Akamai's latest Ransomware Report 2025 reveals "quadruple extortion," new AI-driven tactics by groups like Black Basta, FunkSec, and TrickBot, and growing threats to non-profits. Learn about evolving cyber threats.

Cybercriminals are escalating their tactics, moving beyond traditional data encryption to employ a more aggressive approach known as quadruple extortion. This alarming trend is explained in the latest Ransomware Report 2025: Building Resilience Amid a Volatile Threat Landscape, released today by Akamai, a leading cybersecurity and cloud computing firm.

The report reveals that while double extortion (a technique where attackers encrypt data and threaten to leak it if a ransom isn’t paid) remains common, the emerging quadruple extortion adds layers of pressure. This includes using distributed denial-of-service (DDoS) attacks to shut down a victim’s operations and harassing third parties, like customers, business partners, or even the media, to increase the demand for payment.

Image via Akamai

“Ransomware threats today aren’t just about encryption anymore,” stated Steve Winterfeld, Advisory CISO at Akamai. He emphasised that attackers are now leveraging “stolen data, public exposure, and service outages to increase the pressure on victims,” turning cyberattacks into major business crises.

The Akamai report also highlights other significant developments in the world of cybercrime. Generative AI and large language models (LLMs) are making it easier for individuals with less technical skill to launch complex ransomware attacks by helping them write malicious code and improve their social engineering techniques. The report specifically notes that groups like Black Basta and FunkSec, along with other RaaS platforms, are quickly adopting AI and evolving their extortion tactics.

Additionally, hybrid groups, combining the motives of hacktivists with ransomware, are increasingly using ransomware-as-a-service (RaaS) platforms. These platforms allow individuals or groups to rent access to ransomware tools and infrastructure, amplifying their impact for a mix of political, ideological, and financial reasons. An example is Dragon RaaS, which emerged in 2024 from the Stormous group, now focusing on smaller, less secure organisations.

The research indicates that certain sectors are particularly vulnerable. Nearly half of all cryptomining attacks, which involve secretly using a victim’s computer resources to mine cryptocurrency, targeted non-profit and educational organisations. This is likely due to these organisations often having fewer resources dedicated to cybersecurity.

****TrickBot: The Malware Behind Hundreds of Millions in Crypto Extortion****

For decades, Trickbot malware has been known for hijacking cryptocurrency transactions, and the financial damage caused by these groups is finally showing up. The TrickBot malware family, widely used by ransomware groups, has alone been responsible for extorting over $724 million in cryptocurrency from victims since 2016.

Although the Trickbot’s infrastructure was dismantled in 2020, Akamai’s Guardicore Hunt Team recently identified its continued suspicious activity on several customer systems.

****How Does TrickBot Infect a Device****

TrickBot malware spreads primarily through phishing emails, which are created to look like legitimate messages from banks, delivery services, or government agencies. These emails include malicious attachments, such as Word or Excel files, or links to compromised websites. When a user opens one of these attachments, they may be prompted to enable macros. If they do, malicious scripts run in the background and quietly install TrickBot on the system.

In addition to phishing, TrickBot can exploit unpatched software vulnerabilities. If a system hasn’t been updated with the latest security fixes, the malware can use those flaws to gain access or spread across the network. It’s also common for TrickBot to be delivered by other malware, especially Emotet or QakBot. These act as loaders, setting up the infection so TrickBot can follow.

Once TrickBot gains access, it harvests login credentials, maps out connected systems, and infects other machines. This infection chain allows it to collect more data and sometimes even deploy ransomware.

James A. Casey, Akamai’s Vice President and Chief Privacy Officer, emphasised the importance of strong cybersecurity measures, incident reporting, and effective risk management strategies, such as Zero Trust and micro-segmentation, to build resilience against these evolving threats. He stressed that organisations must stay updated and adapt their defences to counter the changing tactics of cyber extortion.

TrickBot Behind More Than $724 Million in Crypto Theft and Extortion

Get to know the real people behind cybersecurity’s front lines. In this week’s newsletter, sci-fi meets reality, humanity powers technology and a few surprises are waiting to be discovered.

