The tech giant attributed the attacks to Vanilla Tempest, also known as Vice Spider and Vice Society.

The post Microsoft Revokes Over 200 Certificates to Disrupt Ransomware Campaign appeared first on SecurityWeek.

North Korean operatives that dupe job seekers into installing malicious code on their devices have been spotted using new malware strains and techniques, resulting in the theft of credentials or cryptocurrency and ransomware deployment, according to researchers from Cisco Talos and Google Threat Intelligence Group.

Cisco Talos said it observed an attack linked to Famous Chollima that involved the use of BeaverTail and OtterCookie — separate but complementary malware strains frequently used by the North Korea-aligned threat group. Researchers said their analysis determined the extent to which BeaverTail and OtterCookie have merged and displayed new functionality in recent campaigns. 

GTIG said it observed UNC5342 using EtherHiding, malicious code in the form of JavaScript payloads that turn a public blockchain into a decentralized command and control server. Researchers said UNC5342 incorporated EtherHiding into a North Korea-aligned social engineering campaign previously dubbed Contagious Interview by Palo Alto Networks. 

Cisco and Google both said North Korean threat groups’ use of more specialized and evasive malware underscores the efforts the nation-state attackers are taking to achieve multiple goals while avoiding more common forms of detection.

By installing EtherHiding on the blockchain, UNC5342 can remotely update the malware’s functionality and maintain continuous control over their operations without worry about infrastructure takedowns or disruptions.

“This development signals an escalation in the threat landscape, as nation-state threat actors are now utilizing new techniques to distribute malware that is resistant to law enforcement takedowns and can be easily modified for new campaigns,” Robert Wallace, consulting leader at Mandiant, Google’s incident response firm, said in an email. 

Google researchers described North Korea’s social engineering campaign as a sophisticated and ongoing effort to commit espionage, gain persistent access to corporate networks and steal sensitive data or cryptocurrency during the job application and interview process.

The crux of these attacks often occur during a fake technical assessment when job candidates are asked to download files that unbeknownst to them contain malicious code, according to Google. Researchers observed a multi-stage malware infection process involving JadeSnow, BeaverTail and InvisibleFerret. 

Cisco Talos researchers uncovered a Famous Chollima attack on an undisclosed organization based in Sri Lanka that likely originated from a user that fell for a fake job offer. The organization wasn’t targeted by the attackers, according to the report.

Researchers observed a previously undocumented keylogging and screenshotting module in the campaign that they traced to OtterCookie samples. The information-stealing malware contained a module that listens for keystrokes and periodically takes screenshots of the desktop session, which are automatically uploaded to the OtterCookie command and control server, Cisco Talos said.

Cisco and Google both shared indicators of compromise in their respective reports to help threat hunters find additional artifacts of the North Korea threat groups’ malicious activity.

The post North Korean operatives spotted using evasive techniques to steal data and cryptocurrency appeared first on CyberScoop.

A Massachusetts man who previously pleaded guilty to a cyberattack on PowerSchool, exposing data on tens of millions of students and teachers, was sentenced to four years in prison Tuesday — half the amount federal prosecutors sought in sentencing recommendations submitted to the court.

Matthew Lane, 20, stole data from PowerSchool belonging to nearly 70 million students and teachers, extorted the California-based company for a ransom, which it paid, causing the education software vendor more than $14 million in financial losses, according to prosecutors.

U.S. District Judge Margaret Guzman sentenced Lane to four years in prison, followed by three years of supervised release. Lane was also ordered to pay almost $14.1 million in restitution and a $25,000 fine for crimes involving the attack on PowerSchool and an undisclosed U.S. telecommunications company.

Federal prosecutors were seeking a sentence of eight years for Lane, arguing that the crimes he pleaded guilty to follow a series of cybercriminal activity dating back to 2021. “The government has serious concerns that Lane poses an ongoing threat to the community and remains in denial about the scope of his criminal activity,” prosecutors said in a sentencing memo filed Oct. 7 in the U.S. District Court for the District of Massachusetts. 

Prosecutors cited multiple examples of other cybercriminals who committed and were convicted of less serious crimes. In those cases, the lighter sentences cybercriminals received did not sufficiently deter them from reengaging in cybercrime upon their release from jail. Lane’s attack on PowerSchool put 10 million teachers and 60 million children, some as young as five years old, at risk of identity theft for the remainder of their lives, prosecutors said. 

The PowerSchool attack, which Lane committed in September 2024 by using a PowerSchool contractor’s credentials to gain unauthorized access, is reportedly the single largest breach of American schoolchildren’s data on record. Lane threatened to release the data in December 2024 if PowerSchool didn’t pay a ransom valued at nearly $2.9 million at the time.

Multiple school district customers of PowerSchool received follow-on extortion demands linked to the stolen same data, the company said in May. The downstream extortion attempts underscore how cybercriminals, affiliated or not, will continue to exploit sensitive data for financial gain.

Lane forfeited almost $161,000 traced to his crimes, but about $3 million in illicit proceeds remains unaccounted for, according to court documents. “The money he returned is barely one percent of the financial loss he caused,” prosecutors said in the court filing.

Lane is required to surrender to the Federal Bureau of Prisons by Dec. 1.

The post PowerSchool hacker sentenced to 4 years in prison appeared first on CyberScoop.

Investors are placing bets on a hardware-based approach to data security in a market dominated by software solutions for ransomware resilience.

The post HyperBunker Raises Seed Funding to Launch Next-Generation Anti-Ransomware Device appeared first on SecurityWeek.

Fortra, in its most forceful admission yet, confirmed a maximum-severity defect it disclosed in GoAnywhere MFT has been actively exploited in attacks, yet researchers are still pressing the vendor to be more forthcoming about how attackers obtained a private key required to achieve exploitation.

The vendor published a summary of its investigation into CVE-2025-10035 Thursday, three weeks after it publicly addressed the vulnerability in its file-transfer service for the first time. “At this time, we have a limited number of reports of unauthorized activity related to CVE-2025-10035,” the company said. 

