Shira Landau@Email Security - Blog
//
The FBI has issued a warning regarding a new data extortion scam where criminals are impersonating the BianLian ransomware group. These fraudsters are sending physical letters through the United States Postal Service to corporate executives, claiming their networks have been breached. The letters demand Bitcoin payments in exchange for preventing the release of sensitive company data.
Analysis suggests these letters are fraudulent, and organizations, particularly within the US healthcare sector, are advised to report such incidents to the FBI. Security vendors, including Arctic Wolf and Guidepoint Security, have studied these letters and believe the campaign is a ruse by someone pretending to be BianLian. The letters mimic conventional ransom notes, demanding payments of between $250,000 to $350,000 within 10 days.
This activity highlights the evolving tactics of cybercriminals who are now employing postal mail to target high-profile individuals in an attempt to extort money under false pretenses. The FBI urges companies to implement internal protocols for verifying ransom demands and to remain vigilant against these deceptive practices. It’s crucial for organizations to discern fake attacks from real ones amidst the increasing complexity of cybercrime.
Recommended read:
References :
- Arctic Wolf: Self-Proclaimed “BianLian Group� Uses Physical Mail to Extort Organizations
- CyberInsider: Fake BianLian Ransom Notes Delivered to Executives via Post Mail
- DataBreaches.Net: Bogus ‘BianLian’ Gang Sends Snail-Mail Extortion Letters
- www.csoonline.com: Ransomware goes postal: US healthcare firms receive fake extortion letters
- PCMag UK security: Businesses Are Receiving Snail Mail Ransomware Threats, But It's a Scam
- BrianKrebs: Someone has been snail mailing letters to various businesses pretending to be the BianLian ransomware group.
- Cyber Security News: FBI Warns of Data Extortion Scam Targeting Corporate Executives
- gbhackers.com: FBI Warns: Threat Actors Impersonating BianLian Group to Target Corporate Executives
- techcrunch.com: There is no confirmed link between the campaign and the actual BianLian ransomware group, making this an elaborate impersonation.
- thecyberexpress.com: FBI Issues Urgent Warning About Data Extortion Scam Targeting Corporate Executives
- Email Security - Blog: The U.S. Federal Bureau of Investigation (FBI) has recently released an urgent advisory pertaining to a sophisticated email-based extortion campaign.
- Threats | CyberScoop: The FBI is warning business leaders about the scam perpetrated by an unidentified threat group.
- gbhackers.com: The novel approach highlights a shift in extortion tactics.
- Vulnerable U: Executives Receive Fake Snail Mail BianLian Ransomware Notes
- Malwarebytes: Ransomware threat mailed in letters to business owners
- www.scworld.com: The FBI is warning of a ransomware operation targeting C-suite executives via the US Postal Service.
- Cyber Security News: Fake BianLian Ransom Scams Target U.S. Firms Through Mailed Letters
- borncity.com: CISA warning: Cyber criminals (BianLian Groupe) attempt to blackmail executives
- Jon Greig: The FBI warned executives of a new scam where people claiming to be part of the BianLian ransomware gang are mailing physical letters with threats Arctic Wolf said it is aware of at least 20 organizations or executives who have received these letters
- Kali Linux Tutorials: Cyber Threat Group Sends Paper-Based Extortion Letters
- The DefendOps Diaries: Cybercriminals exploit YouTube's copyright system to extort creators, spreading malware and demanding ransoms.
- www.bleepingcomputer.com: Cybercriminals are sending bogus copyright claims to YouTubers to coerce them into promoting malware and cryptocurrency miners on their videos.
@ofac.treasury.gov
//
North Korean IT workers are increasingly engaging in aggressive extortion tactics against companies that unknowingly hired them. The FBI and Mandiant have issued warnings about these workers, who exploit remote access to steal sensitive data and demand ransom payments. After being discovered, some of these workers hold stolen data and proprietary code hostage, threatening to publicly release it if demands are not met. There have also been reports of workers attempting to steal code repositories, company credentials, and session cookies for further compromise.
This escalation in tactics is attributed to increased law enforcement action, sanctions, and media coverage, which have impacted the success of their schemes. The US Department of Justice has indicted several individuals, including North Korean nationals, for their involvement in elaborate "laptop farm" schemes. These schemes involve using stolen identities, forged documents and remote access software to deceive companies into hiring North Korean IT workers and generating revenue for the DPRK regime. The indicted individuals are accused of generating over $800,000, which was then laundered, highlighting the sophistication and reach of this cybercrime operation.
Recommended read:
References :
- ciso2ciso.com: North Korean Fake IT Workers More Aggressively Extorting Enterprises
- Cyber Security News: North Korean IT Workers Demands Ransomware By Stealing Companies Source Codes
- securityonline.info: North Korean IT Workers Indicted in Elaborate “Laptop Farm� Scheme to Evade Sanctions
- www.justice.gov: This highlights the evolving cybercrime tactics of North Korea
- ciso2ciso.com: North Korean Fake IT Workers More Aggressively Extorting Enterprises
- cybersecuritynews.com: North Korean IT Workers Demands Ransomware By Stealing Companies Source Codes
- www.bleepingcomputer.com: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them.
