotate all API keys and service account tokens: Conduct an immediate audit of all active API credentials; rotate any tokens older than 90 days or exposed in source code repositories including historical commits
• Scan public repositories for secret exposure: Run automated secret scanning across all GitHub, GitLab, and Bitbucket repositories — both public and private — for hardcoded credentials, tokens, and connection strings
• Review and restrict OAuth application consents: Audit all third-party applications with OAuth access to your Microsoft 365, Google Workspace, or other SaaS environments; revoke any unrecognized or overly permissive consent grants
• Enable cloud data egress anomaly alerting: Configure threshold-based alerts for unusual volumes of read operations against cloud databases and storage — early detection of bulk access is the primary defense against ShinyHunters-style exfiltration
• Implement database activity monitoring (DAM): Deploy query-level monitoring on all customer databases; alert on bulk SELECT operations exceeding normal baselines, particularly outside business hours or from new source IPs
• Enforce MFA on all cloud console and API access: ShinyHunters relies heavily on credential stuffing; MFA on cloud management consoles eliminates a significant portion of their initial access methodology

Qilin (also tracked as Agenda) is a prolific Rust- and Go-based ransomware-as-a-service operation known for aggressive double-extortion campaigns across diverse sectors. Today's cluster of 16 victims skews heavily toward U.S.-based legal, professional services, and consumer firms, with notable hits against a healthcare organization and a financial services firm, indicating opportunistic broad targeting rather than a single vertical focus. The volume and geographic spread of today's postings suggests a well-resourced affiliate network operating simultaneously across multiple regions.

• Initial Access: Phishing via social media lure accounts (T1585.001), exploitation of internet-facing VPN and RDP endpoints, stolen credentials obtained from initial access brokers
• Execution: PowerShell and command-line scripting for payload delivery and persistence setup; legitimate remote management tools abused for execution
• Persistence: Scheduled tasks and registry run keys; deployment of backdoors via remote management utilities
• Lateral Movement: Pass-the-hash and credential reuse across domain systems; exploitation of SMB and RDP for network traversal
• Exfiltration: Rclone and custom tooling used to stage and exfiltrate data to attacker-controlled cloud infrastructure prior to encryption
• Pre-Encryption: Shadow copy deletion via vssadmin; EDR and AV process termination; clearing of Windows event logs; financial theft activity targeting accessible accounts and payment systems (T1657)
• Encryption: AES-256 + RSA-4096 hybrid encryption; files appended with .qilin or randomized victim-specific extension

A hit here means you may have time to stop the attack.

• Block known Qilin C2 IPs at perimeter: Immediately null-route or firewall-block 176.113.115.97, 176.113.115.209, 85.209.11.49, and 31.41.244.100 across all egress points.
• Enforce MFA on all VPN and RDP endpoints: Qilin affiliates heavily leverage stolen credentials against unprotected remote access — MFA eliminates this initial access vector for the majority of attempts.
• Restrict and monitor Rclone and similar sync tools: Block execution of rclone.exe via application control policies; alert on any cloud sync utility spawned from unusual parent processes.
• Protect Volume Shadow Copies: Enable VSS protection via Windows Server Backup policies and RBAC restrictions on vssadmin to prevent shadow copy deletion before backups can protect you.
• Audit and harden social media-linked accounts: Qilin leverages fake or compromised social media accounts (T1585.001) for phishing — train staff to verify sender identity and report unsolicited credential requests.
• Deploy IOC-based file hash blocking: Block execution of known Qilin payload hashes (d6e7547ad7dfd1fbc62e8282aebcc391, f588802958c35fe18eb87bc36651a3d1, 2bb209ccfc5103eccab523c875050cfa, a7e7d00d531cb7ca27d0f3bee448573f, 964c13b68dc6b6b918b66a9a10469d2a) via EDR and endpoint application control.

