Immediately after reports of CVE-2025-59287, a critical RCE flaw in WSUS systems, being exploited in the wild, another high-severity Linux kernel flaw has been observed being actively weaponized in ransomware attacks. CISA confirmed its exploitation and warned that abusing CVE-2024-1086 in offensive campaigns allows attackers with local access to gain root privileges on affected systems.
For the third year running, exploited vulnerabilities remain the most common technical root cause of ransomware attacks, involved in 32% of incidents, according to The State of Ransomware 2025 report by Sophos. Ransomware groups are increasingly leveraging software flaws as a primary entry point into enterprise systems, while social engineering and stolen credentials continue to play a major role in attacks. With over 40,000 new vulnerabilities logged by NIST this year, organizations face a growing challenge, as proactively identifying and fixing these flaws is essential to reducing the attack surface and defending against increasingly sophisticated ransomware threats.
Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.
Additionally, cyber defenders can bulletproof their defenses with a curated detection stack addressing ransomware attacks. Just search for relevant detection content in Threat Detection Marketplace using the “Ransomware” tag.
Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.
CVE-2024-1086 Analysis
CISA has recently released an urgent warning about a critical Linux kernel flaw, identified as CVE-2024-1086. This critical use-after-free bug (with a CVSS score of 7.8), hidden within the netfilter: nf_tables component, allows adversaries with local access to gain root privileges on affected systems and potentially deploy ransomware, which could severely disrupt enterprise systems worldwide or possibly cause arbitrary code execution.
The flaw was disclosed and patched in January 2024, though it originated from code introduced back in 2014. It was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 30, 2024, and in late October 2025, CISA issued a notification confirming that the vulnerability is known to be actively used in ransomware campaigns. Notably, a proof-of-concept (PoC) exploit for the flaw has been available since March 2024, when a researcher using the alias “Notselwyn” published a CVE-2024-1086 PoC on GitHub, demonstrating local privilege escalation on Linux kernels from 5.14 through 6.6.
Exploiting this vulnerability, attackers can bypass security controls, gain administrative access, and move laterally across networks. Once root privileges are obtained, ransomware operators can disable endpoint protections, encrypt critical files, exfiltrate sensitive data, and establish persistent access.
The netfilter subsystem, responsible for packet filtering and network address translation, makes this vulnerability particularly valuable for attackers seeking to manipulate network traffic or weaken security mechanisms. Typically, CVE-2024-1086 is exploited after adversaries gain an initial foothold through phishing, stolen credentials, or internet-facing vulnerabilities, turning limited user access into full administrative control.
CISA’s classification of CVE-2024-1086 as a vulnerability “known to be used in ransomware campaigns” underscores its severity and the urgent need for organizations to verify patch deployment and implement mitigating controls across Linux environments.
As a potential CVE-2024-1086 mitigation measure, the vendor advises disabling user namespace creation for unprivileged users. To turn it off until the next reboot, run sudo sysctl -w kernel.unprivileged_userns_clone=0; to make the change persist across reboots, run echo kernel.unprivileged_userns_clone=0 | sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf.
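The check below is an added example, not part of the SOC Prime post or any vendor tooling. It audits whether the advised setting is in effect by reading the sysctl through /proc/sys, falling back to the mainline knob user.max_user_namespaces on kernels that lack the Debian/Ubuntu-specific kernel.unprivileged_userns_clone (that fallback, the nf_tables module check, and the /proc paths are assumptions about the host; the injected get callable exists so the decision logic can be exercised against constructed values). It also emits the drop-in content the post recommends for persistence. Disabling unprivileged user namespaces is a stopgap: it removes the route by which an unprivileged local user obtains CAP_NET_ADMIN over nf_tables inside a namespace, but only a patched kernel removes the bug.

```python
#!/usr/bin/env python3
"""Audit the CVE-2024-1086 stopgap: are unprivileged user namespaces disabled?

Added example; not from the SOC Prime post.  Reads sysctl values through
/proc/sys so it needs no root.  kernel.unprivileged_userns_clone is the
Debian/Ubuntu knob named in the post; user.max_user_namespaces is the
mainline knob, where 0 forbids creating user namespaces (assumption: either
may be absent on a given host, so both are tried and 'unknown' is reported
if neither exists).
"""
from pathlib import Path
from typing import Callable, Dict, Optional

SYSCTL_ROOT = Path("/proc/sys")
DROPIN_PATH = Path("/etc/sysctl.d/99-disable-unpriv-userns.conf")


def read_sysctl(key: str, root: Path = SYSCTL_ROOT) -> Optional[str]:
    """Value of a dotted sysctl key via /proc/sys, or None if it is not exposed."""
    path = root.joinpath(*key.split("."))
    try:
        return path.read_text().strip()
    except OSError:          # missing knob, or unreadable in a sandbox
        return None


def audit_userns(get: Callable[[str], Optional[str]]) -> Dict[str, Optional[str]]:
    """Classify the host as mitigated, exposed or unknown.

    `get` maps a sysctl key to its value (or None).  Injecting it keeps the
    decision logic testable against constructed values instead of a live host.
    """
    for knob in ("kernel.unprivileged_userns_clone", "user.max_user_namespaces"):
        value = get(knob)
        if value is not None:
            verdict = "mitigated" if value == "0" else "exposed"
            return {"knob": knob, "value": value, "verdict": verdict}
    return {"knob": None, "value": None, "verdict": "unknown"}


def nf_tables_loaded(proc_modules: str) -> bool:
    """True if nf_tables is listed in /proc/modules (first column is the name).

    A kernel with nf_tables built in rather than modular will not show it here,
    so False means 'not loaded as a module', not 'absent'.
    """
    return any(line.split()[0] == "nf_tables"
               for line in proc_modules.splitlines() if line.strip())


def dropin_text() -> str:
    """Content of the persistent sysctl.d drop-in the post recommends."""
    return "kernel.unprivileged_userns_clone=0\n"


def write_dropin(path: Path = DROPIN_PATH) -> Path:
    """Write the drop-in; needs root on a real host, so the path is injectable."""
    path.write_text(dropin_text())
    return path


if __name__ == "__main__":
    result = audit_userns(read_sysctl)
    try:
        modular = nf_tables_loaded(Path("/proc/modules").read_text())
    except OSError:
        modular = False
    print(f"verdict={result['verdict']} knob={result['knob']} value={result['value']} "
          f"nf_tables_module_loaded={modular}")
```

Run it as an unprivileged user to get the verdict; only write_dropin needs root. A "mitigated" verdict from user.max_user_namespaces=0 is stricter than the Debian knob, since it also blocks root-created user namespaces, so check that nothing on the host (container runtimes, browsers' sandboxes) depends on them before rolling it out fleet-wide.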
Enhancing proactive cyber defense strategies is crucial for organizations to effectively and promptly reduce the risks of vulnerability exploitation. By leveraging SOC Prime’s complete product suite for enterprise-ready security protection backed by top cybersecurity expertise and AI, global organizations can future-proof cyber defense and strengthen their cybersecurity posture.
This blog is a summary and analysis of recent additions to the Ransomware Tool Matrix (RTM) as well as the Ransomware Vulnerability Matrix (RVM). Feedback from the infosec community about these projects has been overwhelmingly positive and many researchers have contacted me to tell me how helpful they have found these to be. It makes me happy to hear how doing something in my spare time can help stop ransomware attacks and cybercriminals from exploiting our society’s systems. And it is for that reason, I shall continue to maintain these projects as long as ransomware is still around. For anyone new to these projects, please read the descriptions on GitHub or feel free to watch my talk explaining the project at BSides London.
Background on the current ransomware ecosystem as of May 2025
Following the impact of Operation Cronos against LockBit and the exit scam by ALPHV/BlackCat, the ransomware ecosystem has been even more unstable than usual. The exit scams and law enforcement infiltration operations have created a zero trust environment for the cybercriminals participating in the ransomware economy. The days of affiliates putting their faith in one RaaS platform seem to be long gone and many are experimenting and going from one RaaS to the next.
Sources of Threat Intelligence for the RTM
The RTM was updated with OSINT reports shared by cybersecurity researchers at various private service providers or vendors. The thing to remember about these reports is that the tool usage is going to be slightly outdated due to the time it takes incident response teams to wrap up an investigation, compile findings, and publish a report.
From the reports, threat groups such as Qilin, BlackSuit, RansomEXX, Medusa, BianLian, Hunters International and PLAY have been active for over one year or for multiple years. These are established groups. Since RansomHub and LockBit have shut down, it is more likely than not that the affiliates have already shifted to one of the other RaaS platforms, like Qilin, among others.
There have also been a number of ransomware operations suspected to be linked to Chinese cyber-espionage groups, such as RA World (for using PlugX), NailaoLocker (for using ShadowPad and PlugX), and CrazyHunter (for its focus on Taiwan).
Threat groups such as IMN Crew, QWCrypt (linked to RedCurl), NightSpire, SuperBlack, and Helldown are all rising threat groups that have more recently begun their ransomware campaigns.
These factors have led to a large variety of tool usage being observed in ransomware operations across the landscape. The reliance on tools from sites like GitHub and other free software sites, however, remains a constant theme among all of these ransomware operations.
List of sources used for the May 2025 major update to the RTM:
EDRSandBlast and WKTools are relatively new tools that are being used by multiple groups to deactivate and overcome the EDR tools that many victims will have on their networks to prevent ransomware attacks.
Typical ransomware tools, such as PsExec, Mimikatz, and Rclone, remain effective and will still be used by multiple ransomware gangs for the foreseeable future.
Tool | Type | Groups Using It
--- | --- | ---
WinSCP | Exfiltration | NightSpire, Hunters International
Mimikatz | Credential Theft | RansomHub, Qilin, Helldown
Impacket | Offensive Security Tool | RansomHub, RA World, NailaoLocker
Rclone | Exfiltration | RansomHub, Hunters International, Medusa
NetScan | Discovery | RansomHub, Medusa
WKTools | Discovery | RansomHub, BianLian, PLAY
Advanced IP Scanner | Discovery | Hunters International, BianLian
Advanced Port Scanner | Discovery | Hunters International, Helldown
AnyDesk | RMM Tool | Medusa, BianLian
EDRSandBlast | Defense Evasion | Medusa, Qilin
New Tools Added to the RTM
The most notable new tools added to the RTM include several defense evasion tools for deactivating EDRs, discovery tools for locating sensitive files, and tunnelling tools to conceal adversary network connections.
Tool | Type | Groups Using It
--- | --- | ---
Bublup | Exfiltration | BlackSuit
WKTools | Discovery | BianLian, PLAY
AmmyyAdmin | RMM Tool | BianLian
CQHashDump | Credential Theft | NailaoLocker
Throttle Stop Driver | Defense Evasion | Medusa
KillAV | Defense Evasion | Medusa
BadRentdrv2 | Defense Evasion | RansomHub
Toshiba Power Driver (BYOVD) | Defense Evasion | Qilin
ZammoCide | Defense Evasion | CrazyHunter
FRP | Networking | Medusa
Stowaway | Networking | RansomHub
Navicat | Discovery | Medusa
Everything.exe | Discovery | NightSpire
RoboCopy | Discovery | Medusa
NPS | Networking | RA World
SharpGPOAbuse | Offensive Security Tool | CrazyHunter
Attrib | LOLBAS | BlackSuit
Curl | LOLBAS | QWCrypt (RedCurl)
PCA Utility (pcalua) | LOLBAS | QWCrypt (RedCurl)
Exploits used by Ransomware Gangs added to the RVM
As is now usual, multiple ransomware groups have been targeting Fortinet networking devices for initial access into victim environments.
Multiple ransomware groups continue to exploit the Windows Common Log File System (CLFS) for local privilege escalation to run hacking tools and steal credentials.
Other exploits involve targeting edge devices, such as Check Point VPNs or PAN Firewalls, or exposed servers, such as Atlassian Confluence Data Center Servers.
The targeting of Veeam backup software should come as no surprise, as preventing backups or stealing sensitive files, such as Active Directory backups, are key objectives of ransomware gangs to complete their mission.
My recommendation for defenders who continue the fight against ransomware is to take some of the findings from this report and begin threat hunting, writing detection rules, and blocking those tools that have no legitimate presence in the environments you are protecting.
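As an added example of the threat hunting and blocking the recommendation above describes (this is not code from the RTM blog or its GitHub project), the script below turns the tool tables into a hunt over process-creation events. Each execution of a tool from the matrix is reported and graded by its category, except tools on the environment's own approved list, which is how you separate the AnyDesk your helpdesk is licensed for from one that should not be there. The executable names, the command-line shapes used to stop the built-in LOLBAS binaries from flooding the output, and the sample events are assumptions and constructed data, not taken from the post; the map deliberately covers only tools that have a distinctive binary name.

```python
#!/usr/bin/env python3
"""Hunt process-creation telemetry for tools listed in the Ransomware Tool Matrix.

Added example, not part of the RTM project.  Executable names and LOLBAS
command-line shapes are assumptions (usual file names, LOLBAS-documented
usage); the events at the bottom are constructed, not real telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import FrozenSet, Iterable, List, Optional

# Tool -> category, as listed in the RTM tables in the post.
TOOL_CATEGORY = {
    "Mimikatz": "Credential Theft", "CQHashDump": "Credential Theft",
    "Rclone": "Exfiltration", "WinSCP": "Exfiltration",
    "EDRSandBlast": "Defense Evasion",
    "PsExec": "Offensive Security Tool", "SharpGPOAbuse": "Offensive Security Tool",
    "NetScan": "Discovery", "Advanced IP Scanner": "Discovery",
    "Advanced Port Scanner": "Discovery", "Everything.exe": "Discovery",
    "AnyDesk": "RMM Tool", "AmmyyAdmin": "RMM Tool",
    "FRP": "Networking",
    "Curl": "LOLBAS", "Attrib": "LOLBAS", "PCA Utility (pcalua)": "LOLBAS",
}

# Image basename -> tool.  Assumed binary names, not from the page.
IMAGE_TO_TOOL = {
    "mimikatz.exe": "Mimikatz", "cqhashdump.exe": "CQHashDump",
    "rclone.exe": "Rclone", "winscp.exe": "WinSCP",
    "edrsandblast.exe": "EDRSandBlast",
    "psexec.exe": "PsExec", "psexec64.exe": "PsExec",
    "sharpgpoabuse.exe": "SharpGPOAbuse",
    "netscan.exe": "NetScan", "advanced_ip_scanner.exe": "Advanced IP Scanner",
    "advanced_port_scanner.exe": "Advanced Port Scanner",
    "everything.exe": "Everything.exe",
    "anydesk.exe": "AnyDesk", "aa_v3.exe": "AmmyyAdmin",
    "frpc.exe": "FRP",
    "curl.exe": "Curl", "attrib.exe": "Attrib", "pcalua.exe": "PCA Utility (pcalua)",
}

# Categories whose mere presence on an endpoint warrants an immediate look.
HIGH = {"Credential Theft", "Exfiltration", "Defense Evasion", "Offensive Security Tool"}


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    image: str      # full path of the created process
    cmdline: str


@dataclass(frozen=True)
class Hit:
    host: str
    user: str
    tool: str
    category: str
    severity: str
    cmdline: str


def lolbas_suspicious(image_name: str, cmdline: str) -> bool:
    """Built-in binaries run constantly; only their documented abuse shapes get a hit."""
    args = cmdline.lower().split()
    if image_name == "pcalua.exe":
        return "-a" in args                        # proxy execution of another program
    if image_name == "curl.exe":
        return "-o" in args or "--output" in args  # download written to disk
    if image_name == "attrib.exe":
        return "+h" in args                        # hiding a file
    return False


def classify(event: Event, approved: FrozenSet[str] = frozenset()) -> Optional[Hit]:
    """Return a Hit for an unapproved matrix tool, else None."""
    name = PureWindowsPath(event.image).name.lower()
    tool = IMAGE_TO_TOOL.get(name)
    if tool is None or tool in approved:
        return None
    category = TOOL_CATEGORY[tool]
    if category == "LOLBAS":
        if not lolbas_suspicious(name, event.cmdline):
            return None
        severity = "low"
    else:
        severity = "high" if category in HIGH else "medium"
    return Hit(event.host, event.user, tool, category, severity, event.cmdline)


def hunt(events: Iterable[Event], approved: FrozenSet[str] = frozenset()) -> List[Hit]:
    """Hits for every event, most severe first, then by host."""
    hits = [h for h in (classify(e, approved) for e in events) if h is not None]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(hits, key=lambda h: (order[h.severity], h.host))


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    Event("ws01", "CORP\\bob", r"C:\Users\bob\AppData\Local\Temp\mimikatz.exe", "mimikatz.exe"),
    Event("ws01", "CORP\\bob", r"C:\Users\bob\Downloads\rclone.exe", "rclone.exe copy D:\\Finance remote:share"),
    Event("srv-help", "CORP\\helpdesk", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    Event("ws02", "CORP\\alice", r"C:\Windows\System32\pcalua.exe", "pcalua.exe -a C:\\ProgramData\\update.exe"),
    Event("ws02", "CORP\\alice", r"C:\Windows\System32\attrib.exe", "attrib.exe -r report.docx"),
    Event("ws03", "CORP\\carol", r"C:\Windows\System32\curl.exe", "curl.exe https://example.invalid/status"),
    Event("ws03", "CORP\\carol", r"C:\Program Files\Everything\Everything.exe", "Everything.exe"),
]
# In this constructed environment AnyDesk is the sanctioned RMM tool.
APPROVED = frozenset({"AnyDesk"})

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS, APPROVED):
        print(f"[{h.severity:6}] {h.host} {h.user} {h.tool} ({h.category}): {h.cmdline}")
```

The approved set is the part worth maintaining: the same table row (AnyDesk, Everything, RoboCopy) is noise in one estate and a lead in another, and the table gives the vendor-observed usage, not your baseline. Matching on image basename alone will miss renamed binaries, so in a SIEM you would pair these names with file hashes or PE metadata; the structure of the grading stays the same.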
Here are a few sites to help you get started with:
This blog is part of a cyber threat intelligence (CTI) blog series called Tracking Adversaries that investigates prominent or new threat groups.
The focus of this blog is EvilCorp, a sanctioned Russia-based cybercriminal enterprise known for launching ransomware attacks, and RansomHub, a prominent ransomware as a service (RaaS) operation run by Russian-speaking cybercriminals.
These two threat groups have been linked through cooperation on intrusions and through IOCs and TTPs shared across multiple CTI sources. The implication of this link is critical: RansomHub is the most active ransomware gang, and it is working with a well-known sanctioned affiliate.
Who is RansomHub?
Active since February 2024, RansomHub is a RaaS operation formerly known as Cyclops and Knight and is run by Russian-speaking adversaries. It is currently used by more and more cybercriminals that are ex-affiliates of other RaaS operations. This includes the ALPHV/BlackCat RaaS and the LockBit RaaS, which have since shut down or disappeared. This has made the RansomHub RaaS one of the most widespread ransomware families as of early 2025.
Due to having a high number of affiliates, the tools and TTPs observed before the final RansomHub payload is deployed can vary significantly. Each affiliate may have their own set of tools and TTPs to achieve the final objectives of data exfiltration and ransomware deployment.
Who is EvilCorp?
Evil Corp is an international cybercrime network, led by Maksim Yakubets, that has been sanctioned for orchestrating large-scale financial cyberattacks. EvilCorp’s operations have evolved over time, expanding from Dridex banking trojan campaigns into developing ransomware like BitPaymer, WastedLocker, Hades, PhoenixLocker, and MacawLocker.
Notably, Aleksandr Ryzhenkov was identified by the National Crime Agency (NCA) as a high-ranking member of EvilCorp and also a LockBit affiliate. Ryzhenkov became a LockBit affiliate around 2022, contributing to over 60 LockBit ransomware builds and attempting to extort more than $100 million from victims. This discovery aligns with Mandiant’s previous reporting on EvilCorp shifting to LockBit as well.
The NCA also found that EvilCorp maintains close ties with Russian intelligence agencies through Yakubets' father-in-law, Eduard Bendersky, a former FSB officer, who is suspected of using his influence to shield the group from prosecution in Russia.
One of the TTPs that makes EvilCorp stand out from the rest of the RaaS affiliates is its own affiliation with the SocGholish JavaScript malware (aka FAKEUPDATES). If ransomware deployment takes place following a SocGholish infection, then the attackers responsible for the attack will be affiliated with EvilCorp.
Reported Connections Between EvilCorp and RansomHub
On 15 July 2024, Microsoft shared a post on X stating that RansomHub was observed being deployed in post-compromise activity by Manatee Tempest (which is Microsoft’s name for EvilCorp) following initial access via SocGholish (aka FakeUpdates) infections (which Microsoft tracks as Mustard Tempest).
On 15 January 2025, Guidepoint wrote a blog on a new Python backdoor used by an affiliate of RansomHub. Notably, the new Python backdoor was delivered by SocGholish. Therefore, this Python backdoor is another potential artifact worth monitoring for its connection to known EvilCorp-related malware.
The next day, on 16 January 2025, Google shared a report on EvilCorp (which Google tracks as UNC2165) that disclosed numerous tools and malware families they have been using to deliver RansomHub, including a Python backdoor dubbed VIPERTUNNEL (see the image below). The presence of a Python backdoor following a SocGholish infection is a notable TTP that overlaps with the Guidepoint blog on RansomHub.
On 14 March 2025, Trend Micro disclosed further details that also confirmed the SocGholish malware is leading to the deployment of RansomHub ransomware. The operators of SocGholish are tracked as Water Scylla by Trend Micro. The operators distribute SocGholish via the Keitaro Traffic Direction System (TDS), a legitimate service used for marketing campaigns. Trend Micro also observed SocGholish dropping the same custom Python backdoor (aka VIPERTUNNEL) as well.
So What?
EvilCorp has been under US sanctions since 2019, making it illegal for affected organisations to pay ransoms to them without facing potential fines from the US Treasury’s Office of Foreign Assets Control (OFAC). Despite these sanctions, EvilCorp has continued its cybercriminal activities by adapting its tactics to include rebranding their ransomware and becoming an affiliate of RaaS operations, such as LockBit and RansomHub.
The key indicator of EvilCorp's involvement in ransomware attacks continues to be the use of the SocGholish malware, which employs drive-by downloads masquerading as web browser software updates to gain initial access to systems.
EvilCorp’s affiliation with RansomHub raises the possibility that RansomHub may soon face sanctions similar to those imposed on EvilCorp. Consequently, any victim paying a ransom to RansomHub could create significant risk for cyber insurance organisations, incident responders, and ransomware negotiators, as they may inadvertently violate sanctions and face legal repercussions.
Given EvilCorp's prominence as a target for international law enforcement, its association with RansomHub is likely to draw increased scrutiny. This could result in RansomHub becoming the focus of future law enforcement actions, including potential takedowns and additional sanctions, further complicating the landscape for entities involved in ransomware response and mitigation.
There is also an increased likelihood that RansomHub will now rebrand. As we saw in the BlackBasta Leaks, ransomware groups pay close attention to the news, CTI reports, posts on X, and even blogs by researchers. This association with EvilCorp and the threat of sanctions is an issue for ransomware groups as it impacts their business model and makes earning harder. Therefore, by linking the two entities together, CTI analysts can impose cost on these cybercriminals.
The scourge of ransomware continues primarily because of three main reasons: Ransomware-as-a-Service (RaaS), cryptocurrency, and safe havens.
RaaS platforms enable aspiring cybercriminals to join a gang and begin launching attacks with a support system that helps extract ransom payments from their victims.
Cryptocurrency enables cybercriminals to receive funds from victims around the world without the option to freeze or refund them due to the immutable nature of the virtual funds.
Safe havens are countries that permit cybercriminals to launch attacks without immediate fear of arrest, enabling them to earn vast fortunes through ransomware campaigns.
With these three challenges in mind, law enforcement and governments have a very difficult job to do when it comes to fighting ransomware, but fight it they must. In this blog we shall recall what counter-ransomware activities took place in 2024, analyse their effectiveness, and assess how the landscape shall evolve as a result.
A podcast version of this blog is also available here.
Ransomware Operator Arrests and Sanctions
During 2024, there were significant disruption operations by law enforcement and financial authorities targeting individuals behind ransomware campaigns (see the Table below). The main focus of 2024 for Western law enforcement was squarely on the LockBit RaaS and its affiliates as it was the largest and highest earning ransomware operation to date.
Several key players of the ransomware ecosystem were arrested, including the main developer of LockBit ransomware. Interestingly, Russian law enforcement also decided to arrest ransomware threat actors located in Moscow and Kaliningrad as well.
European police took down malicious spam botnets that support ransomware campaigns. This resulted in 4 arrests (1 in Armenia and 3 in Ukraine), over 100 servers and 2,000 domains being seized. One of the main suspects earned €69 million by renting out infrastructure sites to deploy ransomware.
Deniss Zolotarjovs, a Latvian national was arrested and extradited to the US from Georgia for running the Karakurt data extortion gang linked to Conti.
Mikhail “Wazawaka” Matveev was arrested in Russia for violating domestic laws against the creation and use of malware. He was fined and had his cryptocurrency seized and is awaiting trial.
The ransomware ecosystem has fragmented due to the law enforcement disruptions of the largest players, such as ALPHV/BlackCat and LockBit. In the case of ALPHV/BlackCat, the operators staged a law enforcement takedown by putting up a fake seizure notice as part of an exit scam in March 2024 after the attack on UnitedHealth.
Following these disruptions, some affiliates have migrated to less effective strains or launched their own strains. This includes Akira and RansomHub at the top of the list as well as Hunters International and PLAY.
Cryptocurrency Exchanges Disrupted
During 2024, law enforcement seized funds from and sanctioned a number of cryptocurrency exchanges and individuals running payment processors using cryptocurrency (see the Table below).
One of the most interesting disclosures this year came from the UK National Crime Agency (NCA) around Operation Destabilise. The NCA linked payments to ransomware gangs to money laundering networks that Russian oligarchs used to covertly purchase property and that Russia Today, the state-run media organization, used to covertly fund pro-Russia foreign entities.
Another notable investigation in 2024 was when the US Treasury sanctioned more Russian cryptocurrency exchanges, such as PM2BTC and Cryptex, which led to money launderers who facilitate the cashing out of ransom payments being arrested by Russian law enforcement.
The US Justice Department indicted Russian national Roman Pikulev and Cryptonator, which processed a total of $1.4 billion in transactions, of which $8 million were ransom payments. Cryptonator also has ties to other sanctioned entities including Blender, Hydra Market, Bitzlato, and Garantex, among others.
FinCEN identified PM2BTC as being of “primary money laundering concern” in connection with Russian illicit finance. This was alongside Cryptex and Sergey Sergeevich Ivanov, a Russian national, who is associated with UAPS and PinPays, as well as Genesis Market. Cryptex also facilitated more than $115 million of proceeds from ransomware payments.
In Operation Final Exchange, German federal police (BKA) shut down 47 cryptocurrency exchange services used by ransomware gangs, which operated without requiring registration or identity verification.
Russian authorities have arrested nearly 100 suspected cybercriminals linked to the anonymous payment system UAPS and the cryptocurrency exchange Cryptex.
The NCA uncovered a Russian money-laundering network operated by two companies called Smart and TGR Group as part of Operation Destabilise that involved UK-based cash-to-crypto networks that laundered Ryuk ransom payments as well as the money of Russian oligarchs and Russia Today.
Safe Havens Enabling Ransomware
While ransomware is a global problem, there are only a few countries that are to blame for this rapid expansion of the ransomware ecosystem. The state that is blamed the most for preventing many ransomware operators from facing justice is Russia. There are explicit rules posted to Russian-speaking cybercrime forums that state as long as members avoid targeting Russia and the Commonwealth of Independent States (CIS), they are free to operate.
The Russian ransomware safe haven theory was further proven following sanctions levied against Evil Corp by the UK, US, and Australia. One of the sanctioned men connected to Evil Corp was Eduard Benderskiy, a former Russian federal security service (FSB) official. Benderskiy is reportedly the father-in-law of Maksim Yakubets, the leader of Evil Corp, an organized cybercrime group responsible for multiple ransomware strains including BitPaymer, WastedLocker, Hades, PhoenixLocker, and MacawLocker. In total, Evil Corp has reportedly extorted at least $300 million from victims globally, according to the UK NCA. It is now clear that Evil Corp has protection from a highly connected Russian FSB official who has also been involved in multiple overseas assassinations on behalf of the Kremlin, according to Bellingcat investigators.
While a number of ransomware operators were arrested in 2024 and some were extradited to the US, the work done by law enforcement specializing in cybercrime was put in the spotlight during the August 2024 prisoner swap. Multiple countries decided to release cybercriminals, spies and an assassin as part of a historic prisoner exchange with Russia at an airport in Ankara, Turkey. The US negotiated the release of 16 people from Russia, including five Germans as well as seven Russian citizens who were political prisoners in their own country.
Notably, from a cybercrime intelligence perspective, the Russian nationals released from the West included the infamous cybercriminals Roman Seleznev and Vladislav Klyushin. The latter, Klyushin, was sentenced in 2023 to nine years in US prison after he was caught in a $93 million stock market cheating scheme that involved hacking into US companies for insider knowledge. The other cybercriminal, Seleznev, was sentenced to 27 years in prison in 2017 for stealing and selling millions of credit card numbers from 500 businesses using point-of-sale (POS) malware and causing more than $169 million in damage to small businesses and financial institutions, including those in the US.
In 2024, we saw several more Russian nationals get extradited to the US after being arrested by law enforcement in the country they were residing in. This includes the Phobos operator living in South Korea and the LockBit developer living in Israel. This follows others arrested in previous years such as a TrickBot developer arrested in South Korea as well as the two LockBit affiliates extradited to the US. There is a potential that these Russian nationals involved in ransomware could be used in prisoner exchanges in the future.
Further, another curious trend in 2024 was that some Russians inside Russia, which is firmly considered a safe haven for ransomware gangs, did get arrested. This includes the SugarLocker operators arrested in Moscow and the LockBit affiliate Wazawaka who was arrested in Kaliningrad. This is alongside the money launderers arrested around Russia linked to the Cryptex exchange.
The arrests of Russian nationals in Russia for ransomware activities appear to be more symbolic than a true crackdown on this type of activity. This is because there are several dozen Russian-speaking ransomware gangs that continue to operate, as well as a plethora of other types of cybercrime in the Russian-speaking underground.
Outlook
In 2024, there was lots of significant action by law enforcement to shake up the ransomware economy. One of the main successes of the notable Operation Cronos action taken against LockBit was the sowing of distrust and disharmony in the ransomware ecosystem. Despite the admins of LockBit trying to recover, their reputation and army of affiliates have been smashed.
Many of the Russian law enforcement activities could be related to the costs of the Russian invasion of Ukraine. Russian authorities seizing the funds of illicit cryptocurrency exchanges could be a way to pay for the war in Ukraine, and they could be recruiting arrested cybercriminals for offensive cyber operations related to the war. The true motivations of Russian law enforcement for arresting these specific ransomware operators while allowing others to operate are unclear. The cybercriminals could also simply have not paid their protection money or lack the connections in the FSB that Evil Corp has.
Due to the fall of LockBit and ALPHV/BlackCat in 2024, there has been a rise of other ransomware groups like RansomHub and Akira to fill the vacuum. However, the rate of attacks by these emerging groups is still noticeably lower than when LockBit was operating at full force. This should be perceived as a success for law enforcement operations in 2024, as the overall number of ransomware attacks has fallen, which we should all be thankful for.