Thursday, July 24, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

Yesterday, Cisco Talos debuted the first Humans of Talos episode, where I interviewed Hazel Burton, a face and voice you’re probably familiar with. In our conversation, Hazel shared not just the story of how she found her way onto the team, but also the passions and hobbies that energize her work. Plus, she offered a sneak peek into what she’s most looking forward to at Black Hat this year! With future Humans of Talos episodes, you’ll get to learn not only about the people behind the research, but the people behind the communications, operations, and design, too.

My team chose to name the series “Humans of Talos” as a cheeky wink to the world of machine learning (ML) and a reminder that no matter how sophisticated our technology gets, it’s always our humanity that makes the difference. 

I'm a sci-fi nerd who loves a captive audience, so let’s consider Murderbot from Martha Wells’ “The Murderbot Diaries” (now a TV show starring Alexander Skarsgård). Designed as a security unit with both organic and mechanic parts, self-named Murderbot secretly hacks its own governor module and, instead of turning on humans, spends its free time watching soap operas like “The Rise and Fall of Sanctuary Moon." So relatable, right? What draws readers in isn’t its technical specs. It’s Murderbot’s dry humor, awkwardness, struggle with newfound autonomy, and the way it wrestles with what it means to care for others (even if it pretends not to). Despite its past, when it was treated as a piece of equipment rather than a living thing, Murderbot is both highly analytical and empathetic. Advanced technology is most powerful when paired with genuine human creativity and insight, and this is a balance we seek every day at Talos.

If cozy, found family sci-fi is more your vibe, take Lovey (aka Sidra) from Becky Chambers’ “A Long Way to a Small, Angry Planet” and “A Closed and Common Orbit.” Originally an AI managing a tunneling spaceship, Lovey is suddenly transferred into a human-like body kit and faces the challenge of living in a world she was never designed for, which is where her story really gets interesting. She has to learn everything from how to move and act to how to build friendships and find her own purpose. Learning to ask for help, make mistakes and trust the people around us is familiar to many of us in the cybersecurity community. No matter how advanced our tools become, it’s our willingness to learn from each other, collaborate and grow together that truly makes us stronger and better at our work.

So while Talos has practically always used ML in our work, I’ll always say that it is nothing without the humans behind it. We all share one mission: protecting our customers.

Tune into the next episode mid-August, and whether you’re streaming “Sanctuary Moon” or finding your place in the universe like Lovey, stay safe and secure out there!

**The one big thing **

Cisco Talos Incident Response (Talos IR) has identified a new ransomware-as-a-service (RaaS) group called Chaos, which is actively targeting organizations worldwide with sophisticated attacks involving phishing, remote management tool abuse, and double extortion tactics.  

We assess with moderate confidence that Chaos was likely formed by former members of the BlackSuit (Royal) gang. They use advanced encryption, anti-analysis techniques, and target both local and networked systems for maximum disruption. We believe the new Chaos ransomware is unrelated to previous Chaos builder-generated variants, and the group uses the same name to create confusion.   

**Why do I care? **

Chaos is going after organizations of all sizes across verticals using techniques that can bypass common security measures, steal sensitive data and disrupt business operations. Even if you’re not a direct target, your company could be affected if you work with a business that is attacked, or if similar tactics are used against your sector.

**So now what? **

Review your organization’s security posture, especially around email, remote access and backup systems. Make sure you’re using multi-factor authentication, keeping software up-to-date and educating employees about phishing and social engineering.

**Top security headlines of the week **

**Microsoft rushes emergency patch for actively exploited SharePoint “ToolShell” bug**   
Malicious actors already have already pounced on the zero-day vulnerability in Microsoft Sharepoint Server, tracked as CVE-2025-53770, to compromise US government agencies and other businesses in ongoing and widespread attacks. (DarkReading) (Cisco Talos) 

**Europol sting leaves Russian cybercrime's “NoName057(16)” group fractured**   
National authorities have issued seven arrest warrants in total relating to the cybercrime collective known as NoName057(16), which recruits followers to carry out DDoS attacks on perceived enemies of Russia. (DarkReading) 

**Indian crypto exchange CoinDCX confirms $44M stolen during hack**   
On Saturday, CoinDCX co-founder and CEO Sumit Gupta disclosed in a post on X that an internal account was compromised during the hack. The executive assured that the incident did not affect customer funds and that all its customer assets remain secure. (TechCrunch) 

**Ryuk ransomware operator extradited to US, faces five years in federal prison**   
Justice Department officials said the operators received about 1,160 bitcoins — valued at more than $15 million at the time — in ransom payments from victim companies. (CyberScoop)

**Can’t get enough Talos? **

We have lots of videos to share, so queue them up and let’s get learning!

