{
	"id": "f5865a51-745e-491b-a0c1-50e4921d2f2c",
	"created_at": "2026-04-06T01:29:20.161861Z",
	"updated_at": "2026-04-10T13:11:51.031374Z",
	"deleted_at": null,
	"sha1_hash": "f56a50fe9e55cf77ab8266420cdbe1d43733a3a1",
	"title": "Ransomware | Latest Threats | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 248119,
	"plain_text": "Ransomware | Latest Threats | Microsoft Security Blog\r\nPublished: 2025-10-06 · Archived: 2026-04-06 00:50:31 UTC\r\nRansomware as a service ecosystems make it easier for attackers of any skill to launch effective attacks. Learn how these threats work—and how to detect, contain, and recover from them.\r\nInvestigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability\r\nStorm-1175, a financially motivated actor known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the deserialization vulnerability in GoAnywhere MFT’s License Servlet, tracked as CVE-2025-10035.\r\nStorm-0501’s evolving techniques lead to cloud-based ransomware\r\nFinancially motivated threat actor Storm-0501 has continuously evolved their campaigns to achieve sharpened focus on cloud-based tactics, techniques, and procedures (TTPs).\r\nUnveiling RIFT: Enhancing Rust malware analysis through pattern matching\r\nAs threat actors are adopting Rust for malware development, RIFT, an open-source tool, helps reverse engineers analyze Rust malware, solving challenges in the security industry.\r\nExploitation of CLFS zero-day leads to ransomware activity\r\nMicrosoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets.\r\nCyber Signals Issue 8 | Education under siege: How cybercriminals target our schools\r\nThis edition of Cyber Signals delves into the cybersecurity challenges facing classrooms and campuses, highlighting the critical need for robust defenses and proactive measures.\r\nStorm-0501: Ransomware attacks expanding to hybrid cloud environments\r\nAugust 27, 2025 update: Storm-0501 has continuously evolved to achieve sharpened focus on cloud-based TTPs as their primary objective shifted from deploying on-premises endpoint ransomware to using cloud-based ransomware tactics.\r\nRansomware operators exploit ESXi hypervisor vulnerability for mass encryption\r\nMicrosoft Security researchers have observed a vulnerability used by various ransomware operators to get full administrative access to domain-joined ESXi hypervisors and encrypt the virtual machines running on them.\r\nMoonstone Sleet emerges as new North Korean threat actor with new bag of tricks\r\nMicrosoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that combines many tried-and-true techniques used by other North Korean threat actors, as well as unique attack methodologies to target companies for its financial and cyberespionage objectives.\r\nThreat actors misusing Quick Assist in social engineering attacks leading to ransomware\r\nMicrosoft Threat Intelligence has observed Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks that lead to malware like Qakbot followed by Black Basta ransomware deployment.\r\nOcto Tempest crosses boundaries to facilitate extortion, encryption, and destruction\r\nMicrosoft has been tracking activity related to the financially motivated threat actor Octo Tempest, whose evolving campaigns represent a growing concern for many organizations across multiple industries.\r\nAutomatic disruption of human-operated attacks through containment of compromised user accounts\r\nUser containment is a unique and innovative defense mechanism that stops human-operated attacks in their tracks.\r\nMalware distributor Storm-0324 facilitates ransomware access\r\nThe threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors.\r\nSource: https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/"
	],
	"report_names": [
		"troldesh-ransomware-influenced-by-the-da-vinci-code"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1998ad13-b343-4409-9a37-b1930d156a28",
			"created_at": "2023-09-17T02:00:09.948891Z",
			"updated_at": "2026-04-10T02:00:03.372224Z",
			"deleted_at": null,
			"main_name": "Storm-0324",
			"aliases": [
				"DEV-0324",
				"Sagrid",
				"TA543"
			],
			"source_name": "MISPGALAXY:Storm-0324",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c2f84ab8-e990-4fa8-97db-81eb3166b207",
			"created_at": "2025-10-29T02:00:51.915334Z",
			"updated_at": "2026-04-10T02:00:05.318636Z",
			"deleted_at": null,
			"main_name": "Storm-0501",
			"aliases": [
				"Storm-0501"
			],
			"source_name": "MITRE:Storm-0501",
			"tools": [
				"Impacket",
				"Tasklist",
				"Cobalt Strike",
				"Rclone",
				"Nltest",
				"AADInternals"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "45e6e2b3-43fe-44cd-8025-aea18a7f488f",
			"created_at": "2024-06-20T02:02:09.897489Z",
			"updated_at": "2026-04-10T02:00:04.769917Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Storm-1789",
				"Stressed Pungsan"
			],
			"source_name": "ETDA:Moonstone Sleet",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "28523c53-1944-4ff0-bbdc-89b06e4e3c84",
			"created_at": "2024-11-01T02:00:52.752463Z",
			"updated_at": "2026-04-10T02:00:05.359782Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Moonstone Sleet",
				"Storm-1789"
			],
			"source_name": "MITRE:Moonstone Sleet",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bc98fce-5e1c-46d8-9d1a-64b5cb5febc3",
			"created_at": "2025-04-23T02:00:55.20526Z",
			"updated_at": "2026-04-10T02:00:05.307504Z",
			"deleted_at": null,
			"main_name": "Storm-1811",
			"aliases": [
				"Storm-1811"
			],
			"source_name": "MITRE:Storm-1811",
			"tools": [
				"Black Basta",
				"Cobalt Strike",
				"Quick Assist",
				"BITSAdmin",
				"PsExec",
				"Impacket",
				"QakBot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6a0c148e-64fe-40fa-a35a-4d9a6ddd7fb0",
			"created_at": "2024-10-04T02:00:04.769179Z",
			"updated_at": "2026-04-10T02:00:03.716865Z",
			"deleted_at": null,
			"main_name": "Storm-0501",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0501",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86e3a92b-2e59-4c29-aacb-e84f829f3e95",
			"created_at": "2026-02-03T02:00:03.437562Z",
			"updated_at": "2026-04-10T02:00:03.938623Z",
			"deleted_at": null,
			"main_name": "Storm-1175",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1175",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438960,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f56a50fe9e55cf77ab8266420cdbe1d43733a3a1.pdf",
		"text": "https://archive.orkl.eu/f56a50fe9e55cf77ab8266420cdbe1d43733a3a1.txt",
		"img": "https://archive.orkl.eu/f56a50fe9e55cf77ab8266420cdbe1d43733a3a1.jpg"
	}
}