“It is positive to see Fortra increase their transparency surrounding the CVE-2025-10035 saga,” Ben Harris, founder and CEO at watchTowr, told CyberScoop. “However, the mystery remains — watchTowr researchers and others are still unclear how this vulnerability could be exploited without access to a private key that only Fortra is believed to have access to.”

Researchers at watchTowr, Rapid7 and VulnCheck last month rang alarm bells about the private key after they independently confirmed the steps attackers would have to take to achieve exploitation. 

“The fact that Fortra has now opted to confirm ‘unauthorized activity related to CVE-2025-10035,’ confirms yet again that the vulnerability was not theoretical, and that the attacker has somehow circumvented, or satisfied, the cryptographic requirements needed to exploit this vulnerability,” Harris said.

The scope of compromise has continued to grow during the past month as Fortra and researchers continue hunting for evidence of active exploitation. Fortra also shared more details about the timeline and actions it took behind the scenes prior to publicly disclosing and addressing the vulnerability. 

Security staff at Fortra began investigating a potential vulnerability after a customer reported suspicious activity Sept. 11. After inspecting customer logs, the company started notifying potentially impacted customers and reported the malicious activity to law enforcement that same day. 

The vendor also said it found three instances in its cloud-based GoAnywhere MFT environment “with potentially suspicious activity related to the vulnerability.” Fortra said it isolated those instances for further investigation and alerted customers using those managed services of potential exposure. 

The company deployed the patch to cloud-based services it hosts for customers Sept. 17, but it has not described the extent to which the vulnerability has been exploited in on-premises customer environments and Fortra-hosted services. The vendor said it updated all company-hosted instances of GoAnywhere MFT, including infrastructure rebuilds.

Fortra did not answer questions submitted by CyberScoop on Monday.

The Cybersecurity and Infrastructure Security Agency added CVE-2025-10035 to its known exploited vulnerabilities catalog Sept. 29, noting the defect has been used in ransomware campaigns. Microsoft Threat Intelligence followed up on that last week, noting that a cybercriminal group it tracks as Storm-1175 has exploited CVE-2025-10035 to initiate multi-stage attacks including ransomware. 

Fortra repeatedly declined to confirm it was aware of active exploitation in the wake of those reports. The company previously added indicators of compromise to its security advisory, but didn’t say it was aware of reports of unauthorized activity related to the defect until Thursday.

The post Fortra cops to exploitation of GoAnywhere file-transfer service defect appeared first on CyberScoop.

Clop, the notorious ransomware group, began targeting Oracle E-Business Suite customers three months ago and started exploiting a zero-day affecting the enterprise platform to steal massive amounts of data from victims as early as Aug. 9, Google Threat Intelligence Group and Mandiant said in a report Thursday. 

“We’re still assessing the scope of this incident, but we believe it affected dozens of organizations. Some historic Clop data extortion campaigns have had hundreds of victims,” John Hultquist, chief analyst at GTIG, said in a statement. “Unfortunately large scale zero-day campaigns like this are becoming a regular feature of cybercrime.”

The new timeline provided by Google’s incident response firm and security researchers confirms malicious activity against Oracle E-Business Suite customers began almost three months before Clop sent extortion emails to executives of alleged victim organizations demanding payment on Sept. 29. 

Oracle disclosed the critical zero-day vulnerability — CVE-2025-61882 — Saturday, two days after it said its customers had received extortion emails following exploitation of vulnerabilities it previously identified and addressed in a July security update. 

The widespread attack spree actually involved at least five distinct defects, including the zero-day, that were chained together to achieve pre-authenticated remote code execution, watchTowr researchers said earlier this week.

Researchers at watchTowr reproduced the full exploit chain after obtaining a proof of concept and published a flow chart depicting how attackers chained multiple vulnerabilities together. 

“It’s currently unclear which specific vulnerabilities or exploit chains correspond to CVE-2025-61882, however, GTIG assesses that Oracle EBS servers updated through the patch released on Oct. 4 are likely no longer vulnerable to known exploitation chains,” Google said in the report.

Researchers identified suspicious traffic that may point to early attempts at exploitation prior to Oracle’s July security update, but Google has not confirmed the precise nature of that activity. 

Many customers remain exposed and potentially vulnerable to attacks. Shadowserver scans found 576 potentially vulnerable instances of Oracle E-Business Suite on Oct. 6, with the majority of those IPs based in the United States.

Clop’s ransom demands have reached up to $50 million, according to Halcyon. “We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop.

Investigations into Clop’s activity underscore the stealthy nature of the threat group’s operations, including the use of multi-stage fileless malware designed to evade file-based detection. Other critical details remain unknown and cybercriminals from other groups have complicated analysis through unsubstantiated claims. 

Mandiant said it observed artifacts on Oct. 3 that overlap with an exploit leaked in a Telegram group dubbed “Scattered LAPSUS$ Hunters.” Yet, Google hasn’t gathered enough evidence to definitively link the malicious July 2025 activity with this exploit. 

“At this time, GTIG does not assess that actors associated with UNC6240 (also known as “Shiny Hunters”) were involved in this exploitation activity,” Google said in the report. 

While multiple pieces of evidence indicate Clop is behind the attacks, Google said it’s possible other threat groups are involved.

Clop has successfully intruded multiple technology vendors’ systems, particularly file-transfer services, allowing it to steal data on many downstream customers. The threat group achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The post Dozens of Oracle customers impacted by Clop data theft for extortion campaign appeared first on CyberScoop.

The hackers claim the theft of 27 gigabytes of data, including contracts, employee information, and financial documents.

The post Ransomware Group Claims Attack on Beer Giant Asahi appeared first on SecurityWeek.

The Medusa ransomware operators exploited the GoAnywhere MFT vulnerability one week before patches were released.

The post Fortra GoAnywhere MFT Zero-Day Exploited in Ransomware Attacks appeared first on SecurityWeek.

A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.

In May 2025, a prolific and amorphous English-speaking cybercrime group known as ShinyHunters launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal.

The first real details about the incident came in early June, when the Google Threat Intelligence Group (GTIG) warned that ShinyHunters — tracked by Google as UNC6040 — was extorting victims over their stolen Salesforce data, and that the group was poised to launch a data leak site to publicly shame victim companies into paying a ransom to keep their records private. A month later, Google acknowledged that one of its own corporate Salesforce instances was impacted in the voice phishing campaign.