WorldLeaks is an emerging extortion-focused threat group that combines data theft with public leak threats as its primary pressure mechanism, though ransomware deployment has also been observed. Today's victim set spans three distinct sectors across India and the United States — including a large Indian electronics manufacturer, a U.S. savings and loan institution, and a Midwest agricultural cooperative — suggesting geographically and vertically opportunistic targeting. The inclusion of an agricultural cooperative and a financial institution in the same campaign cycle indicates WorldLeaks affiliates are casting a wide net, likely exploiting publicly known vulnerabilities rather than conducting bespoke intrusions.

• Initial Access: Exploitation of internet-exposed services including unpatched VPN appliances, Exchange servers, and web-facing applications; credential stuffing using leaked credential databases
• Execution: PowerShell scripts and batch files for payload staging; abuse of WMI for remote execution across domain-joined hosts
• Persistence: Web shells planted on compromised internet-facing servers; scheduled tasks created under system-level accounts to maintain access across reboots
• Lateral Movement: Abuse of legitimate administrative tools (PsExec, WMI); RDP pivoting using harvested domain credentials
• Exfiltration: Data staged locally before exfiltration via HTTPS to cloud storage services; use of WinSCP and modified FTP clients observed in related campaigns
• Pre-Encryption: Enumeration of network shares and backup locations; disabling of endpoint protection via registry edits and service stop commands; deletion of local backups
• Encryption: AES-based symmetric encryption with RSA-wrapped key; victim-specific file extensions appended post-encryption

A hit here means you may have time to stop the attack.

• Patch internet-facing appliances immediately: WorldLeaks exploits unpatched VPN and remote access appliances as a primary entry vector — prioritize patching of perimeter devices within 24 hours of vendor advisory release.
• Deploy web application firewall rules targeting web shell patterns: Block HTTP requests matching known web shell URI patterns (.aspx uploads, cmd= parameters) on all externally accessible web servers.
• Implement egress filtering for cloud storage and FTP destinations: WorldLeaks uses WinSCP and HTTPS-based cloud exfiltration — restrict outbound connections to approved cloud storage endpoints only.
• Enable and monitor Windows event log 4688 (process creation) with command-line logging: Lateral movement via WMI and PsExec generates distinctive process creation events that are only visible when command-line auditing is enabled.
• Segment agricultural and operational technology (OT) networks: Given the targeting of cooperative infrastructure, ensure IT and OT/SCADA environments are segmented so ransomware cannot traverse from corporate to operational systems.

Morpheus is a ransomware group that has demonstrated a pattern of targeting high-value financial sector organizations, as evidenced today by the claimed compromise of HDFC FUND, a major Indian financial services entity. The group employs double-extortion tactics, exfiltrating sensitive financial data prior to encryption and threatening public disclosure to increase ransom pressure on victims. A financial sector hit of this profile suggests Morpheus operators are deliberately selecting targets where data sensitivity amplifies leverage and regulatory consequences can be weaponized as additional coercive pressure.

• Initial Access: Spear-phishing emails with malicious attachments or links targeting finance and IT staff; exploitation of exposed remote desktop and VPN services with weak or reused credentials
• Execution: Malicious macro-enabled documents for initial payload execution; PowerShell-based loaders and droppers used post-access to deploy ransomware components
• Persistence: Registry run key modification; creation of rogue local administrator accounts to maintain foothold if primary access is disrupted
• Lateral Movement: Credential dumping via LSASS memory access; use of harvested credentials for RDP and SMB-based lateral traversal across domain-joined systems
• Exfiltration: Staged data collection to local or network shares followed by exfiltration via encrypted HTTPS channels to attacker-controlled endpoints; Rclone and MEGAcmd observed in similar campaigns
• Pre-Encryption: Enumeration of backup servers and cloud backup configurations; termination of database services (SQL, Oracle) and accounting software processes to unlock files for encryption; disabling of Windows Defender and third-party AV via PowerShell
• Encryption: ChaCha20 or AES-256 symmetric encryption; RSA-2048 key wrapping; victim-specific extension appended to encrypted files

A hit here means you may have time to stop the attack.

