Ransomware

April 8, 2025
7 min read

Exploitation of CLFS zero-day leads to ransomware activity

Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets.

Layout of education-related items on a desk and a representation of cyberthreat vectors, next to the title text “Cyber Signals Issue 8, From Classrooms to Research Labs: Cyberthreats in K-12 and Higher Education, by Cyber Signals, A Microsoft Threat Intelligence Report.”

October 10, 2024
12 min read

Cyber Signals Issue 8 | Education under siege: How cybercriminals target our schools

This edition of Cyber Signals delves into the cybersecurity challenges facing classrooms and campuses, highlighting the critical need for robust defenses and proactive measures.

Two engineers wearing safety goggles work on a desktop PC at a manufacturing plant.

September 26, 2024
20 min read

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment.

Hallway view of servers in hot aisle. Green tones, no people.

July 29, 2024
9 min read

Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption

Microsoft Security researchers have observed a vulnerability used by various ransomware operators to get full administrative access to domain-joined ESXi hypervisors and encrypt the virtual machines running on them.

Photo of young adult male gaming with keyboard and mouse with laptop attached to additional monitor

May 28, 2024
14 min read

Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that combines many tried-and-true techniques used by other North Korean threat actors, as well as unique attack methodologies to target companies for its financial and cyberespionage objectives.

Computer developer working at night in office.

May 15, 2024
10 min read

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

Microsoft Threat Intelligence has observed Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks that lead to malware like Qakbot followed by Black Basta ransomware deployment.

a man sitting in front of a laptop computer

October 25, 2023
17 min read

Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction

Microsoft has been tracking activity related to the financially motivated threat actor Octo Tempest, whose evolving campaigns represent a growing concern for many organizations across multiple industries.

Photo of medical researchers collaborating and using technology to review medical research insights.

October 11, 2023
10 min read

Automatic disruption of human-operated attacks through containment of compromised user accounts

User containment is a unique and innovative defense mechanism that stops human-operated attacks in their tracks.

Photo of a man sitting alone at a table in an office building and works on a laptop.

September 12, 2023
8 min read

Malware distributor Storm-0324 facilitates ransomware access

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors.

Photograph of time-lapse of nighttime traffic around a city core

July 11, 2023
7 min read

Storm-0978 attacks reveal financial and espionage motives

Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America.

Looking into a conference room or board room meeting including people sitting around table in a room with international time clocks.

July 6, 2023
18 min read

The five-day job: A BlackByte ransomware intrusion case study

In a recent investigation by Microsoft Incident Response of a BlackByte 2.

November 3, 2022
6 min read

Stopping C2 communications in human-operated ransomware through network protection

Providing advanced protection against increasingly sophisticated human-operated ransomware, Microsoft Defender for Endpoint’s network protection leverages threat intelligence and machine learning to block command-and-control (C2) communications.

Refine results