Security Resources and Information from TechTarget, Sept. 29, 10:49
Ransomware gangs and strains keep evolving

Ransomware gangs and strains keep appearing and disappearing, and some come back stronger than before. The BlackCat ransomware gang, for example, halted operations in March 2024 after an exit scam, while LockBit was back within days of being taken down by law enforcement. Other strains stay active by improving their attack techniques: LockBit 5.0 is known for faster encryption, stronger evasion and a revamped affiliate program. This week's articles cover the KillSec ransomware attack on a Brazilian healthcare provider, the Yurei ransomware gang's first victim, and the reemergence of Petya in a new variant.

🔍 Ransomware gangs such as BlackCat and LockBit can disappear and reemerge, sometimes stronger than before: BlackCat shut down in March 2024 after an exit scam, and LockBit restored its operations days after a law enforcement takedown.

📈 Strains such as LockBit 5.0 keep evolving with stronger attack capabilities, including faster encryption, better evasion and an updated affiliate program, which shows the threat is persistent.

🌐 KillSec ransomware attacked the Brazilian medical software provider MedicSolution and threatened to leak 34 GB of sensitive data, including lab results, X-rays and patient records, taken from insecure AWS S3 buckets; the exposure may have lasted for months.

💻 The Yurei ransomware gang carried out its first double-extortion attack with a modified version of the open source Prince-Ransomware, written in Go, which makes it harder to detect; reusing open source malware lowers the barrier to entry for criminals.

🔐 The newly discovered HybridPetya combines NotPetya's destructive capabilities with Petya's recoverable encryption: it can bypass UEFI Secure Boot, encrypt the Master File Table and render systems inaccessible, while still letting its operators reconstruct the decryption key.
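The KillSec breach summarised above traces back to S3 buckets left open. As an added example (not MedicSolution's, KillSec's or Dark Reading's code), the following Python audits the three settings that decide whether a bucket is reachable anonymously: the bucket policy, the bucket ACL and the Public Access Block, in the JSON shapes returned by `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`. The sample documents, bucket name and role ARN in it are constructed.

```python
"""Audit an S3 bucket's policy, ACL and Public Access Block for anonymous exposure.

Added example, not MedicSolution's or KillSec's code. The inputs are the JSON
documents returned by `aws s3api get-bucket-policy`, `get-bucket-acl` and
`get-public-access-block`; the sample documents below are constructed.
"""
import json

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM JSON allows a string or a list in Statement/Action/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Return the Allow statements that grant an anonymous principal some action."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            # A Condition block (for example on aws:SourceVpce) may narrow the grant;
            # the statement is still reported, flagged for manual review.
            "conditioned": "Condition" in stmt,
        })
    return findings


def public_acl_grants(acl):
    """Return ACL grants to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            findings.append({"group": group, "permission": grant.get("Permission")})
    return findings


def audit_bucket(policy, acl, public_access_block):
    """Combine the three checks.

    public_access_block is the PublicAccessBlockConfiguration dict, or None when the
    bucket has none. IgnorePublicAcls neutralises public ACL grants and
    RestrictPublicBuckets neutralises a public bucket policy, so a finding is an
    effective exposure only when the matching flag is off.
    """
    pab = public_access_block or {}
    policy_findings = public_policy_statements(policy or {})
    acl_findings = public_acl_grants(acl or {})
    effective_policy = [] if pab.get("RestrictPublicBuckets") is True else policy_findings
    effective_acl = [] if pab.get("IgnorePublicAcls") is True else acl_findings
    return {
        "public": bool(effective_policy or effective_acl),
        "missing_block_flags": [k for k in PAB_KEYS if pab.get(k) is not True],
        "policy_findings": policy_findings,
        "acl_findings": acl_findings,
    }


# Constructed sample: a bucket readable and listable by anyone, with no Public Access Block.
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-patient-files", "arn:aws:s3:::example-patient-files/*"],
    }],
}
EXPOSED_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_PAB = None

# Hardened form: access only through one named role (hypothetical ARN), all four flags on.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppBackendOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-patient-files/*",
    }],
}
HARDENED_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [EXPOSED_ACL["Grants"][0]]}
HARDENED_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    for label, docs in (("exposed", (EXPOSED_POLICY, EXPOSED_ACL, EXPOSED_PAB)),
                        ("hardened", (HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB))):
        print(label, json.dumps(audit_bucket(*docs), indent=2))
```

The combined check matters because a public policy or ACL on its own is not the whole story: a complete Public Access Block shields the same documents, and a missing block turns a single careless statement into an internet-facing data store. Run it over every bucket in the account rather than the ones you remember; the months-long exposure window in the MedicSolution case is what continuous auditing, not a one-off review, prevents.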
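HybridPetya's persistence comes from writing its payload to the EFI System Partition, which is also where a defender can look for it. As an added example (not ESET's tooling and not code from the page), this Python script inventories every file on a mounted ESP by SHA-256 and diffs the result against a baseline captured from a known-good machine. It builds two small constructed sample trees so it runs offline; the file names in those samples are hypothetical stand-ins, not HybridPetya's artefacts.

```python
"""Inventory the files on an EFI System Partition and diff them against a baseline.

Added example, not ESET's tooling or HybridPetya code. Point inventory_esp() at a
mounted ESP (for example /boot/efi on Linux, or S: after `mountvol S: /S` on
Windows). The two sample trees built by build_sample_esps() are constructed and the
file names in them are hypothetical.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_esp(esp_root):
    """Map every file under esp_root (relative POSIX path, lower-cased because FAT32
    is case-insensitive) to its SHA-256. All files are included, not only *.efi:
    a bootkit's config or staging files are findings too."""
    inv = {}
    for dirpath, _dirs, files in os.walk(esp_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, esp_root).replace(os.sep, "/").lower()
            inv[rel] = sha256_file(full)
    return inv


def diff_against_baseline(current, baseline):
    """Return (added, modified, missing) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    return added, modified, missing


def scan(esp_root, baseline):
    """Diff a live ESP against the baseline; any added or modified file is suspicious."""
    added, modified, missing = diff_against_baseline(inventory_esp(esp_root), baseline)
    return {"added": added, "modified": modified, "missing": missing,
            "suspicious": bool(added or modified)}


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_sample_esps():
    """Constructed sample: a clean ESP and a copy in which the Windows boot manager has
    been replaced and the original parked next to it (hypothetical names)."""
    clean = tempfile.mkdtemp(prefix="esp-clean-")
    tampered = tempfile.mkdtemp(prefix="esp-tampered-")
    for root in (clean, tampered):
        _write(root, "EFI/Boot/bootx64.efi", b"stand-in for the fallback loader")
        _write(root, "EFI/Microsoft/Boot/BCD", b"stand-in for the boot configuration store")
    _write(clean, "EFI/Microsoft/Boot/bootmgfw.efi", b"stand-in for the vendor boot manager")
    _write(tampered, "EFI/Microsoft/Boot/bootmgfw.efi", b"stand-in for a replaced boot manager")
    _write(tampered, "EFI/Microsoft/Boot/bootmgfw.efi.bak", b"original parked aside by the installer")
    return clean, tampered


if __name__ == "__main__":
    clean_root, tampered_root = build_sample_esps()
    baseline = inventory_esp(clean_root)  # in practice: captured from a known-good machine
    print(scan(tampered_root, baseline))
```

Two caveats. The baseline has to predate any exposure: a baseline taken from an already-infected machine simply blesses the bootkit. And checking Secure Boot status (`Confirm-SecureBootUEFI` in PowerShell, `mokutil --sb-state` on Linux) is still worth doing, but, as this malware shows, Secure Boot being enabled is not proof that the ESP is clean.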

Ransomware gangs and strains come and go, and some reemerge stronger than ever.

Take the BlackCat ransomware gang, for example. It shuttered operations in March 2024 following an exit scam (https://www.darkreading.com/cyberattacks-data-breaches/blackcat-goes-dark-again-reportedly-rips-off-change-healthcare-ransom). Or LockBit, a ransomware gang that revived itself (https://www.techtarget.com/searchsecurity/news/366571377/LockBit-restores-servers-following-law-enforcement-takedown) days after law enforcement took the group down (https://www.techtarget.com/searchsecurity/news/366570614/Operation-Cronos-dismantles-LockBit-ransomware-gang).

Then there are variants that just won't stop, building off their predecessors with stronger, more resilient attack techniques. Using LockBit again as an example: it first emerged in 2019 and has recently evolved into LockBit 5.0 (https://www.vectra.ai/blog/lockbit-is-back-whats-new-in-version-5-0), "boasting faster encryption, stronger evasion and a revamped affiliate program."

This week's featured articles cover an old and a new ransomware group, as well as the reemergence of Petya in a potential new strain.

KillSec ransomware attacks Brazilian healthcare provider

On Sept. 8, the KillSec ransomware group attacked MedicSolution, a Brazilian healthcare software provider. It threatened to leak 34 GB of sensitive data, including more than 94,000 files containing lab results, X-rays and patient records.

The breach originated from insecure AWS S3 buckets, with the window of exposure potentially going back several months. MedicSolution provides cloud services to numerous medical practices, so the exposure puts those healthcare organizations at risk as well. Affected patients have not been notified that their data was compromised.

Read the full story by Kristina Beek on Dark Reading: https://www.darkreading.com/cyberattacks-data-breaches/killsec-ransomware-brazil-healthcare-software-provider

Yurei ransomware group scored its first victim

On Sept. 5, newcomer ransomware group Yurei claimed its first double-extortion victim, MidCity Marketing, a food manufacturer in Sri Lanka. Days later, additional victims were reported in India and Nigeria.

The operators, likely based in Morocco, used a modified version of the open source Prince-Ransomware, written in Go, which makes it harder to detect, to conduct the attacks. Using open source malware "significantly lowers the barrier to entry for cybercriminals," researchers at cybersecurity vendor Check Point Software wrote in a blog post (https://research.checkpoint.com/2025/yurei-the-ghost-of-open-source-ransomware/).

The same researchers also found a critical flaw in the malware that could enable victims to recover their encrypted files.

Read the full story by Elizabeth Montalbano on Dark Reading: https://www.darkreading.com/threat-intelligence/emerging-yurei-ransomware-claims-first-victims

New malware HybridPetya threatens Secure Boot

Researchers at cybersecurity vendor ESET have discovered HybridPetya, a sophisticated malware that combines NotPetya's destructive capabilities (https://www.computerweekly.com/news/450424559/NotPetya-attack-cost-up-to-300m-says-Maersk) with Petya's recoverable encryption.

Though not yet seen deployed in the wild, it is the fourth known malware capable of bypassing UEFI Secure Boot protections. HybridPetya can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table, rendering systems inaccessible.

Unlike NotPetya, HybridPetya lets its operators reconstruct the decryption key. Because the bootkit lives on the EFI System Partition rather than on the OS volume, it survives an OS reinstall that leaves that partition untouched; only rewriting the EFI System Partition itself (or wiping the whole disk, partition table included) removes it.

Read the full story by Jai Vijayan on Dark Reading: https://www.darkreading.com/vulnerabilities-threats/hybridpetya-ransomware-bypasses-secure-boot

Editor's note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.

Kyle Johnson is technology editor for Informa TechTarget's SearchSecurity site.
