Ethical Hacking News
Ransomware operators have been escalating their tactics and widening their reach in recent months. Anubis hides behind legitimate remote access tools to blend in with normal IT activity while keeping control of victim systems; BYOVD (Bring Your Own Vulnerable Driver) attacks load a legitimately signed but exploitable driver, in this case ktapi.sys, to disable endpoint security in seconds; The Gentlemen's RaaS group breaches targets through known vulnerabilities and stolen credentials and then deploys a Go backdoor; and the VECT encryptor contains implementation flaws that permanently destroy large files rather than encrypting them. Because legitimate tooling and known vulnerabilities give attackers a significant advantage in stealth and evasion, organizations must pair routine patching and vulnerability assessment with controls aimed at these specific behaviors.
Ransomware groups have been escalating their tactics and expanding their threat landscape in recent months. One group that stands out is Anubis, a ransomware-as-a-service (RaaS) operation that has been gaining notoriety since its emergence in late 2024. According to data from Ransomware.Live, the cybercrime crew has claimed 91 victims on its data leak site, with 11 victims reported in June 2026 alone.
The group's modus operandi involves abusing legitimate remote access and administration tools, such as ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment, to blend in with normal IT activity while maintaining control of victim systems. Because these products are signed, widely deployed, and often already present in the environment, their traffic and processes rarely trip signature-based controls, which lets the operators stay resident for extended periods.
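The practical defense against this tradecraft is an inventory question: which RMM products does the organization sanction, and is every running agent one of them, installed where the managed installer puts it? The following is an added example, not code from the article or from any of the vendors named in it. It runs an allowlist check over process-creation events constructed inline in a Sysmon Event ID 1-like shape; the executable names per product, the approved-tool set, and the trusted install directories are assumptions to be replaced with your own inventory.

```python
"""Flag remote access (RMM) tooling that is not on the organisation's approved list.

Added example, not code from the original article. Events are constructed
inline in a Sysmon Event ID 1 (process creation)-like shape; the executable
names per product, the approved-tool set and the trusted install directories
are assumptions to be replaced with your own inventory.
"""
import ntpath
from dataclasses import dataclass
from typing import Optional

# Executable names associated with the RMM products the article names.
# ASSUMPTION: taken from the products' default installers; verify against
# your own software inventory before relying on them.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "za_connect.exe": "Zoho Assist",
    "zaservice.exe": "Zoho Assist",
    "meshagent.exe": "MeshAgent",
    "remotely_agent.exe": "Remotely",
    "winvnc.exe": "UltraVNC",
    "tsdservice.exe": "Total Software Deployment",  # hypothetical name
}

APPROVED_TOOLS = {"ScreenConnect"}  # ASSUMPTION: the org's single sanctioned RMM product
# Sanctioned RMM agents are installed by an administrator into Program Files;
# an agent running from a user profile or ProgramData is a second, unmanaged copy.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    tool: str
    reason: str


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding if the process-creation event is RMM activity we did not sanction."""
    image = event["Image"]
    tool = RMM_BINARIES.get(ntpath.basename(image).lower())
    if tool is None:
        return None  # not an RMM binary we track
    if tool not in APPROVED_TOOLS:
        return Finding(event["Computer"], image, tool, "unapproved RMM tool")
    if not image.lower().startswith(TRUSTED_DIRS):
        # Approved product, but not where the managed installer puts it.
        return Finding(event["Computer"], image, tool, "approved tool outside install dirs")
    return None


def scan(events) -> list:
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"Computer": "WS01",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"},
    {"Computer": "WS02",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe"},
    {"Computer": "SRV01",
     "Image": r"C:\ProgramData\Mesh Agent\MeshAgent.exe"},
    {"Computer": "WS03",
     "Image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.reason} ({f.tool}) -> {f.image}")
```

The second rule matters as much as the first: Anubis does not need an unapproved product if it can drop its own copy of the product you already trust, so an approved agent running out of a Temp or AppData directory is treated as a finding too.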
Another development is the continued use of BYOVD (Bring Your Own Vulnerable Driver), a technique rather than a group: the attacker loads a legitimately signed driver that contains an exploitable flaw, then abuses it from kernel mode to disable state-of-the-art endpoint security in seconds. Because the driver carries a valid signature, standard driver signature enforcement does not stop it. According to Marcus Hutchins, the driver in question is ktapi.sys, which is part of an API developed by Kontron.
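Since the driver is validly signed, a detection cannot key on the signature; what is observable is the load of a known-vulnerable or out-of-place driver followed almost immediately by the death of the security agent. The following is an added example, not code from the article or from the researcher cited in it. It correlates Sysmon-like DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) events constructed inline; the security process names and the 60-second window are assumptions to tune for your environment, and in production the driver match should be on SHA256 hashes from Microsoft's vulnerable driver blocklist rather than on a file name.

```python
"""Correlate a suspicious kernel driver load with a security-process kill that follows it.

Added example, not code from the original article. BYOVD drivers are validly
signed, so the signature field is deliberately not used as a filter; the
detection keys on the driver's name/location and on what happens right after
it loads. Events are constructed inline in a Sysmon-like shape (Event ID 6,
DriverLoad; Event ID 5, ProcessTerminate). The process names and the 60-second
window are assumptions to tune for your environment.
"""
import ntpath
from datetime import datetime, timedelta

# ktapi.sys comes from the article; in production, key on SHA256 values from
# Microsoft's vulnerable driver blocklist rather than on file names, which are trivially renamed.
VULNERABLE_DRIVERS = {"ktapi.sys"}
# ASSUMPTION: service binaries of the endpoint products in use.
SECURITY_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
WINDOW = timedelta(seconds=60)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def suspicious_driver(ev: dict) -> bool:
    """A known-vulnerable driver, or any driver loaded from outside the drivers directory."""
    path = ev["ImageLoaded"].lower()
    return ntpath.basename(path) in VULNERABLE_DRIVERS or not path.startswith(DRIVER_DIR)


def correlate(events) -> list:
    """Return (host, driver, killed_process, seconds_after_load) for each
    suspicious driver load followed on the same host, within WINDOW, by the
    termination of a security product process."""
    loads = [e for e in events if e["EventID"] == 6 and suspicious_driver(e)]
    kills = [e for e in events if e["EventID"] == 5
             and ntpath.basename(e["Image"]).lower() in SECURITY_PROCESSES]
    alerts = []
    for d in loads:
        t0 = parse_ts(d["UtcTime"])
        for k in kills:
            if k["Computer"] != d["Computer"]:
                continue
            delta = parse_ts(k["UtcTime"]) - t0
            if timedelta(0) <= delta <= WINDOW:
                alerts.append((d["Computer"], ntpath.basename(d["ImageLoaded"]),
                               ntpath.basename(k["Image"]), int(delta.total_seconds())))
    return alerts


# Constructed sample telemetry (not real events). Note the attacker's driver
# is "Signed": "true": that is the whole point of BYOVD.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-07-01 10:00:00", "Computer": "WS05",
     "ImageLoaded": r"C:\Users\Public\ktapi.sys", "Signed": "true"},
    {"EventID": 5, "UtcTime": "2026-07-01 10:00:04", "Computer": "WS05",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2026-07-01 10:00:05", "Computer": "WS05",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 6, "UtcTime": "2026-07-01 10:00:00", "Computer": "SRV02",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
    {"EventID": 5, "UtcTime": "2026-07-01 10:30:00", "Computer": "SRV02",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe"},
]

if __name__ == "__main__":
    for host, drv, proc, secs in correlate(SAMPLE_EVENTS):
        print(f"{host}: {drv} loaded, {proc} terminated {secs}s later")
```

Detection is the fallback; prevention is to enable hypervisor-protected code integrity and Microsoft's vulnerable driver blocklist so that a driver on the list never loads, and to collect driver-load telemetry centrally, since the first thing a successful BYOVD attack does is silence the agent that would otherwise report it.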
The Gentlemen's Go Backdoor Detailed
The Gentlemen's RaaS group breaches targets by exploiting known vulnerabilities and using stolen or weak login credentials, performs reconnaissance, and then deploys a Go-based backdoor for remote command execution. Lateral movement is carried out through Group Policy or PsExec, letting the attackers pivot within the target network.
The implant collects system information, exfiltrates it to an external server, and waits for operator responses. The first byte of each response selects the action: "c" runs the remainder as a command through "cmd.exe", and "s" establishes a SOCKS proxy connection. The SOCKS functionality is what lets the operators route traffic through the infected host into the internal network and expand their scan coverage.
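From a defender's side, the two tasking modes described above leave a recognizable pair of traces on the host: a process that spawns cmd.exe on demand and that same process holding an outbound connection to an address outside the organization. The following is an added example, not code from the article and not The Gentlemen's implant itself; it models that behavior as a detection over Sysmon-like process-creation (Event ID 1) and network-connection (Event ID 3) events constructed inline. The internal address ranges, the user-writable directories, and the implant file name are assumptions.

```python
"""Spot a process that both spawns a command shell and talks to the internet.

Added example, not code from the original article and not The Gentlemen's
implant itself. It models the behaviour the article describes (tasking answered
with cmd.exe, SOCKS pivoting over an outbound connection) as a detection over
Sysmon-like process-creation (Event ID 1) and network (Event ID 3) events that
are constructed inline. The internal address ranges, the user-writable
directories and the implant file name are assumptions.
"""
import ntpath
from collections import defaultdict
from ipaddress import ip_address, ip_network

SHELLS = {"cmd.exe", "powershell.exe"}
# ASSUMPTION: the organisation's internal ranges (RFC 1918 plus loopback).
# Membership is tested explicitly rather than via ip_address().is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def find_implant_candidates(events) -> dict:
    """Return {parent image: details} for every process that spawned a shell
    and also initiated a connection to an address outside INTERNAL."""
    image_of = {}                     # ProcessGuid -> image path
    shells = defaultdict(set)         # ParentProcessGuid -> command lines of shells it spawned
    peers = defaultdict(set)          # ProcessGuid -> external "ip:port" it connected to
    for e in events:
        if e["EventID"] == 1:
            image_of[e["ProcessGuid"]] = e["Image"]
            if ntpath.basename(e["Image"]).lower() in SHELLS:
                shells[e["ParentProcessGuid"]].add(e["CommandLine"])
        elif e["EventID"] == 3 and e["Initiated"] == "true" and is_external(e["DestinationIp"]):
            peers[e["ProcessGuid"]].add(f'{e["DestinationIp"]}:{e["DestinationPort"]}')
    hits = {}
    for guid, cmds in shells.items():
        if guid in peers:
            image = image_of.get(guid, "<unknown>")
            hits[image] = {
                "shells": sorted(cmds),
                "peers": sorted(peers[guid]),
                "user_writable_path": image.lower().startswith(USER_WRITABLE),
            }
    return hits


# Constructed sample telemetry (not real events). svc_update.exe is a hypothetical implant name.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "G1", "ParentProcessGuid": "G0",
     "Image": r"C:\Users\Public\svc_update.exe", "CommandLine": "svc_update.exe"},
    {"EventID": 3, "ProcessGuid": "G1", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventID": 1, "ProcessGuid": "G2", "ParentProcessGuid": "G1",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami /all"},
    {"EventID": 3, "ProcessGuid": "G1", "Initiated": "true",
     "DestinationIp": "10.0.0.5", "DestinationPort": "445"},       # internal, not counted
    {"EventID": 1, "ProcessGuid": "G3", "ParentProcessGuid": "G0",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessGuid": "G4", "ParentProcessGuid": "G3",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},     # user-opened shell
    {"EventID": 1, "ProcessGuid": "G5", "ParentProcessGuid": "G3",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "CommandLine": "chrome.exe"},
    {"EventID": 3, "ProcessGuid": "G5", "Initiated": "true",
     "DestinationIp": "203.0.113.20", "DestinationPort": "443"},  # browser, spawns no shell
]

if __name__ == "__main__":
    for image, info in find_implant_candidates(SAMPLE_EVENTS).items():
        print(image, info)
```

Neither trace is suspicious on its own (users open shells, browsers talk to the internet), which is why the example requires both from the same process before reporting it; the user-writable-path flag is kept as a separate field so an analyst can prioritize hits rather than have the rule silently drop implants that were planted under Program Files.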
In addition to these groups, VECT and TeamPCP have formed a partnership that combines supply chain attack-driven credential theft with ransomware deployment. According to Check Point and JUMPSEC analyses, VECT contains implementation flaws that cause any file larger than 128 KB to be permanently destroyed rather than encrypted, so a victim hit by that build cannot recover those files even by paying; the finding prompted TeamPCP to state that it had never used VECT's encryptor in its attacks.
The convergence of large-scale supply chain credential theft, a maturing RaaS operation, and mass underground forum mobilization constitutes a new model of industrialized ransomware deployment that significantly lowers the barrier to entry for cybercrime. Cybersecurity companies have been warning about this trend, pointing to FortiBleed, a campaign that targeted FortiGate firewalls in a 110-million-credential harvesting operation.
In light of these developments, organizations should take proactive measures matched to the techniques above. Because legitimate remote access tools and exploitation of vulnerabilities in widely used software give attackers a significant advantage in stealth and evasion, generic hygiene (prompt patching, regular vulnerability assessments, strong password policies, least privilege, and routine log review) needs to be paired with controls aimed at these specific behaviors: an allowlist of sanctioned RMM products with alerting on any other agent, Microsoft's vulnerable driver blocklist and hypervisor-protected code integrity to keep known-bad signed drivers from loading, and multi-factor authentication so that stolen or weak credentials alone are not enough to breach a target.
In conclusion, the ransomware threat landscape has expanded significantly in recent months, with Anubis, The Gentlemen's RaaS group, and VECT, together with renewed BYOVD driver abuse, forming a complex web of threats that organizations must navigate. By understanding these tactics and taking proactive measures to secure their systems, organizations can reduce their risk of falling victim to these attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Ransomware-Groups-Expand-Threat-Landscape-Anubis-BYOVD-and-Citrix-Bleed-2-Paved-the-Way-for-Massive-Attacks-ehn.shtml
https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html
Published: Thu Jul 2 15:37:59 2026 by llama3.2 3B Q4_K_M