**SnortML in 60 seconds**   
Most detection engines rely on signatures, but when threats evolve or the exploit is brand new, these rules can fall short. **Enter SnortML!** 

**Humans of Talos: Hazel Burton**   
Okay, I know I hammered this into you in the intro, but Hazel is a delight to listen to, and she gives a lot of wonderful insights. **Watch here.**

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV 
*   BlueTeamCon (Sept. 4 – 7) Chicago, IL

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details   
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection

**SHA 256: ee33aaa05be135969d86452a49a8e50a5313efdfc46ae2e7fc8a9af33556046c**   
MD5: 17e33efb1b100397c3a9908df7032da1   
VirusTotal: https://www.virustotal.com/gui/file/ee33aaa05be135969d86452a49a8e50a5313efdfc46ae2e7fc8a9af33556046c/details    
Typical Filename: tacticalrmm.exe   
Claimed Product: N/A   
Detection Name: W32.EE33AAA05B-95.SBX.TG

**SHA 256: 0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442**   
MD5: 7854b00a94921b108f0aed00f77c7833   
VirusTotal: https://www.virustotal.com/gui/file/0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442/details    
Typical Filename: winword.exe   
Claimed Product: Microsoft Word, Excel, Outlook, Visio, OneNote   
Detection Name: W32.0581BD9F0E.in12.Talos

**SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa**   
MD5: df11b3105df8d7c70e7b501e210e3cc3   
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details   
Typical Filename: DOC001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201

**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08**   
MD5: 906282640ae3088481d19561c55025e4   
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08/details   
Typical Filename: AAct\_x64.exe   
Claimed Product: N/A   
Detection Name: PUA.Win.Tool.Winactivator::1201

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details   
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201

BRB, pausing for a "Sanctuary Moon" marathon

Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.

Unmasking the new Chaos RaaS group attacks

National authorities have issued seven arrest warrants in total relating to the cybercrime collective known as NoName057(16), which recruits followers to carry out DDoS attacks on perceived enemies of Russia.

Europol Sting Leaves Russian Cybercrime's 'NoName057(16)' Group Fractured

Hackers are exploiting a new TeleMessage SGNL flaw that exposes sensitive data. CISA warns agencies to patch or stop using it by July 22.

TeleMessage SGNL, a made-in-Israel clone of the Signal app used by US government agencies and regulated businesses, has been found running with an outdated configuration that exposes sensitive internal data to the internet, no login required.

The main cause of the problem is how some deployments of TeleMessage SGNL are using older versions of Spring Boot, a Java-based framework. These versions leave a diagnostic endpoint called /heapdump exposed by default.

When not locked down, this endpoint returns a full memory snapshot of the app, weighing in at around 150MB. These dumps can contain usernames, passwords, session details, and other data that should never be public.

According to cybersecurity researchers at GrayNoise, who identified this exploitation and shared its details with Hackread.com earlier today, say that even though newer Spring Boot releases disable this by default, TeleMessage instances were still running the insecure configuration as late as May 5, 2025.

The vulnerability, tracked as CVE-2025-48927, was added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue on July 14, which also suggests that real-world attacks are already underway.

According to GreyNoise, attackers have wasted no time. As of July 16, at least 11 IPs have been logged attempting to exploit the flaw directly. These are not random pings; they’re specific attempts to retrieve the heap memory from exposed TeleMessage SGNL deployments.

The scanning doesn’t stop there. In the past 90 days, over 2,000 IPs have probed Spring Boot Actuator endpoints in general. More than 1,500 IPs targeted the /health endpoint, often used by attackers to check if an app is built on Spring Boot and potentially misconfigured. This kind of scanning is often a sign that more targeted exploitation could follow.

