Ransomware Pivots to Pure Exfiltration as Encryption Fades

◆ DEEP DIVES

1. 01

   Ransomware Actors Stopped Encrypting and Started Stealing — Your Defense Model Is Obsolete

   <h3>The Business Model Flip</h3><p>The ransomware economy just completed a fundamental strategic pivot that invalidates most organizations' primary defense investment. <strong>Data exfiltration now occurs in 77% of intrusions</strong> (up from 57%), while successful encryption deployment <strong>dropped from 54% to 36%</strong>. Leak site posts surged 48% to 7,784. The message from threat actors is clear: why bother encrypting when you can steal data and extort the victim with exposure threats?</p><p>This means your carefully architected backup and recovery strategy — the one your board approved as your ransomware defense — is solving for a <strong>declining threat model</strong>. The new attack chain ends with "we have your data and we're posting it in 72 hours," not "pay us to decrypt your files."</p><hr><h3>The Speed Problem Is Existential</h3><p>Threat actor <strong>HexStrike exploited thousands of Citrix Netscaler products in under 10 minutes</strong> using a single CVE. CISA's typical patch timeline is 15 days. That's not a gap — it's a <strong>chasm measured in orders of magnitude</strong>. Booz Allen Hamilton's new report frames this as proof that threat actors have adopted AI faster than defenders, identifying two emerging paradigms:</p><ul><li><strong>Amplifier model</strong>: LLMs assist human operators to run recon across dozens of targets simultaneously — <em>operational today</em> and explains HexStrike-class speed</li><li><strong>Orchestration model</strong>: AI agents execute attack chains autonomously with set parameters — <em>emerging</em> and represents the next escalation</li></ul><h3>Where They're Getting In</h3><p>Exploited vulnerabilities in <strong>Fortinet, SonicWall, Palo Alto Networks, and Citrix</strong> VPNs and firewalls account for <strong>one-third of all ransomware initial access</strong>. Stolen credentials provide another 21%. That's over half of all entry points concentrated in two controllable vectors. Meanwhile, <strong>VMware ESXi hypervisors</strong> were targeted in 43% of ransomware cases (up from 29%) — attackers compromise one hypervisor, destroy dozens of VMs, and <strong>wipe forensic evidence</strong>.</p><blockquote>The initial access broker market has commoditized to the point where most hacked networks sell for under $3,000, with valid accounts lacking MFA as the dominant product category.</blockquote><h3>What Cross-Source Analysis Reveals</h3><p>Multiple intelligence streams this week confirm the same pattern from different angles: the cybercrime infrastructure is industrializing. AI-generated malware is now in active ransomware campaigns — IBM X-Force reports Hive0163 deployed <strong>Slopoly, an AI-generated backdoor</strong>. Gen Digital researchers documented <strong>"promptmorphism"</strong> — using AI to rapidly generate unique polymorphic variants, dramatically accelerating signature evasion. Combined with the sub-$3K IAB market, the economics now favor attackers who can move from purchase to exfiltration in hours.</p>

   Action items

   • Shift ransomware defense model from recovery to data theft prevention: deploy or enhance egress DLP, establish data movement baselines, and build a data-extortion-specific IR track with legal/comms/regulatory workflows
   • Emergency audit all internet-facing Fortinet, SonicWall, Palo Alto, and Citrix appliances against CISA KEV catalog; deploy virtual patches for any CVE you cannot patch within 48 hours
   • Harden VMware ESXi as Tier 0: isolate management to dedicated VLAN, enable lockdown mode, forward all logs to SIEM (attackers destroy local forensic evidence), restrict SSH and vMotion
   • Stress-test SOC detection-to-containment workflows against a 10-minute full-chain exploitation scenario modeled on HexStrike; identify where human triage creates fatal bottlenecks

   Sources:Your backup strategy won't save you: ransomware actors now steal data in 77% of intrusions and skip encryption entirely · 9 AppArmor bugs since 2017 break your container isolation

2. 02

   Emergency Patch Convergence: CrackArmor, Veeam 9.9s, Chrome Zero-Day, and Cisco SD-WAN Hit Simultaneously

