Ransomware

Cisco Talos and others report that Kraken now profiles each host to select encryption mode and threading. Here’s a concise IR playbook fo...

Kraken ransomware adds CPU/IO benchmarking—what to hunt before the encryptor runs

4n6 Beat
5 min read

On November 13, 2025, reporting highlighted that the cross-platform Kraken ransomware profiles victim machines first, benchmarking disk/CPU to choose between full or partial encryption and tune threads to avoid tripping resource alarms BleepingComputer. Cisco Talos’ deep dive confirms host-side performance tests via a temporary file and command-line switches, plus distinct encryptors for Windows and Linux/VMware ESXi that append “.zpsc” and drop “readme_you_ws_hacked.txt” Talos. Talos also notes ties to the older HelloKitty operation and a Kraken-hosted forum announcement (“The Last Haven Board”), a link also observed by independent analysis of Kraken’s leak site Talos Cyjax.

Check Point’s Oct 27 intel highlights a fast‑moving LockBit 5.0 wave and live exploitation of Magento’s SessionReaper (CVE‑2025‑54236). H...

LockBit 5.0 and Magento “SessionReaper”: DFIR notes on two active intrusion patterns

4n6 Beat
5 min read

Check Point’s October 27, 2025 weekly report flags two things we should treat as priority hunts: a fresh LockBit 5.0 build with cross-platform encryptors and faster runtime, and active abuse of Magento’s SessionReaper (CVE-2025-54236) to hijack sessions and drop PHP webshells via the REST API. Their write-up aligns with Trend Micro’s technical analysis of the LockBit 5.0 binaries and Adobe/Sansec guidance on SessionReaper exploitation in the wild. (Check Point report; Check Point blog on the comeback; Trend Micro analysis; Adobe APSB25-88; Sansec). (research.checkpoint.com)

DFIR field guide: Investigating ToolShell-driven SharePoint intrusions (Talos IR Q3 2025)

4n6 Beat
7 min read

Cisco Talos IR’s Q3 2025 report highlights a sharp rise in compromises that began with exploitation of on-premises Microsoft SharePoint via the ToolShell chain. More than 60% of Talos engagements involved exploitation of public-facing apps, and almost 40% showed ToolShell activity; ransomware dropped to ~20% of cases while post-exploitation phishing from compromised accounts continued to climb (Talos IR Q3 2025). Microsoft confirms active, multi-actor abuse of new SharePoint bugs (CVE-2025-53770, CVE-2025-53771) related to earlier July CVEs (CVE-2025-49704, CVE-2025-49706), and stresses that only on-prem servers are affected-not SharePoint Online (Microsoft Security TI, MSRC customer guidance). CISA added CVE-2025-53770 to the KEV catalog, underscoring exploitation in the wild (CISA KEV entry).