• Disable Office macros by Group Policy for all non-essential users: Morpheus gains initial execution through macro-enabled documents — enforcing macro blocking via GPO for finance and administrative staff eliminates a primary delivery vector.
• Enable LSASS protection (RunAsPPL) and Credential Guard: Morpheus relies on LSASS credential dumping for lateral movement — Protected Process Light and Credential Guard make this significantly harder to execute without kernel-level access.
• Implement Privileged Access Workstations (PAWs) for financial system administrators: Restrict administrative access to critical financial systems to dedicated hardened workstations that cannot be compromised via standard phishing.
• Deploy and test immutable offsite backups for financial databases: Morpheus specifically terminates database services before encryption — ensure SQL and Oracle backups replicate to write-once offsite storage not accessible from domain-joined systems.
• Monitor and alert on Windows Defender tampering events: Morpheus disables AV pre-encryption — alert on EventID 5001 (Windows Defender disabled) and Set-MpPreference PowerShell calls as high-priority indicators of compromise.

PEAR is an emerging ransomware operation demonstrating a broad targeting appetite, hitting victims across North America, Europe, and the Caribbean in today's confirmed activity. The group has claimed four victims spanning logistics, electrical contracting, public health, and IT services — suggesting opportunistic rather than sector-specific targeting. Notably, the compromise of National Health Fund in Jamaica indicates the group is willing to target critical public health infrastructure in smaller markets where defenses may be less mature.

• Initial Access: Phishing campaigns with malicious attachments, exploitation of exposed RDP and VPN appliances (T1566, T1133, T1190)
• Execution: PowerShell scripts and living-off-the-land binaries used post-access to deploy payloads (T1059.001, T1059.003)
• Persistence: Scheduled tasks and registry run key modifications to survive reboots (T1053.005, T1547.001)
• Lateral Movement: RDP pivoting and SMB-based share enumeration across the internal network (T1021.001, T1021.002)
• Exfiltration: Rclone and MEGAsync used for staging and exfiltrating data to cloud storage prior to encryption
• Pre-Encryption: Shadow copy deletion, backup targeting, and disabling of endpoint protection via WMIC and net commands
• Encryption: AES-256 encryption with RSA key wrapping; appends a randomised .PEAR extension to encrypted files

A hit here means you may have time to stop the attack.

• Disable or enforce MFA on all externally exposed RDP and VPN endpoints immediately — PEAR's primary entry vector is credential-based exploitation of remote access services
• Block or alert on execution of Rclone and MEGAsync binaries via application allowlisting; these tools are not expected in most corporate environments and signal active exfiltration
• Enforce PowerShell Constrained Language Mode and script block logging (Event ID 4104) to detect and limit post-exploitation scripting activity
• Implement and regularly test offline backup procedures — ensure Volume Shadow Copies are protected and cannot be deleted by standard user-level or even admin-level processes without additional approval
• Deploy network segmentation between logistics, finance, and IT systems to prevent the rapid lateral spread observed in this group's campaigns

SpaceBears is a double-extortion ransomware group operating a dedicated leak site and known for targeting mid-market technology and managed service providers, where a single compromise can cascade into downstream client exposure. Today's confirmed victim, Cattani — classified within the IT sector in Italy — fits the group's established preference for technology-adjacent businesses that hold sensitive client data. SpaceBears applies significant pressure through staged data releases, threatening to publish stolen data in tranches if ransom demands are not met within defined windows.

• Initial Access: Exploitation of public-facing applications and unpatched VPN concentrators; credential stuffing against remote access portals (T1190, T1078, T1133)
• Execution: Custom loader dropper deployed via PowerShell and certutil for payload staging; WMI used for remote execution (T1059.001, T1047, T1105)
• Persistence: Creation of rogue local administrator accounts and installation of remote monitoring and management tools for persistent backdoor access (T1136.001, T1219)
• Lateral Movement: Pass-the-Hash and Pass-the-Ticket techniques leveraging harvested NTLM and Kerberos credentials; PsExec used for lateral spread (T1550.002, T1021.002)
• Exfiltration: WinSCP and custom FTP scripts used to exfiltrate data to actor-controlled infrastructure; data staged locally in compressed archives before transfer
• Pre-Encryption: Termination of database, backup agent, and security software processes; deletion of VSS snapshots via vssadmin; firewall rules modified to block recovery traffic
• Encryption: ChaCha20 encryption combined with RSA-4096 key exchange; encrypted files receive a .spacebears or group-specific extension appended

A hit here means you may have time to stop the attack.