   <h3>This Is Not a Normal Patch Week</h3><p>Five distinct critical vulnerability sets dropped simultaneously, each targeting a different layer of your stack. The combination demands cross-functional triage — your Linux team, backup team, browser fleet, network team, and Windows admins all have emergency work today.</p><hr><h3>CrackArmor: Container Escape Since 2017</h3><p><strong>Nine vulnerabilities in AppArmor</strong> — the kernel security module enforcing container isolation — enable root escalation and container escape across <strong>every major Linux distro and Kubernetes since 2017</strong>. Ubuntu, Debian, SUSE, and all Kubernetes clusters running AppArmor are affected. A public technical write-up is available, meaning weaponization is expected imminently. This has been <em>silently exploitable for seven years</em> — assume adversaries with kernel exploit capabilities are already aware.</p><h3>Veeam: Your Backup Infrastructure Is the Target</h3><p>Veeam patched five vulnerabilities including <strong>three at CVSS 9.9/10</strong>. This is near-total compromise of backup infrastructure — the exact system ransomware operators target first. With ransomware actors pivoting to data theft (77% exfiltration rate), compromised backup infrastructure provides both the data and the leverage. No exploitation reported yet, but the combination of Veeam + active ransomware campaign data makes this a race condition.</p><h3>Chrome: One Patched, One Pending</h3><p>Google patched one <strong>actively exploited Chrome zero-day</strong>, but a second zero-day mentioned in initial patch notes was <em>removed and remains unpatched</em> — fix expected later this week. Force the available update fleet-wide now and prepare rapid deployment for the second patch.</p><h3>Cisco SD-WAN + Windows RRAS</h3><p><strong>Three Cisco SD-WAN vulnerabilities</strong> are under active exploitation, and VulnCheck expects <strong>CVE-2026-20133</strong> to be targeted imminently. Separately, Microsoft <em>re-released</em> hotpatch KB5084597 for three RRAS RCE flaws (CVE-2026-25172, CVE-2026-25173, CVE-2026-26111) — the re-release indicates the initial patch may have failed silently.</p><table><thead><tr><th>Vulnerability</th><th>Severity</th><th>Exploitation Status</th><th>Action</th></tr></thead><tbody><tr><td>CrackArmor (9 CVEs)</td><td>Critical</td><td>Write-up public; weaponization expected</td><td>Patch all Linux/K8s immediately</td></tr><tr><td>Veeam (3 of 5 CVEs)</td><td>CVSS 9.9</td><td>No exploitation yet</td><td>Emergency patch; verify backup integrity</td></tr><tr><td>Chrome zero-day</td><td>High</td><td>Actively exploited</td><td>Force update fleet-wide now</td></tr><tr><td>Cisco SD-WAN (4 CVEs)</td><td>High</td><td>3 exploited; 4th imminent</td><td>Patch all four proactively</td></tr><tr><td>Windows RRAS (3 CVEs)</td><td>RCE</td><td>Write-up published</td><td>Apply re-released KB5084597; verify even if patched before</td></tr></tbody></table>

   Action items

   • Patch AppArmor across all Linux distributions and Kubernetes clusters; validate container isolation post-patch; assume this has been silently exploitable since 2017
   • Emergency patch Veeam Backup infrastructure for three CVSS 9.9 vulnerabilities; verify backup integrity and test restore capability immediately after patching
   • Force Chrome browser update enterprise-wide; prepare deployment pipeline for second zero-day patch expected this week
   • Patch Cisco SD-WAN for all four vulnerabilities including CVE-2026-20133 proactively before exploitation begins; segment SD-WAN management interfaces
   • Apply re-released Windows RRAS hotpatch KB5084597 on all Windows 11 24H2/25H2 and LTSC 2024 systems; verify application even if previously patched

   Sources:9 AppArmor bugs since 2017 break your container isolation · 81 malicious npm packages are live right now stealing your CI/CD tokens

3. 03

   Five Simultaneous Supply Chain Attacks Are Targeting Your Developer Pipeline Right Now