Last week, a new victim shaming blog dubbed “Scattered LAPSUS$ Hunters” began publishing the names of companies that had customer Salesforce data stolen as a result of the May voice phishing campaign.

“Contact us to negotiate this ransom or all your customers data will be leaked,” the website stated in a message to Salesforce. “If we come to a resolution all individual extortions against your customers will be withdrawn from. Nobody else will have to pay us, if you pay, Salesforce, Inc.”

Below that message were more than three dozen entries for companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS. The entries for each company specified the volume of stolen data available, as well as the date that the information was retrieved (the stated breach dates range between May and September 2025).

On October 5, the Scattered LAPSUS$ Hunters victim shaming and extortion blog announced that the group was responsible for a breach in September involving a GitLab server used by Red Hat that contained more than 28,000 Git code repositories, including more than 5,000 Customer Engagement Reports (CERs).

“Alot of folders have their client’s secrets such as artifactory access tokens, git tokens, azure, docker (redhat docker, azure containers, dockerhub), their client’s infrastructure details in the CERs like the audits that were done for them, and a whole LOT more, etc.,” the hackers claimed.

Their claims came several days after a previously unknown hacker group calling itself the Crimson Collective took credit for the Red Hat intrusion on Telegram.

Red Hat disclosed on October 2 that attackers had compromised a company GitLab server, and said it was in the process of notifying affected customers.

“The compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets, internal communications about consulting services, and limited forms of business contact information,” Red Hat wrote.

Separately, Discord has started emailing users affected by another breach claimed by ShinyHunters. Discord said an incident on September 20 at a “third-party customer service provider” impacted a “limited number of users” who communicated with Discord customer support or Trust & Safety teams. The information included Discord usernames, emails, IP address, the last four digits of any stored payment cards, and government ID images submitted during age verification appeals.

The Scattered Lapsus$ Hunters claim they will publish data stolen from Salesforce and its customers if ransom demands aren’t paid by October 10. The group also claims it will soon begin extorting hundreds more organizations that lost data in August after a cybercrime group stole vast amounts of authentication tokens from Salesloft, whose AI chatbot is used by many corporate websites to convert customer interaction into Salesforce leads.

In a communication sent to customers today, Salesforce emphasized that the theft of any third-party Salesloft data allegedly stolen by ShinyHunters did not originate from a vulnerability within the core Salesforce platform. The company also stressed that it has no plans to meet any extortion demands.

“Salesforce will not engage, negotiate with, or pay any extortion demand,” the message to customers read. “Our focus is, and remains, on defending our environment, conducting thorough forensic analysis, supporting our customers, and working with law enforcement and regulatory authorities.”

The GTIG tracked the group behind the Salesloft data thefts as UNC6395, and says the group has been observed harvesting the data for authentication tokens tied to a range of cloud services like Snowflake and Amazon’s AWS.

Google catalogs Scattered Lapsus$ Hunters by so many UNC names (throw in UNC6240 for good measure) because it is thought to be an amalgamation of three hacking groups — Scattered Spider, Lapsus$ and ShinyHunters. The members of these groups hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.

The Scattered Lapsus$ Hunters darknet blog is currently offline. The outage appears to have coincided with the disappearance of the group’s new clearnet blog — breachforums[.]hn — which vanished after shifting its Domain Name Service (DNS) servers from DDoS-Guard to Cloudflare.

But before it died, the websites disclosed that hackers were exploiting a critical zero-day vulnerability in Oracle’s E-Business Suite software. Oracle has since confirmed that a security flaw tracked as CVE-2025-61882 allows attackers to perform unauthenticated remote code execution, and is urging customers to apply an emergency update to address the weakness.

Mandiant’s Charles Carmakal shared on LinkedIn that CVE-2025-61882 was initially exploited in August 2025 by the Clop ransomware gang to steal data from Oracle E-Business Suite servers. Bleeping Computer writes that news of the Oracle zero-day first surfaced on the Scattered Lapsus$ Hunters blog, which published a pair of scripts that were used to exploit vulnerable Oracle E-Business Suite instances.

On Monday evening, KrebsOnSecurity received a malware-laced message from a reader that threatened physical violence unless their unstated demands were met. The missive, titled “Shiny hunters,” contained the hashtag $LAPSU$$SCATEREDHUNTER, and urged me to visit a page on limewire[.]com to view their demands.

KrebsOnSecurity did not visit this link, but instead forwarded it to Mandiant, which confirmed that similar menacing missives were sent to employees at Mandiant and other security firms around the same time.

The link in the message fetches a malicious trojan disguised as a Windows screensaver file (Virustotal’s analysis on this malware is here). Simply viewing the booby-trapped screensaver on a Windows PC is enough to cause the bundled trojan to launch in the background.

Mandiant’s Austin Larsen said the trojan is a commercially available backdoor known as ASYNCRAT, a .NET-based backdoor that communicates using a custom binary protocol over TCP, and can execute shell commands and download plugins to extend its features.

“Downloaded plugins may be executed directly in memory or stored in the registry,” Larsen wrote in an analysis shared via email. “Capabilities added via plugins include screenshot capture, file transfer, keylogging, video capture, and cryptocurrency mining. ASYNCRAT also supports a plugin that targets credentials stored by Firefox and Chromium-based web browsers.”

Malware-laced targeted emails are not out of character for certain members of the Scattered Lapsus$ Hunters, who have previously harassed and threatened security researchers and even law enforcement officials who are investigating and warning about the extent of their attacks.

With so many big data breaches and ransom attacks now coming from cybercrime groups operating on the Com, law enforcement agencies on both sides of the pond are under increasing pressure to apprehend the criminal hackers involved. In late September, prosecutors in the U.K. charged two alleged Scattered Spider members aged 18 and 19 with extorting at least $115 million in ransom payments from companies victimized by data theft.

