#ransomware

#ransomware

"We know that getting this resolved quickly is important to you. Our top priority is to securely restore impacted applications, although we do not have a firm timeline on this yet."

On April 7, 2026, Z-CERT received notification that ChipSoft has fallen victim to a ransomware attack. Z-CERT is in contact with ChipSoft, healthcare institutions, and our partners. We are working hard to assess the impact of the incident.

Ransomware gangs, especially those with ransomware-as-a-service (RaaS) programs, frequently produce new builds of their encryptors, and ensuring that each new build is reliably undetected can be time-consuming. More importantly, encryptors are inherently very noisy (as they inherently need to modify a large number of files in a short period); making such malware undetected is rather challenging.

Whole Foods shelves sit empty after a data breach shut down its wholesale distributor. Meat packers working for JBS Foods are paralyzed as an $11 million ransomware attack takes out their processing facilities. Some 2.2 million workers at Stop & Shop and Hannaford have their personal data exposed as the result of a cyberattack on parent company Ahold Delhaize USA. These scenarios, straight from a William Gibson novel, are becoming increasingly common in supply chains across the world.

A 47-year-old man arrested by police in Poland for allegedly being involved in cybercriminal activities has been linked to the Phobos ransomware operation. According to Poland's Central Cybercrime Bureau, officers found hacking tools, credentials, payment card numbers, and server IP addresses on the unnamed suspect's devices during a search. They also discovered that the suspect had exchanged messages with the Phobos ransomware group.

That changed last week when the US Department of Justice published a sentencing memorandum [PDF] that frames Williams' conduct as a betrayal of his employer and the US government, and the cause of significant harm to US national security. Williams "made it possible for the Russian Broker to arm its clients with powerful cyber exploits that could be used against any manner of victim, civilian or military around the world," the DoJ said.

Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds that comes embedded with a built-in bring your own vulnerable driver (BYOVD) component for defense evasion purposes within the ransomware payload itself. BYOVD refers to an adversarial technique that abuses legitimate but flawed driver software to escalate privileges and disable Endpoint Detection and Response (EDR) solutions so that malicious activities go unnoticed. The strategy has been adopted by many ransomware groups over the years.

To be clear, ransomware isn't going anywhere, and adversaries continue to innovate. But the data shows a clear strategic pivot away from loud, destructive attacks toward techniques designed to evade detection, persist inside environments, and quietly exploit identity and trusted infrastructure. Rather than breaking in and burning systems down, today's attackers increasingly behave like Digital Parasites. They live inside the host, feed on credentials and services, and remain undetected for as long as possible.

In its annual Red Report, a body of research that analyzes real-world attacker techniques using large-scale attack simulation data, Picus Labs warns cybersecurity professionals that threat actors are rapidly shifting away from ransomware encryption to parasitic "sleeperware" extortion as their means to loot organizations for millions of dollars per attack. Released today and now in its sixth year, the 278-page Red Report gets its name from Picus-organized cybersecurity exercises that take the perspective of the attacker's team, otherwise known as the "red team."