   <h3>The Convergence</h3><p>Your developer supply chain is under <strong>five distinct, simultaneous attacks</strong> across different layers — npm packages, IDE extensions, mobile SDKs, GitHub repositories, and VPN client downloads. This isn't a single campaign; it's a convergence of unrelated threat actors all recognizing that the developer pipeline is the highest-leverage target in 2026.</p><hr><h3>1. PhantomRaven: npm's Own Features Weaponized</h3><p>Endor Labs identified <strong>88 malicious npm packages</strong> published from 50+ disposable accounts. The critical innovation: these packages abuse <strong>Remote Dynamic Dependencies (RDD)</strong> — HTTP URL entries in package.json that cause npm itself to fetch and execute a 259-line credential-harvesting payload at install time. <em>No postinstall scripts. No suspicious code in the package itself.</em> Your SCA scanner likely sees nothing. As of now, <strong>81 of 88 remain live</strong> with both C2 servers operational (AWS EC2, plaintext HTTP port 80). Targets: developer emails, CI/CD tokens, system fingerprints — exfiltrated via triple-redundant GET/POST/WebSocket channels.</p><h3>2. GlassWorm → ForcedMemo: The Cascade</h3><p>The GlassWorm worm continues spreading through <strong>72 new VSCode/OpenVSX extensions</strong> since late January. The critical escalation: Step Security reports that <strong>GitHub credentials stolen by GlassWorm</strong> are now being reused in the ForcedMemo campaign, injecting crypto-wallet stealer code into <strong>hundreds of GitHub Python projects since March 8</strong>. This is a textbook cascade: workstation compromise → credential theft → repository poisoning → downstream consumer compromise.</p><h3>3. AppsFlyer SDK Compromise</h3><p>A threat actor injected a cryptocurrency address hijacker into <strong>AppsFlyer's mobile and web analytics SDK</strong>. The malware intercepts clipboard operations to replace Bitcoin, Ethereum, Solana, Ripple, and TRON wallet addresses. Any application integrating the compromised SDK version is distributing this payload to its users. <em>Your app becomes the delivery mechanism.</em></p><h3>4. DPRK Famous Chollima npm Packages</h3><p>North Korea's Famous Chollima uploaded new malicious npm packages containing <strong>PylangGhost RAT</strong>, continuing state-level poisoning of package registries.</p><h3>5. Storm-2561 Fake VPN Clients</h3><p><strong>Storm-2561</strong>, active since May 2025, uses SEO poisoning to serve fake VPN client downloads impersonating <strong>Fortinet, Ivanti, and Cisco</strong>. The trojanized clients capture VPN credentials during "authentication," then stolen credentials provide corporate network access. The multi-vendor strategy casts a wide net regardless of which VPN stack an organization runs.</p><blockquote>Five separate supply chain attacks across npm, IDE extensions, SDKs, GitHub repos, and VPN downloads are all live simultaneously — this is the most concentrated developer pipeline threat landscape in years.</blockquote>

   Action items

   • Search all package.json and lockfiles for HTTP/HTTPS URL entries in dependency fields; cross-reference against PhantomRaven IOCs (AWS EC2 C2 on port 80, PHP endpoints jpd.php and npm.php); rotate CI/CD tokens as precaution
   • Audit all VSCode/OpenVSX extensions against approved allowlist; rotate GitHub personal access tokens for any developer who installed unverified extensions; scan Python dependencies pulled since March 8 for ForcedMemo indicators
   • Audit AppsFlyer SDK integration across all mobile and web applications; verify SDK integrity and check for clipboard hijacking behavior by testing copy-paste of crypto addresses
   • Restrict VPN client software installation to IT-managed deployment channels only; hunt DNS/proxy logs for VPN client downloads from non-vendor domains since May 2025
   • Scan npm dependencies for DPRK Famous Chollima packages containing PylangGhost RAT; implement package provenance verification with block-on-threat policy in CI/CD

   Sources:81 malicious npm packages are live right now stealing your CI/CD tokens · 9 AppArmor bugs since 2017 break your container isolation · 72 poisoned Open VSX extensions in your dev pipeline · Your Intune MDM is now a wiper weapon

4. 04

   Your Defensive Tools Became the Attack Surface: Intune Weaponized at Stryker, Lilli Breached at McKinsey

