Also, Medusa Ransomware, Grafana Flaw, German Political Party Breach

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, German authorities unmasked the alleged REvil and GandCrab ringleader, a critical Docker flaw exposed systems to root access and Chinese hackers deployed Medusa ransomware. North Korean hackers abused GitHub for covert command-and-control, a Grafana AI flaw enabled silent data exfiltration and U.S. scam losses hit a record $20 billion. CISA flagged an actively exploited Ivanti bug, a cyberattack disrupted Northern Ireland’s school network and a German political party faced a ransomware breach.
German Police Identify Alleged REvil, GandCrab Leader ‘UNKN’
German federal police have identified Daniil Maksimovich Shchukin, a 31-year-old Russian national, as the alleged mastermind behind the REvil and GandCrab ransomware operations. The identification is a significant breakthrough, although Shchukin has long evaded capture and remains at large.
The Federal Criminal Police Office, known in Germany as the BKA, has disclosed that Shchukin, also referred to by the alias “UNKN” or “UNKNOWN,” orchestrated cybercriminal activities from at least 2019 to mid-2021. His operations reportedly extorted hundreds of millions of euros worldwide through ransom payments.
Authorities have also named Anatoly Sergeevitsch Kravchuk, a 43-year-old Ukrainian-born Russian citizen, as one of Shchukin’s associates. The two operations were run on an affiliate model: affiliates carried out the intrusions, while the core operators kept control of the malware and of the extortion negotiations.
GandCrab and its successor REvil pioneered that affiliate, or ransomware-as-a-service, model and paired it with double extortion, stealing sensitive data before encrypting systems so that victims faced a public leak as well as an outage if they refused to pay. German investigators have linked the two operations to 130 ransomware incidents in Germany alone, with confirmed ransom payments of around 1.9 million euros across 25 cases and estimated damages of more than 35 million euros.
A separate U.S. court filing describes an ongoing effort to forfeit cryptocurrency wallets associated with Shchukin, valued at approximately $317,000 when they were seized in December 2022. REvil is estimated to have collected more than $200 million in ransom payments worldwide.
At its height, GandCrab’s operators claimed that affiliates had pulled in over $2 billion in ransom revenue before the operation was shut down in 2019, with REvil emerging as its successor. The groups’ attacks included the supply chain attack on Kaseya in July 2021, which affected an estimated 1,500 downstream businesses worldwide and came with a $70 million demand for a universal decryptor.
Docker Flaw Lets Attackers Bypass Auth Controls, Gain Root Access
Research from Cyera has disclosed a severe vulnerability in Docker Engine’s authorization-plugin handling that could allow attackers to gain root-level access to host systems. The flaw, assigned the identifier CVE-2026-34040, builds on previously disclosed issues affecting Docker Engine.
The bug is a logic error in how Docker validates the size of incoming API requests, and it undermines the authorization layer that plugins are supposed to enforce. It affects Docker deployments that use authorization plugins, which are common in enterprise environments as a way to restrict which container operations a user may perform.
By manipulating the request size, an attacker could slip past the plugin’s checks and perform operations the policy should have blocked, such as launching privileged containers or reaching sensitive host resources. The underlying bug has reportedly been present in Docker for nearly a decade, so any deployment that relies on an authorization plugin for its container policy should treat that policy as bypassable until the engine is updated.
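The class of bug the passage describes, an authorization decision made on a different view of the request than the one the daemon then executes, as a simplified Python model added here. This is not Docker’s code and does not reproduce the actual CVE: the endpoint name, the plugin policy, the fail-open behaviour of the plugin and the daemon forwarding only the declared number of bytes are all assumptions chosen to illustrate the failure mode and its hardened counterpart.

```python
"""Simplified model of an authorization-plugin bypass via a client-controlled
request size.  Added illustration; not Docker's implementation."""
import json
from dataclasses import dataclass


@dataclass
class ApiRequest:
    method: str
    path: str
    declared_length: int   # what the client claimed in Content-Length
    body: bytes            # what actually arrived on the wire


def plugin_decision(method: str, path: str, body: bytes, fail_open: bool) -> bool:
    """Hypothetical plugin policy: deny creation of privileged containers.
    The plugin can only judge the body it is handed; what it does when that
    body is empty or unparseable is the whole story."""
    if not (method == "POST" and path.startswith("/containers/create")):
        return True
    try:
        spec = json.loads(body) if body else None
    except ValueError:
        spec = None
    if spec is None:
        return fail_open          # nothing to inspect: allow or deny?
    return not spec.get("HostConfig", {}).get("Privileged", False)


def vulnerable_daemon(req: ApiRequest) -> bool:
    """Forwards only the declared number of body bytes to the plugin, but
    will later execute the full body.  Declaring length 0 hides the body."""
    forwarded = req.body[: req.declared_length]
    return plugin_decision(req.method, req.path, forwarded, fail_open=True)


def hardened_daemon(req: ApiRequest) -> bool:
    """Rejects a size mismatch up front and hands the plugin the same bytes
    that would be executed; the plugin fails closed on an empty body."""
    if req.declared_length != len(req.body):
        return False
    return plugin_decision(req.method, req.path, req.body, fail_open=False)


# Constructed sample requests (assumed API shape for the example).
PRIVILEGED_SPEC = b'{"Image":"alpine","HostConfig":{"Privileged":true}}'
PLAIN_SPEC = b'{"Image":"alpine","HostConfig":{"Privileged":false}}'

HONEST_PRIVILEGED = ApiRequest("POST", "/containers/create", len(PRIVILEGED_SPEC), PRIVILEGED_SPEC)
LYING_PRIVILEGED = ApiRequest("POST", "/containers/create", 0, PRIVILEGED_SPEC)
HONEST_PLAIN = ApiRequest("POST", "/containers/create", len(PLAIN_SPEC), PLAIN_SPEC)


def demo() -> dict:
    """Returns the allow/deny outcome of each daemon for each sample request."""
    return {
        "vulnerable": {
            "honest_privileged": vulnerable_daemon(HONEST_PRIVILEGED),
            "lying_privileged": vulnerable_daemon(LYING_PRIVILEGED),
            "plain": vulnerable_daemon(HONEST_PLAIN),
        },
        "hardened": {
            "honest_privileged": hardened_daemon(HONEST_PRIVILEGED),
            "lying_privileged": hardened_daemon(LYING_PRIVILEGED),
            "plain": hardened_daemon(HONEST_PLAIN),
        },
    }


if __name__ == "__main__":
    for daemon, outcomes in demo().items():
        print(daemon, outcomes)
```

The two fixes are independent and both matter: a daemon that verifies the declared size against the bytes it received removes the attacker’s lever, and a plugin that fails closed on an empty or unparseable body stops a missing body from being an implicit allow.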
Storm-1175 Targets Exposed Systems in Medusa Push
The Chinese hacking group tracked as Storm-1175 is intensifying its Medusa ransomware campaigns. According to Microsoft, the group moves on unpatched internet-facing systems quickly, often within hours of a vulnerability being publicly disclosed.
The group is methodical about finding vulnerable systems. It has used more than 16 vulnerabilities in widely deployed enterprise products, including Microsoft Exchange and Ivanti Connect Secure, to obtain initial access.
Once inside, the attackers establish persistence through various techniques, including adding accounts to privileged groups and leveraging legitimate administrative tools to navigate through networks. Credential theft forms a key part of their strategy, as they use tools to escalate privileges and expand their reach within targeted environments.
Storm-1175 also exfiltrates data before deploying the ransomware, so victims face the threat of sensitive files being published as well as the encryption itself. Recent reports indicate that its activity has affected organizations in healthcare, education and finance, among other sectors, in countries including the United States, the United Kingdom and Australia.
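The persistence technique described above, adding accounts to privileged groups, leaves a clear trail in Windows Security logs. The following is an added detection example, not code from Microsoft or from the cited report: it walks a set of constructed events, flags additions to privileged groups (event IDs 4728, 4732 and 4756 for global, local and universal groups) and raises the severity when the added account was itself created (event ID 4720) shortly beforehand, the create-then-elevate pattern typical of a fresh intrusion. The field names follow the Windows event schema; the event records themselves are invented for the example.

```python
"""Flag additions to privileged Windows groups, with a higher severity when the
added account was created shortly before.  Added detection example over
constructed events, not code from the cited report."""
from datetime import datetime, timedelta

GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}   # member added to global/local/universal group
ACCOUNT_CREATED_EVENT_ID = 4720
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Backup Operators", "Remote Desktop Users", "Account Operators",
}

# Constructed sample events (not real log data).  MemberName is shown as a
# plain account name for readability; real 4732 events carry a SID here.
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-06-03T09:10:12", "EventID": 4720, "Computer": "EXCH01",
     "SubjectUserName": "svc_backup", "TargetUserName": "helpdesk2"},
    {"TimeCreated": "2025-06-03T09:31:40", "EventID": 4732, "Computer": "EXCH01",
     "SubjectUserName": "svc_backup", "MemberName": "helpdesk2",
     "TargetUserName": "Administrators"},
    {"TimeCreated": "2025-06-03T09:32:05", "EventID": 4624, "Computer": "EXCH01",
     "SubjectUserName": "helpdesk2", "TargetUserName": "helpdesk2"},
    {"TimeCreated": "2025-06-03T14:05:00", "EventID": 4732, "Computer": "FS02",
     "SubjectUserName": "itadmin", "MemberName": "jsmith",
     "TargetUserName": "Print Operators"},
    {"TimeCreated": "2025-06-03T15:42:18", "EventID": 4728, "Computer": "DC01",
     "SubjectUserName": "itadmin", "MemberName": "jsmith",
     "TargetUserName": "Domain Admins"},
]


def detect_privileged_group_additions(events, window=timedelta(hours=24)):
    """Return one alert per addition to a privileged group.

    Severity is 'high' when the member account was created within `window`
    before the addition, 'medium' otherwise.  Events are processed in time
    order so account creations are seen before the additions that follow."""
    created_at = {}   # account name (lower-case) -> creation time
    alerts = []
    for event in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(event["TimeCreated"])
        event_id = event["EventID"]
        if event_id == ACCOUNT_CREATED_EVENT_ID:
            created_at[event["TargetUserName"].lower()] = ts
            continue
        if event_id not in GROUP_ADD_EVENT_IDS:
            continue
        group = event["TargetUserName"]       # for group events this is the group
        if group not in PRIVILEGED_GROUPS:
            continue
        member = event.get("MemberName", "")
        creation = created_at.get(member.lower())
        recently_created = creation is not None and ts - creation <= window
        alerts.append({
            "time": event["TimeCreated"],
            "host": event["Computer"],
            "actor": event["SubjectUserName"],
            "member": member,
            "group": group,
            "event_id": event_id,
            "severity": "high" if recently_created else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_group_additions(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same logic runs over a SIEM query rather than a list, and the group list should be extended with whatever local groups carry administrative rights in your environment; the point is that privileged-group membership changes are rare enough to review individually.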
DPRK Hackers Target South Korean Organizations Using GitHub C2
Recent findings have revealed that North Korean-linked hackers are exploiting GitHub as a covert command-and-control platform in a sophisticated phishing campaign targeting South Korean organizations. This operation utilizes disguised Windows shortcut files to deliver malware.
Researchers at Fortinet reported that the malicious .lnk files, when opened, run hidden PowerShell commands while displaying decoy content to the user. The hardcoded logic in the payload sends collected data to GitHub repositories controlled by the attackers, which also serve as the command-and-control channel.
The campaign gains stealth from living-off-the-land techniques, using legitimate tools for malicious ends so that the activity blends in with normal administration. Routing traffic through a widely trusted platform such as GitHub complicates defense for organizations that allow outbound connections to it by default; blocking it outright is rarely an option, so detection has to rest on behavior such as PowerShell launched from a shortcut file or non-developer hosts talking to the GitHub API.
The campaign fits a broader pattern of North Korean operators reusing the same tradecraft against a range of targets.
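Because the lure is a Windows shortcut, the fastest triage is to read the shortcut’s own metadata rather than run it. The following is an added example, not Fortinet’s tooling: a minimal parser for the Shell Link header and string data (enough to recover the target path, the command-line arguments and the window-show setting), plus a simple assessment that flags the traits the passage describes, a PowerShell target with obfuscation flags and a minimised window. The sample shortcuts are built in the block itself and are constructed, including the dummy base64 argument; the parser skips the optional ID list and LinkInfo structures and assumes the ANSI code page is cp1252 when strings are not Unicode.

```python
"""Parse Windows .lnk files and flag shortcuts that launch hidden PowerShell.
Added triage example with constructed samples; not from the cited research."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7   # common choice for shortcuts that want no visible window
SUSPICIOUS_ARG_TOKENS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                         "-nop", "-noprofile", "bypass", "iex", "downloadstring",
                         "frombase64string")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return header flags, ShowCommand and the StringData fields of a shortcut."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    off = 76
    if flags & HAS_ID_LIST:            # skip LinkTargetIDList
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:          # skip LinkInfo (size field includes itself)
        size, = struct.unpack_from("<I", data, off)
        off += size
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_FIELDS:    # StringData, in the order the format fixes
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, off)
        off += 2
        if flags & IS_UNICODE:
            info[name] = data[off:off + count * 2].decode("utf-16-le")
            off += count * 2
        else:
            info[name] = data[off:off + count].decode("cp1252")  # assumed ANSI code page
            off += count
    return info


def assess_lnk(info: dict) -> list:
    """Return human-readable reasons the shortcut looks like a PowerShell lure."""
    reasons = []
    target = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    args = info.get("arguments", "").lower()
    if any(p in target or p in args for p in ("powershell", "pwsh")):
        reasons.append("target or arguments invoke PowerShell")
    reasons.extend(f"suspicious argument token {tok!r}" for tok in SUSPICIOUS_ARG_TOKENS if tok in args)
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised and not activated (SW_SHOWMINNOACTIVE)")
    return reasons


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode shortcut for testing (no ID list, no LinkInfo)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples; the base64 blob is a dummy, not a real payload.
SAMPLE_MALICIOUS_LNK = build_lnk(
    "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "-nop -w hidden -enc QQBkAGQAZQBkACAAZQB4AGEAbQBwAGwAZQA=",
    show_command=SW_SHOWMINNOACTIVE)
SAMPLE_BENIGN_LNK = build_lnk("..\\Documents\\Q3_report.docx", "")


if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS_LNK), ("benign", SAMPLE_BENIGN_LNK)):
        info = parse_lnk(blob)
        print(label, info.get("relative_path"), assess_lnk(info))
```

Real lures often carry a large decoy document or a long script in the arguments field, so the same parser is useful for pulling out the embedded PowerShell for decoding without ever opening the shortcut on a Windows host.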
Grafana Flaw Enables Silent Data Exfiltration Via AI Prompt Injection
A newly discovered vulnerability within the Grafana platform has raised alarms about potential silent data exfiltration risks. This flaw, dubbed “GrafanaGhost,” enables attackers to extract sensitive enterprise data, including financial metrics and customer records.
The issue lies in how Grafana’s AI-assisted features handle external input: an attacker who can place text where the assistant will read it can embed instructions that the platform’s checks do not adequately filter, and the model then carries them out as though they were legitimate operations.
Researchers have identified that this attack operates entirely in the background, making detection exceedingly difficult, effectively allowing thieves to siphon internal data without triggering alarms.
Crypto, AI Scams Cost Americans $20B in 2025
Cyber-enabled scams involving cryptocurrency and artificial intelligence cost Americans nearly $21 billion in 2025, an all-time high.
The FBI’s Internet Crime Complaint Center documented over one million complaints for the year, a marked escalation in online fraud. Investment scams accounted for roughly half of the reported losses, and most were settled in cryptocurrency, which scammers favor because transfers are irreversible and hard to recover rather than because they cannot be traced. Older victims suffered disproportionately large losses.
CISA Flags Actively Exploited Critical Ivanti EPMM Bug
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts concerning a critical vulnerability in Ivanti Endpoint Manager Mobile, which is actively being exploited. This code injection flaw allows unauthenticated remote code execution on internet-facing systems, presenting a straightforward opportunity for attackers to infiltrate enterprise environments.
With exploitation confirmed, organizations running EPMM should apply the vendor fix without delay and review internet-facing instances for signs of compromise rather than assuming they were not reached first.
Cyberattack Hits Northern Ireland School Network
A cyberattack disrupted the C2K network used by schools across Northern Ireland, locking students and teachers out during exam preparation. The Education Authority of Northern Ireland reported that the centralized network was targeted and that every user had to reset their password before access could be restored.
Education authorities continue to investigate the incident, which coincided with crucial study preparation timelines, leaving many students unable to access learning resources.
Qilin Ransomware Group Claims Die Linke Breach
The Qilin ransomware group has claimed responsibility for a breach targeting Germany’s Die Linke party, threatening to leak sensitive internal data as leverage against the organization. Although the party reported that its membership database remains secure, the attack raises significant concerns about the growing frequency of cyber threats targeting political entities.
Political parties hold donor, member and campaign data that ransomware groups can use for leverage, and this incident adds to the growing list of such organizations targeted by prominent ransomware operations.

