Customer hit by ransomware attack
Incident
Summary
A customer environment was breached by RansomHub affiliates, and the compromise was contained before ransomware was deployed, preventing business interruption. The attackers progressed from initial access to persistence, privilege escalation, and mass data exfiltration. The incident was stopped within 48 hours, and the customer reported zero business downtime. That matters because the intrusion was already active enough to reach Domain Admin access and steal data.
Related Happenings
Charter Communications hit by network compromise linked to ShinyHunters
Incident
First: 26.05.2026 22:46
Last: 26.05.2026 22:46
Sources 1
About this happening:
**Charter Communications** confirmed a **data breach** tied to **ShinyHunters** extortion, raising the risk of customer-data exposure and active follow-on pressure. The company sa...
Microsoft civil action against Fox Tempest infrastructure takedown
Regulatory/Legal Action
First: 19.05.2026 18:00
Last: 19.05.2026 18:00
Sources 1
About this happening:
Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...
Pay2Key ransomware activity with enhanced evasion and anti-forensics
Malware Activity
First: 26.03.2026 12:45
Last: 26.03.2026 12:45
Sources 1
About this happening:
**Pay2Key** has re-emerged as a **ransomware** threat with enhanced **evasion, execution and anti-forensics** capabilities, increasing the difficulty of detection and response. Th...
Latest development: 31.03.2026 16:31
Iran has revived Pay2Key by recruiting affiliates from Russian cybercriminal forums and positioning the ransomware operation as a punitive arm of the Iranian state against high-impact US targets. KELA says the activity blends ransomware, pseudo-ransomware, and destructive wiper-like behavior, and that Iran-backed APT Agrius is also using Apostle malware, retrofitted from a data wiper into a ransomware variant, to obscure geopolitical motives.
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Target Trend
First: 17.03.2026 23:41
Last: 17.03.2026 23:41
Sources 1
About this happening:
**Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
Optimizely hit by network compromise
Incident
First: 23.02.2026 20:04
Last: 23.02.2026 20:04
Sources 1
About this happening:
**Optimizely** confirmed a **voice-phishing breach** that exposed **basic business contact information**, creating a limited but real follow-on phishing risk. The intrusion touche...
Timeline
11.11.2025 17:01 · 2 articles
Customer hit by ransomware attack
Initial Disclosure: A user launched a **malicious JavaScript payload** posing as a browser update, triggering immediate reconnaissance, credential hunting, and persistence activity inside the environment.
- How a CPU spike led to uncovering a RansomHub ransomware attack — www.bleepingcomputer.com — 11.11.2025 17:01