惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News: Ask HN
Hacker News: Ask HN
WordPress大学
WordPress大学
H
Help Net Security
小众软件
小众软件
N
Netflix TechBlog - Medium
C
Check Point Blog
量子位
Last Week in AI
Last Week in AI
GbyAI
GbyAI
Martin Fowler
Martin Fowler
M
MIT News - Artificial intelligence
博客园 - 聂微东
Engineering at Meta
Engineering at Meta
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
J
Java Code Geeks
D
DataBreaches.Net
Project Zero
Project Zero
P
Proofpoint News Feed
T
Threat Research - Cisco Blogs
Security Latest
Security Latest
Cisco Talos Blog
Cisco Talos Blog
Recorded Future
Recorded Future
I
Intezer
L
Lohrmann on Cybersecurity
Cyberwarzone
Cyberwarzone
博客园_首页
C
Cyber Attacks, Cyber Crime and Cyber Security
L
LangChain Blog
P
Palo Alto Networks Blog
V
V2EX
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
The Exploit Database - CXSecurity.com
The Hacker News
The Hacker News
Blog — PlanetScale
Blog — PlanetScale
G
GRAHAM CLULEY
T
The Blog of Author Tim Ferriss
C
Cisco Blogs
The Register - Security
The Register - Security
L
LINUX DO - 热门话题
P
Privacy & Cybersecurity Law Blog
Scott Helme
Scott Helme
F
Full Disclosure
博客园 - 司徒正美
Recent Announcements
Recent Announcements
IT之家
IT之家
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Attack and Defense Labs
Attack and Defense Labs
Cloudbric
Cloudbric
Help Net Security
Help Net Security
The Last Watchdog
The Last Watchdog

Threat Intelligence – ThreatDown by Malwarebytes

Prinz Eugen ransomware: a deep dive into a new Go-based encryptor - ThreatDown by Malwarebytes CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security Machine-scale cybercrime: The 2026 State of Malware report How to prevent a rootkit attack AI-orchestrated cyberattacks Inside EDR-Freeze: How ThreatDown stops the attack before it spreads EDR vs MDR vs XDR – What’s the Difference? KMSpico explained: No, KMS is not “kill Microsoft” When you shouldn’t trust a trusted root certificate - ThreatDown by Malwarebytes Ransomware in March 2025
Ransomware in April 2025—RansomHub is gone
Mark Stockley · 2025-05-07 · via Threat Intelligence – ThreatDown by Malwarebytes
Ransomware review

While DaVita and Marks & Spencer reel from devastating attacks, the most dominant ransomware group of the last year has disappeared.

In April 2025, dialysis giant DaVita suffered a high-impact ransomware attack at the hands of the lesser-known “Interlock” gang. Oregon’s state environmental agency refused to pay a $2.5 million ransom, so the attackers retaliated by leaking confidential patient data stolen from the company.

Around the same time, one of the UK’s biggest retailers, Marks & Spencer, was forced to suspend its online orders after a “cyber incident” disrupted its e-commerce operations. Bleeping Computer reports that the threat actors behind the attack are believed to be part of the Scattered Spider network. The publication believes that the threat actors cracked password hashes from a stolen NTDS.dit database to allow lateral movement through the organization, before using the DragonForce encryptor to attack VMware ESXi hosts.

In Germany, recycling company Eu-Rec GmbH filed for insolvency after being attacked by the SafePay ransomware group.

Known ransomware attacks by group, April 2025

The most startling feature of April’s known ransomware attacks by group chart is the absence of the RansomHub group, which emerged as the successor to LockBit and ALPHV in 2024 as the most dominant ransomware gang.

The RansomHub dark web leak site is currently down, and it’s reported that the DragonForce ransomware group recently announced on its own leak site that RansomHub had “decided to move to our infrastructure.” Currently, the DragonForce leak site simply says “We will be up soon”.

The RansomHub dark web leak site is currently down.
The RansomHub dark web leak site is currently down.
The DragonForce dark web leak site is giving nothing away.
The DragonForce dark web leak site is giving nothing away.

In April, the USA remained by far the most actively targeted country.

Known ransomware attacks by country, April 2025

Manufacturing was the most attacked sector in April 2025, surpassing even the technology sector. The number of attacks on manufacturing has increased steadily over the last few years.

Known ransomware attacks by industry, April 2025

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

To learn more about ransomware and how to defend against the Living Off the Land tactics used by ransomware gangs, download the 2025 State of Malware report.