
Threat Intel Update
Ransomware attacks can provide cyber threat actors with valuable information for future attacks, as seen with several PowerSchool customers targeted after the company’s ransomware incident in late 2024. While some customers are now facing extortion, data breaches can also pose risks to attackers. Recently, a site linked to the LockBit group was compromised, exposing details about the group’s operations.
Cybersecurity News
- School Districts Using PowerSchool Platform Targeted for Extortion After December 2024 Ransomware Attack – The attack compromised data of over 60 million K-12 students, which was reportedly deleted by the attackers following a ransom payment by PowerSchool. Recently, a cyber threat actor has extorted four school boards using data obtained from the breach. The Record
- U.S. Government Indicts Yemeni National for Allegedly Distributing Black Kingdom Malware – From 2021 to 2023, schools, medical organizations, and businesses were targeted by the Black Kingdom ransomware. Around 1,500 victims worldwide were reportedly instructed to pay $10,000 in Bitcoin. The ransomware exploited a Microsoft Exchange vulnerability as part of its attack strategy. U.S. Attorney’s Office, Central District of California
- LockBit Ransomware Group’s Site Defaced – The admin panels now display the message, “Don’t do crime CRIME IS BAD xoxo from Prague,” along with a link to a zip file. The file includes data from LockBit’s affiliate panel, revealing Bitcoin addresses, over 4,000 negotiation messages with victims, and information on 75 admins and affiliates with panel access. Additionally, a server used by LockBit was reportedly running a vulnerable PHP version susceptible to remote code execution. Bleeping Computer
- U.S. Sanctions Cambodia-Based Huione Group for Alleged Cybercrime Money Laundering – The Huione Group is accused of laundering funds for investment scams in Southeast Asia and over $37 million linked to North Korean cyber actors. The group operates a payment processor, an online marketplace called Haowang Guarantee, and a cryptocurrency platform named Huione Crypto. As a result of the sanctions, Huione Group’s access to correspondent banking will be disrupted. The Record
- Over 800,000 Credit Cards Stolen via Darcula Phishing-as-a-Service Platform – The cards were obtained through malicious text messages sent in 2023 and 2024, using package delivery notifications and toll road fines as lures. Unlike typical SMS phishing, Darcula targets iPhone and Android users through RCS and iMessage. The platform can spoof over 200 brands and target victims in more than 100 countries. Bleeping Computer