Threat Intelligence
Actionable insights to stay ahead of evolving cyber threats.
Medusa Ransomware
Medusa is a configurable ransomware toolkit that operators tune at runtime—from surgical strikes to full network outages—using flags to control scope, visibility, and cleanup. Defenders should hunt precursors (mass service stops, odd command-line flags, rare API calls) before files are encrypted.
SafePay Ransomware
SafePay, active since late 2024, is a quiet but fast-moving in-house ransomware group that uses VPN/RDP and stolen credentials to exfiltrate data and rapidly encrypt high-value targets; defenders should watch for unusual remote logins, privilege escalation, and shadow-copy deletions to stop it early.
DragonForce Ransomware
DragonForce has evolved from hacktivists into a professional double-extortion ransomware operation. This post gives a hands-on technical breakdown—encryption scheme (ChaCha + appended footer), loader/evasion tactics, kernel driver abuse, exfiltration capabilities, MITRE ATT&CK mapping, IOCs, and concrete defensive takeaways to detect, contain, and recover from attacks. Essential reading for threat hunters, incident responders, and security leaders.
Bert Ransomware
Bert ransomware is brutally efficient and deceptively simple. Unlike advanced families packed with obfuscation, Bert relies on speed, multithreaded AES encryption, and ruthless process termination to cripple Windows and Linux systems. This post examines its use of PowerShell loaders, database-killing routines, intermittent encryption, and Session-based negotiations—revealing why Bert is so disruptive despite its straightforward design.