U.S. prosecutors heaped their own charges on the 19 year-old in that duo — U.K. resident Thalha Jubair — who is alleged to have been involved in data ransom attacks against Marks & Spencer and Harrods, the British food retailer Co-op Group, and the 2023 intrusions at MGM Resorts and Caesars Entertainment. Jubair also was allegedly a key member of LAPSUS$, a cybercrime group that broke into dozens of technology companies beginning in late 2021.

In August, convicted Scattered Spider member and 20-year-old Florida man Noah Michael Urban was sentenced to 10 years in federal prison and ordered to pay roughly $13 million in restitution to victims.

In April 2025, a 23-year-old Scottish man thought to be an early Scattered Spider member was extradited from Spain to the U.S., where he is facing charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the United States and abroad, and that he personally controlled more than $26 million stolen from victims.

Update, Oct. 8, 8:59 a.m. ET: A previous version of this story incorrectly referred to the malware sent by the reader as a Windows screenshot file. Rather, it is a Windows screensaver file.

Microsoft Threat Intelligence said a cybercriminal group it tracks as Storm-1175 has exploited a maximum-severity vulnerability in GoAnywhere MFT to initiate multi-stage attacks including ransomware. Researchers observed the malicious activity Sept. 11, Microsoft said in a blog post Monday.

Microsoft’s research adds another substantive chunk of evidence to a growing collection of intelligence confirming the defect in Fortra’s file-transfer service was exploited as a zero-day before the company disclosed and patched CVE-2025-10035 on Sept. 18.

Despite this mounting pile of evidence, Fortra has yet to confirm the vulnerability is under active exploitation. The company has not answered questions or provided additional information since it updated its security advisory Sept. 18 to include indicators of compromise. 

Storm-1175, a financially motivated cybercrime group known for exploiting public vulnerabilities to gain access and deploy Medusa ransomware, exploited CVE-2025-10035 to achieve remote code execution, according to Microsoft. 

“They used this access to install remote monitoring tools such as SimpleHelp and MeshAgent, drop web shells, to move laterally across networks using built-in Windows utilities,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told CyberScoop in an email. “In at least one instance, the intrusion led to data theft via Rclone and a Medusa ransomware deployment.”

Microsoft’s findings bolster research from other firms including watchTowr, which said it obtained credible evidence of active exploitation of the GoAnywhere vulnerability dating back to Sept. 10, a day before Fortra maintains the vulnerability was discovered. 

“Microsoft has now linked the attacks to a known Medusa ransomware affiliate, confirming what we feared. Organizations running GoAnywhere MFT have effectively been under silent assault since at least Sept. 11, with little clarity from Fortra,” said Ben Harris, founder and CEO at watchTowr.

“Microsoft’s confirmation now paints a pretty unpleasant picture — exploitation, attribution, and a month-long head start for the attackers. What’s still missing are the answers only Fortra can provide,” Harris added.

This includes details about how the attackers accessed private keys required to achieve exploitation, as researchers from multiple firms flagged as a worrying signal last month. “Customers deserve transparency, not silence,” Harris said. 

Federal cyber authorities have confirmed active exploitation of GoAnywhere’s defect as well. The Cybersecurity and Infrastructure Security Agency added CVE-2025-10035 to its known exploited vulnerabilities catalog Sept. 29, noting the defect has been used in ransomware campaigns. 

DeGrippo said Storm-1175’s attacks are opportunistic, and have affected organizations in the transportation, education, retail, insurance and manufacturing sectors. “Their tactics reflect the broader pattern we’re seeing, which is blending legitimate tools with stealthy techniques to stay under the radar and monetize access through extortion and data theft,” she added.

Researchers haven’t said how many organizations are impacted by GoAnywhere attacks, but Fortra customers went through this before when a zero-day vulnerability in the same file-transfer service was widely exploited two years ago, resulting in attacks on more than 100 organizations.

The post Microsoft pins GoAnywhere zero-day attacks to ransomware affiliate Storm-1175 appeared first on CyberScoop.

The brewing giant has reverted to manual order processing and shipment as operations at its Japanese subsidiaries are disrupted.

The post Beer Giant Asahi Says Data Stolen in Ransomware Attack appeared first on SecurityWeek.

Federal cyber authorities and threat hunters are on edge following Oracle’s Saturday disclosure of an actively exploited zero-day vulnerability the Clop ransomware group used to initiate a widespread data theft and extortion campaign researchers initially warned about last week. 

Oracle addressed the critical vulnerability — CVE-2025-61882 affecting Oracle E-Business Suite — in a security advisory Saturday and advised customers to apply the patch as soon as possible. The tech giant previously said it was aware some customers had received extortion emails and said vulnerabilities it addressed in its July security update were potentially involved. 

Rob Duhart, chief security officer at Oracle Security, updated his blog post Saturday to alert customers to the zero-day. Oracle did not say the zero-day is actively exploited but it provided indicators of compromise, which indirectly confirm the defect has been exploited in the wild. 

The Cybersecurity and Infrastructure Security Agency added CVE-2025-61882 to its known exploited vulnerabilities catalog Monday, noting that it has been used in ransomware campaigns. 

Brett Leatherman, assistant director of the FBI’s Cyber Division, described the zero-day as an emergency putting Oracle E-Business Suite environments at risk of full compromise. 

“Oracle E-Business Suite remains a backbone enterprise resource planning system for major enterprises and public-sector environments, which means attackers have every incentive to weaponize this one fast,” he said in a LinkedIn post.

The zero-day isn’t the only problem confronting Oracle and its customers. Clop exploited multiple vulnerabilities, including the zero-day, in Oracle E-Business Suite to steal large amounts of data from several victims in August, according to Mandiant Consulting CTO Charles Carmakal. 

Researchers at watchTowr reproduced the full exploit chain after a proof of concept and published a flow chart depicting how attackers chained multiple vulnerabilities together. 

“The chain demonstrates a high level of skill and effort, with at least five distinct bugs orchestrated together to achieve pre-authenticated remote code execution,” watchTowr researchers wrote in a blog post Monday. The cybersecurity firm said there is a high probability more vulnerabilities will be found in Oracle E-Business Suite tied to this campaign. 

