Palo Alto Networks Unit 42

Palo Alto Networks Unit 42 Vendor Cyber Rating & Cyber Score

paloaltonetworks.com

Palo Alto Networks Unit 42 brings together world-renowned threat researchers with an elite team of incident responders and security consultants to create an intelligence-driven, response-ready organization passionate about helping customers more proactively manage cyber risk. With a deeply rooted reputation for delivering world-class threat intelligence, Unit 42 provides industry-leading incident response and cyber risk management services to security leaders around the globe.


PANU A.I CyberSecurity Scoring

PANU
Company Information
Website: http://paloaltonetworks.com/unit42
Employees number: 486
Number of followers: 94,074
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: paloaltonetworks.com
PANU Risk Score (AI oriented)
Between 0 and 549
PANU, Computer and Network Security
Updated: 17/05/2026
Score: 428/1000, grade C (Critical)
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
PANU Global Score (TPRM)
PANU, Computer and Network Security
Score locked: detailed risk factors, vulnerabilities, and the benchmark against industry and size peers require access.
Findings

PANU: Critical
Current Score: 428 C (CRITICAL), on a 0 to 1000 scale
8 incidents
-57.17 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 434 before incident
MAY 2026: 423 before incident
APRIL 2026: 423 before incident
MARCH 2026: 577 before incident
Ransomware, 20 Mar 2026, PANU
RansomHouse, DragonForce and MedusaLocker: Ransomware Actors Expand EDR Killer Tactics Beyond Vulnerable Drivers

Ransomware Attackers Evolve Tactics to Disable Endpoint Security

411 after incident; score impact: -166 (CRITICAL)
Incident ID: PLUUNIDRA1774009537
Ransomware Attackers Evolve Tactics to Disable Endpoint Security

Ransomware operators have expanded their methods to bypass endpoint security, moving beyond the traditional Bring Your Own Vulnerable Driver (BYOVD) technique. While BYOVD remains in use (54 tools exploiting 35 vulnerable drivers), attackers now also employ script-based tools, misuse legitimate anti-rootkit software, and deploy fully driverless techniques to neutralize security defenses before encryption. This shift prioritizes reliability: ransomware affiliates aim to disable Endpoint Detection and Response (EDR) systems quickly rather than to evade detection. Research from ESET, based on telemetry and incident investigations, identified nearly 90 active EDR killers used by major ransomware groups, including Akira, Medusa, Qilin, RansomHouse, and DragonForce. Many of these tools are commercially traded in underground marketplaces, reflecting a mature, profit-driven ecosystem. Among the most prevalent tools are AbyssKiller, which combines the ABYSSWORKER rootkit with a HeartCrypt-packed loader, and CardSpaceKiller, frequently used by Akira, Medusa, and MedusaLocker. These tools rely on obfuscation such as VX Crypt and VMProtect to evade detection, while others, like SmilingKiller, use control-flow flattening to complicate analysis. Some groups, like Warlock, deploy multiple EDR killers in succession, with recent samples showing signs of AI-assisted code generation. Attackers often separate the EDR killer from its driver, manually installing the driver first to confirm it works before executing the payload. This division of labor makes defense evasion accessible even to less skilled threat actors. Disabling security tools, rather than making encryptors stealthy, has become the primary method for ensuring successful ransomware execution. The impact is severe: victims face attacks in which security measures are rendered ineffective before encryption begins.

While driver blocking remains a necessary defense, organizations must also monitor for suspicious driver installations, enforce least-privilege access, and maintain strong endpoint telemetry to mitigate these evolving threats.
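The closing recommendation, monitoring for suspicious driver installations, is the kind of thing a detection engineer can turn into a rule. The script below is an added example, not code from Rankiteo, ESET or Palo Alto Networks: it reads constructed log lines shaped like Windows System event 7045 ("A service was installed in the system"), keeps only kernel-mode driver services, and raises the severity when the driver file lives outside System32\drivers or its file name is on a watch-list. The flattened line layout, the watch-list names and the sample events are all constructed placeholders, not real indicators.

```python
"""Flag kernel-mode driver installs from Windows System event log text.

Added example; not Rankiteo's or ESET's code. It parses constructed lines
shaped like System event 7045 ("A service was installed in the system") and
flags kernel-mode driver services, weighting the finding when the driver file
sits outside System32\\drivers or its file name is on a watch-list.
The watch-list and log lines below are constructed placeholders, not real IoCs.
"""
import re
from dataclasses import dataclass, field

# Constructed watch-list of driver file names (placeholders, not real IoCs).
WATCHLIST = {"placeholderkiller.sys", "examplevulnerable.sys"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# The field layout is an assumption about how a log shipper would flatten
# the 7045 message onto one line; adjust the pattern to the real pipeline.
EVENT_RE = re.compile(
    r"EventID=(?P<eid>\d+).*?Service Name:\s*(?P<name>[^;]+);\s*"
    r"Service File Name:\s*(?P<path>[^;]+);\s*Service Type:\s*(?P<stype>[^;]+);"
)

# Constructed sample events: one user-mode service, two kernel drivers
# (one dropped in a user-writable path), and an unrelated 7036 event.
SAMPLE_LOG = [
    "2026-03-20T10:01:02Z EventID=7045 Service Name: ExampleAV; Service File Name: C:\\Program Files\\ExampleAV\\svc.exe; Service Type: user mode service; Start: auto start",
    "2026-03-20T10:05:44Z EventID=7045 Service Name: PlaceholderKiller; Service File Name: C:\\Users\\Public\\placeholderkiller.sys; Service Type: kernel mode driver; Start: demand start",
    "2026-03-20T10:06:10Z EventID=7045 Service Name: usbhub3; Service File Name: C:\\Windows\\System32\\drivers\\usbhub3.sys; Service Type: kernel mode driver; Start: demand start",
    "2026-03-20T10:07:00Z EventID=7036 Service Name: Spooler; Service File Name: C:\\Windows\\System32\\spoolsv.exe; Service Type: user mode service; State: running",
]


@dataclass
class Finding:
    service: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self):
        # More independent signals, higher severity: a kernel driver dropped in a
        # user-writable path under a watch-listed name is what an EDR killer looks like.
        return {1: "info", 2: "medium"}.get(len(self.reasons), "high")


def analyse_line(line):
    """Return a Finding for a kernel-mode driver install, else None."""
    m = EVENT_RE.search(line)
    if not m or m.group("eid") != "7045":
        return None
    if "kernel mode driver" not in m.group("stype").lower():
        return None
    path = m.group("path").strip()
    reasons = ["kernel-mode driver service installed"]
    if not path.lower().startswith(DRIVER_DIR):
        reasons.append("driver file outside System32\\drivers")
    if path.lower().rsplit("\\", 1)[-1] in WATCHLIST:
        reasons.append("driver file name on watch-list")
    return Finding(m.group("name").strip(), path, reasons)


def scan(lines):
    """Run analyse_line over a log and keep only the hits, in log order."""
    return [f for f in (analyse_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.severity.upper(), f.service, f.path, "; ".join(f.reasons))
```

Every kernel-driver install is recorded, even the legitimate one under System32\drivers, because the baseline of normal driver installs is what makes the outliers visible; the severity tiering is what decides which of them page someone.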
INCIDENT DETAILS
Type: Ransomware
Motivation: Financial gain (ransomware execution, data encryption)
Impact:
- Systems Affected: Endpoint Detection and Response (EDR) systems, victim endpoints
- Operational Impact: Security measures disabled before encryption, increased attack success rate
Data Breach:
- Data Encryption: Yes (ransomware encryption)
MARCH 2026: 687 before incident
Ransomware, 01 Mar 2026, PANU
DragonForce, Shamir Medical Center and RansomHouse: State-backed ransomware activity raises new concerns over escalating threats to OT, critical infrastructure operations

Ransomware as a Geopolitical Weapon: Nation-State Exploitation of Cybercrime for Strategic Coercion

575 after incident; score impact: -112 (CRITICAL)
Incident ID: DRAUNISHA1779027889
Ransomware as a Geopolitical Weapon: How Nation-States Exploit Cybercrime for Strategic Coercion

Ransomware is no longer just a tool for financial extortion; it has become a key instrument in geopolitical cyber warfare, enabling nation-states to disrupt adversaries while maintaining plausible deniability. Criminal groups, hacktivists, and state-aligned actors are increasingly converging, sharing infrastructure, tactics, and even strategic objectives to amplify the impact of cyber operations.

### Iran's Hybrid Cyber Warfare Model

Iran has emerged as a leading practitioner of this approach, blending cybercrime, espionage, and industrial sabotage. Recent investigations reveal how pro-Iran hackers have targeted critical wheat reserves, demonstrating how cyberattacks can directly threaten food security. A 2026 Trellix assessment highlighted Iran's growing sophistication, including the use of ransomware-style operations that blur the line between state-directed campaigns and criminal activity. Meanwhile, Iranian-linked actors have targeted internet-connected cameras across the Middle East, synchronizing cyber operations with physical conflict. Ransomware's role in the U.S.-Israel-Iran conflict has evolved significantly since 2020, when it was first used as cover for destructive or coercive activity. By 2023, it became a clear tool of strategic pressure, particularly after October 2023, when attacks increasingly intersected with critical infrastructure targeting. Groups like Handala Hack (TAT26-14) and DragonForce have conducted extortion campaigns against energy, healthcare, and manufacturing sectors, often leveraging ransomware-as-a-service (RaaS) models to obscure attribution.

### Blurring Lines Between Cybercrime and State Operations

Iranian state actors frequently collaborate with criminal ransomware groups, using them as proxies to conduct attacks while maintaining deniability. The Pay2Key campaign, for example, aligned with geopolitical timelines, while groups like NoEscape, RansomHouse, and ALPHV/BlackCat have been linked to Iranian-backed access brokers. Unlike U.S. or Israeli cyber operations, which typically adhere to formal military or intelligence channels, Iran's approach resembles irregular warfare, relying on proxies, criminal markets, and ambiguity to evade clear attribution. Despite the surge in ransomware activity, confirmed cases of direct operational technology (OT) disruption remain rare. Instead, the primary risk stems from enterprise-level compromises that indirectly affect industrial continuity, visibility, and recovery.

### Targeting Trends and Strategic Intent

The most exposed sectors include water and wastewater, energy, fuel systems, transportation, manufacturing, government services, and healthcare. Within OT environments, attackers focus on internet-facing PLCs, HMIs, remote access pathways, and engineering workstations, particularly at the Level 0/1 boundary where sensors and actuators lack authentication or logging. The strategic intent is clear: coercive disruption, with the ability to manipulate physical processes while minimizing detectable network evidence.

### The Challenge of Attribution

Distinguishing between state-directed campaigns and opportunistic cybercrime has grown increasingly difficult. Threat intelligence teams rely on pattern-based attribution, analyzing capability thresholds, infrastructure overlap, geopolitical timing, and victim selection. However, shared tooling, access brokers, and RaaS models allow different actors to operate on the same infrastructure, complicating attribution. Cases like the Shamir Medical Center attack, initially attributed to Eastern European ransomware but later linked to Iran, highlight the ambiguity.

### Defensive Shifts: From Prevention to Resilience

Industrial operators in the U.S. and Israel are adapting by prioritizing resilience over prevention. Key measures include:
- Disconnecting internet-facing PLCs and tightening remote access controls.
- Improving IT-OT segmentation and treating CISA advisories as operational baselines.
- Enhancing recovery capabilities, particularly for OT systems where traditional IT restoration methods fall short.

Governments are providing guidance, such as CISA's Cybersecurity Performance Goals (CPGs), but regulatory frameworks struggle to keep pace with conflict-driven cyber threats. While intelligence sharing has improved, operators often find it insufficiently actionable for real-time defense. As ransomware continues to evolve from a criminal enterprise into a geopolitical weapon, the distinction between cybercrime and state-sponsored warfare will only grow more blurred, leaving critical infrastructure in the crosshairs of hybrid conflict.
INCIDENT DETAILS
Type: Ransomware, Cyber Espionage, Industrial Sabotage
Motivation: Geopolitical coercion, strategic disruption, plausible deniability, hybrid warfare
Impact:
- Sectors Affected: Water and wastewater systems, energy, fuel systems, transportation, manufacturing, government services, healthcare, industrial control systems (ICS)
- Operational Impact: Indirect disruption of industrial continuity, visibility, and recovery
Data Breach:
- Data Encryption: Ransomware encryption in some cases
FEBRUARY 2026: 685 before incident
JANUARY 2026: 685 before incident
DECEMBER 2025: 687 before incident
Vulnerability, 25 Dec 2025, PANU
Amazon Web Services, Palo Alto Networks, Google Cloud and Wakefield Research: Every organization faced at least one AI-related cyberattack within the last year, says research

Increasing Attacks on AI Systems via Cloud Infrastructure Vulnerabilities

683 after incident; score impact: -4 (LOW)
Incident ID: AMAUNIGOOWAK1766721300
AI Systems Under Siege: Every Organization Targeted in Past Year, Unit 42 Finds

A new report from Palo Alto Networks’ Unit 42 reveals a stark reality: every organization surveyed has faced at least one attack on its AI systems in the past year. The findings, derived from a survey of over 2,800 participants across 10 countries—including the U.S., UK, Germany, Japan, and India—highlight a growing and systemic vulnerability in AI security, with cloud infrastructure at the heart of the problem. Conducted between September 29 and October 17, 2025, the research underscores that AI security cannot rely on reactive measures. Instead, organizations must adopt a proactive, scientific approach to safeguarding AI systems, given their complexity and critical applications. The report emphasizes that AI security is inherently tied to cloud infrastructure, where most AI workloads—data storage, model training, and application deployment—reside. Cloud platforms like AWS, Microsoft Azure, and Google Cloud, while enabling AI scalability, also present prime targets for cyberattacks. Exploitable weaknesses in cloud security can lead to unauthorized access, data theft, or operational disruptions. Traditional security measures often fall short in addressing the unique challenges of AI, such as securing data pipelines, managing identities, and protecting cloud-hosted workloads. The State of Cloud Security Report 2025 argues that the only effective defense is a holistic approach to cloud security, treating it as foundational to AI protection. This includes enforcing strong policies, encryption standards, regular audits, and isolating AI workloads from cloud vulnerabilities. As AI integrates deeper into sectors like healthcare, finance, and autonomous systems, the stakes rise—breaches could compromise sensitive data, disrupt services, or even endanger lives. Emerging threats, such as adversarial attacks designed to manipulate AI models, further complicate the landscape.
The report calls for collaboration between cloud providers, AI developers, and security teams to build robust frameworks and real-time threat detection tools. The future of AI security hinges on securing the cloud infrastructure that powers it, ensuring resilience against an evolving threat landscape.
INCIDENT DETAILS
Type: AI System Targeting, Cloud Infrastructure Exploitation
Motivation: Data theft, operational disruption, adversarial attacks on AI models
Impact:
- Data Compromised: Sensitive data, AI training datasets, personally identifiable information
- Systems Affected: AI workloads, cloud environments (AWS, Microsoft Azure, Google Cloud)
- Operational Impact: Disruption of AI-driven services, potential compromise of critical operations
- Brand Reputation Impact: Potential erosion of trust in AI-driven services
- Identity Theft Risk: High (if PII is exposed)
Data Breach:
- Data Types: Sensitive data, AI training datasets, Personally Identifiable Information (PII)
- Sensitivity Of Data: High
- Data Exfiltration: Possible (if cloud infrastructure is breached)
- Data Encryption: Recommended but not universally implemented
- Personally Identifiable Information: Possible
DECEMBER 2025: 708 before incident
Cyber Attack, 22 Dec 2025, PANU
VMware and RansomHouse: Think you can beat ransomware? RansomHouse just made it a lot harder

RansomHouse Upgrades Encryption Tactics, Escalating Threats to Enterprises

687 after incident; score impact: -21 (CRITICAL)
Incident ID: UNIVMW1773865474
RansomHouse Upgrades Encryption Tactics, Escalating Threats to Enterprises

Researchers from Palo Alto Networks’ Unit 42 have uncovered a significant evolution in the RansomHouse ransomware-as-a-service (RaaS) operation: a multi-layered, dual-key encryption model that heightens recovery challenges for targeted organizations. The updated encryptor, dubbed "Mario," replaces the group’s previous linear encryption approach with a multi-phase process that complicates decryption and key recovery efforts. The new scheme generates a 32-byte primary key and an 8-byte secondary key and runs interlocking encryption passes, making data recovery nearly impossible without paying the ransom. This shift, tracked under the name Jolly Scorpius, specifically targets VMware ESXi hosts, encrypting files with the extension .e.mario and leaving ransom notes demanding payment. The attack chain also uses MrAgent, a deployment and persistence utility, to impair operational continuity and recovery. RansomHouse operates under a modular RaaS model, separating tool developers and leak managers from the affiliates who deploy the ransomware. This structure enables rapid scaling and adaptation even as individual affiliates are disrupted. The group employs double extortion, exfiltrating sensitive data before encryption and threatening public disclosure to pressure victims into compliance. Unit 42’s analysis highlights the group’s growing sophistication, with at least 123 victims listed on its leak site across sectors including healthcare, finance, transportation, and government. The updated encryption not only complicates incident response but also extends recovery timelines, forcing security teams to reassess negotiation strategies. Indicators of compromise (IoCs), including file hashes, extensions, and ransom note artifacts, have been published to help enterprises hunt proactively for related activity in affected environments.

The disclosure underscores the limitations of static signature-based detection, emphasizing the need for behavioral analytics, real-time monitoring, and hardened segmentation to counter evolving ransomware threats.
INCIDENT DETAILS
Type: Ransomware
Motivation: Financial gain, data extortion
Impact:
- Data Compromised: Sensitive data exfiltrated
- Systems Affected: VMware ESXi hosts
- Operational Impact: Impaired operational continuity and recovery
Data Breach:
- Type Of Data Compromised: Sensitive data
- Sensitivity Of Data: High
NOVEMBER 2025: 726 before incident
Cyber Attack, 14 Nov 2025, PANU
Palo Alto Networks

Massive Brute-Force Campaign Targeting Palo Alto Networks GlobalProtect VPN Systems

706 after incident; score impact: -20 (HIGH)
Incident ID: UNI1532215112025
Palo Alto Networks faced a massive, coordinated brute-force cyberattack targeting its GlobalProtect VPN systems, beginning on November 14, 2025. The assault escalated rapidly, with a 40-fold spike in malicious sessions (2.3 million attacks) in 24 hours, focused on the `/global-protect/login.esp` endpoint. The threat actors used distributed infrastructure, primarily AS200373 (3xK Tech GmbH, Germany) plus secondary ASNs, with consistent JA4t fingerprints to evade detection. While no data breach has been confirmed yet, the attack’s scale and its historical correlation with pre-exploitation scanning (similar to past Fortinet VPN breaches) suggest an imminent risk of vulnerability exploitation. The campaign’s indiscriminate global targeting (U.S., Mexico, Pakistan) and highly organized nature (temporal patterns, ASN concentration) indicate a sophisticated threat actor probing for weaknesses. Though currently a brute-force operation, unpatched systems (e.g., CVE-2025-0108, an actively exploited authentication bypass) heighten the risk of follow-on attacks, including credential theft, lateral movement, or ransomware deployment. Organizations were urged to patch immediately, restrict VPN access, and block malicious IPs. The incident underscores critical weaknesses in enterprise VPN security, with potential operational disruption, reputational damage, and financial losses if exploited further.
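The two traits the write-up singles out, a sudden multiple of the normal login-attempt volume and a heavy concentration in one source ASN, are exactly what a portal-side detector can key on. The script below is an added example, not Rankiteo's or Palo Alto Networks' code, and it does not use PAN-OS's own log format: it assumes constructed access-log lines of the form `<iso-timestamp> <src_ip> <asn> <method> <path> <status>`, buckets requests to `/global-protect/login.esp` by hour, and alerts when the latest hour exceeds the median of the earlier hours by a threshold ratio while one ASN supplies most of it. The ASNs come from the RFC 5398 documentation range and the IPs from RFC 5737 blocks; the thresholds are constructed defaults.

```python
"""Spot a brute-force spike against a VPN login endpoint from access logs.

Added example; not Rankiteo's or Palo Alto Networks' code. Works on
constructed access-log lines "<iso-timestamp> <src_ip> <asn> <method> <path>
<status>" (an assumed layout, not PAN-OS's own log format), buckets requests
to the GlobalProtect login path by hour, and alerts when the latest hour is
far above the median of the earlier hours and dominated by one source ASN.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import statistics

LOGIN_PATH = "/global-protect/login.esp"


def parse(line):
    """Split one constructed log line into (timestamp, ip, asn, path, status)."""
    ts, ip, asn, _method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, asn, path, int(status)


def detect_spike(lines, ratio_threshold=10.0, asn_share_threshold=0.5):
    """Compare the latest hour of login traffic with the earlier hours.

    Thresholds are constructed defaults; tune them to the portal's baseline.
    Returns None when fewer than two hourly buckets exist.
    """
    per_hour = defaultdict(Counter)  # hour -> Counter of source ASNs
    for line in lines:
        ts, _ip, asn, path, _status = parse(line)
        if path != LOGIN_PATH:
            continue
        per_hour[ts.replace(minute=0, second=0, microsecond=0)][asn] += 1
    hours = sorted(per_hour)
    if len(hours) < 2:
        return None
    latest = hours[-1]
    baseline = statistics.median(sum(per_hour[h].values()) for h in hours[:-1])
    current = sum(per_hour[latest].values())
    ratio = current / baseline if baseline else float("inf")
    top_asn, top_count = per_hour[latest].most_common(1)[0]
    share = top_count / current
    return {
        "hour": latest.isoformat(),
        "attempts": current,
        "baseline": baseline,
        "ratio": ratio,
        "top_asn": top_asn,
        "top_asn_share": share,
        "alert": ratio >= ratio_threshold and share >= asn_share_threshold,
    }


def build_sample():
    """Constructed traffic: six quiet hours, then one hour driven by one ASN.

    ASNs are from the RFC 5398 documentation range; IPs from RFC 5737 blocks.
    """
    lines = []
    start = datetime(2025, 11, 14, 0, 0)
    quiet_asns = ["AS64496", "AS64497", "AS64498"]
    for h in range(6):
        for i in range(5):
            ts = start + timedelta(hours=h, minutes=10 * i)
            lines.append(f"{ts.isoformat()} 192.0.2.{i + 1} {quiet_asns[i % 3]} POST {LOGIN_PATH} 401")
    spike = start + timedelta(hours=6)
    for i in range(200):
        ts = spike + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.{i % 250 + 1} AS64499 POST {LOGIN_PATH} 401")
    # Unrelated portal traffic in the spike hour; the detector ignores it.
    lines.append(f"{spike.isoformat()} 203.0.113.7 AS64496 GET /global-protect/portal.esp 200")
    return lines


if __name__ == "__main__":
    print(detect_spike(build_sample()))
```

Requiring both conditions keeps a legitimate Monday-morning login surge (high ratio, spread across many ASNs) from alerting, while a distributed campaign that spreads evenly across ASNs would need the ratio test alone; splitting the two signals into separate fields makes it easy to alert on either when the baseline justifies it.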
INCIDENT DETAILS
Type: Brute-Force Attack, Coordinated Campaign, Reconnaissance
Motivation: Reconnaissance, potential future exploitation, credential harvesting
Impact:
- Palo Alto Networks GlobalProtect VPN systems, PAN-OS management interfaces
- Increased risk of unauthorized access
- Potential for follow-on attacks
- Potential erosion of trust in Palo Alto VPN security
- High (if credentials are compromised)
OCTOBER 2025: 726 before incident
SEPTEMBER 2025: 725 before incident
AUGUST 2025: 744 before incident
Cyber Attack, 24 Aug 2025, PANU
Mandiant's Client and Nx: UNC6426 Turns NPM Supply‑Chain Breach Into Full AWS Admin Access

Sophisticated Supply-Chain Attack Grants UNC6426 Full AWS Control in Under 72 Hours

724 after incident; score impact: -20 (CRITICAL)
Incident ID: NXUNI1773303902
Sophisticated Supply-Chain Attack Grants UNC6426 Full AWS Control in Under 72 Hours

In August 2025, cybersecurity firm Mandiant uncovered a high-impact attack by the threat group UNC6426, which exploited a compromised NPM package to infiltrate and seize full control of a client’s AWS cloud environment in less than three days. The breach underscored the escalating risks of supply-chain attacks and misconfigured CI/CD pipelines, particularly those integrated with cloud identity management systems like OpenID Connect (OIDC).

### Attack Breakdown

The intrusion followed a multi-phase approach, beginning with a supply-chain compromise and culminating in full AWS administrative access:

1. Phase 1: Supply-Chain Infection. On August 24, 2025, attackers injected malicious code (QUIETVAULT) into the Nx NPM package, a widely used JavaScript framework. The malware executed a postinstall script, stealing environment variables, system data, and GitHub Personal Access Tokens (PATs) upon installation or update.
2. Phase 2: Initial Compromise via Corporate Endpoint. A developer unknowingly triggered the malware by running an Nx Console update, which exfiltrated their GitHub PAT to a public repository. The attackers then used the token to access the victim’s GitHub environment, while the malware employed a Large Language Model (LLM) for system enumeration.
3. Phase 3: Pivot to AWS via OIDC Exploitation. Two days later, UNC6426 deployed NORDSTREAM, a tool designed to extract secrets from CI/CD pipelines. It uncovered a GitHub service account with an OIDC trust relationship to AWS, allowing the attackers to generate temporary AWS Security Token Service (STS) tokens and gain initial cloud access.
4. Phase 4: Privilege Escalation via CloudFormation. Leveraging a GitHub Actions CloudFormation role, the attackers deployed a new AWS Stack with overly permissive IAM policies, including the AdministratorAccess permission. This granted them full administrative control over the AWS environment.
5. Phase 5: Data Exfiltration & Destruction. With unrestricted access, UNC6426 enumerated S3 buckets, terminated EC2 and RDS instances, decrypted application keys, and exfiltrated intellectual property by making internal GitHub repositories public.

The victim detected the breach three days after the initial compromise and contained the incident, though significant damage had already occurred.

### Key Takeaways

The attack highlights critical vulnerabilities in CI/CD security, particularly the risks of overly permissive OIDC trust relationships and unsecured supply-chain dependencies. While the victim mitigated the breach, the incident demonstrates how automated pipelines designed for efficiency can become high-value attack vectors when misconfigured or exploited.
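Phase 3 turns on one configuration detail: what the AWS role's trust policy requires of the GitHub OIDC token before `sts:AssumeRoleWithWebIdentity` succeeds. The checker below is an added example, not Mandiant's, GitHub's or AWS's code. It places a weak trust policy (audience checked, subject not) beside a hardened one (subject pinned to a single repository and branch) and grades each: a missing or wildcarded `token.actions.githubusercontent.com:sub` condition is what lets a token minted by a workflow in any repository, or any branch of the right one, assume the role. The account id and repository names are placeholders; the condition keys and the `ForAnyValue:` set operators are the real IAM ones.

```python
"""Review an IAM role trust policy for GitHub Actions OIDC over-trust.

Added example; not Mandiant's, GitHub's or AWS's code. It checks the
conditions that decide which GitHub workflows may call
sts:AssumeRoleWithWebIdentity on a role: the audience claim and, above all,
the subject claim, which must pin a single repository and ideally a branch or
environment. The policies below are constructed; the account id and
repository names are placeholders.
"""

GITHUB_ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_ISSUER}:sub"
AUD_KEY = f"{GITHUB_ISSUER}:aud"
PLACEHOLDER_ACCOUNT = "123456789012"  # placeholder account id
PROVIDER_ARN = f"arn:aws:iam::{PLACEHOLDER_ACCOUNT}:oidc-provider/{GITHUB_ISSUER}"

# Weak: only the audience is checked, so a workflow in any repository on
# github.com that requests a token for sts.amazonaws.com can assume the role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}},
    }],
}

# Hardened: the subject is pinned to one repository and one branch.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                AUD_KEY: "sts.amazonaws.com",
                SUB_KEY: "repo:example-org/example-app:ref:refs/heads/main",
            }
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def assess_sub(sub):
    """Grade one subject pattern; None means it is acceptably narrow."""
    if not sub.startswith("repo:"):
        return ("critical", f"sub {sub!r} does not pin a repository")
    parts = sub.split(":", 2)
    repo, rest = parts[1], (parts[2] if len(parts) > 2 else "")
    if "*" in repo or "?" in repo:
        return ("critical", f"sub {sub!r} matches more than one repository")
    if rest in ("", "*"):
        return ("warning", f"sub {sub!r} allows any branch, tag, pull request or environment of {repo}")
    return None


def review_trust_policy(policy):
    """Return (severity, message) findings for every GitHub OIDC statement."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # "Principal": "*" is not an OIDC federation statement
        if not any(GITHUB_ISSUER in p for p in _as_list(principal.get("Federated", []))):
            continue
        cond = stmt.get("Condition", {})
        subs, auds = [], []
        for op in ("StringEquals", "StringLike", "ForAnyValue:StringEquals", "ForAnyValue:StringLike"):
            subs += _as_list(cond.get(op, {}).get(SUB_KEY, []))
            auds += _as_list(cond.get(op, {}).get(AUD_KEY, []))
        if not subs:
            findings.append(("critical", "no sub condition: any GitHub repository can assume this role"))
        for sub in subs:
            grade = assess_sub(sub)
            if grade:
                findings.append(grade)
        if "sts.amazonaws.com" not in auds:
            findings.append(("warning", "aud is not pinned to sts.amazonaws.com"))
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, review_trust_policy(pol) or "no findings")
```

The trust policy only governs who may assume the role; Phase 4 of the write-up shows why the role's permissions matter just as much, since a CloudFormation deployment role that can attach AdministratorAccess turns a narrowly trusted role into a full-account compromise the moment the trust check is passed.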
INCIDENT DETAILS
Type: Supply-Chain Attack
Motivation: Data exfiltration, intellectual property theft, disruption of services
Impact:
- Data Compromised: Intellectual property, application keys, S3 bucket data, GitHub repository data
- Systems Affected: AWS cloud environment, GitHub environment, CI/CD pipelines
- Operational Impact: Termination of EC2 and RDS instances, decryption of application keys, public exposure of internal GitHub repositories
Data Breach:
- Data Types: Intellectual property, application keys, GitHub repository data, S3 bucket data
- Sensitivity Of Data: High
- Data Encryption: Decrypted application keys
JULY 2025: 744 before incident
JANUARY 2025: 742 before incident
Vulnerability, 01 Jan 2025, PANU
Ivanti, Fortinet, Palo Alto Networks and Zimbra: CISA quietly updated ransomware flags on 59 flaws last year

CISA’s Silent Updates to Ransomware-Linked Vulnerabilities Raise Concerns in 2025

741 after incident; score impact: -1 (CRITICAL)
Incident ID: UNIZIMFORIVA1770144800
CISA’s Silent Updates to Ransomware-Linked Vulnerabilities Raise Concerns in 2025

In 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) quietly updated its Known Exploited Vulnerabilities (KEV) catalog 59 times to reflect new evidence of ransomware exploitation, without notifying defenders. The oversight, highlighted by Glenn Thorpe, senior director of security research at GreyNoise, underscores a critical gap in how organizations track evolving threats. CISA’s KEV catalog is designed to flag high-priority vulnerabilities actively exploited by attackers, helping federal agencies and security teams prioritize patches. One key feature is a field indicating whether a flaw is tied to ransomware operations. However, when this status changes from "Unknown" to "Known", signaling confirmed ransomware use, CISA does not issue alerts. Instead, the update appears only as a silent modification in a JSON file, leaving defenders unaware of the heightened risk. Thorpe’s analysis revealed that 16 of the 59 updated vulnerabilities were Microsoft CVEs, with other frequent targets including Ivanti, Fortinet, Palo Alto Networks (PANW), and Zimbra. These vendors’ products (often firewalls, VPNs, and email servers) are prime targets for ransomware groups due to their widespread deployment and access to high-value networks. Notably, 39% of the vulnerabilities confirmed for ransomware use in 2025 had been listed in the KEV catalog before 2023. The oldest flaw updated last year had been in the catalog for 1,353 days, while the fastest flip occurred within a single day. Authentication bypasses and remote code execution (RCE) flaws were the most common types to see delayed ransomware confirmation. In response to the issue, GreyNoise launched an RSS feed that tracks KEV catalog updates, including ransomware status changes, with hourly refreshes.

The tool addresses a long-standing frustration among security professionals, who argue that timely notifications could help organizations adjust their patching priorities and mitigate attacks. CISA has not yet responded to requests for comment.
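Because the flag flips silently inside the JSON file, the only way to see it is to keep the previous copy and diff. The script below is an added example, not GreyNoise's or CISA's code: it compares two snapshots of a feed in the shape of CISA's KEV JSON (the field names `vulnerabilities`, `cveID`, `dateAdded` and `knownRansomwareCampaignUse` follow the published schema) and reports every entry whose ransomware flag changed, plus newly added entries, together with how long each had already sat in the catalog, the figure behind the 1,353-day statistic above. The snapshots are constructed and the CVE ids are placeholders, not real catalog entries; fetching the live feed from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json is left to the caller so the code runs offline.

```python
"""Diff two snapshots of the KEV catalog JSON for silent ransomware-flag flips.

Added example; not GreyNoise's or CISA's code. Compares two snapshots of a
feed in the shape of CISA's Known Exploited Vulnerabilities JSON (field names
follow the published schema: "vulnerabilities", "cveID", "dateAdded",
"knownRansomwareCampaignUse") and reports ransomware-flag changes and new
entries. The snapshots are constructed and the CVE ids are placeholders.
"""
import json
from datetime import date


def _entry(cve, added, ransomware, vendor="ExampleVendor", product="ExampleProduct"):
    # Minimal KEV-shaped record; the real feed carries more fields.
    return {
        "cveID": cve,
        "vendorProject": vendor,
        "product": product,
        "dateAdded": added,
        "knownRansomwareCampaignUse": ransomware,
    }


# Constructed snapshots; CVE-0000-* are placeholder ids, not real entries.
OLD_SNAPSHOT = json.dumps({"vulnerabilities": [
    _entry("CVE-0000-0001", "2022-01-10", "Unknown"),
    _entry("CVE-0000-0002", "2024-03-01", "Known"),
    _entry("CVE-0000-0003", "2025-06-15", "Unknown"),
]})

NEW_SNAPSHOT = json.dumps({"vulnerabilities": [
    _entry("CVE-0000-0001", "2022-01-10", "Known"),    # flipped silently
    _entry("CVE-0000-0002", "2024-03-01", "Known"),    # unchanged
    _entry("CVE-0000-0003", "2025-06-15", "Unknown"),  # unchanged
    _entry("CVE-0000-0004", "2025-12-30", "Known"),    # newly added
]})


def index_by_cve(feed_json):
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def diff_ransomware_status(old_json, new_json, as_of):
    """List new entries and ransomware-flag changes between two snapshots.

    as_of is the ISO date of the newer snapshot; days_listed shows how long
    an entry had been in the catalog when its flag flipped.
    """
    old, new = index_by_cve(old_json), index_by_cve(new_json)
    today = date.fromisoformat(as_of)
    changes = []
    for cve, entry in new.items():
        status = entry.get("knownRansomwareCampaignUse", "Unknown")
        listed = (today - date.fromisoformat(entry["dateAdded"])).days
        prev = old.get(cve)
        if prev is None:
            changes.append({"cveID": cve, "change": "added", "to": status, "days_listed": listed})
            continue
        before = prev.get("knownRansomwareCampaignUse", "Unknown")
        if before != status:
            changes.append({"cveID": cve, "change": "ransomware_flag", "from": before,
                            "to": status, "days_listed": listed})
    return changes


def needs_alert(change):
    """A flip to "Known", or a new entry already marked "Known", is worth paging on."""
    return change["to"] == "Known"


if __name__ == "__main__":
    for c in diff_ransomware_status(OLD_SNAPSHOT, NEW_SNAPSHOT, as_of="2025-12-31"):
        print("ALERT" if needs_alert(c) else "info", c)
```

Run on a schedule, the previous snapshot is the state to persist; the `days_listed` value is what tells a patching team that a flaw they deprioritized years ago has just changed category.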
INCIDENT DETAILS
Type: Ransomware
Motivation: Financial gain (ransomware operations)
Impact:
- Firewalls, VPNs, email servers
- Operational Impact: Delayed patching priorities leading to increased risk of ransomware attacks
- Brand Reputation Impact: Potential erosion of trust in CISA’s KEV catalog as a reliable threat intelligence source
JUNE 2018: 756 before incident
Breach, 16 Jun 2018, PANU
Palo Alto Networks Unit 42

Dark Gate Malware Campaign

695 after incident; score impact: -61 (CRITICAL)
Incident ID: UNI617071524
Palo Alto Networks Unit 42 uncovered a Dark Gate malware campaign exploiting legitimate tools for distributing malware. Using Excel files, the malware leveraged public SMB shares to spread across North America, Europe, and Asia. DarkGate, a sophisticated RAT, is capable of various malicious activities, evading detection, and has been active since 2018. The surge in activity followed Qakbot infrastructure disruption and reached its peak with 2,000 samples in a single day, indicating a widespread and significant breach.
INCIDENT DETAILS
Type: Malware Campaign
Motivation: Data exfiltration, evasion of detection, and distribution of malware

Frequently Asked Questions

- What is the current A.I Rankiteo Cyber Score for PANU?
- What was PANU's A.I Rankiteo Cyber Score in May 2026?
- What was PANU's A.I Rankiteo Cyber Score in April 2026?
- What was PANU's A.I Rankiteo Cyber Score in March 2026?
- What was PANU's A.I Rankiteo Cyber Score in February 2026?
- What was PANU's A.I Rankiteo Cyber Score in January 2026?
- What was PANU's A.I Rankiteo Cyber Score in December 2025?
- What was PANU's A.I Rankiteo Cyber Score in November 2025?
- What was PANU's A.I Rankiteo Cyber Score in October 2025?
- What was PANU's A.I Rankiteo Cyber Score in September 2025?
- What was PANU's A.I Rankiteo Cyber Score in August 2025?
- What was PANU's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on PANU's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with PANU?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view PANU's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?