
SANS ISC Reports Surge in Ransomware, Vaultjacking and Cryptojacking Campaigns


AI-generated from multiple sources. Verify before acting on this reporting.

JACKSONVILLE, Fla. (AP) — The SANS Internet Storm Center issued a weekly security threat report Wednesday detailing a coordinated rise in ransomware, credential theft, and cryptocurrency mining attacks targeting enterprise and consumer systems.

The report, released from the center’s Jacksonville headquarters, identifies three primary attack vectors currently active in the threat landscape. The first involves Akira ransomware, which security analysts say is being deployed with increasing frequency against healthcare and manufacturing organizations. The malware encrypts critical data and demands payment in cryptocurrency; victims who pay are not guaranteed a working decryption key.

A second threat highlighted in the briefing is a series of so-called vaultjacking attacks targeting Google Password Manager. Attackers are exploiting authentication weaknesses to gain unauthorized access to the credentials stored in a victim’s vault. Once inside, the threat actors harvest logins for banking, email, and corporate portals, which are then used to mount further intrusions. The report notes that these attacks are particularly effective because they ride on legitimate, already-compromised user accounts and therefore never trip the perimeter defenses built to stop outside intrusion.

The third campaign involves cryptojacking operations that abuse ScreenConnect remote access software and Microsoft .NET utilities. The attackers inject code into legitimate applications to hijack computing resources for cryptocurrency mining, degrading system performance and raising energy costs for affected organizations. The report indicates that the .NET utilities are used because they are Microsoft-shipped binaries whose execution resembles routine administrative activity, making the mining processes harder to spot.

The SANS Internet Storm Center provided detection signatures and mitigation strategies for each threat vector. For Akira ransomware, the center recommends isolating infected systems immediately and restoring data from offline backups. Regarding vaultjacking, organizations are advised to enforce multi-factor authentication and monitor for anomalous login patterns. To counter the cryptojacking campaign, the report suggests auditing the remote access tools present in the environment and restricting the execution of unsigned .NET applications.
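To make the cryptojacking guidance concrete, the following added example (not code from SANS ISC or the report) shows how a detection analyst might triage process-creation telemetry for the pattern the report describes: a .NET utility launched by the ScreenConnect client, a renamed copy of such a utility, miner-style command lines, or an unsigned binary started by the remote access tool. The records are constructed to mirror Sysmon Event ID 1 fields (Image, ParentImage, OriginalFileName, CommandLine) with an added Signed field assumed to come from a separate signature check; the ScreenConnect binary names, the list of .NET utilities, and the miner command-line markers are the author’s assumptions, since the report names none of them.

```python
"""Triage helper for .NET utility abuse via a remote access tool.

Added example, not code from SANS ISC or the report. Works on constructed
process-creation records shaped like Sysmon Event ID 1 (Image, ParentImage,
OriginalFileName, CommandLine) plus a 'Signed' boolean assumed to be supplied
by a separate Authenticode check.
"""
import ntpath

# Assumption: ScreenConnect client binaries and the .NET Framework utilities
# most often repurposed to build or load payloads. The report names neither.
REMOTE_ACCESS_PARENTS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
DOTNET_UTILITIES = {"msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "csc.exe"}
# Illustrative miner configuration fragments, not indicators from the report.
MINING_MARKERS = ("stratum+tcp://", "stratum+ssl://", "--donate-level", "xmrig")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # routine admin command over the remote session: benign
        "ProcessId": "1101", "Signed": True,
        "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
        "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c ipconfig /all",
    },
    {   # MSBuild spawned straight from the remote access client
        "ProcessId": "1204", "Signed": True,
        "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "OriginalFileName": "MSBuild.exe",
        "CommandLine": r"MSBuild.exe C:\Users\Public\update.proj",
    },
    {   # InstallUtil copied and renamed to look like a system process
        "ProcessId": "1310", "Signed": True,
        "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
        "Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "InstallUtil.exe",
        "CommandLine": r"svchost.exe /u C:\Users\Public\helper.dll",
    },
    {   # the miner itself, launched by the renamed loader
        "ProcessId": "1422", "Signed": False,
        "ParentImage": r"C:\Users\Public\svchost.exe",
        "Image": r"C:\ProgramData\sys\xmrig.exe", "OriginalFileName": "xmrig.exe",
        "CommandLine": "xmrig.exe -o stratum+tcp://pool.example.invalid:3333 -u wallet --donate-level 0",
    },
    {   # MSBuild from Visual Studio: a legitimate developer build
        "ProcessId": "1533", "Signed": True,
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "OriginalFileName": "MSBuild.exe",
        "CommandLine": "MSBuild.exe build.proj /t:Build",
    },
]


def _name(path):
    """Lower-cased file name of a Windows path; tolerates None."""
    return ntpath.basename(path or "").lower()


def flag_event(ev):
    """Return the reasons an event looks like .NET-utility abuse (empty list means benign)."""
    reasons = []
    image = _name(ev.get("Image"))
    # Match on OriginalFileName so a renamed MSBuild.exe is still recognised.
    original = _name(ev.get("OriginalFileName")) or image
    parent = _name(ev.get("ParentImage"))
    cmd = (ev.get("CommandLine") or "").lower()

    is_dotnet_util = original in DOTNET_UTILITIES
    if is_dotnet_util and parent in REMOTE_ACCESS_PARENTS:
        reasons.append("dotnet-utility-spawned-by-remote-access-tool")
    if is_dotnet_util and original != image:
        reasons.append(f"renamed-dotnet-utility:{original}->{image}")
    if any(marker in cmd for marker in MINING_MARKERS):
        reasons.append("miner-style-command-line")
    if parent in REMOTE_ACCESS_PARENTS and ev.get("Signed") is False:
        reasons.append("unsigned-binary-from-remote-access-tool")
    return reasons


def triage(events):
    """Map ProcessId to reasons for every suspicious event; benign events are dropped."""
    return {ev["ProcessId"]: r for ev in events if (r := flag_event(ev))}


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

Keying the .NET-utility check on OriginalFileName rather than the on-disk name is what catches the renamed copy; a rule that only looked at Image would see svchost.exe and move on. The same records also show why the report’s advice to restrict unsigned .NET execution is only a partial fix: the MSBuild and InstallUtil launches are Microsoft-signed, so an execution policy needs a path or publisher rule for who may invoke those utilities, not just a signature requirement.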

Cybersecurity experts warn that the convergence of these threats could indicate a single sophisticated threat actor or multiple groups sharing infrastructure. The simultaneous targeting of consumer password managers and enterprise remote access tools suggests a broad effort to maximize financial gain through both extortion and theft of computing resources.

The report does not specify the origin of the threat actors or the total number of confirmed incidents. It remains unclear whether the campaigns are linked to a single criminal organization or represent independent efforts capitalizing on similar vulnerabilities. The SANS Internet Storm Center stated it will continue to monitor the situation and update its guidance as new indicators of compromise emerge.

Security teams are urged to review their current defenses against these specific vectors. The center emphasized that proactive monitoring and rapid incident response are critical to limiting damage from these evolving threats. As the campaigns develop, organizations face the challenge of balancing operational continuity against the need for stricter security controls.
