⚠️ New threat actor on the radar ⚠️

🥷🏻 AiLock
🗓️ added on March 03, 2026 (first identified April 2025)

🥒 Overview
Emerging ransomware group that publicly markets itself as "AI-assisted." Active since early 2025, it is suspected of having ties to the Russian state-associated threat actor #FancyBear (APT28), indicating potential strategic objectives beyond financial gain. The group went through a period of downtime but has re-emerged, with victim postings continuing into 2026.

⚙️ Core modus operandi
- double extortion: encrypts victim data and threatens to leak it, but also uniquely threatens to report the breach to regulators and the victim's competitors
- aggressive timelines: gives victims 72 hours to establish contact and 5 days to pay, threatening to destroy decryption tools after the deadline
- AI marketing: heavily promotes the use of artificial intelligence in its attacks, likely for social engineering, evasion, and optimizing encryption
- laundering strategy: uses a standard peel chain, funneling most funds through the #Wasabi coin mixer and the high-risk, non-custodial exchange #FixedFloat, often converting to #Monero for obfuscation
- destructive component: attacks show signs of intentional data destruction, aligning with suspected state-sponsored disruptive aims

😱 Notable breaches
Primarily targets in the United States 🇺🇸 and European Union 🇪🇺, with at least one known victim in Asia 🌏. Most publicized victims are from 2025.
- Demanor AS, a Norwegian company specializing in customized goods lifts and lifting machines
- Aaronson Rappaport Feinstein Deutsch, LLP, a US-based law firm

🧰 @MITRE ATT&CK status
• impact (T1486): data encrypted for impact
• impact (T1485): data destruction
• exfiltration (T1567): exfiltration over web service
• financial motivation (T1657): the primary objective is financial gain through extortion, with potential secondary strategic disruption

👉🏻 What to watch next (#SOCPlaybook cues)
- monitor their DLS for re-emergence and new victim postings
- enhance detection for AI-assisted behaviors, focusing on anomalous user interaction patterns and rapid, large-scale encryption
- track blockchain transactions involving the Wasabi mixer and the FixedFloat exchange, especially conversions to Monero
- scrutinize threats of regulatory reporting, as this is an evolving pressure tactic

🤓 Analyst take (confidence: low)
While AiLock's re-emergence and ties to sophisticated state actors are concerning, its public embrace of AI may be as much a marketing ploy as a technical reality. The group's activity pattern suggests it is still establishing its operational tempo. #Security teams should prioritize behavior-based detection and assume zero-trust principles, as traditional IOCs may be insufficient against an AI-augmented and state-aligned adversary. However, some victim claims are unverified, indicating possible fabrications to inflate reputation.

#ransomNews #cybersecurity #newthreatactor
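One way to turn the "rapid, large-scale encryption" cue from the SOC playbook list above into detection logic, added here as an illustration and not taken from the post or from any AiLock tooling: a sliding-window detector over file-write telemetry that flags an account rewriting many distinct high-entropy files within a short interval. The event schema, hostnames, usernames, paths, sample telemetry and thresholds are all assumptions constructed for the example.

```python
"""Rate-based detector for rapid, large-scale file encryption.
Added example; the event schema, hosts, users and thresholds are assumed."""
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One file-write event as an EDR/FIM sensor might report it (assumed schema)."""
    ts: float      # seconds since epoch
    host: str
    user: str
    path: str
    sample: bytes  # first bytes of the file content after the write


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, prose near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window_s=60.0, min_files=50, min_entropy=7.0):
    """Alert once per (host, user) that writes >= min_files distinct
    high-entropy files inside any sliding window of window_s seconds."""
    windows = defaultdict(deque)   # (host, user) -> deque of (ts, path)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.sample) < min_entropy:
            continue                # low entropy: ordinary document edits, not encryption
        key = (ev.host, ev.user)
        q = windows[key]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window_s:
            q.popleft()             # drop writes that fell out of the window
        distinct = {p for _, p in q}
        if len(distinct) >= min_files and key not in alerted:
            alerted.add(key)        # one alert per actor, not one per file
            alerts.append({"host": ev.host, "user": ev.user,
                           "first_ts": q[0][0], "last_ts": ev.ts,
                           "files": len(distinct)})
    return alerts


def build_sample_events():
    """Constructed telemetry: a benign editor, a slow high-entropy writer
    (a backup job) and a burst that looks like ransomware encryption."""
    rng = random.Random(1337)      # fixed seed keeps the sample deterministic
    text = b"Quarterly report draft - revenue, headcount, forecast notes. " * 16
    events = []
    # benign: a user saving a handful of plain-text documents
    for i in range(5):
        events.append(FileEvent(1000.0 + i * 30, "ws-01", "alice",
                                f"/home/alice/doc{i}.txt", text))
    # slow high-entropy writer: 60 files, one per minute, never 50 inside one window
    for i in range(60):
        events.append(FileEvent(2000.0 + i * 60.0, "srv-02", "backup",
                                f"/backup/vol{i}.bin", rng.randbytes(1024)))
    # burst: 80 files rewritten with random bytes within 20 seconds
    for i in range(80):
        events.append(FileEvent(9000.0 + i * 0.25, "ws-07", "bob",
                                f"/srv/share/contract{i}.docx", rng.randbytes(1024)))
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_events()):
        print(alert)
```

The entropy gate keeps ordinary document saves out of the count, and the sliding window is what separates a legitimate high-entropy writer (backups, archive jobs) from a burst: the backup job in the sample never has more than two files inside any 60-second window, while the burst crosses 50 distinct files about twelve seconds in. Thresholds are environment-specific and belong in an allowlist/tuning loop, not hard-coded as here.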
@ransomnews.online Yeah, they have XMR, ZEC, and DASH. Monero uses ring signatures and stealth addresses so transactions are actually private. Zcash needs Z-addresses for privacy (T-addresses are transparent).