The zero-day vulnerability, which has a CVSS rating of 9.8, can be exploited remotely without authentication, resulting in remote code execution. 

The significant lag time between when the attacks occurred and Oracle’s zero-day vulnerability disclosure indicates Clop was breaking into and stealing data from Oracle E-Business Suite customers’ environments for months. Researchers were not aware of the attacks until executives of alleged victim organizations received extortion emails demanding payment. 

CrowdStrike researchers said the first known exploitation occurred Aug. 9, eight weeks before Oracle disclosed and patched the zero-day defect. 

The number of organizations impacted by Clop’s attack spree remains unknown, yet researchers have identified victims across multiple sectors and geographies. Clop’s ransom demands have reached up to $50 million, according to Halcyon.

“We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop.

“This group is notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations,” she said.

Clop is a ransomware group that has successfully intruded multiple technology vendors’ systems, allowing it to steal data on many downstream customers. The threat group specializes in exploiting vulnerabilities in file-transfer services to conduct large-scale attacks. 

Clop achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The group is driven by profit, as it operates within a Russia-aligned cybercrime environment, Kaiser said. “Clop’s operations can simultaneously extract financial value and produce outcomes useful to state actors, such as data collection, disruption, or pressure on targeted organizations.”

The post Oracle zero-day defect amplifies panic over Clop’s data theft attack spree appeared first on CyberScoop.

Emails sent to Oracle customers by members of the Clop ransomware group assert that the cybercriminals are solely interested in a financial payout, framing the extortion as a business transaction rather than a politically motivated attack.  

The extortion emails were sent to executives of alleged victim organizations earlier this week, with attackers claiming they would provide victims copies of any three files or data rows upon request to verify their organization’s data was stolen. 

“But, don’t worry,” the attackers wrote in an extortion email, which CyberScoop obtained a copy of Thursday. “You can always save your data for payment. We do not seek political power or care about any business.”

Broken English and poor spelling appears throughout the email. The sender begins the message by introducing themselves as “CL0P team” and encourages the recipient to search for information about Clop on the internet if they haven’t heard of the highly prolific threat group.  

The extortion email is designed to achieve several goals: intimidate recipients, apply a deadline to create urgency, show proof of compromise and provide contact info to negotiate an extortion payment.  

“We always fulfil all promises and obligations,” the email said. “We are not interested in destroying your business. We want to take the money and you not hear from us again.”

Clop hasn’t made the claims public through its leak site. Researchers have yet to verify if a breach occurred or if the threat group is behind the attacks, yet the contact info in the emails has been previously used by the group.

Oracle on Thursday confirmed it’s aware some Oracle E-Business Suite customers have received extortion emails.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” Rob Duhart, chief security officer at Oracle Security, said in a blog post.

Oracle did not say which vulnerabilities are under active exploitation, nor did it confirm if its customers’ data was stolen. The July security update included 309 patches, including nine that addressed defects in Oracle E-Business Suite. 

The vendor, at the time, said three of the Oracle E-Business Suite vulnerabilities, all of which it designated as medium-severity, can be remotely exploited without authentication. Three additional Oracle E-Business Suite vulnerabilities addressed in July were designated high severity. 

The company has not responded to multiple requests for comment. 

The emails were sent from hundreds of compromised third-party accounts beginning on or before Monday, researchers said.

“The compromised accounts belong to various, unrelated organizations,” Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop. “This is a common tactic where threat actors acquire credentials for legitimate accounts, often from infostealer malware logs sold on underground forums, to add a layer of legitimacy to their campaigns and help bypass spam filters.”

In the email obtained by CyberScoop, the sender claims to have carefully examined the data they allegedly stole, warning “that estimated financial losses, harm to reputation and regulatory fines are likely to materially exceed the amount claimed.” 

This tactic has appeared in previous extortion attacks wherein hackers mention accompanying effects of a compromise, such as legal penalties, as a reason to pay the ransom.

The extortion email ends with a threatening call to action, claiming the clock is ticking and data will be published in a few days. 

“Please convey this information to your executive and managers as soon as possible,” the attackers said in the email. “We advice not reach point of no return.”

The full text of the email is below:

Dearest executive,

We are CL0P team. If you haven’t heard about us, you can google about us on internet.

We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems.

But, don’t worry. You can always save your data for payment. We do not seek political power or care about any business.

So, your only option to protect your business reputation is to discuss conditions and pay claimed sum. In case you refuse, you will lose all abovementioned data: some of it will be sold to the black actors, the rest will be published on our blog and shared on torrent trackers.

We always fulfil all promises and obligations.

We have carefully examined the data we got. And, regrettably for your company, this analysis shows that estimated financial losses, harm to reputation , and regulatory fines are likely to materially exceed the amount claimed.

Lower you see our contact email addresses:

[REDACTED]

[REDACTED]

As evidence, we can show any 3 files you ask or data row.

We are also ready to continue discussing the next steps after you confirm that you are a legitimate representative of the company.

We are not interested in destroying your business. We want to take the money and you not hear from us again.

Time is ticking on clock and in few days if no payment we publish and close chat.

Please convey this information to your executive and managers as soon as possible.

After a successful transaction and receipt of payment we promise

1) technical advice

2) We will never publish you data

3) Everything we download will be delete w/proof

4) Nothing will ever disclose

Decide soon and recall that no response result in blog posting. Name is first and soon data after. We advice not reach point of no return.

KR CL0P

Update: 10/02/25, 5:30 p.m: This story has been updated with information about Oracle’s alert.

The post Here is the email Clop attackers sent to Oracle customers appeared first on CyberScoop.

The hackers stole names, contact details, Social Security numbers, and driver’s license numbers in an August 19 ransomware attack.

The post 766,000 Impacted by Data Breach at Dealership Software Provider Motility appeared first on SecurityWeek.

Attackers appearing to be aligned with the Clop ransomware group have sent emails to Oracle customers seeking extortion payments, claiming they stole data from the tech giant’s E-Business Suite, according to researchers who spoke with CyberScoop. 

Researchers haven’t confirmed the veracity of Clop’s claimed data theft, but multiple investigations into Oracle environments belonging to organizations that received the emails are underway.