- Techmeme: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them (Sergiu Gatlan/BleepingComputer)
- oodaloop.com: DoJ nabs five suspects in North Korean remote worker scheme
- www.computerworld.com: DOJ indicts North Korean conspirators for remote IT work scheme
- CSO Online: DOJ indicts North Korean conspirators for remote IT work scheme
- The420.in: FBI Warns: North Korean Hackers Stealing Source Code to Extort Employers
- ciso2ciso.com: DOJ indicts North Korean conspirators for remote IT work scheme
- www.the420.in: FBI Warns: North Korean Hackers Stealing Source Code to Extort Employers
- Pyrzout :vm:: DOJ indicts North Korean conspirators for remote IT work scheme – Source: www.computerworld.com
- Techmeme: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them (Sergiu Gatlan/BleepingComputer)
- ciso2ciso.com: US Charges Five People Over North Korean IT Worker Scheme – Source: www.securityweek.com
- www.helpnetsecurity.com: North Korean IT workers are extorting employers, FBI warns
- The Register: North Korean dev who renamed himself 'Bane' accused of IT worker fraud scheme
- The Register - Security: North Korean dev who renamed himself 'Bane' accused of IT worker fraud scheme
- ciso2ciso.com: North Korean dev who renamed himself ‘Bane’ accused of IT worker fraud scheme – Source: go.theregister.com
- Techmeme: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them (Sergiu Gatlan/BleepingComputer)
- Help Net Security: North Korean IT workers are extorting employers, FBI warns
Amar Ćemanović@CyberInsider
//
Japanese telecom giant NTT Communications has confirmed a data breach impacting nearly 18,000 corporate customers. The company discovered unauthorized access to its internal systems on February 5, 2025. Hackers are reported to have accessed details of these organizations, potentially compromising sensitive data.
The stolen data includes customer names, contract numbers, phone numbers, email addresses, physical addresses, and information on service usage belonging to 17,891 organizations, according to NTT Com. While NTT Com has restricted access to compromised devices and disconnected another compromised device, the specific nature of the cyberattack and the identity of the perpetrators remain unknown. It’s not yet known how many individuals had personal data stolen.
Recommended read:
References :
- Carly Page: Japanese telecom giant NTT Communications says hackers stole the data of almost 18,000 corporate customers during a February cyberattack. It’s not yet known how many individuals had personal data stolen or who was behind the NTT breach
- CyberInsider: NTT Communications Suffers Data Breach Impacting 18,000 Companies
- BleepingComputer: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
- techcrunch.com: Unidentified hackers breached NTT Com’s network to steal personal information of employees at thousands of corporate customers
- bsky.app: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
- The DefendOps Diaries: Lessons from the NTT Data Breach: A 2025 Perspective
- bsky.app: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
- www.scworld.com: NTT Communications says hackers stole the data of almost 18,000 corporate customers during a February cyberattack
- securityaffairs.com: Japanese telecom giant NTT suffered a data breach that impacted 18,000 companies
- The420.in: Japanese Telecom Giant NTT Suffers Data Breach, Impacting 18,000 Companies
- www.it-daily.net: The Japanese ICT provider NTT Communications (NTT Com) has admitted to a serious security breach that resulted in the loss of information on a total of 17,891 corporate customers.
- www.scworld.com: Nearly 18K orgs' data compromised in NTT Communications hack
@cyberalerts.io
//
Europol has issued a warning about the escalating use of Artificial Intelligence by organized crime groups, detailed in its EU-SOCTA 2025 report. Criminal networks are increasingly exploiting AI to automate tasks, expand their operations, and evade law enforcement, making their activities harder to detect. The agency highlights how the inherent accessibility, adaptability, and sophistication of AI render it a potent tool for criminals, who are leveraging it for cyberattacks, AI-driven fraud, and the weaponization of digital technologies.
The report emphasizes that nearly every type of serious crime now has a digital component, with the internet becoming the primary theater for organized crime and data serving as the new currency of power. Criminal networks are also increasingly acting as proxies in the service of hybrid threat actors, cooperating with state-aligned entities for mutual benefit. This dangerous trend also weakens the EU’s institutions and social fabric, with Europol revealing how the European criminal underworld is evolving, posing a growing threat to security and stability.
Recommended read:
References :
- The Register - Security: Mobsters now overlap with cybercrime gangs and use AI for evil, Europol warns
- iHLS: This is How AI Technology Amplifies Organized Crime Threats
- Help Net Security: How AI, corruption and digital tools fuel Europe’s criminal underworld
- thecyberexpress.com: The Cyber Express covers the EU’s organized crime landscape in 2025.
@www.reliaquest.com
//
ReliaQuest researchers are warning that the BlackLock ransomware group is poised to become the most prolific ransomware-as-a-service (RaaS) operation in 2025. BlackLock, also known as El Dorado, first emerged in early 2024 and quickly ascended the ranks of ransomware groups. By the fourth quarter of 2024, it was already the seventh most prolific group based on data leaks, experiencing a massive 1,425% increase in activity compared to the previous quarter.
