For some reason people are sharing llm garbage instead of the real chat logs for black basta. Here are the real logs and the telegram channel they're being shared in: https://t[.]me/shopotbasta/21

CTI is a team sport. Not a secret boys club. Sharing is caring.

Law enforcement confirm they did a takedown of 8base ransomware group. You heard it here on Mastodon first thanks to @cR0w

https://techcrunch.com/2025/02/10/global-police-operation-seizes-8base-ransomware-gang-leak-site/

8base ransomware group has apparently been seized or done an exit scam.

Two of its Tor portals say "This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg"

They had been hitting some high profile targets in recent times.

HT @cR0w

The New York Blood Center was already having a blood shortage emergency and then they got hit with a ransomware attack.

Whoever hit them: please, please, please: you are putting more lives at risk every day. Give them a decryptor.

ENGlobal Corporation has filed an updated 8K with the SEC to say they have evicted the ransomware actor from their network and restored service, two months later.

https://www.sec.gov/ix?doc=/Archives/edgar/data/933738/000165495425000798/eng_8ka.htm

Cl0p have started publishing the stolen Cleo MFT data. Have confirmed with one of the victim orgs it came from their Cleo server.

I didn't realize #cl0p started posting their latest victims. Everything else listed is supposedly getting published Friday 24 January.

#Ransomware threat actors are increasingly abusing AWS's Server-Side Encryption (SSE-C) to encrypt S3 buckets without needing to drop malware. Most recently a TA known as #Codefinger is using this technique.

🕵 Make sure you're monitoring S3 and encryption activity via CloudTrail & GuardDuty.

https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c
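A defender-side illustration of the CloudTrail monitoring the post recommends, as an added example that is not from the post or the linked Halcyon write-up. The events are constructed, and the SSE-C markers it keys on (the x-amz-server-side-encryption-customer-algorithm request parameter and additionalEventData.SSEApplied equal to SSE_C) are assumptions about the CloudTrail S3 data-event schema that should be checked against your own logs.

```python
import json
from collections import Counter

# Constructed CloudTrail S3 data-event records (not real logs). The SSE-C
# indicators below are assumptions about the schema; verify on real events.
SAMPLE_EVENTS = json.loads("""[
 {"eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-svc"},
  "requestParameters":{"bucketName":"corp-finance","key":"q4/ledger.xlsx",
   "x-amz-server-side-encryption-customer-algorithm":"AES256"},
  "additionalEventData":{"SSEApplied":"SSE_C"}},
 {"eventName":"CopyObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-svc"},
  "requestParameters":{"bucketName":"corp-finance","key":"q4/payroll.csv",
   "x-amz-server-side-encryption-customer-algorithm":"AES256"},
  "additionalEventData":{"SSEApplied":"SSE_C"}},
 {"eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-svc"},
  "requestParameters":{"bucketName":"corp-finance","key":"q4/board.pptx"},
  "additionalEventData":{"SSEApplied":"SSE_C"}},
 {"eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/app-writer"},
  "requestParameters":{"bucketName":"corp-finance","key":"uploads/a.pdf"},
  "additionalEventData":{"SSEApplied":"SSE_S3"}},
 {"eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/reader"},
  "requestParameters":{"bucketName":"corp-finance","key":"q4/ledger.xlsx",
   "x-amz-server-side-encryption-customer-algorithm":"AES256"}}
]""")

SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"
# Operations that write (or overwrite) object data; a GetObject with SSE-C
# is a read of an already-encrypted object and is not a write.
WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart", "CompleteMultipartUpload"}

def is_sse_c(event):
    """True if either SSE-C marker is present on the event."""
    rp = event.get("requestParameters") or {}
    aed = event.get("additionalEventData") or {}
    return SSE_C_HEADER in rp or aed.get("SSEApplied") == "SSE_C"

def find_sse_c_writes(events):
    """Return (principal ARN, bucket, key) for every SSE-C write event."""
    hits = []
    for ev in events:
        if ev.get("eventName") in WRITE_EVENTS and is_sse_c(ev):
            rp = ev.get("requestParameters") or {}
            hits.append((ev["userIdentity"]["arn"], rp.get("bucketName"), rp.get("key")))
    return hits

def burst_principals(events, threshold=2):
    """Principals with >= threshold SSE-C writes: the mass re-encryption pattern."""
    counts = Counter(arn for arn, _, _ in find_sse_c_writes(events))
    return {arn: n for arn, n in counts.items() if n >= threshold}
```

Feed it the Records array from a CloudTrail delivery file; a normally quiet principal suddenly appearing in burst_principals is the signal worth paging on.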

Space Bears changed their ATOS page to say "SOLD", which feels like it's not true given they never provided proof.

With prior victims they provided download links which had legit data, so they've damaged their reputation over this one.

The Brain Cipher #ransomware gang has begun to leak documents stolen in an attack on Rhode Island's "RIBridges" social services platform☝️☠️ #cybercrime

So Atos got the "company database" element from the updated Space Bears post - since the original post (as captured by @Ransomlook) they added a file list bit.

Generally speaking, Space Bears are quite descriptive about what they've taken - which they haven't been here.

Statement from ATOS: they say they are basically unaware of a security incident on their end.

The Space Bears claim makes no reference to a database, so I don’t know where ATOS have got that from.

Space Bears ransomware group are claiming they have breached Atos Business Services France aka Atos SE, aka Eviden, aka the businesses formerly known as Appcentrica, Cloudreach, Edifixio, Engage ESM, Maven Wave, Syntel and Visual BI.

The Termite download site is back up. In terms of Blue Yonder, there's 220k files for download across about 700 GB of data.

I don't know if this is not news, but it is to me - there are a few ransomware groups using Session messenger (https://getsession.org) nowadays. And yes, the chats are being monitored.

The Termite ransomware group's download site has mysteriously been offline for several days.

BT Americas didn't pay their ransom (good for them btw), their BT Conferencing data was released. It's just a small business unit, I doubt anybody cares.

Termite ransomware group appear to have quietly published some Blue Yonder content, on 13th December.

Deloitte are involved in (another?) ransomware incident, it is unclear if this is the Brain Cipher one.

https://www.reuters.com/technology/cybersecurity/rhode-island-hit-by-data-breach-hackers-demand-ransom-2024-12-15/

Blue Yonder update, they say a significant majority of customers have service restored after 23 days, and they’re working with the rest.

And yes, that’s Mastodon beating the media by 5 days again.

Watsonville Hospital has now been added to Termite ransomware’s portal. I guess they can finally admit it’s not an IT fault.

Congrats to DarkSide, Conti, REvil, ALPHV and LockBit, among others, for being recognized by Congress in the NDAA as hostile foreign cyber actors benefiting a designated country.

Krispy Kreme has filed an 8K with the SEC for a cybersecurity incident. They say it will have a material impact on their business.

I have been tracking a ransomware group which I believe gained access to them in that timeframe.

https://www.sec.gov/ix?doc=/Archives/edgar/data/1857154/000185715424000123/dnut-20241211.htm

After my toot Cleo have issued a public advisory, they're saying versions up to 5.8.0.23 (not out yet) are impacted.

In terms of threat intel, the ransomware operators I know of only have an exploit for the Windows versions, not Linux.

https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Peding