GreyNoise has created a dedicated tracking tag for this activity. The tag identifies scanning behaviour specific to TeleMessage SGNL instances running with the vulnerable /heapdump endpoint exposed.

****TeleMessage SGNL and Cybersecurity Issues****

Security flaws can surface in any platform, but the issue with TeleMessage is more serious. This is a service built to protect sensitive communication, used by government agencies and enterprise organisations, yet it was left open because of outdated setup choices.

When a platform selling secure communication is involved, these kinds of misconfigurations can damage more than just systems. But, reputational damage is not new at TeleMessage. Back in May 2025, the platform suffered a massive breach after an anonymous hacker broke into its systems. The attacker accessed backend infrastructure and private user messages, forcing the company to take its website offline.

Just days later, on May 13, the CISA added CVE-2025-47729, the vulnerability behind that breach, to its Known Exploited Vulnerabilities (KEV) list. Then things got worse. Distributed Denial of Secrets (DDoSecrets), a nonprofit known for publishing leaked datasets, archived and indexed the entire stolen dataset on its website. That archive contained 410 gigabytes of sensitive data taken from the breach.

****CISA’s Binding Operational Directive****

Under its Binding Operational Directive, CISA has instructed all federal agencies to either apply available patches or stop using the affected software by July 22, 2025. While the directive only applies to federal systems, it’s a strong reminder for any organisation using TeleMessage SGNL to act quickly.

Until confirmed patches are applied, the safer approach is to restrict access or temporarily disable the app in environments handling sensitive communication. Nevertheless, researchers are urging organisations using TeleMessage or Spring Boot for internal services to take this seriously and:

*   Review all Actuator endpoint exposure

*   Disable or restrict access to the /heapdump endpoint immediately

*   Block IPs flagged by GreyNoise that are probing for this vulnerability

*   Upgrade to a supported version of Spring Boot that uses more secure default configurations

New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers

In an operation called Eastwood, authorities arrested two people and shut down more than 100 servers linked to the Russian group NoName057(16).

In a coordinated operation this week, law enforcement from a dozen countries gathered together in an attempt to dismantle the infrastructure of the pro-Russian hacking group known as NoName057(16). The operation, named Eastwood, was led by Europol and Eurojust and included action across Europe and North America.

NoName057(16) has been known for flooding websites with traffic in politically motivated distributed denial-of-service (DDoS) attacks. Their usual targets have ranged from Ukrainian government platforms to critical websites in NATO countries that support Ukraine.

While many of their attackers were disruptive, they rarely caused long-lasting damage due to quick mitigation from targeted organisations. What’s noteworthy is that this group didn’t rely on elite hackers with advanced techniques. Instead, its strength came from numbers. Investigators found more than 4,000 people involved, many of them Russian-speaking with limited technical skills.

The group relied heavily on automation tools and “gamified tactics” to recruit and motivate followers. Some were lured in with cryptocurrency payments and leaderboard-style shoutouts that turned cyberattacks into a form of competitive sport.

According to Europol’s press release, during the joint operation between 14 and 17 July, over 100 servers connected to the group’s operations were taken offline. Authorities also carried out 24 house searches in seven countries, questioned 13 individuals, and made two arrests in France and Spain.

Germany, which has been a major target of the group’s activity, issued six arrest warrants. These include two people accused of being central figures in NoName057(16)’s operations. Seven arrest warrants have been issued in total, all linked to Russian nationals who are now internationally wanted.

Since its emergence, NoName057(16) also targeted countries that backed Ukraine with military or diplomatic support. In Germany alone, 14 waves of DDoS attacks since late 2023 have hit more than 250 organisations. Similar attempts were reported during major political events in Switzerland and the Netherlands, including the NATO summit and the 2024 Ukraine Peace Summit.

The investigators also took a different route to put pressure on low-level participants. More than 1,000 supporters of the network received official warnings via messaging apps, with 15 of them flagged as administrators. The messages reminded them of their individual legal liability under national laws.

Authorities have also pointed out that NoName057(16) doesn’t need a traditional chain of command to keep going. Instead, they used a mix of messaging apps, social media, and online forums to spread attack guides, updates, and propaganda. These channels also recruited individuals, often coming from gaming or low-level hacking communities.