“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts,” Mandiant Consulting CTO Charles Carmakal told CyberScoop. “The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site,” he added.

Clop hasn’t made the claims public through its leak sites.

Oracle on Thursday confirmed it’s aware some Oracle E-Business Suite customers have received extortion emails.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” Rob Duhart, chief security officer at Oracle Security, said in a blog post.

Oracle did not say which vulnerabilities are under active exploitation, nor did it confirm if its customers’ data was stolen. The July security update included 309 patches, including nine that addressed defects in Oracle E-Business Suite. 

The vendor, at the time, said three of the Oracle E-Business Suite vulnerabilities, all of which it designated as medium-severity, can be remotely exploited without authentication. Three additional Oracle E-Business Suite vulnerabilities addressed in July were designated high severity. 

The company has not responded to multiple requests for comment. 

The extortion activity involves targeted emails sent to company executives from hundreds of compromised third-party accounts beginning on or before Sept. 29, according to Genevieve Stark, head of cybercrime and information operations intelligence analysis at Google Threat Intelligence Group.

“It is not yet clear whether the threat actor’s claims are credible, and if so, how they obtained access,” Stark told CyberScoop.

While the tactics and contact email addresses align with Clop, researchers have yet to verify if the financially-motivated group is behind the attacks.

Clop is a highly prolific and notorious ransomware group that has successfully intruded multiple technology vendors’ systems, allowing it to steal data on many downstream customers. 

The financially motivated threat group specializes in exploiting vulnerabilities in file-transfer services to conduct large-scale attacks. Clop achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The extortion emails originate from hundreds of compromised third-party accounts at various legitimate websites, and not from one specific vendor, said Austin Larsen, principal analyst at GTIG. “The claim within those emails is that they have stolen data from the Oracle E-Business Suite of the targeted organizations,” he added. 

The emails observed by researchers don’t contain a specific demand, but pressure victims to contact the threat group to start negotiations.  

“The primary indicators of this new campaign are the extortion emails themselves and the use of email addresses associated with the Clop data leak site,” Stark said. “At this time, we do not have evidence of a successful data breach or a specific malware family associated with this particular campaign.”

Investigators are working through the night to confirm if and how attackers gained access to Oracle’s E-Business Suite and the extent to which Oracle customers may be impacted.

Update: 10/02/25, 5:30 p.m.: This story has been updated with information about Oracle’s security alert.

The post Oracle customers being bombarded with emails claiming widespread data theft appeared first on CyberScoop.

In one attack, the hackers leveraged the Datto RMM utility on a domain controller and various other legitimate tools to evade detection.

The post Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues appeared first on SecurityWeek.

The aerospace and defense giant has disclosed the cyberattack in a filing with the SEC.

The post RTX Confirms Airport Services Hit by Ransomware appeared first on SecurityWeek.

The Miljödata data breach has impacted numerous organizations, education institutions, and Swedish municipalities.

The post Volvo Group Employee Data Stolen in Ransomware Attack appeared first on SecurityWeek.

Trend™ Research analyzed source binaries from the latest activity from notorious LockBit ransomware with their 5.0 version that exhibits advanced obfuscation, anti-analysis techniques, and seamless cross-platform capabilities for Windows, Linux, and ESXi systems.

U.S. prosecutors last week levied criminal hacking charges against 19-year-old U.K. national Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting at least $115 million in ransom payments from victims. The charges came as Jubair and an alleged co-conspirator appeared in a London court to face accusations of hacking into and extorting several large U.K. retailers, the London transit system, and healthcare providers in the United States.

At a court hearing last week, U.K. prosecutors laid out a litany of charges against Jubair and 18-year-old Owen Flowers, accusing the teens of involvement in an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area.

On July 10, 2025, KrebsOnSecurity reported that Flowers and Jubair had been arrested in the United Kingdom in connection with recent Scattered Spider ransom attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group.

That story cited sources close to the investigation saying Flowers was the Scattered Spider member who anonymously gave interviews to the media in the days after the group’s September 2023 ransomware attacks disrupted operations at Las Vegas casinos operated by MGM Resorts and Caesars Entertainment.

The story also noted that Jubair’s alleged handles on cybercrime-focused Telegram channels had far lengthier rap sheets involving some of the more consequential and headline-grabbing data breaches over the past four years. What follows is an account of cybercrime activities that prosecutors have attributed to Jubair’s alleged hacker handles, as told by those accounts in posts to public Telegram channels that are closely monitored by multiple cyber intelligence firms.

EARLY DAYS (2021-2022)

Jubair is alleged to have been a core member of the LAPSUS$ cybercrime group that broke into dozens of technology companies beginning in late 2021, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.

That is, according to the former leader of the now-defunct LAPSUS$. In April 2022, KrebsOnSecurity published internal chat records taken from a server that LAPSUS$ used, and those chats indicate Jubair was working with the group using the nicknames Amtrak and Asyntax. In the middle of the gang’s cybercrime spree, Asyntax told the LAPSUS$ leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again.

The leader of LAPSUS$ responded by gleefully posting Asyntax’s real name, phone number, and other hacker handles into a public chat room on Telegram:

That story about the leaked LAPSUS$ chats also connected Amtrak/Asyntax to several previous hacker identities, including “Everlynn,” who in April 2021 began offering a cybercriminal service that sold fraudulent “emergency data requests” targeting the major social media and email providers.

In these so-called “fake EDR” schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data (e.g. username, IP/email address), while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

EARTHTOSTAR

Prosecutors in New Jersey last week alleged Jubair was part of a threat group variously known as Scattered Spider, 0ktapus, and UNC3944, and that he used the nicknames EarthtoStar, Brad, Austin, and Austistic.

Beginning in 2022, EarthtoStar co-ran a bustling Telegram channel called Star Chat, which was home to a prolific SIM-swapping group that relentlessly used voice- and SMS-based phishing attacks to steal credentials from employees at the major wireless providers in the U.S. and U.K.

