Ransomware Attack on Radix Impacts Swiss Government Offices
A ransomware breach targeting the Swiss non-profit Radix has compromised sensitive data from multiple federal agencies. The attack was carried out by the Sarcoma group, which used phishing, unpatched vulnerabilities and, notably, Remote Desktop Protocol (RDP) access to gain entry. After stealing and encrypting the data, the attackers leaked 1.3TB of documents—including contracts, scans, and financial files—on their dark web portal. Radix, which runs government-backed health projects, has notified affected individuals and emphasized vigilance against phishing and credential theft. The Swiss National Cyber Security Centre (NCSC) is investigating the extent of the exposure. While there’s no current evidence that data from partner institutions was accessed, the breach highlights growing threats via RDP entry points. The incident follows a similar 2023 ransomware attack on government service provider Xplain, which resulted in a leak of 65,000 internal documents.
Dark Angels’ Double Extortion Hits Johnson Controls
Johnson Controls is now alerting individuals affected by the massive ransomware attack that disrupted its global operations in 2023. The breach, linked to the Dark Angels ransomware group, resulted in both the theft and encryption of critical data—an example of the group’s signature double extortion method. The attackers infiltrated systems as early as February 2023, eventually stealing over 27TB of sensitive files before encrypting VMware ESXi virtual machines. The stolen data was used as leverage in a $51 million ransom demand and later featured on Dark Angels’ leak portal, Dunghill Leaks. Known for combining data theft with system lockdown, Dark Angels typically gains access via domain controllers and deploys both Windows and Linux encryptors. Although Johnson Controls spent over $27 million on response and recovery, the long-term consequences of the leak remain significant. The incident underscores the rising threat of double extortion campaigns by groups like Dark Angels.
Aeza Group Sanctioned for Bulletproof Hosting Tied to BianLian
The U.S. Treasury has sanctioned Russian hosting provider Aeza Group for operating as a bulletproof hosting service aiding cybercriminals, including the BianLian ransomware gang. Bulletproof hosting services like Aeza are notorious for shielding malicious actors by ignoring abuse reports and law enforcement takedown requests. Aeza’s infrastructure was allegedly used not only by BianLian but also by operators of RedLine infostealer panels and the BlackSprut darknet drug market. The sanctions also target four key Aeza executives, freezing their U.S. assets and banning American entities from doing business with them. Aeza was previously linked to the Russian disinformation campaign “Doppelgänger,” which mimicked Western news outlets to spread propaganda. This action builds on OFAC’s earlier crackdown on similar bulletproof hosts like ZServers and Xhost. By supporting BianLian’s ransomware operations, Aeza played a central role in enabling data theft, extortion, and malware distribution on a global scale.
AT&T Launches Wireless Lock to Fight SIM Swaps Linked to Scattered Spider
AT&T has introduced “Wireless Lock,” a new feature aimed at stopping SIM swap attacks—a method frequently used by threat groups like Scattered Spider ransomware to infiltrate high-value targets. SIM swapping allows attackers to hijack a victim’s phone number, intercept calls and texts, and gain access to banking, email, or crypto accounts. Scattered Spider, a known cybercrime group, has used this technique to breach corporate networks and execute high-profile attacks. The new feature blocks any number transfers or account changes, even by AT&T staff, unless the user disables the lock manually via app or web portal. It also prevents modifications to billing info, authorized users, and phone numbers. Business users get advanced controls, including exemptions for specific lines. While rival carriers like Verizon have offered similar protections for years, AT&T’s move is a welcome step, especially as groups like Scattered Spider continue to exploit weak SIM protections in social engineering and insider-assisted schemes.
Qantas Cyberattack Highlights Growing Scattered Spider Threat
Qantas has confirmed a cyberattack affecting a third-party platform used by its call center, potentially exposing data of up to 6 million customers. Although no financial details or login credentials were compromised, names, emails, phone numbers, and frequent flyer numbers were accessed. While Qantas hasn’t officially linked the breach to Scattered Spider, the attack bears striking similarities to recent campaigns by the group, also known as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra. Scattered Spider is notorious for social engineering attacks involving SIM swaps, phishing, MFA fatigue, and help desk manipulation. The group previously hit aviation targets like Hawaiian Airlines and WestJet and partnered with ransomware syndicates such as RansomHub, Qilin ransomware, and DragonForce ransomware. In their MGM Resorts attack, they deployed BlackCat ransomware to encrypt over 100 ESXi hypervisors. As Scattered Spider expands its reach into aviation, experts urge organizations to lock down identity systems and harden password reset processes.
Spain Arrests Hackers Tied to Data Leaks Targeting Officials and Media
Spanish authorities have arrested two individuals in Las Palmas for orchestrating cyberattacks against politicians, government institutions, and journalists—marking a major blow against underground hacker networks. The duo, labeled a “serious threat to national security,” exfiltrated sensitive data linked to central and regional officials, which was later leaked online to boost their credibility and sale value. One suspect specialized in data theft, while the other handled sales and cryptocurrency transactions. Police seized electronic devices during the raids that may uncover additional connections to buyers or organized cybercrime. This arrest follows a string of successful operations by Spanish law enforcement against hacker gangs. In recent years, they’ve apprehended suspects tied to attacks on NATO, the U.S. Army, and the Ministry of Defense. Notably, in 2024, they arrested a British national connected to the Scattered Spider group, and in 2023, the alleged ringleaders of Kelvin Security—responsible for 300 international cyberattacks—were also detained.
DOJ Probes Ransomware Negotiator Over Extortion Kickbacks
The U.S. Department of Justice is investigating a former ransomware negotiator from DigitalMint for allegedly colluding with ransomware gangs to profit from extortion deals. DigitalMint, a Chicago-based firm known for handling over 2,000 ransomware negotiations, specializes in facilitating crypto ransom payments for decryptors or data suppression. The ex-employee is suspected of secretly securing ransom deals and receiving kickbacks while clients unknowingly footed the inflated bill. While DigitalMint has distanced itself from the individual and cooperates with authorities, some law and insurance firms have begun advising against using their services during the investigation. The case sheds light on long-standing concerns about corruption in negotiation services, where financial incentives can skew objective advice. Experts like Coveware’s CEO Bill Siegel have long criticized percentage-based business models in the incident response industry, warning that they create moral hazards and encourage larger ransom payments instead of prioritizing the victim’s best interests.
Hunters International RaaS Shuts Down and Offers Free Decryptors
Hunters International, a major Ransomware-as-a-Service (RaaS) operation, has officially ceased its activities and is now providing free decryptors to victims. In a statement posted to its dark web portal, the group acknowledged the impact of its actions and offered decryption tools to help affected organizations recover their data without paying ransoms. Known for targeting over 300 companies globally—including high-profile victims like the U.S. Marshals Service and Integris Health—the RaaS group previously combined encryption and data extortion. While the gang did not specify what led to the shutdown, prior reports cited increased law enforcement pressure and profitability issues. Threat intel firm Group-IB noted Hunters had been transitioning to an extortion-only model called “World Leaks.” Initially suspected to be a rebrand of Hive ransomware due to code similarities, Hunters International supported multi-platform payloads and became a prominent name in the RaaS ecosystem before its abrupt exit.
SafePay Ransomware Disrupts Ingram Micro in Major RaaS Attack
Ingram Micro, one of the world’s largest tech distributors, suffered a major outage caused by a SafePay ransomware attack—part of a growing wave of Ransomware-as-a-Service (RaaS) incidents in 2025. Employees first discovered the breach when SafePay ransom notes appeared across systems early on a Thursday morning, leading to the shutdown of internal services and a company-wide shift to remote work. Although initial concerns pointed to compromised credentials via the GlobalProtect VPN, Palo Alto Networks later confirmed its systems were not exploited. SafePay, a rising RaaS operation first spotted in late 2024, has already claimed over 220 victims by exploiting VPN access and launching password spray attacks. Affected systems include Ingram’s Xvantage distribution platform and Impulse licensing, while services like Microsoft 365 and Teams remain operational. Ingram Micro has since begun restoring functionality and is working with cybersecurity experts and law enforcement to investigate and mitigate the breach.
Atomic macOS Infostealer Evolves into Persistent MaaS Backdoor Threat
The Atomic macOS Stealer (AMOS), a known malware-as-a-service (MaaS) strain, has taken a dangerous leap forward by integrating a persistent backdoor, granting attackers indefinite access to compromised systems. Researchers at Moonlock, a cybersecurity division of MacPaw, found that the latest AMOS variant now executes arbitrary remote commands, survives reboots via LaunchDaemons, and maintains stealth with obfuscated strings. Originally sold for $1,000/month on Telegram, Atomic began as a data-harvesting MaaS targeting crypto wallets, browser-stored passwords, and macOS files. The new version downloads a hidden binary named “.helper” and runs it persistently through “.agent” scripts at system startup. The malware abuses stolen user credentials to elevate privileges, allowing changes at the root level. AMOS campaigns—now affecting over 120 countries—are increasingly targeted, focusing on crypto users and freelancers. Although AMOS isn’t ransomware, its evolution signals convergence with ransomware tactics, and future variants may even adopt encrypted payloads and .atomic file extensions to extort users directly.
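A defender-side check for the persistence pattern described above, added here as an example (it is not code from the article, from Moonlock or from MacPaw): it parses launchd property lists and flags the traits the passage names, such as a dot-prefixed hidden script or binary like ".helper" or ".agent", a command line pointing into a user-writable directory, a shell interpreter wrapping a script, and RunAtLoad combined with KeepAlive. The plist contents, labels and paths below are constructed for illustration, and the rule set is a generic heuristic rather than an AMOS signature.

```python
"""Scan launchd plists for traits of a persistent implant.

Added example, not code from the article or from Moonlock/MacPaw. The sample
plists, labels and paths are constructed; the rules are generic heuristics.
"""
import os
import plistlib
from typing import Iterator

# Directories launchd reads; the first runs jobs as root, the others as a user.
LAUNCHD_DIRS = (
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
)

# Locations an unprivileged user (or a dropper running as that user) can write to.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

SHELL_INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/env"}


def has_hidden_component(path: str) -> bool:
    """True if any path component is dot-prefixed (e.g. '.helper', '.agent'); '.' and '..' are ignored."""
    return any(c.startswith(".") and c not in (".", "..") for c in path.split("/"))


def plist_findings(plist_path: str, data: bytes) -> list[str]:
    """Return the reasons a launchd plist looks like a persistence implant (empty list = nothing flagged)."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # a plist launchd cannot parse is still worth a look
        return [f"unparseable plist: {exc}"]

    findings: list[str] = []
    program = plist.get("Program")
    args = plist.get("ProgramArguments") or []
    command = [p for p in [program, *args] if isinstance(p, str)]

    for p in command:
        if has_hidden_component(p):
            findings.append(f"hidden (dot-prefixed) path in command line: {p}")
        if p.startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"command line references user-writable location: {p}")

    if len(command) > 1 and command[0] in SHELL_INTERPRETERS:
        findings.append(f"shell interpreter wrapping a script: {' '.join(command)}")

    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: starts at boot and is restarted if killed")

    if has_hidden_component(plist_path):
        findings.append(f"plist itself stored under a hidden name: {plist_path}")

    return findings


def scan_launchd_dirs(dirs=LAUNCHD_DIRS) -> Iterator[tuple[str, list[str]]]:
    """Yield (plist path, findings) for every plist in the launchd directories that triggers a rule."""
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(d, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            findings = plist_findings(full, data)
            if findings:
                yield full, findings


# Constructed sample: a benign vendor updater, the kind of entry these directories are full of.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

# Constructed sample modelled on the pattern in the article: a shell wrapper that runs a
# dot-prefixed ".agent" script from a user-writable directory at boot and is kept alive.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>/Users/Shared/.agent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    # Dry run on the constructed samples, then a real scan of this machine's launchd directories.
    for path, blob in (("/Library/LaunchDaemons/com.example.updater.plist", BENIGN_PLIST),
                       ("/Library/LaunchDaemons/com.example.agent.plist", SUSPICIOUS_PLIST)):
        print(path, "->", plist_findings(path, blob) or "clean")
    for path, findings in scan_launchd_dirs():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Run it as the user whose LaunchAgents you want covered; the LaunchDaemons directory is readable without root. Each flagged trait is common enough in legitimate software on its own, so treat the output as a triage list and weigh entries that hit several rules at once, as the constructed suspicious sample does.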
Russian Basketball Player Arrested for Alleged Role in Conti-Ryuk Ransomware Ops
Russian professional basketball player Daniil Kasatkin was arrested in France at the request of U.S. authorities for allegedly serving as a negotiator for a prolific ransomware gang. The arrest took place at Charles de Gaulle airport on June 21, and Kasatkin now faces extradition over charges of conspiracy to commit computer fraud. While the specific group involved wasn’t officially named, the scope—over 900 corporate and federal victims between 2020 and 2022—mirrors the activity of the Conti ransomware gang, a group that evolved from the infamous Ryuk ransomware operation. Conti, which emerged in 2020 and was dismantled in 2022, played a central role in major ransomware campaigns and was known for its aggressive double extortion tactics. Both Conti and Ryuk relied heavily on human negotiators to extract massive ransom payments, making Kasatkin’s alleged involvement particularly significant. His defense claims he was unknowingly set up via a second-hand, compromised computer.
Conclusion
The increasing sophistication of ransomware operations like Conti and Ryuk underscores the urgent need for organizations to prepare for advanced cyber threats. The arrest of Daniil Kasatkin highlights how deeply ransomware groups rely on human intermediaries to manage negotiations and extort victims, often under the radar. As ransomware-as-a-service operations evolve, so must the defense strategies of companies worldwide.
As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services and Ransomware Negotiation Services. If your organization requires assistance in recovering from a ransomware attack or bolstering its cybersecurity defenses, contact us today. We also provide in-depth training through our Cyber Defense Academy, conduct comprehensive Cybersecurity Risk Assessments, and offer proactive support with our Incident Response Retainer.
Reach out now to secure your business and explore our full range of ransomware decryption service options.