
Ransomware Surge in Europe Signals Potential US Threat

1 unique source, 1 article

Summary


Europe's ransomware infection rate has surged to three to four times higher than that of the United States. This trend, driven by pro-Russian hacktivist groups and ransomware-as-a-service (RaaS) affiliates, targets critical infrastructure, airports, media, and government networks. The increase in attacks exploits basic security oversights and highlights the need for improved cybersecurity measures in the US. The surge in Europe serves as a warning for US defenders, who must prepare for similar threats by addressing vulnerabilities, preparing for data exposure, and recognizing that all organizations, regardless of size, are potential targets. The evolving tactics of ransomware actors, including data exfiltration and public extortion, necessitate proactive security measures and transparent incident response strategies.

Timeline

  1. 20.08.2025 17:00 · 1 article · 1mo ago

    Ransomware Surge in Europe Targets Critical Infrastructure

    Over the past year, Europe has seen a 28.5% spike in malware infections on business PCs. Pro-Russian hacktivist groups and RaaS affiliates are targeting critical infrastructure, airports, media, and government networks. The attacks exploit basic security oversights, including unpatched systems, exposed remote desktop ports, outdated firewalls, and poor credential hygiene. This surge serves as a warning for US defenders, who must prepare for similar threats by addressing vulnerabilities and recognizing that all organizations are potential targets.


Similar Happenings

U.S. sanctions cyber scam operations in Southeast Asia

The U.S. Department of the Treasury has sanctioned several large cyber scam networks in Southeast Asia, primarily in Burma and Cambodia. These operations, which used forced labor and human trafficking, stole over $10 billion from Americans in 2024, a 66% increase from the previous year. The scams included romance baiting and fake cryptocurrency investments. The sanctions target individuals and entities linked to the Karen National Army (KNA) and various organized crime networks. The sanctions block these entities from the U.S. financial system, freeze their U.S.-based assets, and limit their access to international financial services. The move aims to disrupt the operations and impose legal and financial consequences on the perpetrators. The cybercriminal syndicates in Southeast Asia net nearly $40 billion annually in illicit profits. The U.S. actions are part of a broader effort to degrade the infrastructure supporting these scams and punish the system enabling their crimes.

Akira and Cl0p Lead Most Active Ransomware-as-a-Service Groups in 2025

The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024. Akira and Cl0p are the most active ransomware-as-a-service (RaaS) groups, with manufacturing, technology, and the US the most heavily targeted sectors and country. The RaaS model enables lower-skilled actors to launch attacks, contributing to the surge. New tactics include pure extortion, AI-assisted phishing, and exploitation of SonicWall SSL VPN vulnerabilities. Akira has targeted SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766, an improper access control issue in SonicWall firewalls) together with misconfigurations, leading to increased threat activity and unauthorized access. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of vulnerable Australian organizations through SonicWall devices. Over the past three months, Akira attacks have driven a surge in exploitation of CVE-2024-40766; this renewed exploitation has been linked to incomplete remediation and misconfigurations, and SonicWall advises immediate patching and additional security measures. Akira operators are targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option. Arctic Wolf observed dozens of incidents tied to VPN client logins from VPS hosting providers, network scanning, Impacket SMB activity, and Active Directory discovery. Akira's dwell times are among the shortest recorded for ransomware, measured in hours. Akira affiliates leveraged pre-installed, legitimate utilities to evade detection, using the Datto RMM tool on a domain controller to execute a PowerShell script and gain full control of the server. The attackers modified registry keys to evade detection, turned off security features, and dropped various files, including scripts that modified firewall rules.

Emergence of AI-Powered Ransomware Strain PromptLock

A new AI-powered ransomware strain, named PromptLock, has been identified by ESET researchers. It leverages an AI model to generate Lua scripts on the fly, complicating detection and defense. PromptLock is not yet active in the wild but is nearly ready for deployment. It can exfiltrate files and encrypt data, with plans to add file destruction capabilities. The sample was uploaded to VirusTotal from the United States and is written in Go, targeting Windows, Linux, and macOS systems. The Bitcoin address used for ransom payments is linked to Satoshi Nakamoto. The development of AI-driven ransomware presents new challenges for defenders. The strain was discovered by Anton Cherepanov and Peter Strycek, who shared their findings on social media 18 hours after detecting samples on VirusTotal. The use of AI in ransomware introduces variability in indicators of compromise (IoCs), making detection more difficult. PromptLock uses the SPECK 128-bit encryption algorithm to lock files and can generate custom ransom notes based on the files affected and the type of infected machine. The attacker can establish a proxy or tunnel from the compromised network to a server running the Ollama API with the gpt-oss-20b model.

Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). Conducted from June to August 2025, it involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. The operation was supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Group-IB provided circumstantial intelligence on a cryptocurrency investment scam and BEC campaigns, while TRM Labs pursued leads tied to the Bl00dy ransomware group in Ghana and RansomHub. Notable actions included dismantling 25 cryptocurrency mining centres in Angola, confiscating 45 illicit power stations, and disrupting an online investment fraud operation in Zambia with 65,000 victims and $300 million in losses. Additionally, a transnational inheritance scam originating in Germany was disrupted, with losses estimated at $1.6 million. Nigeria deported 102 foreign nationals convicted of cyber terrorism and internet fraud. Earlier, Operation Red Card in March 2025 resulted in the arrest of 306 suspects and the confiscation of 1,842 devices. The operation was part of the 'African Joint Operation against Cybercrime.' Participating countries included Seychelles, Tanzania, Ghana, Kenya, and others. Operation Serengeti 2.0 is one of a series of multi-month investigations and arrests highlighted by Interpol. The original Operation Serengeti involved two months of investigations with the African Union's Afripol and raids against 1,006 suspects in September and October 2024. In 2022, Interpol and 27 African nations conducted joint investigations as part of Operation Cyber Surge, following up in April 2023 with Operation Cyber Surge II. These joint investigations also aim to train local law enforcement and prosecutors, who Interpol has noted are often hard-pressed to meet the technical demands of cybercrime prosecutions. More broadly, the race is to deter cybercrime, redirect young people into more productive activities, and train law enforcement before the cybercriminals outpace them.

Storm-0501 Ransomware Campaign Targets Hybrid Cloud Environments

In late 2024, the threat group Storm-0501 compromised hybrid cloud environments across multiple sectors, including government, manufacturing, transportation, law enforcement, schools, and healthcare. The group has been active since 2021, utilizing various ransomware-as-a-service (RaaS) strains. Storm-0501 exploited compromised credentials and overprivileged accounts to move laterally between cloud and on-premises environments, aiming to generate revenue through a ransomware affiliate scheme. This campaign highlights the challenges of maintaining a consistent security posture across multicloud and hybrid-cloud environments. The attack underscores the need for unified security platforms and consistent policies to disrupt attack chains. Organizations struggle to manage multiple cloud environments because of inconsistent identity and access controls, tool sprawl, and the complexity of multicloud security architectures. The campaign also shows the importance of gaining visibility into cloud events and establishing a strong security culture to manage multicloud environments effectively. Storm-0501's tactics include cloud-based ransomware attacks that exploit native capabilities of victim environments, compromising devices not connected to Microsoft Defender and gaining domain administrator privileges. The group used Azure tools to map relationships and permissions, and targeted a second tenant by leveraging a non-human identity assigned the Global Administrator role with no MFA. Storm-0501 has refined its tactics to conduct data exfiltration and extortion attacks, leveraging cloud-native capabilities to exfiltrate large volumes of data, destroy data and backups, and demand ransom without relying on traditional malware deployment.