The group would then use that access to sell a SIM-swapping service that could redirect a target’s phone number to a device the attackers controlled, allowing them to intercept the victim’s phone calls and text messages (including one-time codes). Members of Star Chat targeted multiple wireless carriers with SIM-swapping attacks, but they focused mainly on phishing T-Mobile employees.

In February 2023, KrebsOnSecurity scrutinized more than seven months of these SIM-swapping solicitations on Star Chat, which almost daily peppered the public channel with “Tmo up!” and “Tmo down!” notices indicating periods wherein the group claimed to have active access to T-Mobile’s network.

The data showed that Star Chat — along with two other SIM-swapping groups operating at the same time — collectively broke into T-Mobile over a hundred times in the last seven months of 2022. However, Star Chat was by far the most prolific of the three, responsible for at least 70 of those incidents.

A review of EarthtoStar’s messages on Star Chat as indexed by the threat intelligence firm Flashpoint shows this person also sold “AT&T email resets” and AT&T call forwarding services for up to $1,200 per line. EarthtoStar explained the purpose of this service in post on Telegram:

“Ok people are confused, so you know when u login to chase and it says ‘2fa required’ or whatever the fuck, well it gives you two options, SMS or Call. If you press call, and I forward the line to you then who do you think will get said call?”

New Jersey prosecutors allege Jubair also was involved in a mass SMS phishing campaign during the summer of 2022 that stole single sign-on credentials from employees at hundreds of companies. The text messages asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page, saying recipients needed to review pending changes to their upcoming work schedules.

The phishing websites used a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.

That weeks-long SMS phishing campaign led to intrusions and data thefts at more than 130 organizations, including LastPass, DoorDash, Mailchimp, Plex and Signal.

DA, COMRADE

EarthtoStar’s group Star Chat specialized in phishing their way into business process outsourcing (BPO) companies that provide customer support for a range of multinational companies, including a number of the world’s largest telecommunications providers. In May 2022, EarthtoStar posted to the Telegram channel “Frauwudchat”:

“Hi, I am looking for partners in order to exfiltrate data from large telecommunications companies/call centers/alike, I have major experience in this field, [including] a massive call center which houses 200,000+ employees where I have dumped all user credentials and gained access to the [domain controller] + obtained global administrator I also have experience with REST API’s and programming. I have extensive experience with VPN, Citrix, cisco anyconnect, social engineering + privilege escalation. If you have any Citrix/Cisco VPN or any other useful things please message me and lets work.”

At around the same time in the Summer of 2022, at least two different accounts tied to Star Chat — “RocketAce” and “Lopiu” — introduced the group’s services to denizens of the Russian-language cybercrime forum Exploit, including:

-SIM-swapping services targeting Verizon and T-Mobile customers;
-Dynamic phishing pages targeting customers of single sign-on providers like Okta;
-Malware development services;
-The sale of extended validation (EV) code signing certificates.

These two accounts on Exploit created multiple sales threads in which they claimed administrative access to U.S. telecommunications providers and asked other Exploit members for help in monetizing that access. In June 2022, RocketAce, which appears to have been just one of EarthtoStar’s many aliases, posted to Exploit:

Hello. I have access to a telecommunications company’s citrix and vpn. I would like someone to help me break out of the system and potentially attack the domain controller so all logins can be extracted we can discuss payment and things leave your telegram in the comments or private message me ! Looking for someone with knowledge in citrix/privilege escalation

On Nov. 15, 2022, EarthtoStar posted to their Star Sanctuary Telegram channel that they were hiring malware developers with a minimum of three years of experience and the ability to develop rootkits, backdoors and malware loaders.

“Optional: Endorsed by advanced APT Groups (e.g. Conti, Ryuk),” the ad concluded, referencing two of Russia’s most rapacious and destructive ransomware affiliate operations. “Part of a nation-state / ex-3l (3 letter-agency).”

2023-PRESENT DAY

The Telegram and Discord chat channels wherein Flowers and Jubair allegedly planned and executed their extortion attacks are part of a loose-knit network known as the Com, an English-speaking cybercrime community consisting mostly of individuals living in the United States, the United Kingdom, Canada and Australia.

Many of these Com chat servers have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.

These “violence-as-a-service” solicitations typically involve “brickings,” where someone is hired to toss a brick through the window at a specified address. Other IRL jobs for hire include tire-stabbings, molotov cocktail hurlings, drive-by shootings, and even home invasions. The people targeted by these services are typically other criminals within the community, but it’s not unusual to see Com members asking others for help in harassing or intimidating security researchers and even the very law enforcement officers who are investigating their alleged crimes.

It remains unclear what precipitated this incident or what followed directly after, but on January 13, 2023, a Star Sanctuary account used by EarthtoStar solicited the home invasion of a sitting U.S. federal prosecutor from New York. That post included a photo of the prosecutor taken from the Justice Department’s website, along with the message:

“Need irl niggas, in home hostage shit no fucking pussies no skinny glock holding 100 pound niggas either”

Throughout late 2022 and early 2023, EarthtoStar’s alias “Brad” (a.k.a. “Brad_banned”) frequently advertised Star Chat’s malware development services, including custom malicious software designed to hide the attacker’s presence on a victim machine:

We can develop KERNEL malware which will achieve persistence for a long time,
bypass firewalls and have reverse shell access.

This shit is literally like STAGE 4 CANCER FOR COMPUTERS!!!

Kernel meaning the highest level of authority on a machine.
This can range to simple shells to Bootkits.

Bypass all major EDR’s (SentinelOne, CrowdStrike, etc)
Patch EDR’s scanning functionality so it’s rendered useless!

Once implanted, extremely difficult to remove (basically impossible to even find)
Development Experience of several years and in multiple APT Groups.

Be one step ahead of the game. Prices start from $5,000+. Message @brad_banned to get a quote

In September 2023 , both MGM Resorts and Caesars Entertainment suffered ransomware attacks at the hands of a Russian ransomware affiliate program known as ALPHV and BlackCat. Caesars reportedly paid a $15 million ransom in that incident.

Within hours of MGM publicly acknowledging the 2023 breach, members of Scattered Spider were claiming credit and telling reporters they’d broken in by social engineering a third-party IT vendor. At a hearing in London last week, U.K. prosecutors told the court Jubair was found in possession of more than $50 million in ill-gotten cryptocurrency, including funds that were linked to the Las Vegas casino hacks.