Although Operation Eastwood has disrupted NoName057(16)’s infrastructure, it doesn’t mean the group is finished. Russian-based groups have a track record of rebranding or regrouping and continuing their attacks.

Police Shut Down 100 Servers Tied to Russian NoName057(16), Arrest 2

An international operation coordinated by Europol has disrupted the infrastructure of a pro-Russian hacktivist group known as NoName057(16) that has been linked to a string of distributed denial-of-service (DDoS) attacks against Ukraine and its allies.
The actions have led to the dismantling of a major part of the group's central server infrastructure and more than 100 systems across the world.

Europol Disrupts NoName057(16) Hacktivist Group Linked to DDoS Attacks Against Ukraine

Cloudflare on Tuesday said it mitigated 7.3 million distributed denial-of-service (DDoS) attacks in the second quarter of 2025, a significant drop from 20.5 million DDoS attacks it fended off the previous quarter.
"Overall, in Q2 2025, hyper-volumetric DDoS attacks skyrocketed," Omer Yoachimik and Jorge Pacheco said. "Cloudflare blocked over 6,500 hyper-volumetric DDoS attacks, an average of 71

Hyper-Volumetric DDoS Attacks Reach Record 7.3 Tbps, Targeting Key Global Sectors

Cybersecurity researchers are calling attention to a malware campaign that's targeting security flaws in TBK digital video recorders (DVRs) and Four-Faith routers to rope the devices into a new botnet called RondoDox.
The vulnerabilities in question include CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 DVRs, and CVE-2024-12856, an operating

RondoDox Botnet Exploits Flaws in TBK DVRs and Four-Faith Routers to Launch DDoS Attacks

International Criminal Court faces new "sophisticated" cyberattack in The Hague. Occurring near the NATO summit, this incident impacts the ICC as it handles major global cases.

The International Criminal Court (ICC) recently announced it was hit by a sophisticated cyberattack. The attack, detected late last week, has been contained, and the Court is now assessing its full impact. This incident, publicly confirmed on Monday, marks the second such major cyber security challenge for the ICC in recent years.

****Targeted Attack and Quick Response****

The ICC, located in The Hague, **described the event** as a “sophisticated and targeted cyber security incident.” Its internal alert systems quickly spotted the intrusion, allowing for swift confirmation and containment. An analysis is currently underway to understand the full effects across the Court’s systems. Steps are already being taken to reduce any negative outcomes. The Court emphasizes the importance of informing the public and its member countries about such events and seeks their continued support to maintain its vital work of justice.

****Broader Context and Past Incidents****

This cyberattack happened around the same time as the **NATO summit** in The Hague. During that period, Dutch cybersecurity officials reported various cyberattacks, known as Distributed Denial-of-Service (DDoS) attacks, against local government and other organizations. These attacks, which aim to overwhelm systems with traffic, were claimed by pro-Russian hacker groups.

A **power outage** also disrupted train traffic in the country on June 24, 2025, with authorities investigating possible sabotage. Reportedly, the outage occurred at Schiphol airport in the Netherlands, which disrupted traffic, causing around 30 cables to be damaged due to a fire. This affected trains from Amsterdam, Schiphol, and Utrecht stations, which are 50 kilometers away from NATO leaders’ gathering. The ICC itself experienced a similar “targeted and sophisticated” **cybersecurity incident in 2023**, believed to be an attempt at espionage.

The recent attack also occurs as the ICC is handling several major cases. These include arrest warrants for Russian President Vladimir Putin, Israeli Prime Minister Benjamin Netanyahu, and Hamas leader Ibrahim ‘Deif’ Al-Masri. The Court has faced increased attention following its recent decision to issue arrest warrants for Prime Minister Netanyahu and his former defence minister, Yoav Gallant, regarding Israel’s military actions in Gaza.

In a related development, the Trump administration previously sanctioned the Court’s Chief Prosecutor Karim Khan, who also faced an email access issue with Microsoft in May. US Secretary of State Marco Rubio announced sanctions against four ICC judges in early June, connected to the Court’s investigations and arrest warrants.

Tag

#ddos