Contents

01. News Bites
  • RansomHub ransomware group was most active ransomware operation in 2024
  • NailaoLocker ransomware targets European healthcare in cyber-espionage attacks
  • Snake Keylogger variant targets Windows users with advanced evasion techniques
  • Ransomware attacks hit UK’s leading book printer and literary agency
  • Cyber attack disrupts Northern Ireland’s largest housing provider
  • Jamaica now top cyber attack target in Latin America and the Caribbean
  • Insight Partners confirms cyber attack
 
02. Conclusion

Quick News Bites

RansomHub ransomware group was most active ransomware operation in 2024

The RansomHub ransomware group has targeted over 600 organisations worldwide, making it the most active ransomware operation of 2024, according to Group-IB. The group leverages now-patched vulnerabilities in Microsoft Active Directory and Netlogon to gain domain controller access and spread across networks.

RansomHub emerged in February 2024, acquiring source code from the defunct Knight ransomware group. It has since expanded its capabilities, offering variants capable of encrypting Windows, VMware ESXi, and SFTP servers. The group also recruits affiliates from LockBit and BlackCat to strengthen operations.

A recent attack saw RansomHub brute-force a VPN service using a dictionary of 5,000 credentials before exploiting Active Directory and Netlogon flaws to gain control. Data was encrypted and exfiltrated within 24 hours.
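The dictionary attack described above leaves a recognisable trace in VPN authentication logs: a burst of failures from one source address, often across many usernames, followed by a success. The following Python script is an added example, not code from the bulletin or from Group-IB; it builds a few constructed log lines in a simplified `timestamp user src_ip result` format (an assumption, since appliance formats vary) and flags addresses that exceed a failure threshold inside a sliding window, noting whether a successful login followed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_sample_log():
    """Build constructed VPN authentication log lines: 'timestamp user src_ip result'.

    These lines are made up for the example; they are not from any real appliance.
    """
    base = datetime(2024, 6, 1, 2, 0, 0)
    lines = []
    # Dictionary attack: 12 failures against 12 different usernames in under two
    # minutes, then a success from the same address.
    for i in range(12):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} user{i:02d} 203.0.113.7 FAIL")
    lines.append(f"{(base + timedelta(seconds=130)).isoformat()} user05 203.0.113.7 SUCCESS")
    # Legitimate user mistyping a password twice half an hour later.
    for i, result in enumerate(("FAIL", "FAIL", "SUCCESS")):
        ts = base + timedelta(minutes=30, seconds=20 * i)
        lines.append(f"{ts.isoformat()} carol 198.51.100.9 {result}")
    return lines


def parse_line(line):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag source addresses with >= threshold failed logins inside a sliding window.

    Returns {ip: {"failures": peak failures seen in one window,
                  "distinct_users": usernames tried from that address,
                  "success_after_failures": whether a success followed a flagged window}}.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for ts, user, ip, result in map(parse_line, lines):
        q = recent[ip]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            users[ip].add(user)
            if len(q) >= threshold:
                entry = alerts.setdefault(
                    ip, {"failures": 0, "distinct_users": 0, "success_after_failures": False})
                entry["failures"] = max(entry["failures"], len(q))
                entry["distinct_users"] = len(users[ip])
        elif result == "SUCCESS" and ip in alerts and len(q) >= threshold:
            # A success right after a flagged burst is the highest-priority signal.
            alerts[ip]["success_after_failures"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(constructed_sample_log()).items():
        print(ip, info)
```

The threshold and window are tunable assumptions; the point is that the success-after-burst condition, rather than the failure count alone, is what distinguishes a compromised account from a noisy but harmless scan.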

The ransomware landscape is shifting towards extortion-based attacks, with groups like RansomHub and Akira profiting from stolen data rather than encryption alone, as victims increasingly refuse to pay ransoms.

NailaoLocker ransomware targets European healthcare in cyber-espionage attacks

A newly discovered ransomware strain, NailaoLocker, has been spotted targeting European healthcare organizations between June and October 2024. Attackers exploited CVE-2024-24919, a Check Point Security Gateway vulnerability, to breach networks and deploy ShadowPad and PlugX, malware linked to Chinese state-sponsored threat actors.

Key findings:

  • NailaoLocker is a basic ransomware with no anti-debugging or sandbox evasion capabilities.
  • It encrypts files using AES-256-CTR, appending “.locked” to affected files.
  • The ransomware drops a ransom note with an unusually long filename, instructing victims to contact a ProtonMail address.
  • No evidence suggests data exfiltration, which is rare for modern ransomware attacks.

Security researchers suggest the attacks could be a false flag, strategic data theft, or state-backed hackers moonlighting for profit, which would mark a shift in tactics for Chinese groups.

Snake Keylogger variant targets Windows users with advanced evasion techniques

A new variant of the Snake Keylogger (detected as AutoIt/Injector.GTY!tr) is posing a significant threat to Windows users, using advanced evasion techniques to steal sensitive data from Chrome, Edge, and Firefox browsers.

FortiGuard Labs has blocked over 280 million infection attempts since January 2025, with major attacks in China, Turkey, Indonesia, Taiwan, and Spain. The malware spreads via phishing emails, using AutoIt scripting and process hollowing to bypass detection. It injects into RegSvcs.exe, a legitimate Windows process, ensuring stealth and persistence.

Once active, it captures keystrokes, browser autofill details, and clipboard data, exfiltrating stolen information via SMTP and Telegram bots. Attackers also use checkip.dyndns.org for victim geolocation.
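The two paragraphs above give defenders a behavioural chain to look for: RegSvcs.exe spawned by an unexpected parent, RegSvcs.exe (which has no business talking to the internet) making outbound connections, and a geolocation lookup to checkip.dyndns.org followed by egress to Telegram or an SMTP port. The Python below is an added example, not FortiGuard's or the bulletin's code; it runs three such heuristic rules over constructed, loosely Sysmon-shaped process and network events. The parent-process allowlist and the user-writable directory markers are assumptions for illustration and would need tuning per estate.

```python
import ntpath
from collections import defaultdict

# Assumption for this example: parents from which RegSvcs.exe is expected. Tune per estate.
EXPECTED_REGSVCS_PARENTS = {"msiexec.exe", "devenv.exe", "setup.exe"}
# Assumption: path fragments that mark a user-writable location where phishing payloads land.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")
# Indicators named in the bulletin.
GEOLOCATION_HOSTS = {"checkip.dyndns.org"}
TELEGRAM_HOSTS = {"api.telegram.org"}
SMTP_PORTS = {25, 465, 587}

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed telemetry (not real events): process-creation and network-connection records.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "image": r"C:\Users\v\AppData\Local\Temp\invoice.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"type": "process", "pid": 4188, "image": REGSVCS,
     "parent_image": r"C:\Users\v\AppData\Local\Temp\invoice.exe"},
    {"type": "network", "pid": 4188, "image": REGSVCS, "dest_host": "checkip.dyndns.org", "dest_port": 80},
    {"type": "network", "pid": 4188, "image": REGSVCS, "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "network", "pid": 4188, "image": REGSVCS, "dest_host": "smtp.example.net", "dest_port": 587},
    # Benign: RegSvcs.exe invoked by an installer and making no network connections.
    {"type": "process", "pid": 5010, "image": REGSVCS,
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
]


def _base(path):
    # ntpath handles Windows separators regardless of the host running the script.
    return ntpath.basename(path).lower()


def detect_snake_keylogger_pattern(events):
    """Return findings over process and network events.

    Rules (heuristics written for this example):
      R1  RegSvcs.exe started by a parent outside the allowlist or living in a user-writable directory.
      R2  RegSvcs.exe making any outbound network connection.
      R3  One process querying checkip.dyndns.org and then reaching Telegram or an SMTP port.
    """
    findings = []
    per_pid_conns = defaultdict(list)   # pid -> ordered (host, port) list
    for ev in events:
        if ev["type"] == "process" and _base(ev["image"]) == "regsvcs.exe":
            parent = ev["parent_image"]
            unexpected = _base(parent) not in EXPECTED_REGSVCS_PARENTS
            writable = any(m in parent.lower() for m in USER_WRITABLE_MARKERS)
            if unexpected or writable:
                findings.append({"pid": ev["pid"], "rule": "R1",
                                 "detail": f"RegSvcs.exe launched by {parent}"})
        elif ev["type"] == "network":
            if _base(ev["image"]) == "regsvcs.exe":
                findings.append({"pid": ev["pid"], "rule": "R2",
                                 "detail": f"RegSvcs.exe connected to {ev['dest_host']}:{ev['dest_port']}"})
            per_pid_conns[ev["pid"]].append((ev["dest_host"].lower(), ev["dest_port"]))
    for pid, conns in per_pid_conns.items():
        geo_idx = next((i for i, (h, _) in enumerate(conns) if h in GEOLOCATION_HOSTS), None)
        if geo_idx is None:
            continue
        later = conns[geo_idx + 1:]
        if any(h in TELEGRAM_HOSTS or p in SMTP_PORTS for h, p in later):
            findings.append({"pid": pid, "rule": "R3",
                             "detail": "geolocation lookup followed by Telegram/SMTP egress"})
    return findings


def rules_for(findings, pid):
    """Set of rule ids that fired for a given pid."""
    return {f["rule"] for f in findings if f["pid"] == pid}


if __name__ == "__main__":
    for f in detect_snake_keylogger_pattern(SAMPLE_EVENTS):
        print(f)
```

R3 is deliberately ordered: the geolocation lookup must come before the exfiltration channel, which mirrors the sequence the bulletin describes and keeps an ordinary mail client that never touches checkip.dyndns.org from tripping the rule.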

Organisations are advised to deploy advanced sandboxing, block known C2 servers, and educate employees on phishing risks. As Snake Keylogger evolves, AI-powered threat intelligence and layered defences are essential to mitigating its impact.

Ransomware attacks hit UK’s leading book printer and literary agency

Two major UK publishing firms, CPI Books and The Agency, have fallen victim to ransomware attacks, significantly impacting operations and finances.

CPI Books, the UK’s leading book printer, had its IT systems disabled on 7th February, disrupting production across its nine UK factories. Independent publisher Firefly Press reported major losses, with profits “wiped out” as they scrambled to print elsewhere. CPI is working with cyber security specialists to restore services.

The Agency, a top literary agency, was targeted by the Rhysida ransomware group, which also hit the British Library. Hackers have threatened to leak stolen data if a ransom isn’t paid. Clients were warned to stay alert for potential data exposure.

These attacks highlight the growing cyber threat facing publishing and media industries. The British Library previously spent £6 million recovering from a Rhysida attack in 2023.

Cyber attack disrupts Northern Ireland’s largest housing provider

Choice Housing, one of Northern Ireland’s largest social housing providers, was hit by a cyber attack earlier this month, causing major IT disruptions and delays for tenants. The attack, believed to have originated from a malicious email, forced staff to work through the weekend to contain the fallout.

Choice, which manages over 10,000 social homes and 4,700 properties in Belfast, shut down its systems as a precaution but does not believe any data was compromised. IT teams are executing a recovery plan to restore operations as quickly as possible.

Staff have been warned to stay vigilant against further threats, and a full review of the incident is underway.

The housing sector is under increasing cyber threat. A 2024 report by RSM UK found that one in four UK housing associations had been targeted by cyber criminals in the past year.

Jamaica now top cyber attack target in Latin America and the Caribbean

Jamaica has become the most targeted country in Latin America and the Caribbean for cyber attacks, according to Mervyn Eyre, CEO of Fujitsu Caribbean. He highlighted the region’s high attack rates and low readiness, with Jamaican organisations facing 2,582 attacks per week—well above the global average.

Recent incidents include a ransomware attack on Biomedical Caledonia Medical Lab, with over 70,000 stolen files leaked on the dark web. Other victims include a listed company on the Jamaica Stock Exchange and a car dealership that had to shut down operations.

Cyber criminals are also using stolen data for fraud, with reports of phishing calls and malicious messages. Despite the growing threat, businesses are increasing cybersecurity investments. Jamaica’s Data Protection Act, effective since December 2023, mandates breach reporting within 72 hours, but compliance remains inconsistent. The Office of the Information Commissioner urges organisations to prioritise data security to avoid fines or legal action.

Insight Partners confirms cyber attack

New York-based venture capital firm Insight Partners has confirmed it suffered a cyber attack in January 2025. In a statement on February 18, the firm revealed that an unauthorised third party accessed parts of its information systems through a “sophisticated social engineering attack.”

The breach was detected on January 16, prompting immediate containment and remediation efforts. Insight Partners assured that its operations, portfolio companies, and funds were not materially impacted, and there is no evidence of continued unauthorised access.

The company has informed law enforcement and notified its partners, which include IT and cybersecurity firms such as Armis, SentinelOne, and Wiz. It is working with third-party cybersecurity experts and forensic analysts to assess the full scope of the breach.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.