The Star Chat channel was finally banned by Telegram on March 9, 2025. But U.S. prosecutors say Jubair and fellow Scattered Spider members continued their hacking, phishing and extortion activities up until September 2025.

In April 2025, the Com was buzzing about the publication of “The Com Cast,” a lengthy screed detailing Jubair’s alleged cybercriminal activities and nicknames over the years. This account included photos and voice recordings allegedly of Jubair, and asserted that in his early days on the Com Jubair used the nicknames Clark and Miku (these are both aliases used by Everlynn in connection with their fake EDR services).

More recently, the anonymous Com Cast author(s) claimed, Jubair had used the nickname “Operator,” which corresponds to a Com member who ran an automated Telegram-based doxing service that pulled consumer records from hacked data broker accounts. That public outing came after Operator allegedly seized control over the Doxbin, a long-running and highly toxic community that is used to “dox” or post deeply personal information on people.

“Operator/Clark/Miku: A key member of the ransomware group Scattered Spider, which consists of a diverse mix of individuals involved in SIM swapping and phishing,” the Com Cast account stated. “The group is an amalgamation of several key organizations, including Infinity Recursion (owned by Operator), True Alcorians (owned by earth2star), and Lapsus, which have come together to form a single collective.”

The New Jersey complaint (PDF) alleges Jubair and other Scattered Spider members committed computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions involving 47 U.S. entities between May 2022 and September 2025. The complaint alleges the group’s victims paid at least $115 million in ransom payments.

U.S. authorities say they traced some of those payments to Scattered Spider to an Internet server controlled by Jubair. The complaint states that a cryptocurrency wallet discovered on that server was used to purchase several gift cards, one of which was used at a food delivery company to send food to his apartment. Another gift card purchased with cryptocurrency from the same server was allegedly used to fund online gaming accounts under Jubair’s name. U.S. prosecutors said that when they seized that server they also seized $36 million in cryptocurrency.

The complaint also charges Jubair with involvement in a hacking incident in January 2025 against the U.S. courts system that targeted a U.S. magistrate judge overseeing a related Scattered Spider investigation. That other investigation appears to have been the prosecution of Noah Michael Urban, a 20-year-old Florida man charged in November 2024 by prosecutors in Los Angeles as one of five alleged Scattered Spider members.

Urban pleaded guilty in April 2025 to wire fraud and conspiracy charges, and in August he was sentenced to 10 years in federal prison. Speaking with KrebsOnSecurity from jail after his sentencing, Urban asserted that the judge gave him more time than prosecutors requested because he was mad that Scattered Spider hacked his email account.

A court transcript (PDF) from a status hearing in February 2025 shows Urban was telling the truth about the hacking incident that happened while he was in federal custody. The judge told attorneys for both sides that a co-defendant in the California case was trying to find out about Mr. Urban’s activity in the Florida case, and that the hacker accessed the account by impersonating a judge over the phone and requesting a password reset.

Allison Nixon is chief research officer at the New York based security firm Unit 221B, and easily one of the world’s leading experts on Com-based cybercrime activity. Nixon said the core problem with legally prosecuting well-known cybercriminals from the Com has traditionally been that the top offenders tend to be under the age of 18, and thus difficult to charge under federal hacking statutes.

In the United States, prosecutors typically wait until an underage cybercrime suspect becomes an adult to charge them. But until that day comes, she said, Com actors often feel emboldened to continue committing — and very often bragging about — serious cybercrime offenses.

“Here we have a special category of Com offenders that effectively enjoy legal immunity,” Nixon told KrebsOnSecurity. “Most get recruited to Com groups when they are older, but of those that join very young, such as 12 or 13, they seem to be the most dangerous because at that age they have no grounding in reality and so much longevity before they exit their legal immunity.”

Nixon said U.K. authorities face the same challenge when they briefly detain and search the homes of underage Com suspects: Namely, the teen suspects simply go right back to their respective cliques in the Com and start robbing and hurting people again the minute they’re released.

Indeed, the U.K. court heard from prosecutors last week that both Scattered Spider suspects were detained and/or searched by local law enforcement on multiple occasions, only to return to the Com less than 24 hours after being released each time.

“What we see is these young Com members become vectors for perpetrators to commit enormously harmful acts and even child abuse,” Nixon said. “The members of this special category of people who enjoy legal immunity are meeting up with foreign nationals and conducting these sometimes heinous acts at their behest.”

Nixon said many of these individuals have few friends in real life because they spend virtually all of their waking hours on Com channels, and so their entire sense of identity, community and self-worth gets wrapped up in their involvement with these online gangs. She said if the law was such that prosecutors could treat these people commensurate with the amount of harm they cause society, that would probably clear up a lot of this problem.

“If law enforcement was allowed to keep them in jail, they would quit reoffending,” she said.

The Times of London reports that Flowers is facing three charges under the Computer Misuse Act: two of conspiracy to commit an unauthorized act in relation to a computer causing/creating risk of serious damage to human welfare/national security and one of attempting to commit the same act. Maximum sentences for these offenses can range from 14 years to life in prison, depending on the impact of the crime.

Jubair is reportedly facing two charges in the U.K.: One of conspiracy to commit an unauthorized act in relation to a computer causing/creating risk of serious damage to human welfare/national security and one of failing to comply with a section 49 notice to disclose the key to protected information.

In the United States, Jubair is charged with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If extradited to the U.S., tried and convicted on all charges, he faces a maximum penalty of 95 years in prison.

In July 2025, the United Kingdom barred victims of hacking from paying ransoms to cybercriminal groups unless approved by officials. U.K. organizations that are considered part of critical infrastructure reportedly will face a complete ban, as will the entire public sector. U.K. victims of a hack are now required to notify officials to better inform policymakers on the scale of Britain’s ransomware problem.

For further reading (bless you), check out Bloomberg’s poignant story last week based on a year’s worth of jailhouse interviews with convicted Scattered Spider member Noah Urban.