• Audit and immediately disable all unused remote management tools and RMM agents — SpaceBears abuses legitimate RMM software as persistent backdoors to avoid detection by security tooling
• Enforce privileged access workstations (PAWs) and just-in-time (JIT) access for administrative accounts to prevent Pass-the-Hash and Pass-the-Ticket attacks from being effective across the environment
• Monitor for and alert on new local administrator account creation (Event ID 4720 + 4732) outside of approved provisioning windows — rogue account creation is a key persistence indicator for this group
• Apply patches to all public-facing VPN and remote access appliances within 24 hours of vendor advisories, particularly Fortinet, Cisco, and Palo Alto products commonly targeted by this actor
• Restrict outbound FTP and SFTP traffic to approved destinations only; alert on WinSCP or non-standard SFTP client execution, particularly outside business hours

Akira is a prolific and technically sophisticated ransomware group that has been active since 2023, consistently ranking among the most active operations globally and maintaining a retro-aesthetic leak site used to pressure victims. Today's confirmed victims span air freight logistics, live entertainment venue operations, and investment services — a broad cross-sector footprint that reflects Akira's opportunistic targeting strategy rather than sector-specific campaigns. The group is well-documented for leveraging Cisco VPN vulnerabilities and compromised credentials as primary entry vectors, and is known to operate both Windows and Linux (ESXi-targeting) encryptors in parallel.

• Initial Access: Exploitation of Cisco ASA/FTD VPN appliances lacking MFA; use of valid compromised credentials for VPN and RDP access (T1133, T1078, T1190)
• Execution: Windows Management Instrumentation for remote command execution, Native API calls for direct system interaction, PowerShell and Windows Command Shell for post-exploitation scripting (T1047, T1106, T1059.001, T1059.003)
• Persistence: Deployment of AnyDesk and other remote access tools; creation of new accounts for persistent re-entry (T1136, T1219)
• Lateral Movement: Network share discovery to identify accessible file stores and spread across the environment; RDP-based pivoting using harvested credentials (T1135, T1021.001)
• Exfiltration: WinSCP and Rclone used for transferring stolen data to actor-controlled infrastructure; FileZilla also observed in some intrusions prior to encryption
• Pre-Encryption: System information and process discovery to map the environment (T1082, T1083, T1057); inhibiting system recovery by deleting shadow copies and disabling Windows recovery mechanisms (T1490); termination of backup and AV processes
• Encryption: ChaCha20 symmetric encryption with RSA-4096 key protection; appends .akira extension on Windows and .powerranges on Linux/ESXi variants; targets both network shares and local drives

A hit here means you may have time to stop the attack.

• Enforce MFA on all Cisco ASA and FTD VPN configurations without exception — Akira's most reliable initial access vector is MFA-absent VPN portals, and this single control would eliminate the majority of their known entry attempts
• Apply all available patches to Cisco ASA/FTD appliances immediately; prioritise CVE-2023-20269 and CVE-2023-20198-class vulnerabilities which Akira has actively weaponised
• Audit WMI activity and alert on WMIC.exe spawning child processes or executing remote commands (T1047) — this is a primary Akira execution technique used shortly after gaining initial access
• Restrict PowerShell execution to signed scripts only via Group Policy and enable full PowerShell Script Block Logging (Event ID 4104) and Module Logging to capture post-exploitation commands
• Protect VSS snapshots using WDAC or equivalent policies that prevent vssadmin and wbadmin from executing without an explicit break-glass approval workflow, reducing the effectiveness of Akira's recovery inhibition actions (T1490)
• Deploy network-based DLP controls to detect and block large outbound transfers via SFTP or cloud sync tools, particularly from servers that do not normally initiate outbound file transfer sessions