BlackLock's success is attributed to its active presence and strong reputation within the RAMP forum, a Russian-language platform for ransomware activities. The group is also known for its aggressive recruitment of traffers, initial access brokers, and affiliates. They employ double extortion tactics, encrypting data and exfiltrating sensitive information, threatening to publish it if a ransom is not paid. Their custom-built ransomware targets Windows, VMWare ESXi, and Linux environments.
Recommended read:
References :
- AAKL: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
- Christoffer S.: ReliaQuest Inside the World’s Fastest Rising Ransomware Operator - BlackLock Somewhat of a deep dive into a relatively new RaaS (BlackLock), a very active group both on RAMP and with adding new victims to their leaksite.
- www.helpnetsecurity.com: BlackLock ransomware onslaught: What to expect and how to fight it
- www.reliaquest.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock
- Help Net Security: In-depth analysis of the BlackLock ransomware group and their operational methods.
- www.infosecurity-magazine.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
- cyberpress.org: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems
- gbhackers.com: BlackLock Ransomware Targets Windows, VMware ESXi, & Linux Environments
- Cyber Security News: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems
- gbhackers.com: BlackLock Ransomware Targets Windows, VMware ESXi, & Linux Environments
do son@Daily CyberSecurity
//
FunkSec, a new ransomware group, has quickly risen to prominence since late 2024, claiming over 85 victims in its first month, more than any other group during the same period. This four-member team operates as a ransomware-as-a-service (RaaS), but has no established connections to other ransomware networks. FunkSec uses a blend of financial and ideological motivations, targeting governments and corporations in the USA, India and Israel while also aligning with some hacktivist causes, creating a complex operational profile. The group employs double extortion tactics, breaching databases and selling access to compromised websites.
A key aspect of FunkSec's operations is their use of AI to enhance their tools, such as developing malware, creating phishing templates, and even a chatbot for malicious activities. The group developed a proprietary AI tool called WormGPT for desktop use. Their ransomware is advanced using multiple encryption methods, and is able to disable protection mechanisms while gaining administrator privileges. They claim that AI contributes to only about 20% of their operations; despite their technical capabilities sometimes revealing inexperience, the rapid iteration of their tools suggests the AI assistance lowers the barrier for new actors in cybercrime.
Recommended read:
References :
- : Check Point Research : The FunkSec ransomware group emerged in late 2024 and published over 85 victims in December, surpassing every other ransomware group that month.
- malware.news: Malware News article about FunkSec.
- research.checkpoint.com: FunkSec – Alleged Top Ransomware Group Powered by AI
- The Hacker News: AI-Driven Ransomware FunkSec Targets 85 Victims Using Double Extortion Tactics
- osint10x.com: New amateurish ransomware group FunkSec using AI to develop malware
- securityonline.info: FunkSec: The Rising Ransomware Group Blurring the Lines Between Cybercrime and Hacktivism
- securityonline.info: SecurityOnline article on FunkSec.
- osint10x.com: Threat Actor Interview: Spotlighting on Funksec Ransomware Group
- training.invokere.com: FunkSec – Alleged Top Ransomware Group Powered by AI
- Osint10x: Threat Actor Interview: Spotlighting on Funksec Ransomware Group
- blog.checkpoint.com: Meet FunkSec: A New, Surprising Ransomware Group, Powered by AI
- Virus Bulletin: Check Point researchers explore FunkSec’s ties to hacktivist activity and provide an in-depth analysis of the group’s public operations and tools, including a custom encryptor.
- ciso2ciso.com: New Ransomware Group Uses AI to Develop Nefarious Tools – Source: www.infosecurity-magazine.com
- www.the420.in: First AI-Driven Ransomware ‘FunkSec’ Claims Over 80 Victims in December 2024
- ciso2ciso.com: Inexperienced actors developed the FunkSec ransomware using AI tools – Source: securityaffairs.com
Mandvi@Cyber Security News
//
AI has become a powerful weapon for cybercriminals, enabling them to launch attacks with unprecedented speed and precision. A recent CrowdStrike report highlights the increasing sophistication and frequency of AI-driven cyberattacks. Cybercriminals are leveraging AI to automate attacks, allowing them to be launched with minimal human intervention, which leads to an increase of network penetrations and data theft.
AI's ability to analyze large datasets and identify patterns in user behavior allows cybercriminals to develop more effective methods of stealing credentials and committing fraud. For example, AI can predict common password patterns, making traditional authentication methods vulnerable. AI-powered tools can generate highly personalized phishing emails, making them almost indistinguishable from legitimate communications and greatly increasing the profitability of cyberattacks.
Recommended read:
References :
- Cyber Security News: AI Emerges as a Potent Tool for Cybercriminals to Accelerate Attacks
- gbhackers.com: AI Becomes a Powerful Weapon for Cybercriminals to Launch Attacks at High Speed
- www.cysecurity.news: CrowdStrike Report Reveals a Surge in AI-Driven Threats and Malware-Free Attacks
|
|
DeeperML - #cybercrime