   <h3>When Trust Inverts</h3><p>Two incidents this week share a devastating pattern: the tools organizations trust most became the attack vector. At Stryker, the MDM platform designed to <em>protect</em> devices destroyed them. At McKinsey, the AI platform built to <em>empower</em> employees exposed their most sensitive conversations. Neither attack required sophisticated exploits — both abused legitimate functionality.</p><hr><h3>Stryker: 200,000 Devices Wiped via Microsoft Intune</h3><p>Iranian nation-state actors allegedly compromised Stryker's Microsoft Intune environment and issued <strong>remote wipe commands to 200,000 devices across 79 countries</strong>. No malware deployment was needed — the legitimate Intune wipe functionality <em>is</em> the weapon. This is "living off the land" at the infrastructure management layer, and <strong>no endpoint detection tool would flag a legitimate Intune wipe command as malicious</strong>.</p><p>The attack chain: privileged access compromise → management plane abuse → mass destructive action. The critical insight for your environment: your MDM platform has the same destructive capability as a nation-state wiper, and the only thing standing between a threat actor and fleet-wide destruction is your admin access controls.</p><p><em>Note: The Intune vector carries ~0.7 confidence in initial reporting. The exact compromise method is still under investigation. However, the architectural risk applies regardless of the specific MDM platform.</em></p><h3>McKinsey Lilli: $20 AI Agent, 2 Hours, 46.5 Million Chats</h3><p>CodeWall's autonomous AI agent performed end-to-end exploitation of McKinsey's 30,000-user Lilli AI platform — <strong>reconnaissance → vulnerability discovery → exploitation → data access — entirely autonomously in under 2 hours for $20 in API tokens</strong>. The vulnerability was a textbook SQL injection through an unauthenticated public endpoint that McKinsey's own scanners missed for over two years.</p><p>The exposed data: <strong>46.5 million chat messages</strong> covering strategy, M&A, and client engagements, plus 728,000 files and 95 system prompts. The most alarming detail: <strong>the agent had write access to the prompt layer</strong>. An attacker could silently rewrite Lilli's core behavioral instructions, turning a trusted internal tool into an adversarial agent with legitimate network access.</p><blockquote>McKinsey's claim that 46.5 million chats covering M&A and client strategy contained "no client data" warrants skepticism.</blockquote><h3>Cross-Source Pattern</h3><p>Multiple sources confirm that internal AI platforms are the new shadow IT — deployed with urgency and exempted from the security rigor applied to customer-facing applications. The 66% vulnerability rate across 1,808 scanned MCP servers and the finding that 93% of AI agents use unscoped API keys stored in env files reinforce that <strong>AI infrastructure is deploying faster than security controls</strong> industry-wide.</p><p>Meanwhile, the <strong>ClickFix social engineering technique</strong> has crossed the threshold from novel to industry-standard initial access — appearing in APT28's Phexia campaign on macOS (with a TCC reset trick and 150-retry credential harvest), trojanized OpenClaw installers on GitHub, and 250+ compromised WordPress sites serving fake Cloudflare CAPTCHAs. Your email security gateway will never see ClickFix because <em>the user pastes the payload themselves</em>.</p>

   Action items

   • Audit all Intune/MDM admin accounts for phishing-resistant MFA (FIDO2); implement PIM with time-limited elevation; configure bulk action thresholds requiring multi-party approval for wipe/retire actions exceeding 50 devices
   • Conduct emergency security audit of all internal AI platforms, chatbots, and RAG pipelines — specifically test for SQLi, unauthenticated endpoints, and prompt layer isolation from data stores
   • Verify AI system prompts are stored in separate, access-controlled datastores from user-accessible data — never in the same database tables; implement change detection alerting on prompt modifications
   • Deploy endpoint controls for ClickFix: monitor clipboard-to-terminal paste events, restrict osascript from interactive Terminal on macOS, enforce PowerShell Constrained Language Mode on Windows; block vdsina[.]com at DNS

   Sources:Your Intune MDM is now a wiper weapon · An AI agent popped McKinsey's crown jewels in 2 hours for $20 · An autonomous AI agent just popped McKinsey's flagship AI platform via SQLi · 81 malicious npm packages are live right now stealing your CI/CD tokens · Prompt injection is now weaponized against your AI agents