Why Zero-Day Downstream Mass Data Extortion Campaigns are Losing Their Bite

Q4 of 2025 was marked by the latest large-scale data theft campaign by the CL0P ransomware gang, this time exploiting a zero-day vulnerability in Oracle E-Business Suite (EBS). The campaign came from a playbook CL0P pioneered nearly five years ago. The strategy involves: purchase a zero-day exploit for a widely used enterprise file transfer or data storage appliance, compromise as many instances as possible before detection, exfiltrate as much data as possible from as many downstream customers as possible, and finally monetize the attack at scale by extorting each unique downstream party.
Bill Siegel

CEO & Co-founder of Coveware

Nitrogen Ransomware Bug

Nitrogen ransomware was derived from the previously leaked Conti 2 builder code and is similar to other Conti-based ransomware, but a coding mistake in its ESXi malware causes it to encrypt files with the wrong public key, irreversibly corrupting them. In practice, this means even the threat actor can’t decrypt affected files. If victims don’t have viable backups, they have no way to recover ESXi-encrypted servers. Paying a ransom won’t help in these cases, because any decryption key or tool the attacker provides won’t work.
Bill Siegel

CEO & Co-founder of Coveware

Obscura Ransomware: A Case Study in Ransomware Data Loss

“If you pay a ransom, will you get your files back?” It’s a ubiquitous question that the majority of security blogs and vendor surveys fail to answer correctly. A quick search online will yield a dozen contradictory statistics. Why is this such a difficult question to answer? The truth is that outcome statistics vary dramatically from case to case, and broad averages are useless for making real-time, critical decisions.
Bill Siegel

CEO & Co-founder of Coveware

The Organizational Structure of Ransomware Threat Actor Groups is Evolving Before Our Eyes

As we approach the one-year anniversary of two prominent ransomware group collapses (LockBit and BlackCat/ALPHV), we find the ransomware ecosystem to be as fractured and uncertain as it was in the months following these events. The Ransomware-as-a-Service (RaaS) model remains irreversibly tarnished after the groups that pioneered this framework were exposed as being fraught with infighting, deception, lost profits, and compromised anonymity for their affiliates. Joint law enforcement actions over the last year have systematically impaired the resources ransomware actors depend on to operate. In the case of domestic threats, law enforcement efforts have even put a number of bad actors behind bars. While certain groups persist and new names continue to trickle in and out of the ransom-sphere, ...
Bill Siegel

CEO & Co-founder of Coveware

Will Law Enforcement Success Against Ransomware Continue in 2025?

Throughout 2024, law enforcement agencies worldwide intensified their fight against cybercrime, leading to significant arrests and takedowns of major cybercriminal groups. Q4 alone saw a substantial flurry of actions. On Oct. 1, 2024, authorities arrested four individuals linked to the notorious LockBit ransomware gang, including a developer, a bulletproof hosting service administrator, and two other affiliates. This followed formal sanctions imposed by the U.S. Treasury Department on LockBit members, marking a major step in disrupting the group's global operations. Later in the month, on Oct. 28, Dutch law enforcement executed Operation Magnus, successfully seizing the infrastructure of Redline and Meta Infostealer, two malware-as-a-service platforms used to steal sensitive credentials.
Bill Siegel

CEO & Co-founder of Coveware