The ransomware threat landscape is constantly evolving, with increasingly structured groups adopting sophisticated strategies to maximize profits. VanHelsing is a new player positioning itself in the Ransomware-as-a-Service (RaaS) market, a model that enables even cybercriminals with limited expertise to conduct advanced attacks using an automated platform. Following the February 23, 2025 announcement on an underground forum regarding the VanHelsing RaaS affiliate program, the ransomware group has officially published its first possible victim on its Data Leak Site (DLS). Less than a month after its launch, the appearance of the first compromised organization confirms that VanHelsing is now actively operating. Although the DLS

Babuk, one of the most notorious ransomware groups in cybercrime, has launched the Babuk Locker 2.0 Affiliate Program 2025, an affiliate program for skilled hackers looking to profit from ransomware attacks. This program, published on their data leak site, introduces new advanced features and a more structured model for those wishing to join their criminal network. How the Program Works Babuk Locker 2.0 accepts affiliates from all over the world, regardless of language or origin, provided they have experience in penetration testing and compromising IT systems. Their goal is clear: maximize profits through targeted attacks and manage ransom payments more efficiently. The

During our reconnaissance into the underground world and criminal groups conducted by Red Hot Cyber’s threat intelligence laboratory DarkLab, we stumbled upon a Data Leak Site of a cyber gang never monitored before: NightSpire. NightSpire is a new ransomware group that has recently emerged on the cybercrime scene. Although no previous information is available about this actor, an analysis of their data leak site (DLS) and their communication provides some key insights into their strategy and operational methods. The group portrays itself as an unstoppable threat to businesses and promises to exploit every vulnerability to their advantage. Below, we analyze the details

Akira represents one of the most recent ransomware threats capable of bypassing traditional organizational defense mechanisms. A recent case analyzed by the S-RM team highlighted how this group leveraged an unprotected webcam to deploy its payload, evading the defenses of an Endpoint Detection and Response (EDR) system. The Initial Modus Operandi The attack began with the compromise of the victim’s network through an internet-exposed remote access solution. Once inside, Akira deployed AnyDesk.exe, a remote management tool, to maintain control over the environment and proceed with data exfiltration. During the later stages of the attack, the attackers used the Remote Desktop Protocol (RDP)

The Qilin Ransomware group claims to have compromised the systems of Ukraine’s Ministry of Foreign Affairs, stealing private correspondence, personal information, and official decrees. According to the attackers, some of this data has already been sold to third parties. At the moment, it is not possible to confirm the veracity of these statements because the organization has not yet released any official press statement on its website regarding the incident. Consequently, the information presented in this article should be treated solely as an intelligence source. Details of the Alleged Breach Status of the Investigation Conclusions At present, the alleged breach claimed by